A security zone is a specific portion of a network to which certain security protocols and guidelines apply. These protocols will vary depending on the zone. Traditionally, the three layers of network security zones are 1) the outer zone, such as the Internet; 2) the zone in between, often including a firewall; and 3) the trusted inner or private network. This inner zone might be all of a company’s private resources, such as their connected networks, IP address, and applications. The outer zone is public, often requesting access to parts of the private network: for example, an Internet user searching for the company’s webpage.
The in-between security zone is often known as a demilitarized zone (or DMZ). This middle zone is where the outer and inner networks interact. A firewall would be employed in this middle area; it filters traffic and requests from the public outer network to the private one. In a traditional network zone structure, a DMZ receives heavy monitoring because it is where Internet users or traffic from public networks are most likely to enter the private network and potentially access sensitive data. DMZs can include the places where internal and external servers communicate, like websites and domain name system servers.
Traditional network segmentation vs. microsegmentation
Security zones typically rely on perimeter technology, such as firewalls, to filter all of the traffic and requests coming from outer networks. That’s traditional network segmentation: the entire private network of a company is surrounded by security measures. But inside, there is little to no protection. If an attacker does make it past the firewall, they have access to all of the internal network’s connected applications and platforms.
It’s better to implement microsegmentation, especially for larger organizations with more sensitive data. Microsegmentation establishes security zones within the private network as well, not trusting that every bit of traffic that passes through the firewall is safe. Establishing smaller security zones that all have their own protocols (which might vary depending on the application or platform) is better for big networks, in case an attacker accesses them. Zero trust is a similar security approach.