4.3 Given a scenario, apply network security features, defense techniques, and solutions
Zones
📘CompTIA Network+ (N10-009)
What Are Security Zones?
In network security, zones are sections of a network that are separated based on their security level, trust level, and type of traffic allowed.
- Different zones help control access.
- Each zone has rules that decide what traffic can enter or exit.
- Firewalls, routers, and security appliances enforce these rules.
Understanding zones is important for protecting internal resources and controlling external threats.
The two main zones in Network+ exams are:
- Trusted Zones
- Untrusted Zones
Let’s break them down in simple terms.
1. Trusted Zones
A trusted zone is a part of the network that is considered safe, controlled, and managed by the organization.
Only allowed devices and users should be inside this zone.
Examples of Trusted Zones in an IT Environment
- Internal corporate LAN
- Data center servers
- Internal application networks
- Management VLANs (switch management, router management)
Characteristics of a Trusted Zone
| Feature | Description |
|---|---|
| Controlled access | Only authenticated and authorized users/devices can enter. |
| Lower risk | Because the organization manages security inside the zone. |
| More permissive rules | Firewalls allow more internal traffic because it is trusted. |
| Protected by security devices | Firewalls, NAC, ACLs, segmentation. |
Security Behavior
- Trusted zones often allow internal devices to communicate freely.
- Outbound traffic to other trusted areas is usually allowed.
- Access from untrusted zones requires strict security checks.
2. Untrusted Zones
An untrusted zone is any part of the network not controlled by the organization.
These zones are considered high-risk and potentially harmful.
Examples of Untrusted Zones in an IT Environment
- The public internet
- Guest Wi-Fi networks
- Partner networks where your organization has no administrative control
- External cloud environments not directly managed by your staff
Characteristics of an Untrusted Zone
| Feature | Description |
|---|---|
| High risk | Unknown devices and unknown users connect here. |
| No organizational control | Cannot ensure security policies, patching, or device integrity. |
| Strict access rules | Firewalls and security appliances must heavily filter traffic. |
| Often isolated | Separated from trusted zones using segmentation or DMZs. |
Security Behavior
- New connections initiated from an untrusted zone toward a trusted zone are denied by default; a stateful firewall permits only the return traffic of sessions that the trusted side opened.
- Any service that must be reachable from an untrusted zone is placed in a DMZ rather than in the trusted zone, and the traffic still passes through firewalls, proxies, IDS/IPS, and other security layers.
- Authentication is required before any limited access from an untrusted zone is granted.
Why “Trusted vs. Untrusted” Separation Matters
For the exam, CompTIA wants you to understand why these distinctions exist.
Key Benefits
- Reduces attack surface
Untrusted traffic cannot directly reach sensitive internal systems.
- Improves traffic control
Firewalls can enforce different rules for different zones.
- Prevents lateral movement
Attackers who compromise an untrusted zone (like guest Wi-Fi) cannot easily get into internal networks.
- Supports layered security (defense in depth)
Multiple zones equal multiple layers of inspection.
How Traffic Moves Between Zones
Traffic between zones is controlled by security devices.
Typical sequence
- Untrusted zone traffic → hits firewall
- Firewall checks rules (ACLs, policies, NAT)
- Firewall allows, denies, or inspects traffic
- Only approved traffic reaches a trusted zone
You might also see DMZs (Demilitarized Zones) as intermediate zones between trusted and untrusted. These are covered in another section but are important because they act like a buffer zone.
Firewall Policies for Zone Control
Firewalls enforce policies between zones:
Common rules
- Block by default from untrusted → trusted
- Allow from trusted → untrusted (with inspection)
- Log and inspect all untrusted traffic
- Strict access controls for any traffic entering internal networks
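As an added, runnable illustration of the traffic sequence and the policy rules above (this is example code written for this page, not part of the original text or of any vendor's firewall), the following Python models a small stateful, zone-based filter. The zone prefixes (10.0.0.0/8 trusted, 192.0.2.0/24 DMZ, 172.16.0.0/16 guest Wi-Fi, everything else untrusted), the allowed ports, and the sample packets are all constructed assumptions; real products express the same idea as zone pairs with an explicit allow list and an implicit deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone membership by address prefix. These prefixes are constructed for the
# example (RFC 1918 / documentation ranges), not taken from any real network.
# 0.0.0.0/0 is the catch-all: anything not claimed by a more specific prefix
# is untrusted.
ZONES = {
    "trusted":   [ip_network("10.0.0.0/8")],     # corporate LAN, servers, management
    "dmz":       [ip_network("192.0.2.0/24")],   # public-facing servers
    "guest":     [ip_network("172.16.0.0/16")],  # guest Wi-Fi, treated as untrusted
    "untrusted": [ip_network("0.0.0.0/0")],      # the internet
}

# Inter-zone policy for NEW sessions: (src_zone, dst_zone) -> allowed (proto, dport).
# Any zone pair or port not listed is denied. "untrusted"/"guest" -> "trusted"
# is deliberately absent, so those flows fall through to default deny.
POLICY = {
    ("trusted", "untrusted"): {("tcp", 80), ("tcp", 443), ("udp", 53)},
    ("trusted", "dmz"):       {("tcp", 443), ("tcp", 22)},
    ("guest", "untrusted"):   {("tcp", 80), ("tcp", 443), ("udp", 53)},
    ("untrusted", "dmz"):     {("tcp", 443)},
    ("dmz", "trusted"):       {("tcp", 5432)},   # web tier -> database only
}


def zone_of(addr: str) -> str:
    """Return the zone whose most specific prefix contains addr."""
    ip = ip_address(addr)
    best_zone, best_len = None, -1
    for zone, nets in ZONES.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best_zone, best_len = zone, net.prefixlen
    return best_zone


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class ZoneFirewall:
    """Stateful zone-based filter: default deny between zones, explicit allow
    list for new sessions, return traffic admitted only by session state."""

    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()   # 5-tuples of sessions that were allowed
        self.log = []           # every decision is logged, allow or deny

    def evaluate(self, pkt: Packet):
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if src_zone == dst_zone:
            decision = ("allow", "intra-zone")    # no zone boundary is crossed
        elif reverse in self.sessions:
            decision = ("allow", "established")   # reply to a session we permitted
        elif (pkt.proto, pkt.dport) in self.policy.get((src_zone, dst_zone), set()):
            self.sessions.add(forward)            # remember it so the reply can return
            decision = ("allow", "policy")
        else:
            decision = ("deny", "default-deny")

        self.log.append((src_zone, dst_zone, pkt, decision))
        return decision


def demo():
    """Run a constructed packet sequence through the filter; returns decisions."""
    fw = ZoneFirewall(POLICY)
    r = {}
    # Internet host probes SMB on an internal file server: no rule, so denied.
    r["inet->lan smb"] = fw.evaluate(Packet("203.0.113.10", 40000, "10.0.0.5", 445))
    # Internal user browses out; the reply comes back on the reversed 5-tuple.
    r["lan->inet https"] = fw.evaluate(Packet("10.0.0.5", 51000, "203.0.113.10", 443))
    r["inet->lan reply"] = fw.evaluate(Packet("203.0.113.10", 443, "10.0.0.5", 51000))
    # Same source port 443 but no matching session: a spoofed "reply" is denied.
    r["inet->lan fake reply"] = fw.evaluate(Packet("203.0.113.10", 443, "10.0.0.5", 51001))
    # Guest Wi-Fi client: internet is fine, lateral move into the LAN is not.
    r["guest->inet http"] = fw.evaluate(Packet("172.16.5.5", 52000, "203.0.113.10", 80))
    r["guest->lan ssh"] = fw.evaluate(Packet("172.16.5.5", 52001, "10.0.0.5", 22))
    # Public web server in the DMZ: HTTPS from the internet allowed, SSH denied.
    r["inet->dmz https"] = fw.evaluate(Packet("203.0.113.10", 40001, "192.0.2.10", 443))
    r["inet->dmz ssh"] = fw.evaluate(Packet("203.0.113.10", 40002, "192.0.2.10", 22))
    # DMZ web tier may reach the internal database port and nothing else.
    r["dmz->lan db"] = fw.evaluate(Packet("192.0.2.10", 45000, "10.0.1.20", 5432))
    r["dmz->lan ssh"] = fw.evaluate(Packet("192.0.2.10", 45001, "10.0.1.20", 22))
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision[0]:5s} ({decision[1]})")
```

The point to notice is the third and fourth packets: both arrive from the internet with source port 443, but only the one that matches a session the trusted side opened is admitted. That is what "allow from trusted to untrusted" means on a stateful firewall: the rule admits the reply, not arbitrary inbound traffic from the untrusted zone.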
Network+ may test you on the idea that zones affect how firewalls apply security rules.
Trusted vs. Untrusted Zones – Quick Comparison Table
| Feature | Trusted Zone | Untrusted Zone |
|---|---|---|
| Control | Fully under organization’s control | Not controlled by the organization |
| Security risk | Lower | Very high |
| Access rules | More permissive | Very strict |
| Common examples | Internal LAN, server networks | Internet, guest Wi-Fi |
| Firewall behavior | Often allows internal traffic | Denies most inbound traffic |
| Trust level | High | None |
| Traffic inspection | Moderate | High-level inspection and filtering |
Exam Tips for Network+ (N10-009)
Remember these key points for the exam:
✔ Trusted zones = internal, controlled, lower risk
✔ Untrusted zones = external, uncontrolled, high risk
✔ Firewalls and security appliances enforce access between zones
✔ Untrusted-to-trusted traffic is never allowed without strong filtering
✔ Networks often use multiple zones (LAN → DMZ → Internet)
✔ Zones help implement defense in depth
✔ Guest networks are treated as untrusted zones, even though the organization runs the access points, because the devices on them are not managed
✔ Internal corporate networks are treated as trusted zones
If the exam question asks something like:
“Where should unknown devices be placed?”
→ Untrusted zone
“Which zone contains internal company resources?”
→ Trusted zone
Conclusion
Trusted vs. Untrusted Zones are fundamental concepts for designing secure networks. They help control who can access what, reduce risk, and ensure networks are protected from external threats. Understanding how these zones work—and how firewalls enforce rules between them—is critical for passing the CompTIA Network+ (N10-009) exam.
