Screened Subnet (DMZ)

4.3 Given a scenario, apply network security features, defense techniques, and solutions

Zones

📘CompTIA Network+ (N10-009)


Why a Screened Subnet (DMZ) Is Needed

Organizations often have services that must be accessed from outside. Examples include:

  • Web servers
  • Email servers
  • VPN gateways
  • DNS servers
  • Reverse proxies

These cannot sit on the internal network itself: serving them from there would mean opening the trusted LAN to inbound connections from the internet, and a compromise of any one of them would hand the attacker a foothold among the internal systems.

A DMZ limits the impact of attacks by isolating these public-facing servers.


How a Screened Subnet Works (Simple Explanation)

A DMZ is usually built using firewalls—either:

  • One firewall with multiple interfaces (3-legged firewall), or
  • Two firewalls (dual-firewall DMZ)

1. Three-legged Firewall

A single firewall has three zones:

  1. External (internet)
  2. Internal (trusted network)
  3. DMZ (screened subnet)

The firewall controls:

  • what internet traffic can reach the DMZ,
  • what DMZ systems can reach inside the LAN,
  • and what traffic can pass from the internal network to the DMZ.

This is very common and cost-effective, but the single device is also a single point of failure and a single point of misconfiguration: one wrong rule can expose both the DMZ and the internal network.

2. Dual-Firewall DMZ

Two firewalls protect the DMZ from both sides:

  • Firewall 1: Internet → DMZ
  • Firewall 2: DMZ → Internal network

This setup provides stronger security because an attacker would need to bypass two firewalls, and the two are often from different vendors so that one exploitable flaw or one misconfiguration is unlikely to defeat both. The trade-off is higher cost and two rule sets that must be kept consistent.


Traffic Rules in a DMZ (Very Important for the Exam)

A DMZ uses strict security rules to control traffic.

Typical Rules

Source → Destination        | Allowed?                        | Why
----------------------------|---------------------------------|------------------------------------------
Internet → DMZ              | Yes, limited to specific ports  | Public needs access to web/mail/DNS etc.
Internet → Internal network | No                              | Too risky
DMZ → Internal network      | Very restricted                 | DMZ servers rarely need access inside
Internal network → DMZ      | Allowed (admin, management)     | Admins need to manage the servers

Examples of Allowed Traffic

  • Allow HTTP/HTTPS from internet → web server in DMZ (TCP 80/443 only)
  • Allow DNS queries from internet → DNS server in DMZ (UDP/TCP 53, and only for the zones that server is authoritative for, so it cannot be abused as an open resolver)
  • Allow admin SSH/RDP from internal → DMZ (TCP 22/3389), never in the reverse direction
  • Block all inbound traffic from internet → internal LAN

Important Concept

If a DMZ server is hacked, the attacker cannot directly reach the internal network, because the DMZ → internal rules deny it. That protection is only as good as those rules: whatever the DMZ is allowed to reach inside (for example, a web server's back-end database) is exactly the path an attacker would pivot along, so limit such rules to specific hosts and ports and log everything that is denied.
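As an added example (not part of the original study page or any CompTIA material), the following Python models the three-legged firewall's rule table above as a first-match, default-deny policy, checks sample flows against it, and then audits the policy for pivot paths (every DMZ → internal allow). The subnets, addresses, rule names and the "weak" variant are constructed for illustration; a dual-firewall design splits the same table across the outer and inner device.

```python
"""Zone-based firewall policy for a screened subnet (DMZ).

Added example for this study page; the subnets, addresses and rules are
constructed for illustration and do not come from any vendor or exam source.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")     # constructed DMZ subnet (TEST-NET-1)
INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed internal LAN


def zone_of(ip: str) -> str:
    """Map an address to one of the firewall's three legs."""
    addr = ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "internet"  # anything that is not ours is untrusted


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str           # "tcp" or "udp"
    dports: frozenset    # destination ports; an empty set means "any port"
    action: str          # "allow" or "deny"
    why: str             # the justification an auditor would ask for


# Three-legged firewall policy: first match wins, anything unmatched is denied.
POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), "allow", "public web server"),
    Rule("internet", "dmz", "udp", frozenset({53}), "allow", "authoritative DNS"),
    Rule("internet", "dmz", "tcp", frozenset({53}), "allow", "authoritative DNS (TCP)"),
    Rule("internet", "dmz", "tcp", frozenset({25}), "allow", "inbound mail to relay"),
    Rule("internal", "dmz", "tcp", frozenset({22, 3389}), "allow", "admin SSH/RDP"),
    Rule("dmz", "internal", "tcp", frozenset({5432}), "allow", "web tier to database only"),
    # No internet -> internal rule exists, so that traffic falls to the default deny.
]

# The same policy with a lazy rule an admin might add "to make it work" (constructed).
WEAK_POLICY = POLICY + [Rule("dmz", "internal", "tcp", frozenset(), "allow", "temporary, TODO tighten")]


def evaluate(policy, src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple[str, str]:
    """Return (action, reason) for a single new connection attempt."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (rule.src_zone, rule.dst_zone, rule.proto) != (src_zone, dst_zone, proto):
            continue
        if not rule.dports or dport in rule.dports:
            return rule.action, rule.why
    return "deny", f"default deny ({src_zone} -> {dst_zone})"


def pivot_exposure(policy) -> list[tuple[str, str]]:
    """List what an attacker on a compromised DMZ host could reach inside.

    Every allow rule from the DMZ toward the internal zone is a pivot path;
    a rule with no port restriction is reported as 'any'.
    """
    paths = []
    for rule in policy:
        if rule.action == "allow" and (rule.src_zone, rule.dst_zone) == ("dmz", "internal"):
            ports = ",".join(str(p) for p in sorted(rule.dports)) or "any"
            paths.append((rule.proto, ports))
    return paths


if __name__ == "__main__":
    # Constructed flows: an internet client (TEST-NET-2), a DMZ web server, internal servers.
    checks = [
        ("198.51.100.7", "192.0.2.10", "tcp", 443),   # public web: allow
        ("198.51.100.7", "10.0.5.20", "tcp", 443),    # internet straight into the LAN: deny
        ("192.0.2.10", "10.0.5.20", "tcp", 3389),     # compromised DMZ host tries RDP inside: deny
        ("192.0.2.10", "10.0.5.30", "tcp", 5432),     # web tier to its database: allow
        ("10.0.1.5", "192.0.2.10", "tcp", 22),        # admin SSH into the DMZ: allow
        ("198.51.100.7", "192.0.2.10", "tcp", 22),    # internet SSH into the DMZ: deny
    ]
    for flow in checks:
        print(flow, "->", evaluate(POLICY, *flow))
    print("pivot paths (POLICY):", pivot_exposure(POLICY))
    print("pivot paths (WEAK_POLICY):", pivot_exposure(WEAK_POLICY))
```

The audit function is the check worth running against a real rule set: if it reports anything with port "any", or a destination broader than the one server a DMZ host actually needs, the "compromised DMZ host cannot reach inside" guarantee no longer holds.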


Why It’s Called a “Screened Subnet”

The word screened means:

  • traffic is filtered or screened by the firewall before entering the subnet.

The subnet itself is separate from the internal network and is monitored carefully.


Systems Commonly Placed in a DMZ

For the exam, know these:

  • Web servers (HTTP/HTTPS)
  • Email servers (SMTP)
  • DNS servers
  • Proxy and reverse proxy servers
  • VPN gateways and portals that authenticate external users (the directory they check credentials against stays on the internal network)
  • VoIP gateways exposed to outside networks
  • Public-facing application servers (APIs, portals, etc.)

These servers need to be reachable from outside, but must not expose the internal LAN.


Benefits of a Screened Subnet (DMZ)

1. Protects the Internal Network

If a public-facing server is attacked or compromised, the attacker is contained within the DMZ and the internal LAN remains protected.

2. Controlled Access

Admins can tightly control what traffic can go in and out of the DMZ.

3. Better Monitoring

Security teams can focus intrusion detection on a smaller, more exposed zone.

4. Limits Attack Surface

The DMZ only holds the necessary public-facing systems—not sensitive internal data.


Key Security Techniques Used in a DMZ

1. Firewall Filtering

Only the specific ports each service needs are opened, in each direction; everything else is denied by default.

2. Network Segmentation

DMZ is a separate subnet (VLAN or physical) from internal networks.

3. Intrusion Detection/Prevention (IDS/IPS)

Monitoring and alerting for suspicious activity in the DMZ is common.

4. Reverse Proxying

External users connect to the reverse proxy in the DMZ; it forwards only permitted requests to the back-end application server, which never accepts connections from the internet directly.

5. Logging and Monitoring

DMZ traffic is heavily logged for security audits and threat detection.
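As an added example for the monitoring and logging points above (not from the original page), this Python scans firewall deny records for a DMZ host that is probing the internal network, the signature of an attacker using a compromised public-facing server as a pivot. The log lines are constructed in a generic key=value layout, not any vendor's real format, and the subnets are assumed.

```python
"""Spot a DMZ host probing the internal network from firewall deny logs.

Added example for this study page. The log lines below are constructed in
a generic key=value layout; real firewalls use their own formats and you
would adapt LINE_RE accordingly.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")     # constructed DMZ subnet
INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed internal LAN

# Constructed sample: one DMZ web server (192.0.2.10) sweeping internal hosts
# for SMB/RDP/SSH after a hypothetical compromise, mixed with normal traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:05Z action=DENY src=192.0.2.10 dst=10.0.5.20 proto=tcp dport=445
2024-05-01T10:00:06Z action=DENY src=192.0.2.10 dst=10.0.5.20 proto=tcp dport=3389
2024-05-01T10:00:07Z action=DENY src=192.0.2.10 dst=10.0.5.21 proto=tcp dport=445
2024-05-01T10:00:08Z action=DENY src=192.0.2.10 dst=10.0.5.22 proto=tcp dport=22
2024-05-01T10:00:09Z action=ALLOW src=192.0.2.10 dst=10.0.5.30 proto=tcp dport=5432
2024-05-01T10:00:12Z action=DENY src=198.51.100.9 dst=10.0.5.20 proto=tcp dport=3389
2024-05-01T10:00:15Z action=DENY src=192.0.2.11 dst=10.0.5.30 proto=tcp dport=5432
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse(log: str):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def dmz_pivot_attempts(log: str, threshold: int = 3) -> dict[str, list[tuple[str, int]]]:
    """Return DMZ sources whose denied connections into the internal zone hit
    at least `threshold` distinct (destination, port) pairs.

    Denies from the internet toward the internal LAN are ignored here: they are
    expected background scanning. A DMZ host doing the same thing is not
    expected, and that is the signal worth alerting on.
    """
    attempts: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for ev in parse(log):
        if ev["action"] != "DENY":
            continue
        if ip_address(ev["src"]) in DMZ_NET and ip_address(ev["dst"]) in INTERNAL_NET:
            attempts[ev["src"]].add((ev["dst"], int(ev["dport"])))
    return {src: sorted(targets) for src, targets in attempts.items() if len(targets) >= threshold}


if __name__ == "__main__":
    for src, targets in dmz_pivot_attempts(SAMPLE_LOG).items():
        print(f"ALERT: DMZ host {src} probed {len(targets)} internal targets: {targets}")
```

Because a correctly configured DMZ denies almost everything from the DMZ toward the inside, the deny log for that direction should be nearly empty; a burst of distinct internal targets from one DMZ address is a high-signal, low-volume alert that is cheap to keep in place.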


Exam Tips (Very Important)

✔ A DMZ hosts public-facing servers
✔ A DMZ is separate from both the internal LAN and the internet
✔ A DMZ is protected by one or two firewalls
✔ If a DMZ server is compromised, the internal LAN is still protected
✔ Only specific, limited traffic is allowed from the internet
✔ Internal network access from the DMZ should be minimized or blocked

Expect questions like:

  • “Where should you place a public-facing web server?” → DMZ
  • “Which zone provides limited trust between internet and internal LAN?” → Screened subnet / DMZ
  • “Why use two firewalls for a DMZ?” → Stronger security
  • “What is placed inside a DMZ?” → Web, DNS, mail, proxy servers

Short Summary for Students

A screened subnet (DMZ) is a special, isolated network used for public-facing systems. It sits between the internet and the internal network. Firewalls carefully control all traffic going in and out, which protects the internal network even if a DMZ server is attacked. It is one of the most important security zones you must understand for the Network+ exam.
