Infrastructure Security Foundations (Domain 3)

In this episode, we’re laying the groundwork for secure network architecture with a focus on infrastructure security foundations. These include proper device placement, the use of security zones, and effective attack surface management. Together, these principles define the structure of a secure environment and help prevent threats from reaching critical systems in the first place.
Let’s begin with device placement. Strategic placement of security and networking devices plays a vital role in both preventing and detecting attacks. If a firewall is placed in the wrong location, it can’t block threats effectively. If a server is placed in an exposed segment, it becomes a tempting target. Proper placement is about putting the right defenses in the right places.
For example, firewalls are typically placed at the network perimeter, where they serve as the first line of defense between the internal network and the internet. But many organizations also use internal firewalls between segments—such as between user workstations and sensitive databases. This segmentation ensures that even if one area is compromised, attackers can’t move freely across the network.
Intrusion detection systems and intrusion prevention systems should also be strategically placed. An IDS is often positioned just inside the firewall to monitor traffic entering the internal network; it is usually fed a copy of the traffic from a SPAN port or network tap, so it observes out of band and cannot block anything on its own. An IPS is placed in-line, in the actual traffic path, so it can actively block malicious traffic before it reaches critical systems. That in-line position is also why an IPS needs a deliberate fail-open or fail-closed decision: if the device dies, either traffic bypasses it or traffic stops. The key is to ensure that these tools have visibility into the right data flows, whether they're protecting web servers, file servers, or workstations. An IDS that never sees the flow to the database cannot detect an attack on it.
A common best practice is the use of a demilitarized zone, or DMZ. This is a buffer segment that sits between the public internet and the internal network, with a firewall policy on each side. Public-facing services like web servers, mail servers, and authoritative DNS servers are placed in the DMZ. Recursive DNS resolvers, by contrast, should serve only internal clients and not be exposed to the internet, since an open resolver can be abused for amplification attacks. If a DMZ system is compromised, the attacker is confined to that segment: traffic from the DMZ into the internal network is still filtered by the inner firewall, so a compromised web server does not give a direct path to sensitive internal assets.
Let’s now move to security zones. Security zones are defined areas of the network that have different levels of trust, access, and security requirements. The simplest model includes three zones: trusted, semi-trusted, and untrusted.
The trusted zone is the internal network. This includes workstations, file servers, internal applications, and management interfaces. The semi-trusted zone includes areas like the DMZ, partner networks, or segmented user networks. Systems in these zones accept some traffic from less trusted sources, so they are trusted less than core infrastructure, and their access into the trusted zone is tightly restricted even though they are still protected by their own controls. The untrusted zone includes the public internet, guest networks, and anything not under the organization's control.
Each zone has its own security policies. Firewalls and access control lists enforce communication boundaries between zones. For example, traffic from the untrusted internet should never have direct access to the trusted network. It should flow through controlled entry points, be inspected, and be filtered according to policy.
Segmentation is the core technique used to define these zones. You can segment by IP subnets, VLANs, physical interfaces, or software-defined networking rules. Keep in mind that a VLAN by itself only separates broadcast domains; the zone boundary only exists if the traffic between VLANs passes through a firewall or a router with access control lists that actually enforce the policy. Zone-specific controls may include rate limiting, deeper inspection, multi-factor authentication, and tighter logging.
Defining and enforcing security zones limits lateral movement by attackers, restricts the spread of malware, and supports compliance efforts by isolating regulated systems.
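The following is an added example, not part of the original episode, that models the zone policy described above as a small default-deny rule set: addresses are classified into trusted, DMZ, or untrusted zones, and a flow is allowed only if an explicit inter-zone rule permits it. The address ranges, host names, rule set, and the `evaluate` function are all assumptions made for illustration, and the addresses are drawn from documentation ranges rather than any real network. It shows concretely why "internet to DMZ web on 443" passes, why "internet to the trusted zone" never does, and why a DMZ host other than the web server still cannot reach the database.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Security zones defined by address space (constructed for this example).
# Anything that does not fall into a listed zone is treated as untrusted,
# which is how the public internet ends up in the untrusted zone by default.
ZONES = {
    "trusted": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("192.168.100.0/24")],
}

# Hypothetical hosts used in the rules below.
WEB_SERVER = "192.168.100.10"   # public-facing web server in the DMZ
DB_SERVER = "10.10.5.20"        # database in the trusted zone


def zone_of(ip: str) -> str:
    """Classify an address into a zone; unlisted space is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None          # None = any port
    src_hosts: FrozenSet[str] = frozenset()  # empty = any host in src_zone
    dst_hosts: FrozenSet[str] = frozenset()  # empty = any host in dst_zone
    comment: str = ""


# Explicit inter-zone allow rules. First match wins; no match means deny.
# Note there is deliberately no rule with src_zone "untrusted" and
# dst_zone "trusted": internet traffic never reaches the trusted zone directly.
POLICY = [
    Rule("untrusted", "dmz", 443, dst_hosts=frozenset({WEB_SERVER}),
         comment="public HTTPS to the DMZ web server only"),
    Rule("dmz", "trusted", 5432, frozenset({WEB_SERVER}), frozenset({DB_SERVER}),
         comment="web tier to its database, nothing else"),
    Rule("trusted", "dmz", None, comment="internal admins manage DMZ hosts"),
    Rule("trusted", "untrusted", None, comment="internal egress to the internet"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for a single flow crossing the zone firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        # Same zone: the traffic never crosses the zone boundary, so the
        # zone firewall is not in the path (host firewalls / ACLs apply instead).
        return "allow", f"intra-zone traffic within {src_zone}"
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if rule.src_hosts and src_ip not in rule.src_hosts:
            continue
        if rule.dst_hosts and dst_ip not in rule.dst_hosts:
            continue
        return "allow", rule.comment
    return "deny", f"no rule permits {src_zone} -> {dst_zone}:{dst_port} (default deny)"


if __name__ == "__main__":
    flows = [
        ("203.0.113.50", WEB_SERVER, 443),   # internet -> DMZ web: allowed
        ("203.0.113.50", WEB_SERVER, 22),    # internet -> DMZ SSH: denied
        ("203.0.113.50", DB_SERVER, 5432),   # internet -> trusted DB: denied
        (WEB_SERVER, DB_SERVER, 5432),       # web -> DB: allowed
        ("192.168.100.11", DB_SERVER, 5432), # other DMZ host -> DB: denied
        (WEB_SERVER, "10.10.1.5", 22),       # web -> workstation SSH: denied
        ("10.10.1.5", "203.0.113.50", 443),  # internal egress: allowed
    ]
    for src, dst, port in flows:
        action, reason = evaluate(src, dst, port)
        print(f"{src:>15} -> {dst:>15}:{port:<5} {action:5} {reason}")
```

The important design choice is the default-deny at the end of `evaluate`: lateral movement is blocked not by a rule that forbids it but by the absence of a rule that permits it, and the only DMZ-to-trusted rule is pinned to both a source host and a destination host, so compromising some other DMZ machine does not inherit the web server's database access.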
Now let’s talk about attack surface management. The attack surface is the total set of points where an unauthorized user could try to enter or extract data from your environment. This includes exposed ports, active services, APIs, applications, and even users. The larger the attack surface, the more opportunities an attacker has to succeed.
Managing the attack surface starts with discovery. You need to know what systems exist, what ports are open, what software is running, and who has access. This involves asset inventory, vulnerability scanning, port scanning, and monitoring tools that detect new devices or services as they appear on the network.
Once you understand your attack surface, the next step is reduction. This means closing unused ports, disabling unnecessary services, and removing software that is no longer required. It also includes limiting external exposure. For example, not every web application needs to be accessible from the internet. By restricting external access, you immediately reduce risk.
You can also reduce attack surface by simplifying architecture. Fewer tools, fewer integrations, and fewer externally accessible services make systems easier to defend. Every dependency you remove is one less thing that can break, misbehave, or be exploited.
A real-world example of attack surface management came from a company that used a scanner to map all public-facing IP addresses. They discovered that a forgotten development server was still online—and still using default credentials. The system was taken offline before it could be exploited. The lesson was simple: visibility leads to control.
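As an added example that is not part of the original episode, the following code turns the discovery and reduction steps above, and the forgotten-server story, into a repeatable check: it parses the output of an external port scan and compares what is actually exposed against an approved-exposure baseline. The scan output is in the real nmap "grepable" (`-oG`) format, but the sample itself is constructed, the hosts use documentation addresses, and the `APPROVED` baseline and the function names are assumptions made for illustration. Host 203.0.113.14 plays the part of the forgotten development server: it is up, it has no entry in the baseline, and everything it listens on is reported. Whether such a host still uses default credentials is a separate hygiene check that this code does not attempt.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample of nmap -oG output, as if produced by scanning the
# organisation's public prefix from outside. Not real scan data.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG external.gnmap 203.0.113.0/28
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65533)
Host: 203.0.113.11 (mail.example.com)\tStatus: Up
Host: 203.0.113.11 (mail.example.com)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 8443/open/tcp//https-alt///
Host: 203.0.113.14 ()\tStatus: Up
Host: 203.0.113.14 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# Hypothetical approved external exposure: the only (host, port) pairs that are
# supposed to be reachable from the internet. Everything else is attack surface.
APPROVED: Dict[str, Set[int]] = {
    "203.0.113.10": {80, 443},
    "203.0.113.11": {25, 443},
}

# -oG port fields look like: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_open_ports(gnmap: str) -> Dict[str, Dict[int, str]]:
    """Map host -> {tcp port: service name} for every open port in -oG output."""
    found: Dict[str, Dict[int, str]] = defaultdict(dict)
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and 'Status: Up' lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, proto, service in PORT_RE.findall(ports_field):
            if proto == "tcp":
                found[host][int(port)] = service or "unknown"
    return dict(found)


def unapproved_exposure(observed: Dict[str, Dict[int, str]],
                        approved: Dict[str, Set[int]]) -> Dict[str, Dict[int, str]]:
    """Return host -> {port: service} for every open port not in the baseline.

    A host missing from the baseline has no approved ports at all, so all of
    its open ports are reported; that is the 'forgotten server' case."""
    findings: Dict[str, Dict[int, str]] = {}
    for host, ports in observed.items():
        allowed = approved.get(host, set())
        extra = {p: s for p, s in ports.items() if p not in allowed}
        if extra:
            findings[host] = extra
    return findings


def unknown_hosts(observed: Dict[str, Dict[int, str]],
                  approved: Dict[str, Set[int]]) -> List[str]:
    """Hosts that answered the scan but are not in the inventory at all."""
    return sorted(set(observed) - set(approved))


if __name__ == "__main__":
    observed = parse_open_ports(SCAN_OUTPUT)
    for host in unknown_hosts(observed, APPROVED):
        print(f"[!] {host} is up but not in the approved inventory")
    for host, ports in unapproved_exposure(observed, APPROVED).items():
        for port, service in sorted(ports.items()):
            print(f"[!] {host}:{port} ({service}) is exposed but not approved")
```

Run against the constructed sample, the check reports the extra 8443 listener on the mail server and all three services on 203.0.113.14. Scheduling this comparison after every external scan is what turns one-off discovery into attack surface management: new listeners and new hosts show up as a diff against the baseline instead of waiting for someone to notice them.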
As you prepare for the Security Plus exam, know how device placement, zoning, and attack surface management work together. You may be asked to recommend secure placement of a firewall, define a DMZ, or evaluate a scenario where a misconfigured system expands the attack surface. Be ready to choose segmentation techniques, identify indicators of an exposed service, or suggest ways to shrink the visible footprint of a network. Focus on visibility, control, and isolation as your architectural guideposts.
