Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

1.4.2. Trust Boundaries and Segmentation

Networks divide into zones of trust. Traffic crossing a boundary between zones should be inspected and controlled.

Key concepts for the exam:
  • Screened subnet (DMZ): Semi-trusted zone for public-facing services. If compromised, attackers still face another firewall before reaching internal resources.
  • Network segmentation: Separating departments, IoT devices, and guests limits blast radius—a compromised IoT camera can't reach the finance server.
  • Zero trust: Assumes the network is already compromised. Every access request is authenticated and authorized, regardless of whether it comes from "inside."
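
As an added illustration (not part of the original study guide), the Python sketch below audits a firewall rule list against a zone model and reports every allow rule that lets traffic cross a trust boundary without an approved flow. The addressing plan, approved ports and rule set are all constructed for the example.

```python
import ipaddress

# Constructed addressing plan (assumed for this example, not from the page).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "dmz": "192.0.2.0/24",      # screened subnet
    "finance": "10.10.0.0/24",
    "iot": "10.20.0.0/24",
    "guest": "10.30.0.0/24",
}.items()}

# Approved boundary crossings; "*" = any source zone, "external" = no zone.
ALLOWED = {
    ("*", "dmz"): {443},           # public-facing service
    ("dmz", "finance"): {8443},    # hypothetical app-to-backend API
    ("guest", "external"): {443},  # guests get internet only
}

def zones_touched(cidr):
    """Every zone a CIDR overlaps, plus 'external' if it spills outside them."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("external")
    return hit

def audit(rules):
    """Return (rule_id, src_zone, dst_zone, port) for each disallowed crossing."""
    findings = []
    for rid, action, src, dst, port in rules:
        if action != "allow":
            continue
        for s in zones_touched(src):
            for d in zones_touched(dst) - {s}:  # same-zone traffic crosses no boundary
                ok = ALLOWED.get((s, d), set()) | ALLOWED.get(("*", d), set())
                if port not in ok:
                    findings.append((rid, s, d, port))
    return sorted(findings)

# Constructed rule set: (id, action, source CIDR, destination CIDR, dest port).
RULES = [
    ("R1", "allow", "0.0.0.0/0", "192.0.2.0/24", 443),      # public web in DMZ
    ("R2", "allow", "192.0.2.10/32", "10.10.0.5/32", 8443), # DMZ app to backend
    ("R3", "allow", "10.20.0.0/24", "10.10.0.0/24", 445),   # IoT to finance
    ("R4", "allow", "0.0.0.0/0", "10.10.0.5/32", 3389),     # any to finance host
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print("%s: %s -> %s port %d crosses a boundary without approval" % finding)
```

R3 is the IoT-to-finance case from the segmentation bullet. R4 shows why an "any" source matters: it opens the finance host to every zone at once, bypassing the screened subnet.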

Written by Alvin Varughese
Founder, 15 professional certifications