Study Guide: CompTIA Security+ Study Guide - Network Segmentation, DMZ, and Micro-Segmentation
Source: https://www.fatskills.com/comptia-security-/chapter/tech-comptia-security-study-guide-network-segmentation-dmz-and-micro-segmentation

CompTIA Security+ Study Guide - Network Segmentation, DMZ, and Micro-Segmentation

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CompTIA Security+ Study Guide: Network Segmentation, DMZ, and Micro-Segmentation

Hyper-practical, zero-fluff, hands-on playbook for real-world security engineers


1. What This Is & Why It Matters

Network segmentation is slicing a flat network into isolated zones to contain breaches, reduce attack surfaces, and enforce least privilege. A DMZ (Demilitarized Zone) is a semi-trusted buffer between the internet and your internal network, while micro-segmentation takes this further by isolating workloads inside the same network (e.g., separating a database from an app server).

Why this matters in production:
  • Without segmentation, a single compromised host (e.g., a misconfigured web server) can pivot to your entire network. Think of a fire in a building with no fire walls: it spreads unchecked.
  • DMZs let you expose public services (web, email, VPN) without risking your internal LAN. If your web server gets hacked, the attacker still can’t reach your HR or finance systems.
  • Micro-segmentation is critical in cloud and containerized environments. If a Kubernetes pod is breached, micro-segmentation ensures it can’t talk to other pods unless a policy explicitly allows it.

Real-world scenario: You’re a security engineer at a healthcare company. A ransomware attack hits your public-facing web portal. Without segmentation, the malware spreads to your patient records database (HIPAA violation = fines + lawsuits). With segmentation, the breach is contained to the DMZ, and your internal systems stay safe.


2. Core Concepts & Components

Network Segmentation
  Definition: Dividing a network into smaller subnets to control traffic flow between them.
  Production insight: If you don’t segment, a single compromised device can scan and attack your entire LAN.

DMZ (Demilitarized Zone)
  Definition: A semi-trusted network segment between the internet and the internal LAN.
  Production insight: Never put internal databases in the DMZ; only public-facing services (web, email, VPN) belong there.

Firewall
  Definition: A device or software that enforces access control between network segments.
  Production insight: A misconfigured rule (e.g., ANY:ANY ALLOW) is a top cause of breaches.

VLAN (Virtual LAN)
  Definition: Logical segmentation of a network at Layer 2 (switch level).
  Production insight: VLANs alone don’t provide security; you need ACLs or a firewall at the Layer 3 boundary between VLANs to enforce rules.

ACL (Access Control List)
  Definition: Rules that permit or deny traffic based on IP, port, or protocol.
  Production insight: Traditional router/switch ACLs (and AWS NACLs) are stateless: they don’t track connections, so return traffic needs its own rule.

Micro-Segmentation
  Definition: Fine-grained segmentation at the workload level (VMs, containers).
  Production insight: Critical in cloud environments (AWS Security Groups, Azure NSGs, Kubernetes Network Policies).

Zero Trust
  Definition: "Never trust, always verify": every request is authenticated and authorized regardless of where on the network it comes from.
  Production insight: Micro-segmentation is a key enabler of Zero Trust.

East-West Traffic
  Definition: Traffic between servers inside your network (e.g., app → database).
  Production insight: Lateral movement is east-west traffic; a perimeter firewall that only inspects north-south traffic never sees it.

North-South Traffic
  Definition: Traffic entering or leaving your network (e.g., user → web server).
  Production insight: DMZs control north-south traffic; micro-segmentation controls east-west.
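The stateless-versus-stateful distinction in the table is easiest to see by pushing a TCP handshake through both. The following is an added example, not code from the study guide: a toy packet filter on the DMZ interface, using the lab's addresses (10.0.0.10 web server, 192.168.1.100 LAN host) and a made-up internet client 203.0.113.5. It shows that a stateless ACL drops the web server's SYN-ACK unless you add a return-traffic rule, and that the usual workaround (allow anything from source port 80) also lets a compromised web server pivot into the LAN from source port 80, which a stateful firewall with the same rules blocks.

```python
"""Added example, not from the study guide: stateless ACL vs. stateful firewall.

A toy packet filter sitting on the DMZ interface. Rules, addresses and the
TCP handshake below are constructed for the demo; nothing touches a real
network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" = SYN (new connection), "SA" = SYN-ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: str = "any"              # CIDR or "any"
    sport: Optional[int] = None   # None = any port
    dst: str = "any"
    dport: Optional[int] = None


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def _rule_match(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))


class StatelessACL:
    """First match wins, top-down; no match means implicit deny."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if _rule_match(rule, pkt):
                return rule.action
        return "block"


class StatefulFirewall(StatelessACL):
    """Same rules, plus a connection table keyed on the permitted SYN's 4-tuple.
    Packets of a tracked connection pass in both directions without consulting
    the rules, which is how pfSense or a Security Group lets the SYN-ACK back
    out with no explicit return rule."""
    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.state = set()

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            return "pass"
        verdict = super().decide(pkt)
        if verdict == "pass" and pkt.flags == "S":   # only a permitted SYN creates state
            self.state.add(forward)
        return verdict


# Constructed traffic: an internet client talks to the DMZ web server, then a
# compromised web server tries to pivot into the LAN from source port 80.
CLIENT, WEB, LAN_HOST = "203.0.113.5", "10.0.0.10", "192.168.1.100"
HANDSHAKE = [
    Packet(CLIENT, 51000, WEB, 80, "S"),
    Packet(WEB, 80, CLIENT, 51000, "SA"),      # return traffic
    Packet(CLIENT, 51000, WEB, 80, "A"),
]
PIVOT = Packet(WEB, 80, LAN_HOST, 22, "S")

MINIMAL_RULES = [Rule("pass", dst="10.0.0.10/32", dport=80)]
# The classic stateless "fix": let anything *from* port 80 on the web server out.
STATELESS_WORKAROUND = MINIMAL_RULES + [Rule("pass", src="10.0.0.10/32", sport=80)]


def verdicts(fw: StatelessACL, packets: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in packets]


def demo() -> dict:
    return {
        "stateless_minimal": verdicts(StatelessACL(MINIMAL_RULES), HANDSHAKE),
        "stateless_workaround": verdicts(StatelessACL(STATELESS_WORKAROUND), HANDSHAKE + [PIVOT]),
        "stateful": verdicts(StatefulFirewall(MINIMAL_RULES), HANDSHAKE + [PIVOT]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

With the minimal rule set the stateless ACL blocks the second packet (the SYN-ACK), so the site is unreachable; with the workaround every packet passes, including the pivot to 192.168.1.100:22. The stateful firewall passes the whole handshake from state and still blocks the pivot, which is why the guide prefers stateful enforcement (pfSense, Security Groups) over plain ACLs.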

3. Step-by-Step Hands-On: Deploying a DMZ with a Firewall (Using pfSense)

Prerequisites:
  • A hypervisor (VirtualBox, VMware, or bare metal).
  • pfSense ISO (free download: https://www.pfsense.org/download/).
  • Two additional VMs (e.g., Ubuntu for a web server, Kali Linux for testing).

Step 1: Set Up the Network Topology

You’ll create:
  • WAN (Internet): simulated by a VirtualBox NAT network.
  • DMZ: a separate subnet for public-facing services.
  • LAN: the internal network (no direct internet exposure).

VirtualBox Network Setup:
  1. Go to File → Preferences → Network.
  2. Add two Host-Only Networks:
     • vboxnet0 (LAN, e.g., 192.168.1.0/24).
     • vboxnet1 (DMZ, e.g., 10.0.0.0/24).
  3. Configure the pfSense VM with 3 network adapters:
     • Adapter 1: NAT (WAN).
     • Adapter 2: Host-Only (vboxnet0, LAN).
     • Adapter 3: Host-Only (vboxnet1, DMZ).

Step 2: Install pfSense

  1. Boot the pfSense ISO in your VM.
  2. Accept defaults until you reach Assign Interfaces, then map:
     • WAN: em0 (NAT).
     • LAN: em1 (vboxnet0).
     • OPT1 (DMZ): em2 (vboxnet1).
  3. Set IP addresses:
     • LAN: 192.168.1.1/24.
     • OPT1 (DMZ): 10.0.0.1/24.
  4. Complete installation and reboot. In the web UI you can rename OPT1 to DMZ under Interfaces → OPT1 so the rule tabs read as below.

Step 3: Configure Firewall Rules

Goal: Allow internet → DMZ web server on 80/443, block DMZ → LAN, and let the DMZ reach the internet for updates.

pfSense evaluates rules on the interface where traffic enters the firewall, top-down, first match wins. An interface with no rules at all (like a fresh OPT1) denies everything.

  1. Log in to the pfSense web UI (https://192.168.1.1) from a LAN host.
  2. Publish the web server: Firewall → NAT → Port Forward, add:
     • Interface: WAN; Protocol: TCP; Destination: WAN address; Destination port: 80; Redirect target IP: 10.0.0.10; Redirect target port: 80.
     • Repeat for 443. Leave "Filter rule association" on "Add associated filter rule" so the matching WAN pass rule is created for you (internet → 10.0.0.10 is allowed on WAN, not on the DMZ tab).
  3. Firewall → Rules → DMZ, add a block rule and put it first:
     • Action: Block; Interface: DMZ; Protocol: Any; Source: DMZ net; Destination: LAN net (192.168.1.0/24).
  4. Below it, add a pass rule so the DMZ can reach the internet (needed for apt in Step 4); because the block rule sits above it, the LAN stays unreachable:
     • Action: Pass; Interface: DMZ; Protocol: Any; Source: DMZ net; Destination: Any.
  5. Apply changes.

Step 4: Deploy a Web Server in the DMZ

  1. Create an Ubuntu VM in VirtualBox.
  2. Attach it to vboxnet1 (DMZ).
  3. Assign IP 10.0.0.10/24, gateway 10.0.0.1, and DNS 10.0.0.1 (pfSense's DNS Resolver answers on all interfaces by default).
  4. Install Apache:

     sudo apt update && sudo apt install apache2 -y
     sudo systemctl enable --now apache2

  5. Test from your host machine: open http://10.0.0.10 in a browser (your host has an address on vboxnet1). You should see the Apache default page. This test bypasses pfSense; Step 5 tests the path through the firewall.

Step 5: Test Segmentation

  1. From the web server (DMZ), try to reach the LAN. Both should fail (blocked by the DMZ rule; a silent drop shows up as a timeout, not a refusal):

     ping -c 3 192.168.1.100
     nc -zv -w 3 192.168.1.100 22

  2. From a Kali VM on the WAN side, scan pfSense's WAN address, not 10.0.0.10 directly: the DMZ is only reachable from outside through the port forward. For Kali to share a segment with pfSense's WAN, both adapters must use the same VirtualBox "NAT Network" rather than the per-VM "NAT" mode:

     nmap -sV <pfSense WAN IP>    # only 80 (and 443 if you forwarded it) should show

Expected Output:

Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for <pfSense WAN IP>
Host is up (0.00045s latency).
PORT    STATE  SERVICE VERSION
80/tcp  open   http    Apache httpd 2.4.41 ((Ubuntu))
443/tcp closed https

A default apache2 install listens only on port 80; 443 opens once you enable Apache's ssl module and a TLS-enabled site. Nothing from 192.168.1.0/24 should appear from the WAN side at all, because the LAN is neither routed nor forwarded.
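Step 5 is the kind of check that should be repeatable rather than done by hand once. The following is an added example, not from the study guide: a small reachability-matrix checker in Python. Each Expectation records what the segmentation design says should happen, and the checker reports both kinds of mismatch: a path that should be blocked but connects (a hole) and a path that should work but does not (a rule that breaks the application). The LAB_MATRIX entries use this page's lab addresses and assume you run it from the DMZ web server; the hostname archive.ubuntu.com is my assumption for "outbound internet works". The loopback helpers exist only so the logic can be exercised on one machine.

```python
"""Added example, not from the study guide: a reachability matrix for the lab."""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Expectation:
    host: str
    port: int
    should_reach: bool
    note: str = ""


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes. A refusal (RST) and a timeout (silent
    drop) both count as unreachable; firewalls may do either."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # ConnectionRefusedError and socket.timeout are OSError subclasses
        return False


def check_matrix(expectations: List[Expectation],
                 probe: Callable[[str, int], bool] = tcp_reachable) -> List[Tuple[Expectation, bool]]:
    """Return (expectation, observed) for every expectation the network violates."""
    violations = []
    for e in expectations:
        observed = probe(e.host, e.port)
        if observed != e.should_reach:
            violations.append((e, observed))
    return violations


def describe(violations: List[Tuple[Expectation, bool]]) -> List[str]:
    """HOLE = reachable when it should be blocked; BROKEN = blocked when it should work."""
    out = []
    for e, observed in violations:
        kind = "HOLE" if observed else "BROKEN"
        want = "reachable" if e.should_reach else "blocked"
        out.append(f"{kind}: {e.host}:{e.port} expected {want} ({e.note})")
    return out


# Constructed for the lab in this guide; run from the DMZ web server (10.0.0.10).
LAB_MATRIX = [
    Expectation("192.168.1.100", 22, False, "DMZ -> LAN host must be blocked"),
    Expectation("192.168.1.1", 443, False, "DMZ -> pfSense LAN web UI must be blocked"),
    Expectation("archive.ubuntu.com", 80, True, "DMZ -> internet for apt (assumes DNS works)"),
]


# Loopback helpers so the checker can be exercised without the lab.
def open_loopback_port() -> Tuple[socket.socket, int]:
    """A listening socket on 127.0.0.1; the kernel completes handshakes into the backlog."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_loopback_port() -> int:
    """Bind and release a port so that connecting to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, ok_port = open_loopback_port()
    self_check = [Expectation("127.0.0.1", ok_port, True, "listener"),
                  Expectation("127.0.0.1", closed_loopback_port(), False, "nothing listening")]
    print(describe(check_matrix(self_check)) or ["loopback self-check passed"])
    srv.close()
    if "--lab" in sys.argv:        # only probe the lab addresses when asked
        for line in describe(check_matrix(LAB_MATRIX)):
            print(line)
```

Run it with --lab from the DMZ host after every firewall change; an empty report means the rules still match the design. The same script, with a different matrix, is the "Test segmentation" check recommended under Observability in section 4.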

4. Production-Ready Best Practices

Security

  • Least privilege: Only allow necessary traffic (e.g., web server → database on port 3306, not ANY).
  • Default deny: Start with DENY ALL and add exceptions.
  • Stateful firewalls: Use them (pfSense, AWS Security Groups) instead of stateless ACLs where possible.
  • Segment by function: Group servers by role (e.g., web-tier, db-tier, admin-tier).
  • Isolate legacy systems: Old Windows XP machines should be in their own VLAN with no internet access.

Cost Optimization

  • Cloud: Use AWS Security Groups or Azure NSGs (free) instead of third-party firewalls.
  • On-prem: Open-source firewalls (pfSense, OPNsense) save licensing costs.
  • Private connectivity: In cloud, use AWS VPC Endpoints or Azure Private Link to reach platform services without traversing the internet; this also avoids NAT gateway data-processing charges.

Reliability & Maintainability

  • Naming conventions: dmz-web-01, lan-db-01 (not server1, server2).
  • Tagging: In cloud, tag resources by environment (prod, dev) and function (web, db).
  • Change control: Document firewall rule changes (e.g., "Added rule to allow 10.0.0.10 → 192.168.1.20:3306 for app migration").
  • Backup firewall configs: pfSense can export its configuration (Diagnostics → Backup & Restore).

Observability

  • Log firewall denies: Set up alerts for repeated denies (possible attack).
  • Monitor east-west traffic: Tools like Zeek (Bro) or AWS VPC Flow Logs can detect lateral movement.
  • Test segmentation: Regularly scan your network to verify rules (e.g., nmap from a DMZ host to LAN should fail).
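"Log firewall denies and alert on repeats" is a detection rule, so here it is as one. The following is an added example, not from the study guide: a Python script that parses pfSense-style filterlog lines and raises two alerts, repeated denies from one source to one destination (a misconfigured app, or a pivot attempt that keeps retrying) and one source blocked on many distinct destination ports (a scan). The log lines are constructed for the example by a helper in the block; the field positions follow the pfSense filterlog CSV layout as I know it (rule, subrule, anchor, tracker, interface, reason, action, direction, IP version, then for IPv4 tos, ecn, ttl, id, offset, flags, protocol id, protocol, length, source, destination, then for TCP/UDP source port, destination port), which you should verify against your pfSense version before trusting the indices.

```python
"""Added example, not from the study guide: alert on repeated firewall denies."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional


def make_line(action: str, proto: str, src: str, dst: str, sport: int, dport: int,
              iface: str = "em2") -> str:
    """Build a constructed syslog line in filterlog CSV format (demo input only)."""
    proto_id = 6 if proto == "tcp" else 17
    return (f"Jan 10 12:00:01 pfSense filterlog[3456]: "
            f"5,,,1000000103,{iface},match,{action},in,4,0x0,,64,1234,0,DF,"
            f"{proto_id},{proto},60,{src},{dst},{sport},{dport},0,S,1,,65535,,mss")


def parse_filterlog(line: str) -> Optional[Dict]:
    """Return the fields we care about, or None for non-filterlog / non-IPv4 / non-TCP/UDP lines.
    Indices assume the pfSense filterlog layout described in the lead-in."""
    if "filterlog[" not in line:
        return None
    csv = line.split("]: ", 1)[1].split(",")
    if len(csv) < 22 or csv[8] != "4" or csv[16] not in ("tcp", "udp"):
        return None
    return {"iface": csv[4], "action": csv[6], "proto": csv[16],
            "src": csv[18], "dst": csv[19], "sport": int(csv[20]), "dport": int(csv[21])}


def detect(lines: List[str], repeat_threshold: int = 5, scan_threshold: int = 5) -> List[Dict]:
    """Evaluate one batch of log lines (e.g. the last five minutes) and return alerts."""
    pair_counts = Counter()                  # (src, dst) -> number of blocked packets
    targets_by_src = defaultdict(set)        # src -> distinct (dst, dport) it was blocked on
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block":
            continue                          # passes and unrelated syslog lines are ignored
        pair_counts[(rec["src"], rec["dst"])] += 1
        targets_by_src[rec["src"]].add((rec["dst"], rec["dport"]))

    alerts = []
    for (src, dst), n in sorted(pair_counts.items()):
        if n >= repeat_threshold:
            alerts.append({"type": "repeated_deny", "src": src, "dst": dst, "count": n})
    for src, targets in sorted(targets_by_src.items()):
        if len(targets) >= scan_threshold:
            alerts.append({"type": "port_scan", "src": src, "distinct_targets": len(targets)})
    return alerts


# Constructed batch: the DMZ web server probing the LAN (what a compromised
# host does), one stray hit on the DB port, a passed inbound web request on
# the WAN interface, and an unrelated sshd line.
SAMPLE_LOG = [make_line("block", "tcp", "10.0.0.10", "192.168.1.100", 40000 + i, p)
              for i, p in enumerate((21, 22, 23, 25, 80, 443))]
SAMPLE_LOG.append(make_line("block", "tcp", "10.0.0.10", "192.168.1.20", 40100, 3306))
SAMPLE_LOG.append(make_line("pass", "tcp", "198.51.100.7", "10.0.0.10", 52000, 80, iface="em0"))
SAMPLE_LOG.append("Jan 10 12:00:02 pfSense sshd[999]: Accepted publickey for admin")

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample batch this yields one repeated_deny alert for 10.0.0.10 → 192.168.1.100 (six blocks) and one port_scan alert for 10.0.0.10 (seven distinct targets). A DMZ host that is blocked from the LAN more than a handful of times is either misconfigured or compromised; either way it is worth a ticket, and with remote logging (Status → System Logs → Settings) you can run this against a central collector instead of the firewall itself.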

5. Common Mistakes & Traps

Mistake: Overly permissive rules (e.g., ANY:ANY ALLOW)
  Symptom: Unauthorized access, lateral movement.
  Fix/Prevention: Start from deny-all, add specific rules, and audit the rule base quarterly.

Mistake: No DMZ for public services
  Symptom: Internal databases exposed to the internet.
  Fix/Prevention: Always put public-facing services in a DMZ, never on the LAN.

Mistake: VLANs without ACLs/firewalls
  Symptom: VLANs alone are not a security boundary; a misconfigured trunk or native VLAN allows VLAN hopping, and nothing filters inter-VLAN traffic.
  Fix/Prevention: Combine VLANs with a firewall or ACLs at the routed boundary, and disable trunk negotiation on access ports.

Mistake: Micro-segmentation too granular
  Symptom: Unmanageable rules, performance overhead.
  Fix/Prevention: Group workloads by function (e.g., web-tier, db-tier) instead of per-server.

Mistake: No testing of segmentation
  Symptom: Rules work in theory but fail in production.
  Fix/Prevention: Test with nmap or curl from each zone, and audit cloud security groups with posture tools (e.g., ScoutSuite).

6. Exam/Certification Focus (CompTIA Security+)

Typical Question Patterns

  1. Scenario-based: "A company wants to expose a web server to the internet while protecting internal databases. What should they implement?"
     Answer: DMZ.
     Trap: "Put the web server on the LAN" (wrong; it exposes the internal network).

  2. Port-based: "Which port should be open between the DMZ and LAN for a database server?"
     Answer: Only the database port: 3306 (MySQL), 1433 (MSSQL), or 5432 (PostgreSQL).
     Trap: "All ports" (wrong; it violates least privilege).

  3. Micro-segmentation: "Which technology enforces micro-segmentation in a cloud environment?"
     Answer: AWS Security Groups, Azure NSGs, or Kubernetes Network Policies.
     Trap: "VLANs" (wrong; VLANs are Layer 2 and not fine-grained enough).

  4. Zero Trust: "Which principle is most aligned with micro-segmentation?"
     Answer: Least privilege or "never trust, always verify."
     Trap: "Defense in depth" (partially correct but not the best answer).

Key Trap Distinctions

Firewall vs. ACL
  Stateful firewalls track connections and allow return traffic automatically; traditional router/switch ACLs (and AWS NACLs) are stateless and need an explicit rule for return traffic.

DMZ vs. LAN
  DMZ = semi-trusted, internet-facing; LAN = internal and more trusted. Public-facing services go in the DMZ, never directly on the LAN.

VLAN vs. Micro-Segmentation
  VLANs = Layer 2 segmentation of broadcast domains; micro-segmentation = per-workload policy (security groups, network policies) enforced at Layer 3/4, sometimes identity- or application-aware, independent of which VLAN or subnet the workload sits in.

East-West vs. North-South
  East-West = internal traffic (e.g., app → DB); North-South = traffic crossing the perimeter (internet ↔ LAN).

7. Hands-On Challenge (with Solution)

Challenge: You’re deploying a web app in AWS. The app has:
  • A public-facing web server (EC2 in a public subnet).
  • A private database (RDS in a private subnet).
  • An admin bastion host (EC2 in a separate private subnet, reached over SSH from the admin network).

Task: Configure Security Groups to:
  1. Allow internet → web server (HTTP/HTTPS).
  2. Allow web server → database (MySQL, port 3306).
  3. Allow admin IP → bastion (SSH, port 22) and bastion → database (port 3306 for DBA access; RDS does not accept SSH).
  4. Block all other traffic (Security Groups deny by default; you only write allow rules).

Solution:

set -euo pipefail
VPC_ID=vpc-123456        # replace with your VPC
ADMIN_IP=YOUR_IP/32      # replace with your admin network

# 1. Web Server Security Group (allow HTTP/HTTPS from the internet)
WEB_SG=$(aws ec2 create-security-group --group-name WebServerSG --description "Allow HTTP/HTTPS from internet" --vpc-id "$VPC_ID" --query GroupId --output text)
aws ec2 authorize-security-group-ingress --group-id "$WEB_SG" --protocol tcp --port 80  --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id "$WEB_SG" --protocol tcp --port 443 --cidr 0.0.0.0/0

# 2. Bastion Host Security Group (SSH from the admin IP only)
BASTION_SG=$(aws ec2 create-security-group --group-name BastionSG --description "Allow SSH from admin IP" --vpc-id "$VPC_ID" --query GroupId --output text)
aws ec2 authorize-security-group-ingress --group-id "$BASTION_SG" --protocol tcp --port 22 --cidr "$ADMIN_IP"

# 3. Database Security Group (MySQL from the web and bastion groups, referenced by group ID, not by CIDR)
DB_SG=$(aws ec2 create-security-group --group-name DBSG --description "Allow MySQL from WebServerSG and BastionSG" --vpc-id "$VPC_ID" --query GroupId --output text)
aws ec2 authorize-security-group-ingress --group-id "$DB_SG" --protocol tcp --port 3306 --source-group "$WEB_SG"
aws ec2 authorize-security-group-ingress --group-id "$DB_SG" --protocol tcp --port 3306 --source-group "$BASTION_SG"

Why it works:
  • Least privilege: only the required ports are open, and the database accepts connections only from two named groups, never from a CIDR.
  • Micro-segmentation: the web server can reach the database on 3306 and nothing else; it cannot SSH to the bastion, and the bastion cannot SSH to the web server unless you add 22 from BastionSG to WebServerSG.
  • Stateful: Security Groups track connections, so no rule is needed for return traffic.
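Once the groups exist, the question is how you know they still look like this next quarter. The following is an added example, not from the study guide: a Python audit that reads the JSON shape `aws ec2 describe-security-groups` returns and flags the two things the challenge forbids, internet exposure of anything but 80/443 and database ports reachable from a CIDR instead of a source group. The groups in the block are constructed to mirror the challenge plus one deliberately bad "LegacySG"; the group IDs are placeholders. Nothing calls AWS, so it runs offline; against a real account you would feed it the output of `aws ec2 describe-security-groups --output json` parsed with json.load.

```python
"""Added example, not from the study guide: audit Security Groups against the
least-privilege rules of the challenge."""
from typing import Dict, List

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}          # the only ports the web tier may expose to the internet
DB_PORTS = {3306, 1433, 5432}        # must only be reachable from another security group


def _cidrs(perm: Dict) -> List[str]:
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _only_public_ports(perm: Dict) -> bool:
    """True if the permission is TCP and every port in its range is a public web port."""
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return all(p in PUBLIC_OK_PORTS for p in range(perm["FromPort"], perm["ToPort"] + 1))


def _covers(perm: Dict, port: int) -> bool:
    """Does the permission include `port`? IpProtocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def _describe(perm: Dict) -> str:
    if perm.get("IpProtocol") == "-1":
        return "all protocols and ports"
    return f"{perm['IpProtocol']} {perm['FromPort']}-{perm['ToPort']}"


def audit(groups: List[Dict]) -> List[Dict]:
    """Return findings; an empty list means every group matches the design."""
    findings = []
    for sg in groups:
        name = sg.get("GroupName", sg.get("GroupId", "?"))
        for perm in sg.get("IpPermissions", []):
            for cidr in _cidrs(perm):
                # 1. Internet exposure of anything other than the web ports.
                if cidr in WORLD and not _only_public_ports(perm):
                    findings.append({"group": name, "severity": "high",
                                     "issue": f"{cidr} allowed to {_describe(perm)}"})
                # 2. A database port opened to a CIDR; the challenge wants a source-group reference.
                if any(_covers(perm, p) for p in DB_PORTS):
                    findings.append({"group": name, "severity": "medium",
                                     "issue": f"database port reachable from CIDR {cidr}; reference a source SG instead"})
    return findings


# Constructed to mirror the challenge's three groups plus one deliberately bad group.
SECURITY_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "WebServerSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0db", "GroupName": "DBSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0web"}, {"GroupId": "sg-0bastion"}]}]},
    {"GroupId": "sg-0bastion", "GroupName": "BastionSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.7/32"}]}]},
    {"GroupId": "sg-0legacy", "GroupName": "LegacySG", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for f in audit(SECURITY_GROUPS):
        print(f"[{f['severity']}] {f['group']}: {f['issue']}")
```

The three challenge groups produce no findings; LegacySG produces three (all traffic from the internet, which also covers the database ports, and 3306 from 10.0.0.0/8). Run this from a scheduled job and treat any finding as a change-control violation.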


8. Rapid-Reference Crib Sheet

DMZ subnet example
  Value: 10.0.0.0/24
  Notes: Any RFC 1918 range works; pick one distinct from the LAN (here 192.168.1.0/24) so rules and logs are unambiguous.

Firewall rule order
  Value: Specific blocks, then specific allows, then the implicit deny-all.
  Notes: pfSense, router ACLs and Azure NSGs evaluate top-down, first match wins. AWS Security Groups have no order and no deny rules: any matching allow passes the traffic.

VLAN tagging (Linux)
  Value: ip link add link eth0 name eth0.10 type vlan id 10
  Notes: Creates VLAN 10 on eth0. The older vconfig tool is deprecated.

AWS Security Group
  Value: aws ec2 authorize-security-group-ingress --group-id sg-123456 --protocol tcp --port 80 --cidr 0.0.0.0/0
  Notes: Stateful (tracks connections); allow rules only.

Azure NSG
  Value: az network nsg rule create --resource-group MyRG --nsg-name MyNSG --name AllowHTTP --priority 100 --access Allow --protocol Tcp --direction Inbound --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 80
  Notes: Stateful, like Security Groups (return traffic is allowed automatically); lower priority number wins. The stateless cloud construct is the AWS NACL, not the NSG.

Kubernetes NetworkPolicy
  Value:

kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-except-web
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
  - ports:
    - port: 80
      protocol: TCP
EOF

  Notes: podSelector {} selects every pod in the namespace; only TCP/80 ingress is allowed and all other ingress is denied. Enforcement requires a CNI plugin that implements NetworkPolicy (e.g., Calico or Cilium); without one the object is accepted but does nothing.

pfSense block rule
  Value: Action: Block; Interface: DMZ; Protocol: Any; Source: DMZ net; Destination: LAN net
  Notes: Blocks DMZ → LAN traffic; place it above any pass rule on the DMZ tab.

Ports to remember
  Value: 80 (HTTP), 443 (HTTPS), 22 (SSH), 3306 (MySQL), 1433 (MSSQL), 5432 (PostgreSQL)
  Notes: Only 80/443 belong internet-facing in the DMZ; 22 is admin-only; the database ports are allowed between tiers and never from the internet.

Default VLAN
  Value: VLAN 1
  Notes: Don’t use VLAN 1 for user or server traffic; it is the default on every port and a common target of VLAN-hopping tricks.

AWS Security Group defaults
  Value: A new group allows all outbound and no inbound.
  Notes: The VPC’s built-in "default" group additionally allows all traffic from members of itself; don’t attach it to workloads. Restrict outbound too where you can.

9. Where to Go Next

  1. pfSense Documentation: https://docs.netgate.com/pfsense/en/latest/ (Hands-on firewall setup).
  2. AWS Networking Deep Dive: https://aws.amazon.com/blogs/networking-and-content-delivery/ (VPCs, Security Groups, NACLs).
  3. Kubernetes Network Policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/ (Micro-segmentation for containers).
  4. Nmap Network Scanning: https://nmap.org/book/ (Test your segmentation).
  5. CompTIA Security+ Study Guide (chapter on network security): In the SY0-501 objectives this is Objective 2.1, "Install and configure network components"; SY0-601 moved the material to Objective 3.3, "Implement secure network designs". Check the objectives for the version you are sitting.