Network Defense in Depth

Nested trust zones, from the untrusted internet (outer ring) to the crown jewels (inner ring). Each ring is separated from the next by a trust boundary with its own control, and each zone lists the controls that live inside it.

Zones, outermost to innermost, with the control at each boundary:

Internet / Untrusted
  boundary control: DDoS scrubbing / edge filtering
Edge Perimeter: edge firewall · DDoS mitigation · IPS
  boundary control: TLS termination / WAF
DMZ: reverse proxy · public DNS · email gateway
  boundary control: stateful firewall
Internal Network (VLAN-segmented): stateful firewall · NAC · IDS sensors
  boundary control: micro-segmentation
Sensitive Zone: app servers · internal services
Crown Jewels: DB · key vault · payment data

Arrow legend

Ingress traffic — inbound, crossing each control on the way in.
Egress traffic — outbound; controlled too, to limit data exfiltration.
Lateral movement — an attacker pivoting between internal hosts. Segmentation exists to stop this.

How to read it

Each ring is separated from the next by a trust boundary with its own control (the boundary labels: edge filtering, TLS termination / WAF, stateful firewall, micro-segmentation). Trust increases inward; the crown jewels are the most protected because a request has to pass every outer control in turn before it reaches them. The layering only holds if no ring can be skipped: a flow that goes straight from the DMZ to the database bypasses every control between those two rings, which is exactly the lateral movement segmentation is meant to stop.
