Best Firewall Security Zone Segmentation Setup

Regardless of the size of your company, or what type of TCP/IP setup you have, a hardware firewall is essential. It is one of the most fundamental network security elements. It provides basic protection and is capable of preventing many attacks on your network from being successful. It is therefore essential that you have the best firewall security zone segmentation setup.

What is the best firewall security zone segmentation setup?

Today, networks typically extend outside of the firewall perimeter, but that said, they do tend to have a well-defined structure. Your network should therefore have:

  • An internal network zone
  • An untrusted external network
  • One or more intermediate security zones

Each of your intermediate security zones – commonly Layer3 network subnets with multiple workstations and/or servers – should contain systems which can be protected in a similar fashion. They are groups of servers that have similar requirements. They can be protected with a firewall on the application level, or more typically, on the Port and IP level.

Perimeter firewall security zone segmentation

Unfortunately, the perimeter network topology that is best for you may differ considerably from the one that you used for your previous company. Your current network will naturally be different and have its own requirements and different functions. Your perimeter security zone segmentation will have to therefore be set up to match the unique needs of your business. That said, there are a number of best practices to follow when devising your network perimeter.

To help explain a typical network perimeter, we have illustrated this in the diagram below. Your network may differ, but the illustration shows a typical setup used by many enterprises. You may use two firewalls, or only have one DMZ (Demilitarized) zone. The red arrows show the traffic direction permitted by the firewall

Security zone segmentation: Setting up your DMZ (Demilitarized Zones)

Your equipment and sections of your network that will be most susceptible to attack will be the parts that face the public and are connected to the internet. These will include your web servers, email servers, and DNS for example. If an attack on your network is attempted, this is where it is most likely to occur. It is therefore important to be able to minimize the potential for damage if one of those attacks is successful and one or more of your servers is compromised.

To do this, it is important to set up a DMZ or Demilitarized zone. A DMZ is basically a Layer3 subnet that is isolated. In our example we have included two, as this set up offers the best protection for our internal zone. In your case one may be appropriate or three or four, depending on the size of your network, number of servers etc.


You are going to have to have at least one public facing server that is accessible via the Internet. Traffic flow must be restricted for security, so it should only be possible for traffic to go from the Internet to your DMZ1. It is also essential that you only have the necessary TCP/UDP ports open. All other must be closed. Your DMZ1 should host your DNS, Proxy server, Email server, and web server.


For the best protection, you should never have your databases located on the same hardware as your web server. Database are likely to need to be accessed via your web server, but they should be set up in a different DMZ. In this example, we have set up DMZ2 where we have placed the application servers and database servers. You can see from the red traffic arrows that these servers can be accessed directly from the internal zone, and also from DMZ1. They can therefore be accessed from the Internet, but only indirectly via DMZ1.

It is also important to have your web application server and a front end web server located in different DMZs.

Using the above setup, if one server is compromised, say one of your application servers in DMZ2 via DMZ1, the attacker will not be able to access to your internal zone.

You should configure your firewall to allow traffic between both of your DMZs, but only on specific ports. Traffic between your internal zone and your DMZ2 is possible, but this should be limited.  Traffic may be necessary for performing data backups for instance or for accessing an internal management server for example.

Your internal security zone

Located in the internal security zone will be your end user workstations, your file servers, and other critical internal servers. You will also have internal databases located in the internal zone, Active Directory servers, and many business applications.

It is essential that there is no direct access from the Internet to your internal security zone. Any user requiring Internet access must not be permitted to access the Internet directly. Internet access must only be possible via a proxy server, which should be located in DMZ1.

It is essential to have security zone segmentation, although the setup you choose must reflect your business requirements. Our example of a typical security zone segmentation setup is ideal for the enterprise environment. Use this and it should ensure you have solid network security.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writers about compliance and the related areas of IT security breaches. Elizabeth's has focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone.