Free PBQ Demo · Advanced

Topology · DMZ Segmentation

Architect a 3-zone network for a credit union — place web, mail, database and admin hosts in the right zone (DMZ / Internal / Management) and write the inter-zone firewall rules.

Tests: Network segmentation, defence-in-depth, ACL design between trust zones — a top-weighted Security+ objective.

~9 min · No signup needed

Scenario

A regional credit union is migrating from a flat /24 network to a three-zone architecture. Place each host in the correct zone and tighten the perimeter firewall.

Place each host in its correct zone (DMZ / Internal / Management) and configure the perimeter firewall so the auditors find clean segmentation.

Network Topology — Live View

Elements shown in the topology diagram:
  • Internet (0.0.0.0/0) → Perimeter FW fw-edge-01 (WAN) → Core Switch sw-core-01 (trunk)
  • Subnets: 10.0.20.0/24, 10.0.10.0/24, 10.0.99.0/24 (mgmt)
  • Hosts: DMZ-WEB (public web server), DMZ-MAIL (SMTP relay), DB-CORE (customer accounts), WS-USER (teller terminal), WS-ADMIN (admin jump host)

Perimeter FW · fw-edge-01

Inbound Rules

Only services that the internet actually needs to reach should be allowed in.

Allow inbound HTTPS (443) to:
Allow inbound SMTP (25) to:
Allow inbound DB (3306/5432) from internet to:

Trap question. The internet should never directly reach the database.

Management Access

Allow SSH/RDP management from:

Tasks

  • Place DMZ-WEB and DMZ-MAIL in the DMZ. Place DB-CORE in Internal LAN (never DMZ).
  • Place WS-ADMIN in the Management VLAN with MFA + no direct internet.
  • Open inbound HTTPS to the web server only. Never expose the database from the internet.
  • Restrict management access to the admin jump host.
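
As an added illustration (not part of the PBQ or its answer key), the Python below models the zone placement and inbound rules the tasks describe and flags every rule that breaks them; the host-to-zone mapping follows the task list, while the DMZ-WEB → DB-CORE database path and the exact rule sets are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed host-to-zone placement following the task list (not the PBQ's answer key).
ZONES = {"DMZ-WEB": "DMZ", "DMZ-MAIL": "DMZ", "DB-CORE": "Internal",
         "WS-USER": "Internal", "WS-ADMIN": "Management"}
INTERNET = "Internet"
JUMP_HOST = "WS-ADMIN"
DB_PORTS = {3306, 5432}   # MySQL / PostgreSQL, the ports named in the trap question
MGMT_PORTS = {22, 3389}   # SSH / RDP

@dataclass(frozen=True)
class Rule:
    src: str    # host name or "Internet"
    dst: str    # host name
    port: int

def zone_of(name):
    """Map a host to its zone; 'Internet' is its own pseudo-zone."""
    return ZONES.get(name, name)

def violations(rules):
    """Return one finding for every way a rule breaks the segmentation requirements."""
    findings = []
    for r in rules:
        if r.src == INTERNET and zone_of(r.dst) != "DMZ":
            findings.append(f"{r.src} -> {r.dst}:{r.port} reaches the {zone_of(r.dst)} zone")
        if r.src == INTERNET and r.port in DB_PORTS:
            findings.append(f"{r.src} -> {r.dst}:{r.port} exposes a database port")
        if r.src == INTERNET and r.port == 443 and r.dst != "DMZ-WEB":
            findings.append(f"inbound HTTPS allowed to {r.dst}; only DMZ-WEB should accept it")
        if r.port in MGMT_PORTS and r.src != JUMP_HOST:
            findings.append(f"{r.src} -> {r.dst}:{r.port} management access not from the jump host")
    return findings

# Constructed rule sets: the flat-network habit versus the segmented design.
WEAK_RULES = [
    Rule(INTERNET, "DMZ-WEB", 443),
    Rule(INTERNET, "DMZ-MAIL", 25),
    Rule(INTERNET, "DB-CORE", 3306),   # the trap: database reachable from the internet
    Rule("WS-USER", "DMZ-WEB", 22),    # SSH from a teller terminal, not the jump host
]
HARDENED_RULES = [
    Rule(INTERNET, "DMZ-WEB", 443),
    Rule(INTERNET, "DMZ-MAIL", 25),
    Rule("DMZ-WEB", "DB-CORE", 5432),  # assumed app-to-DB path; never sourced from the internet
    Rule(JUMP_HOST, "DMZ-WEB", 22),
    Rule(JUMP_HOST, "DB-CORE", 22),
]
if __name__ == "__main__":
    print("weak:", violations(WEAK_RULES), "\nhardened:", violations(HARDENED_RULES) or "clean")
```

The weak set trips three findings (two on the database rule alone, one on management from the teller terminal); the hardened set reports none.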


Liked this PBQ? There are 80+ more inside.

Sign up free to take full timed exams with mixed MCQs and all 6 PBQ types — across 10 CompTIA and Cisco certifications.