Chapter 12 of 27
Applying Security Principles to Network, Host, and Application Infrastructure
Connect abstract security principles to concrete infrastructure decisions, from secure routing and switching to hardened servers and resilient application tiers.
From Principles to Infrastructure Decisions
Module Goal
Here you will connect abstract security principles directly to concrete infrastructure design: networks, hosts, and application tiers.
Core Principles
We will repeatedly use three ideas: least privilege, segmentation and isolation, and defense in depth, across network, host, and app layers.
Exam Context
These topics map strongly to Security Architecture in SY0-701. Expect diagram questions about placement of firewalls, servers, and sensors.
Scenario Mindset
Picture a mid-size enterprise with on-prem, cloud extension, and remote workers. Your task: choose secure, resilient infrastructure designs.
Security Principles: Least Privilege, Segmentation, Defense in Depth, Zero Trust
Least Privilege
Least privilege means every user, device, and process only gets the minimum access needed. Think tight ACLs, scoped roles, and minimal service rights.
Segmentation and Isolation
Segmentation splits the environment into zones, like VLANs and DMZs, with controlled paths. Isolation can be logical or physical, limiting blast radius.
Defense in Depth
Defense in depth stacks multiple controls. If a firewall fails, host firewalls, EDR, authentication, and monitoring still protect the system.
Zero Trust Lens
Zero trust assumes no implicit trust, even inside. Access is continuously verified and limited to what is needed, enabling fine-grained segmentation.
Secure Network Design: LAN, WAN, DMZ, and Zoning
Core Network Zones
Typical zones: Internet, DMZ, internal user LANs, server networks, management networks, and guest/BYOD networks. Each has different trust levels.
Firewall Placement
Place firewalls at the perimeter, between DMZ and internal, between user LANs and servers, and guarding management networks for tight control.
DMZ Role
The DMZ hosts public-facing services that talk to the Internet but are isolated from core internal networks via strict firewall rules.
Choke Points
Choke points are traffic convergence spots where you deploy controls like firewalls, proxies, IDS/IPS, and DLP for inspection and logging.
Applying Segmentation: A Mini Design Walkthrough
Scenario Overview
The company has an internal HR app, remote VPN users, and a public marketing site. We will place each component in an appropriate network zone.
Define Zones
Create zones: Internet, DMZ, internal user VLANs, HR app VLAN, database VLAN, and a separate management VLAN for admin tools.
Place Components
Put the marketing site and VPN gateway in the DMZ; the HR app and DB on internal app and DB VLANs; admin tools on the management VLAN.
Map to Principles
Tight firewall rules enforce least privilege; VLANs provide segmentation; WAF, firewalls, and logging give defense in depth and support zero trust.
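To make "tight firewall rules enforce least privilege" concrete, here is an added example (not part of the course material) that models the walkthrough's zones as a default-deny rulebase and checks individual flows against it. The zone names, the VPN and database ports, and the rules themselves are assumptions chosen to match the walkthrough: marketing site and VPN gateway in the DMZ, the HR app and its database on their own VLANs, and admin tools on a management VLAN. The `lint_rules` function flags rules that would undermine zoning, such as any-to-any rules or Internet exposure of anything but the DMZ.

```python
"""Default-deny zone policy for the mini design walkthrough (constructed example)."""
from dataclasses import dataclass
from typing import Union

ANY = "*"  # wildcard for a zone or port; treated as a least-privilege violation by lint_rules


@dataclass(frozen=True)
class Rule:
    src: str                 # source zone
    dst: str                 # destination zone
    proto: str               # "tcp" or "udp"
    port: Union[int, str]    # destination port, or ANY
    note: str = ""


# Constructed rulebase for the walkthrough. Anything not listed here is denied.
RULES = [
    Rule("internet", "dmz", "tcp", 443, "public marketing site over HTTPS"),
    Rule("internet", "dmz", "udp", 1194, "VPN gateway (port is an assumption)"),
    Rule("users", "hr_app", "tcp", 443, "office employees reach the HR front end"),
    Rule("vpn_users", "hr_app", "tcp", 443, "remote workers, after VPN termination, reach the HR front end"),
    Rule("hr_app", "hr_db", "tcp", 5432, "app tier to database (PostgreSQL port assumed)"),
    Rule("management", "hr_app", "tcp", 22, "admin jump host SSH to app servers"),
    Rule("management", "hr_db", "tcp", 22, "admin jump host SSH to database servers"),
]


def is_allowed(src, dst, proto, port, rules=RULES):
    """Default deny: a flow passes only if some rule explicitly matches it."""
    for r in rules:
        if (r.src in (src, ANY) and r.dst in (dst, ANY)
                and r.proto == proto and r.port in (port, ANY)):
            return True
    return False


def lint_rules(rules=RULES):
    """Flag rules that break least privilege or zoning; an empty list means the rulebase is clean."""
    findings = []
    for r in rules:
        if r.src == ANY or r.dst == ANY:
            findings.append(f"any-zone rule {r.src}->{r.dst}: scope it to specific zones")
        if r.port == ANY:
            findings.append(f"any-port rule {r.src}->{r.dst}: list only the required ports")
        if r.src == "internet" and r.dst != "dmz":
            findings.append(f"internet reaches {r.dst} directly: only the DMZ should be exposed")
    return findings


def reachable_from(src, rules=RULES):
    """Zones a source zone can reach at all; handy for reasoning about blast radius."""
    return {r.dst for r in rules if r.src == src}


if __name__ == "__main__":
    # A compromised marketing site in the DMZ must not be able to reach the HR database.
    print("dmz -> hr_db:5432 allowed?", is_allowed("dmz", "hr_db", "tcp", 5432))
    print("internet can reach:", reachable_from("internet"))
    print("lint findings:", lint_rules())
```

The point of `reachable_from` is the blast-radius question an examiner asks about a diagram: if the DMZ falls, what can the attacker reach next? With the rulebase above the answer is nothing internal, because no rule has the DMZ as a source.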
Host and Virtualization Security: Hardening and Isolation
Host Hardening
Harden hosts by removing unnecessary services, applying secure configs, enforcing strong auth, enabling host firewalls, and patching regularly.
Role Separation
Avoid all-in-one servers. Keep web, app, DB, and infrastructure roles separate to reduce impact if one component is compromised.
Hypervisor Security
Protect hypervisors by isolating management interfaces, using MFA, and limiting who can manage VMs. Treat them as high-value assets.
VM and Container Isolation
Use virtual switches, port groups, and container namespaces to segment workloads. Avoid mixing trust levels on the same host where possible.
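The hardening and role-separation items above are easiest to apply when they are expressed as a checkable baseline. The following added example (not from the course) audits a server against a constructed baseline: it parses sshd_config-style text, checks the authentication-related directives, and compares the host's enabled services with what its role is allowed to run, so an "all-in-one" web server running a database shows up as a finding. The baseline values, the per-role service lists, and the before/after inventories are all constructed assumptions.

```python
"""Host hardening baseline audit (constructed example)."""
import re

# Constructed baseline: sshd_config directives and the value each must have (keys lowercased).
SSHD_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}

# Role separation: the only listening services each server role may run (assumed).
ALLOWED_SERVICES = {
    "web": {"sshd", "nginx"},
    "db": {"sshd", "postgresql"},
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value}. sshd accepts 'Key value' or 'Key=value',
    and for repeated directives the first occurrence wins, so we keep the first."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)
    return settings


def check_sshd(settings):
    """Findings for every baseline directive that is missing or set to a non-baseline value."""
    findings = []
    for key, expected in SSHD_BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"sshd: {key} is not set explicitly; baseline requires {expected}")
        elif actual.lower() != expected:
            findings.append(f"sshd: {key} is {actual}; baseline requires {expected}")
    return findings


def check_services(role, enabled_services):
    """Findings for services that do not belong to this server's role."""
    extra = sorted(set(enabled_services) - ALLOWED_SERVICES[role])
    return [f"services: '{s}' is not part of the '{role}' role; disable it or move it to its own host"
            for s in extra]


def audit_host(role, sshd_config_text, enabled_services):
    return check_sshd(parse_sshd_config(sshd_config_text)) + check_services(role, enabled_services)


# Constructed sample: an all-in-one web server before hardening...
BEFORE_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""
BEFORE_SERVICES = ["sshd", "nginx", "postgresql", "telnet", "cups"]

# ...and the same host after hardening and after the database moved to its own server.
AFTER_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
"""
AFTER_SERVICES = ["sshd", "nginx"]


if __name__ == "__main__":
    for finding in audit_host("web", BEFORE_CONFIG, BEFORE_SERVICES):
        print("before:", finding)
    print("after:", audit_host("web", AFTER_CONFIG, AFTER_SERVICES) or "clean")
```

Treating a directive that is merely left at its default as a finding is deliberate: a baseline that relies on defaults silently changes when the package does, whereas an explicit value can be diffed and attested.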
Application Tiering, Load Balancing, and High Availability
Three-Tier Apps
Split apps into presentation, application, and data tiers. Place each tier on its own subnet and control traffic strictly between tiers.
Load Balancing
Load balancers spread traffic across multiple servers and often handle TLS termination, health checks, and basic DDoS protection or rate limiting.
High Availability
Design out single points of failure: multiple web servers, redundant firewalls, DB clusters, and diverse network and power paths.
Security vs Availability
Aim for resilient security: layered controls that still function during failures, while avoiding complexity that leads to misconfigurations.
Thought Exercise: Spot the Weaknesses
Use this thought exercise to practice reading an architecture like an examiner.
Textual diagram
- Internet → single firewall → flat internal network (all users, servers, printers on same VLAN).
- Public web server sits on this same VLAN.
- Single database server also on same VLAN.
- Hypervisor management interface reachable from all internal hosts.
- Single load balancer in front of two web servers, but the load balancer has only one power supply and one network uplink.
Your tasks
- List at least three security issues in this design.
- List at least two availability issues or single points of failure.
- For each issue, suggest one improvement using the principles you have learned.
Pause and think through your answers before revealing the sample solution below.
Sample solution (compare, do not just memorize)
- Security issues:
  - No segmentation: users, servers, and public web server share a flat network; a compromise spreads easily.
  - Public web server on internal VLAN: external attacker who compromises it gets direct access to internal hosts.
  - Hypervisor management open to all internal hosts: huge risk if a user PC is compromised.
- Availability issues:
  - Single firewall: if it fails, entire site is offline.
  - Single load balancer with one uplink: if it fails, web tier is offline even though web servers are redundant.
- Improvements:
  - Create DMZ VLAN for public web server; place internal servers on separate server VLAN; keep users on user VLAN.
  - Add an internal firewall between DMZ and server VLAN.
  - Isolate hypervisor management on a management VLAN, accessible only from admin jump hosts.
  - Deploy redundant firewalls and a load balancer pair with dual uplinks.
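The checks in the sample solution can be turned into a small architecture linter, which is a useful way to rehearse reading diagrams. The added example below (not part of the course) models the textual diagram as an inventory of components and reports the same classes of weakness the solution lists: a flat network, a public-facing host sharing a VLAN with internal hosts, hypervisor management reachable from user hosts, and single points of failure in the traffic path. It also flags the single database server, which the High Availability section above treats as something to cluster. Both inventories are constructed: `WEAK` mirrors the diagram, `IMPROVED` applies the suggested fixes and should produce no findings.

```python
"""Architecture linter for the 'spot the weaknesses' exercise (constructed example)."""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    role: str                  # user, printer, web, db, hypervisor_mgmt, firewall, load_balancer, jump
    vlan: str
    public: bool = False       # exposed to the Internet
    in_path: bool = False      # all client traffic traverses it (firewalls, load balancers)
    instances: int = 1
    uplinks: int = 1
    power_supplies: int = 1
    reachable_from: frozenset = frozenset()   # VLANs permitted to reach its management plane


INFRA_ROLES = {"firewall", "load_balancer"}   # may legitimately sit beside public hosts in a DMZ


def lint_design(components):
    """Return a list of findings; an empty list means none of the modelled weaknesses is present."""
    findings = []
    roles_by_vlan = {}
    for c in components:
        roles_by_vlan.setdefault(c.vlan, set()).add(c.role)
    user_vlans = {v for v, roles in roles_by_vlan.items() if "user" in roles}

    # Segmentation: users must not share a VLAN with servers or management planes.
    for vlan in sorted(user_vlans):
        mixed = roles_by_vlan[vlan] & {"web", "db", "hypervisor_mgmt"}
        if mixed:
            findings.append(f"no segmentation: users share VLAN '{vlan}' with {sorted(mixed)}")

    for c in components:
        # DMZ discipline: a public host may only share its VLAN with other public hosts
        # and the infrastructure that fronts them.
        if c.public:
            neighbours = [o.name for o in components if o.vlan == c.vlan and o is not c
                          and not o.public and o.role not in INFRA_ROLES]
            if neighbours:
                findings.append(f"public host '{c.name}' shares VLAN '{c.vlan}' with internal hosts "
                                f"{neighbours}: move it to a DMZ")
        # Management plane must never be reachable from user VLANs.
        if c.role == "hypervisor_mgmt":
            exposed = sorted(c.reachable_from & user_vlans)
            if exposed:
                findings.append(f"hypervisor management '{c.name}' reachable from user VLANs "
                                f"{exposed}: restrict it to a management VLAN and jump hosts")
        # Single points of failure in the traffic path and in the data tier.
        if c.in_path or c.role == "db":
            single = [what for what, n in (("instance", c.instances), ("uplink", c.uplinks),
                                           ("power supply", c.power_supplies)) if n < 2]
            if single:
                findings.append(f"SPOF: '{c.name}' has a single {', '.join(single)}")
    return findings


# Constructed inventory mirroring the textual diagram.
WEAK = [
    Component("fw1", "firewall", "edge", in_path=True),
    Component("lb1", "load_balancer", "internal", in_path=True),
    Component("web", "web", "internal", public=True, instances=2, uplinks=2, power_supplies=2),
    Component("db1", "db", "internal"),
    Component("staff_pcs", "user", "internal"),
    Component("printers", "printer", "internal"),
    Component("esxi_mgmt", "hypervisor_mgmt", "internal", reachable_from=frozenset({"internal"})),
]

# Constructed inventory after applying the sample solution's improvements.
IMPROVED = [
    Component("fw_pair", "firewall", "edge", in_path=True, instances=2, uplinks=2, power_supplies=2),
    Component("lb_pair", "load_balancer", "dmz", in_path=True, instances=2, uplinks=2, power_supplies=2),
    Component("web", "web", "dmz", public=True, instances=2, uplinks=2, power_supplies=2),
    Component("db_cluster", "db", "servers", instances=2, uplinks=2, power_supplies=2),
    Component("staff_pcs", "user", "users"),
    Component("printers", "printer", "users"),
    Component("jump", "jump", "management"),
    Component("esxi_mgmt", "hypervisor_mgmt", "management", reachable_from=frozenset({"management"})),
]


if __name__ == "__main__":
    for f in lint_design(WEAK):
        print("WEAK:", f)
    print("IMPROVED:", lint_design(IMPROVED) or "no findings")
```

Note that the firewall between DMZ and server VLAN from the sample solution is not a separate check here; in this model it is what makes the `servers` VLAN distinct from the `dmz` VLAN at all, so it is implied by the segmentation check rather than tested directly.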
Quiz 1: Network Zoning and Device Placement
Answer this question to check your understanding of secure network design and zoning.
An organization is deploying a new public-facing web application that must access an internal database server. Which placement is the MOST appropriate to follow defense-in-depth and least privilege?
- A) Place both the web server and database server in the DMZ behind a single firewall.
- B) Place the web server in the DMZ and the database server on an internal subnet, with a firewall allowing only the required DB port from the web server to the database.
- C) Place both the web server and database server on the internal user VLAN, protected by host-based firewalls.
- D) Place the web server on the Internet with a public IP and the database server in the DMZ, with any-to-any rules for simplicity.
Answer: B) Place the web server in the DMZ and the database server on an internal subnet, with a firewall allowing only the required DB port from the web server to the database.
Placing the web server in the DMZ and the database server on an internal subnet, with a firewall rule allowing only the required database port from the web server to the database, applies both defense in depth and least privilege. The DMZ isolates the public-facing server, and the internal firewall restricts DB access. Putting the DB in the DMZ or on the user VLAN exposes critical data, and any-to-any rules violate least privilege.
Quiz 2: Host, Virtualization, and Zero Trust
Check how well you can apply host and virtualization security concepts, especially in a zero trust context.
A security architect is designing a new virtualized environment following a zero trust model. Which design choice BEST supports this goal?
- A) Place all production and development VMs on a single virtual switch to simplify management, and rely on a perimeter firewall.
- B) Expose the hypervisor management interface on the same subnet as user workstations to allow easy access for administrators.
- C) Create separate virtual networks for production, development, and management, restrict management access to a jump host network, and apply host-based firewalls to VMs.
- D) Disable host-based firewalls on VMs because the virtual firewall at the edge already provides sufficient protection.
Answer: C) Create separate virtual networks for production, development, and management, restrict management access to a jump host network, and apply host-based firewalls to VMs.
Zero trust assumes no implicit trust and requires continuous verification, limiting access to only what is needed. Separate virtual networks for production, development, and management support segmentation. Restricting management to a jump host network and using host-based firewalls adds additional layers of control and defense in depth. The other options centralize trust in a single perimeter or expose high-value management interfaces.
Key Term Review: Infrastructure and Security Principles
Use these flashcards to reinforce the most important terms from this module.
- Least privilege
- A principle where each user, device, service, and process is granted only the minimum access rights and permissions necessary to perform its function, and no more.
- Segmentation
- Dividing a network or environment into smaller zones or segments (such as VLANs, subnets, or security groups) with controlled communication paths to limit the spread of attacks.
- Defense in depth
- A strategy of using multiple, layered security controls so that if one control fails, others still protect the asset.
- Zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- DMZ (Demilitarized Zone)
- A network segment that hosts public-facing services and sits between an untrusted network (like the Internet) and an internal network, protected by firewalls on both sides.
- Choke point
- A location in the network where traffic converges and security controls such as firewalls, proxies, or IDS/IPS can be placed to inspect and control traffic.
- Management network
- A dedicated network or VLAN used for administrative access to devices such as hypervisors, switches, routers, and servers, typically tightly restricted.
- Application tiering
- Architecting an application into separate layers (such as presentation, application, and data tiers) that can be isolated and controlled independently.
- Load balancer
- A device or service that distributes client requests across multiple servers to improve performance, availability, and sometimes security (for example, via TLS termination).
- Single point of failure (SPOF)
- Any component whose failure would cause an entire system or service to become unavailable.
Mapping Designs to Security Controls and Exam Objectives
Network Controls
Firewalls, WAFs, IDS/IPS, VPNs, and proxies enforce segmentation, least privilege, and monitoring at key choke points.
Host and Platform Controls
EDR, hardening baselines, and privileged access management secure servers, clients, and hypervisors across the environment.
Application and Data Controls
RBAC, database protections, and secure coding practices safeguard the app and data tiers, enforcing least privilege at higher layers.
Exam Mapping
On diagrams, decide where to place controls, how to add redundancy, and which technologies best support segmentation and zero trust.