Security zones group segments by trust level. Traffic between zones passes through security controls.
Untrusted zone. The internet. Assume everything is hostile. Allow only specific inbound traffic.
DMZ. Public-facing services like web servers and email gateways. Compromise here should not endanger internal systems.
Trusted zone. Internal networks with authenticated users. Apply moderate controls.
Restricted zone. Sensitive systems like databases and domain controllers. Strict access. Logged and monitored.
Traffic from less trusted to more trusted zones should pass through inspection.
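As an added example (not code from the original page), the following Python models the zone policy described above as a small evaluator: a flow is classified into zones, intra-zone traffic passes, inter-zone traffic needs an explicit rule (default deny), any flow toward a more trusted zone is flagged for inspection, and anything touching the restricted zone is logged. The address ranges, the allow-list rules and the helper names (`zone_of`, `evaluate_flow`, `denied_flows`) are assumptions constructed for the example.

```python
"""Zone-based flow policy evaluation (added example, not from the original page)."""
import ipaddress
from dataclasses import dataclass
from enum import IntEnum


class Zone(IntEnum):
    """Trust rises with the numeric value, so `dst > src` means 'toward higher trust'."""
    UNTRUSTED = 0   # the internet
    DMZ = 1         # public-facing services
    TRUSTED = 2     # internal networks with authenticated users
    RESTRICTED = 3  # databases, domain controllers


# Constructed address plan for the example; a real deployment maps its own ranges.
ZONE_RANGES = {
    Zone.DMZ: ipaddress.ip_network("192.0.2.0/24"),
    Zone.TRUSTED: ipaddress.ip_network("10.10.0.0/16"),
    Zone.RESTRICTED: ipaddress.ip_network("10.20.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: Zone
    dst: Zone
    proto: str
    port: int


# Hypothetical allow-list. Any inter-zone flow not listed here is denied.
POLICY = (
    Rule(Zone.UNTRUSTED, Zone.DMZ, "tcp", 443),        # public web server
    Rule(Zone.UNTRUSTED, Zone.DMZ, "tcp", 25),         # inbound mail gateway
    Rule(Zone.TRUSTED, Zone.DMZ, "tcp", 443),          # staff reaching the public site
    Rule(Zone.TRUSTED, Zone.RESTRICTED, "tcp", 5432),  # app tier to database
    Rule(Zone.TRUSTED, Zone.RESTRICTED, "tcp", 88),    # Kerberos to domain controllers
)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    inspect: bool   # must the flow traverse an inspection point (IDS/IPS, proxy)?
    log: bool       # must the flow be recorded?
    reason: str


def zone_of(ip: str) -> Zone:
    """Classify an address by the zone whose range contains it; anything else is the internet."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_RANGES.items():
        if addr in net:
            return zone
    return Zone.UNTRUSTED


def evaluate(src: Zone, dst: Zone, proto: str, port: int, policy=POLICY) -> Verdict:
    """Intra-zone passes; inter-zone needs an explicit rule; flows toward higher trust
    are inspected; anything involving RESTRICTED is logged; denials are always logged."""
    log = Zone.RESTRICTED in (src, dst)
    if src == dst:
        return Verdict(True, False, log, "intra-zone")
    matched = any(
        r.src == src and r.dst == dst and r.proto == proto and r.port == port
        for r in policy
    )
    if not matched:
        # A denied inter-zone flow is the signal of probing or misconfiguration, so record it.
        return Verdict(False, False, True, f"no rule {src.name}->{dst.name} {proto}/{port}")
    return Verdict(True, dst > src, log, "explicit allow")


def evaluate_flow(src_ip: str, dst_ip: str, proto: str, port: int) -> Verdict:
    """Convenience wrapper: classify both endpoints, then apply the zone policy."""
    return evaluate(zone_of(src_ip), zone_of(dst_ip), proto, port)


def denied_flows(flows):
    """Audit a batch of (src_ip, dst_ip, proto, port) records; return those the policy denies."""
    results = [(f, evaluate_flow(*f)) for f in flows]
    return [f for f, v in results if not v.allowed]


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    sample = [
        ("203.0.113.7", "192.0.2.10", "tcp", 443),   # internet -> DMZ web: allowed, inspected
        ("203.0.113.7", "10.10.1.1", "tcp", 445),    # internet -> trusted SMB: denied
        ("192.0.2.10", "10.20.5.5", "tcp", 5432),    # DMZ -> database directly: denied
        ("10.10.1.1", "10.20.5.5", "tcp", 5432),     # trusted app -> database: allowed, logged
    ]
    for f in sample:
        print(f, evaluate_flow(*f))
```

The DMZ-to-database case is the one worth watching: the policy has no rule for it even though the database zone does accept that port from the trusted zone, which is exactly the property the DMZ exists to enforce (a compromised public host cannot reach the restricted zone directly).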