The following diagram shows a very basic example of
network segmentation using zones. The more granular you make your
zones (and the corresponding Security policy rules that allow traffic
between zones), the more you reduce the attack surface on your network.
This is because traffic can flow freely within a zone (intra-zone
traffic), but traffic cannot flow between zones (inter-zone traffic)
until you define a Security policy rule that allows it. Additionally,
an interface cannot process traffic until you have assigned it to
a zone. Therefore, by segmenting your network into granular zones you
have more control over access to sensitive applications or data, and
you can prevent malicious traffic from establishing a communication
channel within your network, thereby reducing the likelihood of a
successful attack on your network.
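The three default behaviours described above (an interface without a zone passes nothing, intra-zone traffic is allowed, inter-zone traffic is denied until a rule allows it) can be modelled in a few lines. This is an added illustration, not code from the original page or from any firewall vendor; the zone, interface and rule names are constructed for the example.

```python
# Added example: a minimal model of zone-based traffic control. Zone,
# interface and rule names below are constructed, not taken from the page.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    from_zone: str      # "any" matches every source zone
    to_zone: str        # "any" matches every destination zone
    application: str    # "any" matches every application
    action: str         # "allow" or "deny"


@dataclass
class ZoneFirewall:
    zone_of_interface: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)

    def assign(self, interface: str, zone: str) -> None:
        self.zone_of_interface[interface] = zone

    def decide(self, ingress: str, egress: str, application: str) -> tuple:
        """Return (action, reason) for a flow entering on `ingress` and
        leaving on `egress`, applying the segmentation defaults."""
        src = self.zone_of_interface.get(ingress)
        dst = self.zone_of_interface.get(egress)
        if src is None or dst is None:
            return ("drop", "interface-without-zone")   # no zone, no traffic
        for rule in self.rules:  # evaluated top-down, first match wins
            if (rule.from_zone in (src, "any") and rule.to_zone in (dst, "any")
                    and rule.application in (application, "any")):
                return (rule.action, rule.name)
        if src == dst:
            return ("allow", "intrazone-default")      # same zone: free flow
        return ("deny", "interzone-default")           # different zones: blocked


def build_demo() -> ZoneFirewall:
    """Constructed topology: three zones and one explicit inter-zone rule."""
    fw = ZoneFirewall()
    fw.assign("ethernet1/1", "users")
    fw.assign("ethernet1/2", "users")
    fw.assign("ethernet1/3", "servers")
    fw.assign("ethernet1/4", "dmz")
    # Only web traffic from the users zone to the servers zone is permitted.
    fw.rules.append(Rule("users-to-servers-web", "users", "servers",
                         "web-browsing", "allow"))
    return fw
```

Everything not covered by the single rule (users to dmz, non-web users to servers, any flow touching the unassigned interface) falls through to the restrictive default, which is the control the paragraph describes.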