Attacks against your network can originate externally
or internally. Because different parts of a network perform functions
that require different types and levels of protection, a global
security policy or port-based security is not granular enough to properly
secure each part of the network.
The solution is to segment the network into functional and organizational
zones to reduce the network’s attack surface (the portion of the
network and its traffic exposed to potential external and internal
attackers). You protect each zone by applying zone protection at the
zone borders and denial-of-service (DoS) protection to defend the
endpoints and resources in each security zone.