NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-7(1) — Physically Separated Subnetworks
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Publicly accessible systems (web servers, email gateways) must sit on a physically separate subnetwork from your internal systems. This is the classic DMZ architecture.
Example 1: Place your public web server on a DMZ segment with its own firewall interface. The firewall allows inbound HTTP/HTTPS from the internet to the DMZ but blocks all direct traffic from the internet to the internal network. The web server can make limited, specific connections to internal databases.
Example 2: Put your email gateway (Exchange Edge Transport or a Barracuda appliance) in the DMZ. Internet email flows into the DMZ, the gateway scans for malware and spam, then forwards clean mail to the internal Exchange server. No external mail server ever touches your internal network directly.
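The two examples above describe the same pattern: a default-deny firewall with a small number of explicit allow rules between three zones (internet, DMZ, internal), and no rule at all that lets internet traffic reach the internal zone directly. The following Python model is an added illustration written for this page, not code from the control text or from any firewall vendor; the zone subnets, host addresses and the database port (1433) are constructed assumptions. It evaluates sample flows against the policy and includes the audit check a reviewer would want: confirm that no allow rule spans internet to internal.

```python
"""Zone-based firewall policy model for the DMZ design described above.

Added example with constructed values: the subnets, hosts and ports are
assumptions for illustration, not values from a real deployment.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

# Constructed zone addressing (assumption): each zone is its own subnet
# on its own firewall interface. "internet" is everything not claimed by
# a more specific zone.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),       # documentation range, constructed
    "internal": ip_network("10.10.0.0/16"),  # constructed
}

# Constructed hosts (assumption)
WEB_SERVER = ip_address("192.0.2.10")
MAIL_GATEWAY = ip_address("192.0.2.25")
INTERNAL_DB = ip_address("10.10.5.20")
INTERNAL_EXCHANGE = ip_address("10.10.5.30")


def zone_of(addr: str) -> str:
    """Return the zone name for an address using longest-prefix match."""
    ip = ip_address(addr)
    for name, net in sorted(ZONES.items(),
                            key=lambda kv: kv[1].prefixlen, reverse=True):
        if ip in net:
            return name
    raise ValueError(f"{addr} belongs to no zone")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str = "allow"
    src_host: Optional[IPv4Address] = None  # None = any host in src_zone
    dst_host: Optional[IPv4Address] = None  # None = any host in dst_zone

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (zone_of(src) == self.src_zone
                and zone_of(dst) == self.dst_zone
                and port == self.dst_port
                and (self.src_host is None or ip_address(src) == self.src_host)
                and (self.dst_host is None or ip_address(dst) == self.dst_host))


# Example 1: public web server in the DMZ, limited path to an internal DB.
# Example 2: mail gateway in the DMZ, forwards clean mail to internal Exchange.
# Everything not listed here is denied by evaluate().
POLICY: List[Rule] = [
    Rule("internet", "dmz", 80, dst_host=WEB_SERVER),
    Rule("internet", "dmz", 443, dst_host=WEB_SERVER),
    Rule("dmz", "internal", 1433, src_host=WEB_SERVER, dst_host=INTERNAL_DB),
    Rule("internet", "dmz", 25, dst_host=MAIL_GATEWAY),
    Rule("dmz", "internal", 25, src_host=MAIL_GATEWAY, dst_host=INTERNAL_EXCHANGE),
]


def evaluate(src: str, dst: str, port: int, policy: List[Rule] = POLICY) -> str:
    """First-match evaluation with an implicit default deny."""
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def audit_no_internet_to_internal(policy: List[Rule]) -> List[Rule]:
    """Return every allow rule that would let internet traffic reach the
    internal zone directly. For a correct DMZ design this list is empty."""
    return [r for r in policy
            if r.action == "allow"
            and r.src_zone == "internet" and r.dst_zone == "internal"]


if __name__ == "__main__":
    flows = [
        ("203.0.113.5", "192.0.2.10", 443),   # internet -> web server
        ("203.0.113.5", "10.10.5.20", 1433),  # internet -> internal DB
        ("192.0.2.10", "10.10.5.20", 1433),   # web server -> internal DB
        ("192.0.2.10", "10.10.5.30", 445),    # web server -> Exchange SMB
        ("192.0.2.25", "10.10.5.30", 25),     # mail gateway -> Exchange
    ]
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port} {evaluate(src, dst, port)}")
    print("internet->internal allow rules:", audit_no_internet_to_internal(POLICY))
```

The audit function is the part worth carrying into real reviews: a DMZ only satisfies the separation intent if the firewall policy contains no internet-to-internal allow rule at all, and that is a property you can check mechanically against an exported rule set rather than by reading rules one at a time.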