A screened subnet (often called a DMZ) is an isolated network segment that sits between an untrusted external network like the internet and a trusted internal LAN, with firewalls controlling traffic on both sides so public-facing servers can be reached without exposing internal systems.
A screened subnet is a chunk of your network walled off from both the outside internet and your private internal network. You'll also hear it called a DMZ (demilitarized zone). The idea is simple: anything that needs to talk to the public, like a web server or email server, goes here instead of inside your trusted LAN.
Two firewall checkpoints make it work. One firewall sits between the internet and the screened subnet, and another sits between the screened subnet and the internal LAN. So even if an adversary breaks into a server in the screened subnet, they're still stuck behind a second firewall before they can reach anything sensitive. It's a form of network segmentation built specifically for things you have to expose to outsiders.
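The two-checkpoint design can be made concrete with a small policy model. The following is an added example written for this page, not code from the study guide or from any firewall product: it models the external firewall (internet to screened subnet) and the internal firewall (screened subnet to LAN) as default-deny rule sets and evaluates which checkpoint stops a given flow. The address ranges are constructed (documentation prefixes for the internet and DMZ, 10.10.0.0/16 for the LAN), the rules are assumptions chosen to match the text, and the model is stateless, so it does not track return traffic the way a real firewall would.

```python
"""Model of a screened subnet (DMZ) guarded by two default-deny firewalls.

Added example for the screened-subnet topic; addresses and rules are
constructed for illustration and are not a real site's configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan for the three zones.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),    # public-facing web and mail servers
    "lan": ip_network("10.10.0.0/16"),    # trusted internal network
}


def zone_of(addr: str) -> str:
    """Classify an address as dmz, lan, or (anything else) internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int


class Firewall:
    """First matching rule wins; no match means the packet is dropped."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = list(rules)

    def permits(self, pkt: Packet) -> bool:
        sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
        for r in self.rules:
            if r.src_zone == sz and r.dst_zone == dz and r.dst_port in (None, pkt.dst_port):
                return r.action == "allow"
        return False   # default deny


# Firewall 1 sits between the internet and the screened subnet.
EXTERNAL_FW = Firewall("external", [
    Rule("internet", "dmz", 443, "allow"),    # HTTPS to the public web server
    Rule("internet", "dmz", 25, "allow"),     # SMTP to the public mail server
    Rule("dmz", "internet", None, "allow"),   # DMZ hosts may talk outward
    Rule("lan", "internet", None, "allow"),   # LAN browsing passes through here too
])

# Firewall 2 sits between the screened subnet and the internal LAN.
INTERNAL_FW = Firewall("internal", [
    Rule("lan", "dmz", 22, "allow"),          # admins manage DMZ hosts from inside
    Rule("lan", "internet", None, "allow"),
    Rule("dmz", "lan", None, "deny"),         # nothing in the DMZ initiates into the LAN
])

# Zones in physical order; a flow crosses every boundary between its endpoints.
ORDER = {"internet": 0, "dmz": 1, "lan": 2}


def path(pkt: Packet) -> List[Firewall]:
    """Return the firewalls a packet must cross, outermost first."""
    a, b = ORDER[zone_of(pkt.src)], ORDER[zone_of(pkt.dst)]
    lo, hi = sorted((a, b))
    crossed = []
    if lo <= 0 < hi:
        crossed.append(EXTERNAL_FW)   # crosses the internet|dmz boundary
    if lo <= 1 < hi:
        crossed.append(INTERNAL_FW)   # crosses the dmz|lan boundary
    return crossed


def first_blocking_firewall(pkt: Packet) -> Optional[str]:
    """Name of the checkpoint that drops the packet, or None if it gets through."""
    for fw in path(pkt):
        if not fw.permits(pkt):
            return fw.name
    return None


def is_allowed(pkt: Packet) -> bool:
    return first_blocking_firewall(pkt) is None


if __name__ == "__main__":
    scenarios = {
        "visitor -> web server HTTPS": Packet("203.0.113.7", "192.0.2.10", 443),
        "visitor -> web server SSH": Packet("203.0.113.7", "192.0.2.10", 22),
        "visitor -> internal database": Packet("203.0.113.7", "10.10.5.20", 3306),
        "hacked web server -> internal database": Packet("192.0.2.10", "10.10.5.20", 3306),
        "admin workstation -> web server SSH": Packet("10.10.5.20", "192.0.2.10", 22),
    }
    for label, pkt in scenarios.items():
        blocked = first_blocking_firewall(pkt)
        print(f"{label:40s} {'allowed' if blocked is None else 'dropped by ' + blocked + ' firewall'}")
```

The scenario to study is the compromised web server reaching for the internal database: it never touches the external firewall at all, so only the internal firewall's default-deny stance stops the pivot. If a real deployment needed that flow, it would be added as one narrowly scoped allow rule (one source host, one destination host, one port) and everything else from the DMZ would stay blocked.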
This term lives in Unit 3: Securing Networks, under topic 3.1 Network Vulnerabilities and Attacks. It directly supports AP Cybersecurity 3.1.B, which asks you to explain how adversaries exploit network vulnerabilities to steal, disrupt, or destroy communication. EK 3.1.B.1 says networks without firewalls (or with badly configured ones) are wide open to flooding, mapping, and spoofing attacks, and a screened subnet is one of the answers to that problem. It also ties into AP Cybersecurity 3.1.C, since putting public servers in a DMZ limits how far an attacker can move laterally to reach critical systems (EK 3.1.C.1).
Network Segmentation (Unit 3)
A screened subnet is segmentation with a job description. Segmentation is the general idea of splitting a network into zones; the screened subnet is the specific zone you carve out for public-facing servers so a breach there doesn't spill into your LAN.
Lateral Movement and Compromised Devices (Unit 3)
EK 3.1.B.2 says adversaries who compromise one device try to pivot to others on the LAN. The whole point of a screened subnet is to box in a hacked public server so that second firewall stops the pivot cold.
DoS Attack (Unit 3)
EK 3.1.B.1 warns that adversaries flood networks to cause denial of service. If a DoS slams a server in the screened subnet, your internal LAN keeps running because it lives behind a separate firewall.
VLAN (Unit 3)
Both isolate traffic, but a VLAN separates devices logically on the same switch, while a screened subnet uses firewalls to create a true buffer zone between the internet and your trusted network.
Expect screened subnet (or DMZ) to show up in multiple-choice questions about defending a network or about where to place a public-facing server. A common stem describes a company that needs to host a website but keep internal databases safe, and the right answer puts the web server in a screened subnet behind firewalls. No released FRQ has used the term verbatim, but it fits the kind of mitigation question 3.1.C rewards, where you recommend a control to reduce risk from network attacks. If you're asked to explain a defense against lateral movement or against exposing internal systems, naming a screened subnet and explaining the two-firewall design earns the point.
A plain subnet is just a logical division of an IP address range, a way to organize and route traffic. A screened subnet is a security design: it's a subnet placed between firewalls specifically to isolate public-facing systems. Every screened subnet is a subnet, but not every subnet is screened.
A screened subnet, also called a DMZ, is a buffer network between the untrusted internet and your trusted internal LAN.
Two firewalls guard it, one facing the internet and one facing the internal network, so a breach in the DMZ doesn't reach sensitive systems.
Public-facing servers like web and email servers belong in the screened subnet, not inside the LAN.
It supports AP Cybersecurity 3.1.B and 3.1.C by limiting lateral movement and protecting confidentiality, integrity, and availability.
A screened subnet is a specific type of network segmentation, while a plain subnet is just a logical IP division with no security guarantee.
It's an isolated network segment, often called a DMZ, that sits between the internet and your internal LAN. Public-facing servers go there, and firewalls on both sides control traffic so a breach doesn't reach your trusted systems.
Yes. Screened subnet and DMZ (demilitarized zone) are two names for the same concept, a buffer zone between an untrusted external network and a trusted internal one.
A regular subnet is just a logical division of an IP address range for organizing traffic. A screened subnet adds firewalls to create a security buffer for public-facing servers, so it's a defensive design, not just an addressing choice.
If an attacker compromises a server in the DMZ, a second firewall still blocks them from reaching the internal LAN. That stops the lateral movement described in EK 3.1.B.2, where adversaries pivot from one hacked device to more sensitive ones.
Yes, it's relevant to Unit 3, topic 3.1. Be ready to recognize it as a defense in multiple-choice questions and to recommend it when asked how to host public servers while protecting internal systems.