---
title: "Screened Subnet — AP Cybersecurity Definition & Exam Guide"
description: "A screened subnet (DMZ) is a buffer network between the internet and your internal LAN, guarded by firewalls. Learn how it defends against the attacks in Unit 3."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/screened-subnet"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 3"
---

# Screened Subnet — AP Cybersecurity Definition & Exam Guide

## Definition

A screened subnet (often called a DMZ) is an isolated network segment that sits between an untrusted external network like the internet and a trusted internal LAN, with firewalls controlling traffic on both sides so public-facing servers can be reached without exposing internal systems.

## What It Is

A **screened subnet** is a chunk of your network walled off from both the outside internet and your private [internal network](/ap-cybersecurity/unit-3/protecting-networks-firewalls/study-guide/12y7V1SN54RlPrQELNJa "fv-autolink"). You'll also hear it called a **DMZ** ([demilitarized zone](/ap-cybersecurity/unit-3/protecting-networks-segmentation/study-guide/aN5LZLgHojJwIT4AvjWS "fv-autolink")). The idea is simple: anything that needs to talk to the public, like a web server or email server, goes here instead of inside your trusted LAN.

Two [firewall](/ap-cybersecurity/key-terms/firewall "fv-autolink") checkpoints make it work. One firewall sits between the internet and the screened subnet, and another sits between the screened subnet and the internal LAN. So even if an adversary breaks into a server in the screened subnet, they're still stuck behind a second firewall before they can reach anything sensitive. It's a form of network segmentation built specifically for things you have to expose to outsiders.

## Why It Matters

This term lives in **[Unit 3](/ap-cybersecurity/unit-3 "fv-autolink"): Securing Networks**, under topic **3.1 Network Vulnerabilities and Attacks**. It directly supports **[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 3.1.B**, which asks you to explain how adversaries exploit network vulnerabilities to steal, disrupt, or destroy communication. EK 3.1.B.1 says networks without firewalls (or with badly configured ones) are wide open to flooding, mapping, and spoofing attacks, and a screened subnet is one of the answers to that problem. It also ties into **AP Cybersecurity 3.1.C**, since putting public servers in a DMZ limits how far an attacker can move laterally to reach critical systems (EK 3.1.C.1).

## Connections

### [Network Segmentation (Unit 3)](/ap-cybersecurity/key-terms/network-segmentation)

A screened subnet is segmentation with a job description. Segmentation is the general idea of splitting a network into zones; the screened subnet is the specific zone you carve out for public-facing servers so a breach there doesn't spill into your LAN.

### Lateral Movement and Compromised Devices (Unit 3)

EK 3.1.B.2 says [adversaries](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97 "fv-autolink") who compromise one device try to pivot to others on the LAN. The whole point of a screened subnet is to box in a hacked public server so that second firewall stops the pivot cold.

### [DoS Attack (Unit 3)](/ap-cybersecurity/key-terms/dos-attack)

EK 3.1.B.1 warns that adversaries flood networks to cause [denial of service](/ap-cybersecurity/key-terms/denial-of-service "fv-autolink"). If a DoS slams a server in the screened subnet, your internal LAN keeps running because it lives behind a separate firewall.

### [VLAN (Unit 3)](/ap-cybersecurity/key-terms/vlan)

Both isolate traffic, but a [VLAN](/ap-cybersecurity/key-terms/vlan "fv-autolink") separates devices logically on the same switch, while a screened subnet uses firewalls to create a true buffer zone between the internet and your trusted network.

## On the AP Exam

Expect screened subnet (or DMZ) to show up in multiple-choice questions about defending a network or about where to place a public-facing server. A common stem describes a company that needs to host a website but keep internal databases safe, and the right answer puts the web server in a screened subnet behind firewalls. No released FRQ has used the term verbatim, but it fits the kind of mitigation question 3.1.C rewards, where you recommend a control to reduce risk from network attacks. If you're asked to explain a defense against lateral movement or against exposing internal systems, naming a screened subnet and explaining the two-firewall design earns the point.

## screened subnet vs subnet

A plain subnet is just a logical division of an IP address range, a way to organize and route traffic. A screened subnet is a security design: it's a subnet placed between firewalls specifically to isolate public-facing systems. Every screened subnet is a subnet, but not every subnet is screened.

## Key Takeaways

- A screened subnet, also called a DMZ, is a buffer network between the untrusted internet and your trusted internal LAN.
- Two firewalls guard it, one facing the internet and one facing the internal network, so a breach in the DMZ doesn't reach sensitive systems.
- Public-facing servers like web and email servers belong in the screened subnet, not inside the LAN.
- It supports AP Cybersecurity 3.1.B and 3.1.C by limiting lateral movement and protecting confidentiality, integrity, and availability.
- A screened subnet is a specific type of network segmentation, while a plain subnet is just a logical IP division with no security guarantee.

## FAQs

### What is a screened subnet in cybersecurity?

It's an isolated network segment, often called a DMZ, that sits between the internet and your internal LAN. Public-facing servers go there, and firewalls on both sides control traffic so a breach doesn't reach your trusted systems.

### Is a screened subnet the same thing as a DMZ?

Yes. Screened subnet and DMZ (demilitarized zone) are two names for the same concept, a buffer zone between an untrusted external network and a trusted internal one.

### How is a screened subnet different from a regular subnet?

A regular subnet is just a logical division of an IP address range for organizing traffic. A screened subnet adds firewalls to create a security buffer for public-facing servers, so it's a defensive design, not just an addressing choice.

### Why does putting a server in a screened subnet stop attackers?

If an attacker compromises a server in the DMZ, a second firewall still blocks them from reaching the internal LAN. That stops the lateral movement described in EK 3.1.B.2, where adversaries pivot from one hacked device to more sensitive ones.

### Do I need to know screened subnet for the AP Cybersecurity exam?

Yes, it's relevant to Unit 3, topic 3.1. Be ready to recognize it as a defense in multiple-choice questions and to recommend it when asked how to host public servers while protecting internal systems.

## Related Study Guides

- [3.1 Network Vulnerabilities and Attacks](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/screened-subnet#resource","name":"Screened Subnet — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/screened-subnet","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/screened-subnet#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:32.732Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/screened-subnet#term","name":"screened subnet","description":"A screened subnet (often called a DMZ) is an isolated network segment that sits between an untrusted external network like the internet and a trusted internal LAN, with firewalls controlling traffic on both sides so public-facing servers can be reached without exposing internal systems.","url":"https://fiveable.me/ap-cybersecurity/key-terms/screened-subnet","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.1, LO 3.1.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.1, LO 3.1.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.1, LO 3.1.C"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is a screened subnet in cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's an isolated network segment, often called a DMZ, that sits between the internet and your internal LAN. Public-facing servers go there, and firewalls on both sides control traffic so a breach doesn't reach your trusted systems."}},{"@type":"Question","name":"Is a screened subnet the same thing as a DMZ?","acceptedAnswer":{"@type":"Answer","text":"Yes. Screened subnet and DMZ (demilitarized zone) are two names for the same concept, a buffer zone between an untrusted external network and a trusted internal one."}},{"@type":"Question","name":"How is a screened subnet different from a regular subnet?","acceptedAnswer":{"@type":"Answer","text":"A regular subnet is just a logical division of an IP address range for organizing traffic. A screened subnet adds firewalls to create a security buffer for public-facing servers, so it's a defensive design, not just an addressing choice."}},{"@type":"Question","name":"Why does putting a server in a screened subnet stop attackers?","acceptedAnswer":{"@type":"Answer","text":"If an attacker compromises a server in the DMZ, a second firewall still blocks them from reaching the internal LAN. That stops the lateral movement described in EK 3.1.B.2, where adversaries pivot from one hacked device to more sensitive ones."}},{"@type":"Question","name":"Do I need to know screened subnet for the AP Cybersecurity exam?","acceptedAnswer":{"@type":"Answer","text":"Yes, it's relevant to Unit 3, topic 3.1. Be ready to recognize it as a defense in multiple-choice questions and to recommend it when asked how to host public servers while protecting internal systems."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 3","item":"https://fiveable.me/ap-cybersecurity/unit-3"},{"@type":"ListItem","position":4,"name":"screened subnet"}]}]}
```
