Boundary controls

Boundary controls are tools used to monitor and control the communications at the external boundary of an information system.

These controls are used to prevent and detect malicious and other unauthorised communications. Boundary controls include the use of boundary protection devices, for example gateways, routers, firewalls and guards.

Boundary controls can police the traffic coming in and out of an organisation and can help stop malicious code being introduced.

Here in the diagram you can see a system design which includes boundary controls. It illustrates two additional components in the DMZ: the mail gateway and the web gateway.

A gateway is a piece of hardware similar to a router except it can communicate using more than one protocol to connect multiple networks.

A mail gateway is a type of email server that protects an organisation’s or user’s internal email servers. It's designed to prevent unwanted email and deliver good email. Unwanted email includes spam, phishing attacks, malware or fraudulent content. Outgoing messages can be analysed to stop sensitive data from leaving the organisation or to automatically encrypt emails containing sensitive information.

A secure web gateway is a checkpoint that keeps unauthorised traffic from entering an organisation's network. The traffic that a secure web gateway governs is all inline—the gateway stands between all incoming and outgoing data. It stops malicious website traffic, viruses, and malware from entering the enterprise's system. The web gateway only allows users to access approved, secure websites—other sites are blocked.

These two gateways implement additional security controls and enforce additional policy measures. For example:

  • Antivirus scanning to examine web and email traffic, to detect and prevent viruses and other malware from entering the internal network.
  • Content filtering to examine traffic and remove unacceptable file types or content, such as prohibited executable code or pornography.
  • Whitelists or blacklists (these terms are deprecated and are subject to change) to define the websites that internal users can access and those they’re prohibited from.
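The access-list and content-filtering checks above can be sketched as a single gateway decision. This is an added example, not part of the original course material; the domain names, list contents and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy values for illustration only.
APPROVED_DOMAINS = {"example.org", "intranet.example.com"}
BLOCKED_DOMAINS = {"ads.example.org"}  # blocked entries win over approvals

# Leading bytes of executable formats the content filter removes.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}


def _matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def host_allowed(url):
    """Access-list check: only approved sites, minus explicitly blocked ones."""
    # urlsplit isolates the real host, so "approved.site@other.host" and
    # "approved.site.other.host" are not mistaken for the approved site.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or _matches(host, BLOCKED_DOMAINS):
        return False
    return _matches(host, APPROVED_DOMAINS)


def prohibited_type(body):
    """Content filter: identify executables by content, not by file name."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            return label
    return None


def gateway_decision(url, body):
    """Return (action, reason) for one response passing through the gateway."""
    if not host_allowed(url):
        return ("block", "site not on approved list")
    label = prohibited_type(body)
    if label:
        return ("block", "prohibited content: " + label)
    return ("allow", "passed access list and content filter")
```

Checking the leading bytes rather than the file extension means an executable renamed to `invoice.pdf` is still removed, and matching on the parsed hostname keeps look-alike hosts off the approved list.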

Diagram of Boundary controls showing the additional security offered by using gateways in the DMZ.

Figure 1: Boundary controls


In this step, you have explored the DMZ and seen some of the devices used to separate traffic and reduce risk using filtering, firewalls, gateways and other boundary controls. You will have noted that an up-to-date firewall policy can help direct traffic more safely and shut out unwanted users at source.

What other ways can a DMZ protect the organisation's network?

What's next?

Following on from DMZ and Boundary controls, in the next step you will be examining how best to protect data.


In this course you’ll take a deep dive into networks and communications controls, looking at Firewalls, DMZ and VPN among others.
