firewall. A firewall is the device that commonly separates a network into security zones and applies policy between those zones. IPS devices inspect traffic for threats, but they are not primarily zone boundary devices. Access points provide wireless access, and switches provide Layer 2 or Layer 3 forwarding, but neither is the standard answer for zone-based security segmentation. Cisco CCNA 200-301 v1.1 Security Fundamentals expects engineers to know that firewalls enforce policy between trusted, untrusted, DMZ, and other security zones. The corrected answer is firewall. In real deployments, firewall rules determine which traffic may cross from one zone to another and often perform stateful inspection while doing so.
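The zone-to-zone policy and stateful inspection described above, as a small added model (not from the original page and not any vendor's implementation). The zone names follow the explanation; the rule set, addresses, and the intra-zone permit are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed policy: (source zone, destination zone) -> allowed (protocol, dst port).
# Any zone pair or service not listed here is denied by default.
POLICY = {
    ("trusted", "untrusted"): {("tcp", 443), ("udp", 53)},
    ("trusted", "dmz"): {("tcp", 443), ("tcp", 22)},
    ("untrusted", "dmz"): {("tcp", 443)},
}

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class ZoneFirewall:
    sessions: set = field(default_factory=set)  # flows opened by a permitted packet

    def decide(self, p: Packet) -> str:
        # Assumption of this model: traffic that stays inside one zone is not filtered.
        if p.src_zone == p.dst_zone:
            return "permit (intra-zone)"
        flow = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        # Stateful inspection: a reply passes only if it mirrors a tracked session.
        reply_of = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reply_of in self.sessions:
            return "permit (established)"
        if (p.proto, p.dst_port) in POLICY.get((p.src_zone, p.dst_zone), set()):
            self.sessions.add(flow)
            return "permit (policy)"
        return "deny"

def demo():
    """Run three constructed packets through one firewall instance."""
    fw = ZoneFirewall()
    out = Packet("trusted", "untrusted", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443)
    back = Packet("untrusted", "trusted", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000)
    stray = Packet("untrusted", "trusted", "tcp", "203.0.113.10", 443, "10.0.0.9", 51000)
    return [fw.decide(out), fw.decide(back), fw.decide(stray)]

if __name__ == "__main__":
    print(demo())
```

The reply from the untrusted zone is permitted only because the trusted host opened the session first; the same packet addressed to a host with no session falls through to the default deny.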