One year after DigiNotar breach, Fox-IT details extent of compromise

31.10.2012
The 2011 security breach at Dutch certificate authority (CA) DigiNotar resulted in an extensive compromise and was facilitated in part by shortcomings in the company's network segmentation and firewall configuration, according to Fox-IT, the security company contracted by the Dutch government to investigate the incident.

"The DigiNotar network was divided into 24 different internal network segments," Fox-IT said in its report, published earlier this week by the Dutch Ministry of Interior and Kingdom Relations. "An internal and external Demilitarized Zone (DMZ) separated most segments of the internal network from the Internet. The zones were not strictly described or enforced and the firewall contained many rules that specified exceptions for network traffic between the various segments."

The DigiNotar security breach occurred in July 2011 and resulted in a hacker using the company's certificate authority (CA) infrastructure to issue hundreds of rogue digital certificates for high-profile domains, including one for google.com that was later used in a mass surveillance attack against Internet users in Iran. After the incident became public, browser and operating system developers revoked their trust in the certificates and the company filed for bankruptcy.

The breach was significant because it raised questions about the security and trustworthiness of the public key infrastructure (PKI) in its current form, which led to various technical proposals that promise to reduce the impact of certificate authority compromises and prevent the use of rogue digital certificates. There are currently hundreds of certificate authorities trusted by default in Web browsers and operating systems, and all of them can issue valid digital certificates for any domain on the Internet.

The attacker's original points of entry into the DigiNotar network were two Web servers that hosted public websites running on outdated and vulnerable versions of DotNetNuke, a Web content management system. These Web servers were located in the company's external Demilitarized Zone.

The intruder then leveraged the existing firewall rules to access and compromise servers in other network segments -- first from a segment called Office-net and then from a segment called Secure-net, which housed the certificate authority servers used for issuing digital certificates.
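The chain of segment-to-segment exceptions Fox-IT describes is something a defender can check mechanically: treat each firewall "allow" rule as an edge and ask which segments become reachable from a foothold in the external DMZ. The example below is added here and is not from the Fox-IT report; the segment names DMZ-ext, Office-net and Secure-net follow the article, while DMZ-int, Admin-net and every rule are constructed assumptions.

```python
# Added example (not from the Fox-IT report): model a segmented network as the
# set of firewall "allow" exceptions between segments, then compute which
# segments an intruder holding the external DMZ could reach by chaining them.
# Segment names follow the article; the rules themselves are constructed.
from collections import deque

# (source_segment, destination_segment, service) -- constructed sample rules.
# This set mirrors the pattern the report criticises: exceptions that let
# traffic hop from the external DMZ through Office-net into Secure-net.
LEAKY_RULES = [
    ("Internet", "DMZ-ext", "http"),
    ("DMZ-ext", "Office-net", "smb"),     # exception for a file share
    ("Office-net", "Secure-net", "rdp"),  # exception for admin convenience
    ("Office-net", "DMZ-int", "http"),
    ("DMZ-int", "Secure-net", "https"),
]

# A stricter set (assumed): neither DMZ may initiate traffic toward Office-net
# or Secure-net; only a dedicated admin segment (Admin-net) reaches Secure-net.
STRICT_RULES = [
    ("Internet", "DMZ-ext", "http"),
    ("Office-net", "DMZ-int", "http"),
    ("Admin-net", "Secure-net", "rdp"),
]

def reachable_paths(rules, start):
    """Breadth-first walk over allow rules; returns {segment: path_from_start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for src, dst, svc in rules:
            if src == seg and dst not in paths:
                paths[dst] = paths[seg] + [f"{dst} ({svc})"]
                queue.append(dst)
    return paths

def audit(rules, foothold="DMZ-ext", crown_jewel="Secure-net"):
    """Return the hop-by-hop path from the foothold to the sensitive segment,
    or None when the rule set allows no such chain."""
    return reachable_paths(rules, foothold).get(crown_jewel)

if __name__ == "__main__":
    print("leaky :", " -> ".join(audit(LEAKY_RULES) or ["no path"]))
    print("strict:", " -> ".join(audit(STRICT_RULES) or ["no path"]))
```

Run against a real rule export, the same walk flags every multi-hop route from an Internet-facing segment to the CA segment, which is the condition segmentation is supposed to rule out.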