The network segment labeled LAN 4 represents a Demilitarized Zone (DMZ), which is a perimeter network located between two firewalls. A DMZ is the most secure location to deploy services for less-trusted users, such as contractors, because it isolates their traffic from the highly secured internal network (LAN 2). Placing the Wireless Access Point (WAP) in the DMZ allows contractors to access the Internet through the external firewall while the internal firewall can enforce strict rules, granting access only to specific, authorized enterprise services. This architecture upholds the principle of least privilege and protects critical assets on the internal network, such as the Database Server in LAN 2.

Stallings, W. (2017). Network Security Essentials: Applications and Standards (6th ed.). Pearson.

Reference: Chapter 9, Section 9.2, "Firewall Configurations," particularly the discussion on the "Screened Subnet Firewall System" (p. 297, Figure 9.5c). This section details the dual-firewall architecture where the DMZ is the isolated network between an external and internal firewall, which is the standard design for securely hosting systems that require external access without exposing the internal network.

Zwicky, E. D., Cooper, S., & Chapman, D. B. (2000). Building Internet Firewalls (2nd ed.). O'Reilly & Associates.

Reference: Chapter 6, "Firewall Architectures," specifically the section on "Screened Subnet" (pp. 138-142). This source describes the screened subnet (DMZ) as the canonical solution for allowing access from the Internet to selected hosts while protecting the internal network. Placing a WAP for semi-trusted users in this zone is a direct application of this principle.

Cheswick, W. R., Bellovin, S. M., & Rubin, A. D. (2003). Firewalls and Internet Security: Repelling the Wily Hacker (2nd ed.). Addison-Wesley Professional.

Reference: Chapter 4, "Firewall-Friendly Protocols and the DMZ." The chapter explains that the purpose of a DMZ is to create a "neutral zone" for machines that need to be accessible from the outside but should not be trusted on the internal network. This concept directly applies to creating a network segment for contractors.