312-50V10 · Question #120
Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly configures the firewall to allow access just to servers/ports, which can have direct internet access,
The correct answer is C. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations. A DMZ is a critical network security control that isolates public-facing servers from internal workstations, and its value is independent of whether the firewall is stateful or stateless.
Question
Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly configures the firewall to allow access just to servers/ports, which can have direct internet access, and block the access to workstations. Bob also concluded that DMZ makes sense just when a stateful firewall is available, which is not the case of TPNQM SA. In this context, what can you say?
Options
- ABob can be right since DMZ does not make sense when combined with stateless firewalls
- BBob is partially right. He does not need to separate networks if he can create rules by destination IPs,
- CBob is totally wrong. DMZ is always relevant when the company has internet servers and workstations
- DBob is partially right. DMZ does not make sense when a stateless firewall is available
How the community answered
(51 responses)- A22% (11)
- B8% (4)
- C67% (34)
- D4% (2)
Why each option
A DMZ is a critical network security control that isolates public-facing servers from internal workstations, and its value is independent of whether the firewall is stateful or stateless.
This is incorrect because a stateless firewall can still filter traffic between network segments using ACLs based on source/destination IP and port, making DMZ segmentation viable and beneficial even without stateful inspection.
Filtering by destination IP alone does not provide network-level isolation - if a public-facing server in the same flat network is compromised, an attacker can still reach internal workstations regardless of firewall rules.
Bob is entirely wrong on both points. A DMZ provides network segmentation that limits the blast radius of a compromised public-facing server - even a stateless firewall can enforce ACLs between DMZ and internal networks, providing meaningful isolation. Relying solely on firewall rules without a separate DMZ segment leaves internal workstations reachable from servers that have direct internet exposure, violating the principle of defense in depth.
DMZ is relevant regardless of firewall type because its primary purpose is network segmentation, not stateful connection tracking; a stateless firewall can still enforce the boundary between a DMZ and the internal network.
Concept tested: DMZ network segmentation relevance with stateless firewalls
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf
Topics
Community Discussion
No community discussion yet for this question.