Correct answer is C)
Stronger Isolation: Dual-firewall DMZs provide a more robust defense-in-depth strategy. If attackers compromise a service in the first DMZ segment (e.g., the web server), they still encounter another firewall before reaching internal systems.
Enhanced Reconnaissance Resistance: This architecture makes it significantly harder for attackers to map the internal network. Even if they compromise a service in the first DMZ, they face limitations in their ability to scan for internal systems or services due to the second firewall.
Improved Compliance: Centralized monitoring and filtering of all outbound traffic can be effectively implemented within the proxy server located in the segmented DMZ zone. This ensures compliance with regulatory requirements.
Support for External Services: The architecture still allows for necessary external services (web, DNS, mail) to be accessible while maintaining a strong security posture.
A) Single Firewall with Minimal Port Openings: This approach relies heavily on obscurity, which is not a reliable security measure. Attackers can still perform port scans and potentially exploit vulnerabilities in the exposed services.
(security through obscurity: https://www.okta.com/identity-101/security-through-obscurity/)
B) Single Firewall with Outbound Filtering: While outbound filtering is crucial, relying solely on it for protection is insufficient. Compromised DMZ services can still be used for internal reconnaissance and attacks.
D) Containerization within a Single DMZ: While containerization can improve resource utilization and application isolation, it does not address the fundamental security concerns of a single-firewall DMZ. Attackers can still exploit vulnerabilities in the containerized services to gain access to the internal network.
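The point made above about the second firewall, that a compromised DMZ service still has to get past a separate rule set before it can touch or even enumerate internal hosts, can be checked with a small policy model. The following is an added example, not part of the original answer or of any product; the zones, host names, ports and rules are constructed for illustration. It models the dual-firewall layout as two first-match rule sets with default deny, evaluates a flow against every firewall on its path, and then reports what a host in the DMZ could still reach inside, and which hosts are allowed to initiate outbound connections at all.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology: three zones and the hosts in each (illustrative names).
ZONES = {
    "internet": {"client"},
    "dmz": {"web", "dns", "mail", "proxy"},
    "internal": {"db", "workstation", "fileserver"},
}


def zone_of(host: str) -> str:
    for zone, hosts in ZONES.items():
        if host in hosts:
            return zone
    raise KeyError(f"unknown host {host}")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str                # host name, zone name, or "any"
    dst: str
    proto: str              # "tcp", "udp", or "any"
    dport: Optional[int]    # None = any port
    allow: bool

    def matches(self, flow: Flow) -> bool:
        def endpoint_ok(pattern: str, host: str) -> bool:
            return pattern in ("any", host, zone_of(host))
        return (endpoint_ok(self.src, flow.src)
                and endpoint_ok(self.dst, flow.dst)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


class Firewall:
    """First-match rule set with an implicit default deny."""

    def __init__(self, name: str, rules):
        self.name = name
        self.rules = list(rules)

    def permits(self, flow: Flow) -> bool:
        for rule in self.rules:
            if rule.matches(flow):
                return rule.allow
        return False


# Outer firewall (internet <-> DMZ): only the published services are reachable
# from outside, and only the proxy may initiate connections outward.
OUTER = Firewall("outer", [
    Rule("internet", "web", "tcp", 80, True),
    Rule("internet", "web", "tcp", 443, True),
    Rule("internet", "dns", "udp", 53, True),
    Rule("internet", "mail", "tcp", 25, True),
    Rule("proxy", "internet", "tcp", 80, True),
    Rule("proxy", "internet", "tcp", 443, True),
])

# Inner firewall (DMZ <-> internal): the web tier may reach one database port;
# internal users reach the internet only via the DMZ proxy.
INNER = Firewall("inner", [
    Rule("web", "db", "tcp", 5432, True),
    Rule("internal", "proxy", "tcp", 3128, True),
    Rule("internal", "dns", "udp", 53, True),
])

# Which firewalls a flow crosses between two zones in the dual-firewall layout.
PATH = {
    ("internet", "dmz"): [OUTER], ("dmz", "internet"): [OUTER],
    ("dmz", "internal"): [INNER], ("internal", "dmz"): [INNER],
    ("internet", "internal"): [OUTER, INNER],
    ("internal", "internet"): [INNER, OUTER],
}


def path_allowed(flow: Flow) -> bool:
    """A flow is allowed only if every firewall on its path permits it."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return True  # same segment, no firewall in between (constructed assumption)
    return all(fw.permits(flow) for fw in PATH[(src_zone, dst_zone)])


def reachable_ports(src: str, dst: str, proto: str, ports) -> list:
    """Residual exposure of `dst` to a host at `src`: the ports a scan from a
    compromised `src` would still find open through the firewalls."""
    return sorted(p for p in ports if path_allowed(Flow(src, dst, proto, p)))


if __name__ == "__main__":
    scan = [22, 80, 443, 445, 3389, 5432]
    print("web -> fileserver:", reachable_ports("web", "fileserver", "tcp", scan))
    print("web -> db:", reachable_ports("web", "db", "tcp", scan))
    print("web -> internet:", reachable_ports("web", "client", "tcp", scan))
    print("workstation -> internet direct:", reachable_ports("workstation", "client", "tcp", scan))
```

Running it shows the two properties the answer relies on: a takeover of the web host yields nothing on the file server and only the single database port on the database host, and the web host cannot call out to the internet directly because the outer firewall's egress rules name only the proxy. That last point is also what makes the compliance argument work in practice: if every outbound path must pass through the proxy, that is the one place to log and filter it.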