A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?
- A
Place all three services in the same DMZ subnet and use host-based firewalls to restrict traffic.
Why wrong: Host-based firewalls can be misconfigured, disabled by an attacker with local privileges, or bypassed; a single subnet provides no network-level isolation, so a compromised web server has a direct Layer 2 path to the database.
- B
Create two DMZ subnets: one for the web server and API gateway, and another for the database server.
Why wrong: The web server and API gateway share a subnet, so any firewall rule that lets the API gateway reach the database is scoped to that shared subnet and applies to the web server as well. A compromised web server therefore has the same network path to the database as the API gateway, and web-to-API traffic never crosses the firewall at all.
- C
Place the web server in a DMZ subnet, the API gateway in a separate DMZ subnet, and the database server on the internal network.
Why wrong: Placing the database on the internal network requires a rule that lets a DMZ host reach an internal segment, so a compromised API gateway gains a foothold inside the trust boundary alongside corporate systems. It also exposes the database to internal threats and forces the DMZ-to-internal firewall to pass database traffic it cannot inspect when that traffic is encrypted.
- D
Create three separate DMZ subnets: one for the web server, one for the API gateway, and one for the database server, with firewall rules allowing only required traffic.
Why right: This provides defense in depth. Each tier sits in its own segment, and the firewall permits only the required flows (Internet to web server on the HTTPS port, web server to API gateway, API gateway to database) with everything else denied by default. A compromise of the web server yields no network path to the database, and a compromise of the API gateway yields no path to the internal network.
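The following Python model, added here as an illustration and not part of the original question, evaluates a zone-based, default-deny rule set against the option D topology and against the option B topology (web server and API gateway sharing a subnet). Traffic between two hosts in the same zone is treated as locally switched, so it never reaches the firewall and is always allowed. The subnets, host addresses and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permit rule on a zone-based firewall (reply traffic is assumed
    to be handled by connection tracking, so only client->server is listed)."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


def zone_of(ip, subnets):
    """Map an address to its zone; anything outside the DMZ subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for zone, net in subnets.items():
        if addr in net:
            return zone
    return "internet"


def allowed(subnets, rules, src_ip, dst_ip, proto, dport):
    """Default-deny evaluation of a single flow."""
    src_zone, dst_zone = zone_of(src_ip, subnets), zone_of(dst_ip, subnets)
    # Hosts on the same subnet talk through the switch, not the firewall,
    # so no segment-level rule can restrict them.
    if src_zone == dst_zone and src_zone != "internet":
        return True
    return any(
        r.src_zone == src_zone and r.dst_zone == dst_zone
        and r.proto == proto and r.dport == dport
        for r in rules
    )


def exposure(subnets, rules, hosts, ports=(443, 8443, 5432)):
    """List every (src_role, dst_role, port) flow the topology permits
    between the named hosts; this is the lateral-movement surface."""
    flows = []
    for s_role, s_ip in hosts.items():
        for d_role, d_ip in hosts.items():
            if s_role == d_role:
                continue
            for p in ports:
                if allowed(subnets, rules, s_ip, d_ip, "tcp", p):
                    flows.append((s_role, d_role, p))
    return sorted(flows)


# Option D: three DMZ subnets, one per tier (constructed addresses).
SUBNETS_D = {
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "api": ipaddress.ip_network("10.10.2.0/24"),
    "db": ipaddress.ip_network("10.10.3.0/24"),
}
HOSTS_D = {"web": "10.10.1.10", "api": "10.10.2.10", "db": "10.10.3.10"}
RULES_D = [
    Rule("internet", "web", "tcp", 443),   # public HTTPS to the web tier
    Rule("web", "api", "tcp", 8443),       # web tier to API gateway only
    Rule("api", "db", "tcp", 5432),        # API gateway to database only
]

# Option B: web server and API gateway share one subnet ("front").
SUBNETS_B = {
    "front": ipaddress.ip_network("10.10.1.0/24"),
    "db": ipaddress.ip_network("10.10.3.0/24"),
}
HOSTS_B = {"web": "10.10.1.10", "api": "10.10.1.20", "db": "10.10.3.10"}
RULES_B = [
    Rule("internet", "front", "tcp", 443),
    Rule("front", "db", "tcp", 5432),      # meant for the API gateway...
]


if __name__ == "__main__":
    print("Option D exposure:", exposure(SUBNETS_D, RULES_D, HOSTS_D))
    print("Option B exposure:", exposure(SUBNETS_B, RULES_B, HOSTS_B))
```

Running the model shows the difference the question is testing: under option D the only permitted inter-tier flows are web to API on 8443 and API to database on 5432, while under option B the rule intended for the API gateway also lets the web server open connections to the database, and web-to-API traffic is unrestricted on every port because it never crosses the firewall.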