A security architect is redesigning the network for a payment card processing environment. The goal is to create a cardholder data environment (CDE) that is isolated from the rest of the corporate network to reduce PCI DSS scope. The CDE will contain only the payment application servers and the database storing credit card numbers. The architect must allow authorized administrators in the corporate network to perform updates and monitoring on the CDE servers. Which of the following network architecture designs provides the strongest isolation while still meeting the requirement for authorized administrative access?

Place the CDE servers on a separate subnet within the same VLAN as the corporate network, and rely on host-based firewalls on each server to deny all traffic except from specific administrative IP addresses.

This design uses a shared VLAN and relies solely on host-based firewalls. A shared VLAN means the CDE servers are on the same Layer 2 broadcast domain as the corporate network; a network misconfiguration or compromised device could allow lateral traffic to bypass host firewalls. Host-based firewalls are less robust than network-level isolation, making this option insecure.

Place the CDE servers on a separate VLAN with a Layer 3 switch that uses ACLs to allow only ICMP traffic from the corporate network to the CDE for monitoring, and require administrators to physically connect to the CDE network via a dedicated console server.

While this uses VLAN separation, the ACL only permits ICMP, which is insufficient for administration (no SSH/RDP). Requiring physical console access is impractical for routine updates and monitoring, and it does not support remote management. This design fails to meet the business requirement.

Connect the CDE servers directly to the internet through a web application firewall (WAF), and require all management access to occur through a cloud-based VPN with two-factor authentication.

Directly connecting the CDE to the internet exposes it to external threats, even with a WAF. CDE servers should never be directly internet-facing. While a VPN adds encryption, the design violates the principle of network isolation required by PCI DSS, significantly increasing the attack surface.

What does this SY0-701 question test?

Access ports place end devices into a single VLAN.

What is the correct answer to this question?

The correct answer is: Deploy a dedicated firewall that connects the corporate network to an isolated CDE segment. Configure firewall rules to allow only SSH and RDP from a specific jump box in the corporate network to the CDE servers, and deny all other inbound traffic from the corporate network. — The most secure design for isolating a CDE while allowing authorized administrative access is to use a dedicated firewall between the corporate network and the CDE segment, and to enforce a jump box (bastion host) architecture. The dedicated firewall provides stateful inspection and strict access control lists, ensuring only necessary protocols (e.g., SSH, RDP) from the jump box are permitted into the CDE. This prevents direct access from administrative workstations and limits the attack surface. Option B correctly describes this approach. Option A is weaker because relying solely on host-based firewalls on the servers does not provide the same level of network segmentation; a compromised server could expose the CDE. Option C is overly restrictive by allowing only ICMP for monitoring and requiring physical console access for management, which is impractical and does not support remote administration. Option D exposes the CDE directly to the internet, which violates the principle of least connectivity and would significantly increase risk.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.