An online retailer is redesigning a network for a public web app. Customers must reach only the web tier from the internet. The web tier must reach the application tier, and the application tier must reach the database tier. Which two design changes best support this zoning model? Select two.
A DMZ exposes only the web tier to the internet while keeping internal systems off the public network.
Why this answer
Option B is correct because placing the internet-facing web tier in a DMZ (demilitarized zone) with tightly filtered inbound rules ensures that external users can reach only the web servers, while the DMZ network isolates those servers from the internal tiers. This aligns with the principle of defense in depth: the DMZ acts as a buffer zone, and the inbound rules (e.g., allowing only TCP/443 for HTTPS) minimize the attack surface. The web tier can then initiate outbound connections to the application tier through a firewall with specific allow-lists, maintaining strict segmentation between tiers.
Exam trap
The trap here is that candidates often treat a flat VLAN with host firewalls as sufficient segmentation. Host firewalls can be disabled or bypassed once an attacker gains local access to a host, whereas network-layer segmentation (e.g., a DMZ plus separate internal zones) provides a more robust security boundary that is harder to circumvent.