A small company is redesigning its network for a public web application. The web front end must be reachable from the internet, but the database should never be exposed directly to external or general user traffic. Which architecture is the best choice?
This separates the internet-facing system from the sensitive backend. The DMZ limits exposure of the web server, while the database remains inaccessible from external networks and is reachable only over tightly filtered application ports from the web tier.
Why this answer
Option B is correct because it implements a layered security architecture: the web server resides in a DMZ (demilitarized zone) where it is reachable from the internet, while the database is placed in a private internal subnet with strict firewall rules that only allow the required application traffic (e.g., TCP port 3306 for MySQL or 1433 for MSSQL) from the web server. This ensures the database is never directly exposed to external or general user traffic, reducing the attack surface and preventing direct internet-based attacks on the database.
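To make the "strict firewall rules" concrete, the following is an added nftables ruleset for the firewall sitting between the DMZ and the internal subnet; it is an illustration written for this explanation, not configuration taken from the question. The interface names dmz0 and lan0 and the addresses 10.0.10.10 (web server) and 10.0.20.5 (database) are constructed placeholders.

```nft
# Forwarding policy between the DMZ (dmz0) and the internal subnet (lan0).
# Default policy is drop, so anything not explicitly listed never reaches
# the database tier, including scans from other DMZ hosts.
table inet internal_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions the web tier already opened.
        ct state established,related accept

        # The only permitted new connection: web server -> database, MySQL port.
        # Replace 3306 with 1433 for MSSQL; nothing else from the DMZ is allowed.
        iifname "dmz0" oifname "lan0" \
            ip saddr 10.0.10.10 ip daddr 10.0.20.5 \
            tcp dport 3306 ct state new accept

        # Everything else is logged and dropped, which makes unexpected
        # DMZ-to-internal attempts visible to the SOC.
        log prefix "internal_fw drop: " drop
    }
}
```

Note that no rule allows traffic from the internet-facing side to 10.0.20.5 at all; the database is reachable only over the single filtered application port from the web tier, which is exactly what Option B describes.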
Exam trap
The trap here is twofold. Candidates may assume that host-based firewalls are sufficient for isolation inside a shared subnet (Option A), or they may believe that placing the database in the DMZ simplifies routing (Option C). Both overlook the principle of defense in depth and the need to keep sensitive data stores off the internet-facing network segment.
How to eliminate wrong answers
Option A is wrong because placing both the web server and database in the same internal subnet exposes the database to any compromise of the web server or any internal host, and host firewalls alone are insufficient to prevent lateral movement or internal scanning. Option C is wrong because placing the database in the DMZ directly exposes it to the internet, defeating the purpose of isolation and making it vulnerable to direct attacks from external sources.