A DMZ (Demilitarized Zone) is a physical or logical subnet that separates an internal local area network (LAN) from untrusted networks—typically the Internet. It allows an organization to provide external-facing services while isolating internal systems from direct exposure.
From CEH v13 Official Courseware:
Module 13: Hacking Web Applications
Module 14: Hacking Web Servers
Module 1: Introduction to Ethical Hacking – Security Architecture Concepts
CEH v13 clearly outlines:
“A DMZ is critical when deploying Internet-facing servers such as web servers, FTP servers, or mail servers. It provides a buffer zone that allows public access to specific resources while keeping the internal network isolated.”
Bob’s assumption is flawed for several reasons:
DMZs can be implemented even with stateless firewalls using strict access control rules; because a stateless filter tracks no connections, both directions of every permitted flow must be written explicitly, and deny rules for DMZ-to-internal traffic must be ordered ahead of any broad return-path allow.
Relying solely on IP-based filtering is error-prone and doesn’t offer layered defense.
A DMZ provides an essential layer of segmentation, protecting internal assets from compromised public servers.
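The following is an added illustrative model, not code from the CEH courseware, that shows why a DMZ still works behind a stateless filter and why rule ordering matters there. The addressing (192.0.2.0/24 as the DMZ, 10.10.0.0/16 as the LAN, a web server at 192.0.2.10 and a database at 10.10.5.20), the packet layouts and the two rulesets are constructed assumptions for the example. It contrasts a naive ruleset, whose return-path rule lets a compromised web server reach the LAN by sourcing packets from port 443, with a stricter one that whitelists the single required DMZ-to-LAN flow and denies the rest before the return-path allow.

```python
"""Stateless packet-filter model for a DMZ (illustrative example; not courseware code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List

# Constructed addressing for the example (assumption): documentation and private ranges.
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")      # DMZ subnet
LAN = ip_network("10.10.0.0/16")      # internal LAN
WEB = ip_network("192.0.2.10/32")     # public web server in the DMZ
DB = ip_network("10.10.5.20/32")      # internal database the web app needs
ALL_PORTS = range(0, 65536)
EPHEMERAL = range(1024, 65536)
HTTPS = range(443, 444)
POSTGRES = range(5432, 5433)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    sport: range
    dst: IPv4Network
    dport: range


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def pkt(src: str, sport: int, dst: str, dport: int) -> Packet:
    """Build a packet header from string addresses (constructed sample input)."""
    return Packet(ip_address(src), sport, ip_address(dst), dport)


def matches(rule: Rule, p: Packet) -> bool:
    return (p.src in rule.src and p.sport in rule.sport
            and p.dst in rule.dst and p.dport in rule.dport)


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped (default deny).
    No connection table is consulted, which is what makes the filter stateless."""
    for rule in rules:
        if matches(rule, p):
            return rule.action
    return "deny"


# Naive stateless ruleset: the return-path rule (web:443 -> anywhere) is needed
# because nothing tracks the inbound HTTPS session, but "anywhere" includes the
# LAN, so a compromised web server can source packets from port 443 toward LAN
# ephemeral ports and this ruleset passes them.
NAIVE_RULES = [
    Rule("allow", ANY, EPHEMERAL, WEB, HTTPS),
    Rule("allow", WEB, HTTPS, ANY, EPHEMERAL),
]

# Stricter ruleset: the one required DMZ->LAN flow (web -> database, both
# directions) is whitelisted first, an explicit DMZ->LAN deny follows, and only
# then come the public HTTPS rules. Order matters: move the deny below the
# return-path allow and the LAN is exposed again.
DMZ_RULES = [
    Rule("allow", WEB, EPHEMERAL, DB, POSTGRES),
    Rule("allow", DB, POSTGRES, WEB, EPHEMERAL),
    Rule("deny", DMZ, ALL_PORTS, LAN, ALL_PORTS),
    Rule("allow", ANY, EPHEMERAL, WEB, HTTPS),
    Rule("allow", WEB, HTTPS, ANY, EPHEMERAL),
]


if __name__ == "__main__":
    # A compromised web server trying to reach a LAN host from source port 443.
    probe = pkt("192.0.2.10", 443, "10.10.5.21", 50000)
    print("naive ruleset :", evaluate(NAIVE_RULES, probe))   # allow
    print("strict ruleset:", evaluate(DMZ_RULES, probe))     # deny
```

The probe packet is the practical caveat: on a stateful firewall it would be dropped as not belonging to any established session, but a stateless filter sees only headers, so the protection has to come from the explicit DMZ-to-LAN deny and its position in the ruleset.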
Incorrect Options:
A/D: A DMZ still makes sense with stateless firewalls if the rules are written explicitly for each direction of each permitted flow.
B: IP filtering is insufficient as a sole security measure; it does not replace the need for network segmentation.
References: CEH v13 Study Guide – Module 1 & 14, Topic: DMZ Design and Purpose; NIST SP 800-41 Rev. 1 – Guidelines on Firewalls and Firewall Policy.