Sim-Ex™ Practice Exams for CCST Cybersecurity: Practice questions

Firewall architectures

Home     Up     Next

Q1. You have clients and vendors accessing your intranet from the Internet. You want to provide security against intruders trying to access your internal network. Which of the following is most secure?

A. Bastion host

B. Screened host gateway

C. Screened subnet gateway (or DMZ)

D. Bastion gateway

Correct Answer: C


The following are the basic types of firewall architectures:
1. Bastion host
2. Screened host gateway
3. Screened subnet gateway or DMZ
1. Bastion host: A bastion host typically has two network cards, one connected to the Internet and the other to the internal network. A firewall or a proxy is installed on the bastion host providing separation of Internet from the internal network. It can also be a router providing NAT or something similar to it.
2. Screened host gateway: It is implemented with a router (Internet end) in series with a bastion host (acting as application gateway). The router filters the packets, and the application gateway routes the packets to appropriate host computers on the internal network and vice versa.
3. Screened subnet gateway (or DMZ): It includes two screened gateway devices, one each on either side of the bastion host. The arrangement involves two sebnets one on each side of the bastion host. The arrangement is also known as DMZ (De Militarized Zone). DMZ is considered most secure of the three discussed here since the internal network is separated by a DMZ.

Home     Up     Next

Disclaimer: is not affiliated with any certification vendor, and Sim-Ex™ Practice Exams are written independently by and not affiliated or authorized by respective certification providers. Sim-Ex™ is a trade mark of or entity representing™ is a trademark of Cisco® systems