When does a DMZ make sense?

• A. When a stateful firewall is available
• B. When all users are on VPN
• C. When only wireless networks are used
• D. When no firewall is deployed

Answer: (A)

A DMZ makes sense as a buffer zone to host Internet-facing services while protecting the internal network. It creates a separate segment so public servers (like a web or mail server) can be accessed from the Internet without granting direct access to internal systems. A stateful firewall is essential for this setup because it enforces rules and tracks connection state across the three zones: Internet, DMZ, and the trusted internal network. With a stateful firewall, you can allow only the necessary traffic to reach DMZ hosts (for example, specific ports) and block direct access from the Internet to the inside. Without any firewall, that boundary isn’t enforced and the DMZ loses its security benefit. The other scenarios—VPN-only access, purely wireless networks, or having no firewall—don’t inherently justify or enable a DMZ.