Mock Exam Part 2: Security Architecture and Infrastructure

Welcome to Mock Exam Part 2, targeting Security+ Domain 3: Security Architecture (18% of the exam). This domain tests your ability to apply security controls to network and cloud infrastructure designs, understand segmentation and isolation strategies, evaluate protocol security, and recommend appropriate architectures for given scenarios. Architectural questions often present a network diagram or system description and ask you to identify the missing control, the vulnerable configuration, or the best design choice. Read each scenario carefully and identify the key architectural element being tested before selecting your answer.

Question: A company hosts a public web server and an internal database server. The security team wants to ensure that if the web server is compromised, attackers cannot directly access the internal database. What network design achieves this?

Answer: Place the web server in a DMZ (Demilitarized Zone) separated from the internal network by a second firewall. A DMZ uses two firewalls: the outer firewall separates the internet from the DMZ, and the inner firewall separates the DMZ from the internal network. Even if the web server is fully compromised, the inner firewall blocks direct access to the internal database — the attacker must break through a second firewall. Placing both servers in the same network segment removes this protection. A single firewall with different ports for web and database traffic is insufficient — a compromised web server can reach database ports from the same segment.