An enterprise relies on a single perimeter firewall to protect its internal network. During a threat-modeling exercise, the security architect must decide whether this control is sufficient against advanced persistent threats (APTs) that frequently use zero-day exploits, phishing, and lateral movement. Which statement BEST justifies why one firewall alone is inadequate in this scenario?
Advanced adversaries can employ application-layer attacks, encrypted tunnels, and insider compromise to bypass or avoid perimeter filtering; layered controls such as IDS/IPS, endpoint protection, and network segmentation reduce this risk.
Next-generation firewalls automatically adapt their rules to any new threat, eliminating the need for additional security controls.
Modern stateful firewalls add latency that conflicts with IDS sensors, so an additional firewall is required only to improve performance.
Perimeter firewalls cannot process any IPv6 traffic, leaving the network wholly exposed to IPv6-borne threats.
Defense-in-depth principles assume that any single control can fail. A lone perimeter firewall cannot inspect all traffic types (for example, encrypted tunnels), cannot detect insider-initiated attacks, and offers no redundancy. Sophisticated adversaries routinely bypass or evade perimeter filtering through application-layer exploits, tunneling, or social-engineering-driven compromise. Complementary controls-such as IDS/IPS, endpoint protection, network segmentation, and continuous monitoring-provide additional visibility and containment, significantly reducing the risk of successful infiltration.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is a single firewall not enough for advanced threats?
Open an interactive chat with Bash
What is network segmentation and how does it help against attacks?
Open an interactive chat with Bash
What additional tools complement a firewall in a layered defense?