Which type of firewall architecture places a firewall both before and after a DMZ?


Prepare for the WGU ITAS6291 D488 Cybersecurity Architecture and Engineering exam. Use flashcards and multiple-choice questions, each with explanations and guidance. Master your knowledge and excel in your exam!

The correct answer is the screened subnet architecture, which places a firewall both before and after a demilitarized zone (DMZ). This design enhances the security posture by creating a buffer zone (the DMZ) that isolates external-facing services, such as web servers and email servers, from the internal network. The two firewalls provide two distinct layers of security: one manages traffic entering the DMZ, and the other controls traffic flowing out to the internal network.

This layered approach provides several advantages: it helps to restrict unauthorized access to sensitive internal resources, mitigates risks from potential attacks targeting services in the DMZ, and allows more granular control over network traffic. Each firewall can have tailored policies specific to the types of traffic allowed, thereby improving overall network security.

In contrast, the other options do not specifically reflect this dual-firewall structure. A virtual public cloud (VPC) relates to cloud networking rather than to a firewall configuration. A virtual firewall is typically software-based and does not imply a specific architecture involving a DMZ. A cloud firewall usually provides security for services hosted in the cloud but does not inherently include the same layered architecture as a screened subnet. Thus, the screened subnet is the recognized architecture
