Which statement reflects that only established inbound connections are allowed into the network?

• A. All inbound connections should be allowed if from trusted sources.
• B. The firewall should permit only established connections into the internal network and deny any inbound connections not associated with a previously established session.
• C. Inbound connections should be allowed from any IP address.
• D. Establishing connections is optional if credentials are valid.

Answer: (B)

Stateful filtering at the network perimeter is the key idea. A firewall that uses stateful inspection tracks whether a connection has been established and only allows traffic that belongs to that existing session. This means inbound traffic is permitted only if it’s part of a previously established connection, and any inbound attempt that isn’t tied to such a session is blocked. This approach reduces the attack surface by preventing unsolicited inbound connections from reaching internal systems, which is a fundamental security principle in PCI DSS.

Other options break this protection either by trusting sources without verification, allowing inbound traffic from any IP, or relying on credentials alone without ensuring the connection itself was established. Blanket trust or credential-based access without enforcing the session state would open the network to unsolicited or misused connections.