nerdexam
(ISC)2

CISSP · Question #1228

An information technology (IT) employee who travels frequently to various countries remotely connects to an organization's resources to troubleshoot problems. Which of the following solutions BEST ser

The correct answer is D. Install a bastion host in the demilitarized zone (DMZ) and allow multi-factor authentication (MFA). This question tests knowledge of secure remote access architectures for traveling employees. A bastion host with MFA provides a hardened, centrally controlled entry point that doesn't rely on predictable IP addresses or insecure third-party tools.

Submitted by diego_uy· Mar 5, 2026Communication and Network Security

Question

An information technology (IT) employee who travels frequently to various countries remotely connects to an organization's resources to troubleshoot problems. Which of the following solutions BEST serves as a secure control mechanism to meet the organization's requirements?

Options

  • AUpdate the firewall rules to include the static Internet Protocol (IP) addresses of the locations
  • BInstall a third-party screen sharing solution that provides remote connection from a public website.
  • CImplement a Dynamic Domain Name Services (DDNS) account to initiate a virtual private network
  • DInstall a bastion host in the demilitarized zone (DMZ) and allow multi-factor authentication (MFA)

How the community answered

(20 responses)
  • A
    10% (2)
  • B
    25% (5)
  • C
    5% (1)
  • D
    60% (12)

Why each option

This question tests knowledge of secure remote access architectures for traveling employees. A bastion host with MFA provides a hardened, centrally controlled entry point that doesn't rely on predictable IP addresses or insecure third-party tools.

AUpdate the firewall rules to include the static Internet Protocol (IP) addresses of the locations

A traveling employee connecting from multiple countries will use dynamic, frequently changing IP addresses, making static IP-based firewall rules impractical, unmanageable, and insecure as they would require constant updates or overly broad rules.

BInstall a third-party screen sharing solution that provides remote connection from a public website.

Third-party screen sharing solutions hosted on public websites introduce uncontrolled attack surfaces, may lack enterprise-grade encryption or auditing, and represent a shadow IT risk that bypasses organizational security policies.

CImplement a Dynamic Domain Name Services (DDNS) account to initiate a virtual private network

DDNS maps dynamic IPs to a hostname but does not itself initiate or secure a VPN; without proper endpoint authentication and access controls, a DDNS-initiated VPN still lacks the hardened access control and MFA enforcement needed to be the best secure solution.

DInstall a bastion host in the demilitarized zone (DMZ) and allow multi-factor authentication (MFA)Correct

A bastion host deployed in the DMZ acts as a hardened, single point of entry for remote administrative access, isolating internal resources from direct external exposure. Requiring MFA adds a critical second layer of authentication, ensuring that even compromised credentials alone cannot grant access. This architecture is vendor-agnostic, location-independent, and aligns with zero-trust and defense-in-depth security principles for traveling users connecting from dynamic IPs worldwide.

Concept tested: Secure remote access via bastion host and MFA

Source: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/infrastructure/regulated-multitier-app#bastion-host

Topics

#Remote access security#Bastion host#DMZ#Multi-factor authentication (MFA)

Community Discussion

No community discussion yet for this question.

Full CISSP Practice