CISSP · Question #1228
An information technology (IT) employee who travels frequently to various countries remotely connects to an organization's resources to troubleshoot problems. Which of the following solutions BEST ser
The correct answer is D. Install a bastion host in the demilitarized zone (DMZ) and allow multi-factor authentication (MFA). This question tests knowledge of secure remote access architectures for traveling employees. A bastion host with MFA provides a hardened, centrally controlled entry point that doesn't rely on predictable IP addresses or insecure third-party tools.
Question
An information technology (IT) employee who travels frequently to various countries remotely connects to an organization's resources to troubleshoot problems. Which of the following solutions BEST serves as a secure control mechanism to meet the organization's requirements?
Options
- AUpdate the firewall rules to include the static Internet Protocol (IP) addresses of the locations
- BInstall a third-party screen sharing solution that provides remote connection from a public website.
- CImplement a Dynamic Domain Name Services (DDNS) account to initiate a virtual private network
- DInstall a bastion host in the demilitarized zone (DMZ) and allow multi-factor authentication (MFA)
How the community answered
(20 responses)- A10% (2)
- B25% (5)
- C5% (1)
- D60% (12)
Why each option
This question tests knowledge of secure remote access architectures for traveling employees. A bastion host with MFA provides a hardened, centrally controlled entry point that doesn't rely on predictable IP addresses or insecure third-party tools.
A traveling employee connecting from multiple countries will use dynamic, frequently changing IP addresses, making static IP-based firewall rules impractical, unmanageable, and insecure as they would require constant updates or overly broad rules.
Third-party screen sharing solutions hosted on public websites introduce uncontrolled attack surfaces, may lack enterprise-grade encryption or auditing, and represent a shadow IT risk that bypasses organizational security policies.
DDNS maps dynamic IPs to a hostname but does not itself initiate or secure a VPN; without proper endpoint authentication and access controls, a DDNS-initiated VPN still lacks the hardened access control and MFA enforcement needed to be the best secure solution.
A bastion host deployed in the DMZ acts as a hardened, single point of entry for remote administrative access, isolating internal resources from direct external exposure. Requiring MFA adds a critical second layer of authentication, ensuring that even compromised credentials alone cannot grant access. This architecture is vendor-agnostic, location-independent, and aligns with zero-trust and defense-in-depth security principles for traveling users connecting from dynamic IPs worldwide.
Concept tested: Secure remote access via bastion host and MFA
Source: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/infrastructure/regulated-multitier-app#bastion-host
Topics
Community Discussion
No community discussion yet for this question.