nerdexam
(ISC)2

CISSP · Question #1534

Hotspot Question In the network design below, where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to the Internet and aut

The correct answer is where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to the Internet and authorized enterprise services?: LAN 4. The most secure LAN segment to deploy a Wireless Access Point for contractors requiring Internet and authorized enterprise service access is the Demilitarized Zone (DMZ), which is LAN 4, situated between two firewalls.

Submitted by jaden.t· Mar 5, 2026Communication and Network Security

Question

Hotspot Question In the network design below, where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to the Internet and authorized enterprise services? Answer:

Exhibit

CISSP question #1534 exhibit

Answer Area

  • where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to the Internet and authorized enterprise services?LAN 4
    LAN 1LAN 2LAN 3LAN 4

Explanation

The most secure LAN segment to deploy a Wireless Access Point for contractors requiring Internet and authorized enterprise service access is the Demilitarized Zone (DMZ), which is LAN 4, situated between two firewalls.

Approach. The correct interaction is to select 'LAN 4' in the diagram. This segment represents a Demilitarized Zone (DMZ), which is a common and secure architectural pattern for placing publicly accessible services or services that need to be accessed by less trusted entities (like contractors) while still protecting the more sensitive internal network.

Here's why LAN 4 is the most secure and appropriate choice:

  1. Dual Firewall Protection: LAN 4 is sandwiched between two firewalls. The first firewall protects it from the raw Internet, and the second firewall protects the internal enterprise network (LAN 1 and LAN 2) from LAN 4. This creates a secure buffer zone.
  2. Controlled Access: Placing the WAP in LAN 4 allows for granular control over contractor access. The first firewall can manage Internet access for contractors. Crucially, the second firewall can be configured with strict rules to only permit contractors access to specific authorized enterprise services on LAN 1 or LAN 2, blocking access to all other internal resources (like the Database Server on LAN 2).
  3. Isolation from Core Assets: If the WAP or a contractor device connected to it were compromised, the breach would be contained within LAN 4. The attacker would still need to bypass the second, internal firewall to reach critical internal servers like the Ecommerce Server (LAN 1) or the Database Server (LAN 2), significantly increasing the security posture compared to placing it directly on an internal LAN.

Common mistakes.

  • common_mistake. 1. Selecting LAN 1 (Ecommerce Server) or LAN 2 (Database Server): These are internal segments hosting critical enterprise assets. Placing a contractor WAP directly on these segments would expose them to direct threats from contractor devices, bypassing the primary security benefits of network segmentation and firewalls. This is highly insecure, especially for a Database Server, which typically holds the most sensitive data.
  1. Selecting LAN 3 (DNS Server): While LAN 3 is behind the first firewall, it appears to be a perimeter segment directly connected to the Internet-facing firewall. It lacks the additional layer of protection for internal enterprise services that a DMZ (LAN 4) provides. If a WAP in LAN 3 were compromised, it might directly impact the DNS server or pose a threat to the first firewall without the additional isolation offered by the DMZ's inner firewall.
  • alternative_reasoning. Placing the WAP in an internal LAN directly exposes sensitive data and applications. Placing it in a perimeter LAN without the added protection of a DMZ for internal resource access still presents a higher risk and less control than a properly segmented DMZ.

Concept tested. Network segmentation, Demilitarized Zone (DMZ) implementation, firewall placement, and security best practices for network architecture, specifically regarding guest/contractor access and critical asset protection.

Topics

#Network design#Wireless security#Network segmentation#WAP deployment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice