CISSP · Question #364
What is the BEST location in a network to place Virtual Private Network (VPN) devices when an internal review reveals network design flaws in remote access?
The correct answer is A. In a dedicated Demilitarized Zone (DMZ). VPN devices should be placed in a dedicated DMZ to enforce proper security boundaries between remote access traffic and the internal network. This design allows firewall inspection of VPN traffic before it reaches internal resources.
Question
Options
- AIn a dedicated Demilitarized Zone (DMZ)
- BIn its own separate Virtual Local Area Network (VLAN)
- CAt the Internet Service Provider (ISP)
- DOutside the external firewall
How the community answered
(22 responses)- A73% (16)
- B14% (3)
- C9% (2)
- D5% (1)
Why each option
VPN devices should be placed in a dedicated DMZ to enforce proper security boundaries between remote access traffic and the internal network. This design allows firewall inspection of VPN traffic before it reaches internal resources.
Placing VPN devices in a dedicated DMZ creates a security boundary where remote access traffic is isolated and inspected before being permitted into the internal network. The DMZ architecture allows the firewall to enforce granular access control policies on decrypted VPN traffic, preventing a compromised remote client from directly accessing internal resources. This is a security best practice that separates untrusted remote traffic from trusted internal segments.
Placing VPN devices in a separate VLAN still keeps them logically within the internal network boundary without a proper firewall enforcement point between remote users and internal resources, offering weaker segmentation than a DMZ.
Placing VPN devices at the ISP relinquishes control of the VPN infrastructure to a third party, introduces trust and compliance risks, and does not provide the organization with the ability to enforce its own security policies on remote access traffic.
Placing VPN devices outside the external firewall exposes them directly to the internet with no protective filtering, leaving the VPN endpoints vulnerable to attack before any organizational security controls are applied.
Concept tested: Optimal VPN placement using DMZ architecture
Source: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz
Topics
Community Discussion
No community discussion yet for this question.