nerdexam
(ISC)2

CISSP · Question #364

What is the BEST location in a network to place Virtual Private Network (VPN) devices when an internal review reveals network design flaws in remote access?

The correct answer is A. In a dedicated Demilitarized Zone (DMZ). VPN devices should be placed in a dedicated DMZ to enforce proper security boundaries between remote access traffic and the internal network. This design allows firewall inspection of VPN traffic before it reaches internal resources.

Submitted by tarun92· Mar 5, 2026Communication and Network Security

Question

What is the BEST location in a network to place Virtual Private Network (VPN) devices when an internal review reveals network design flaws in remote access?

Options

  • AIn a dedicated Demilitarized Zone (DMZ)
  • BIn its own separate Virtual Local Area Network (VLAN)
  • CAt the Internet Service Provider (ISP)
  • DOutside the external firewall

How the community answered

(22 responses)
  • A
    73% (16)
  • B
    14% (3)
  • C
    9% (2)
  • D
    5% (1)

Why each option

VPN devices should be placed in a dedicated DMZ to enforce proper security boundaries between remote access traffic and the internal network. This design allows firewall inspection of VPN traffic before it reaches internal resources.

AIn a dedicated Demilitarized Zone (DMZ)Correct

Placing VPN devices in a dedicated DMZ creates a security boundary where remote access traffic is isolated and inspected before being permitted into the internal network. The DMZ architecture allows the firewall to enforce granular access control policies on decrypted VPN traffic, preventing a compromised remote client from directly accessing internal resources. This is a security best practice that separates untrusted remote traffic from trusted internal segments.

BIn its own separate Virtual Local Area Network (VLAN)

Placing VPN devices in a separate VLAN still keeps them logically within the internal network boundary without a proper firewall enforcement point between remote users and internal resources, offering weaker segmentation than a DMZ.

CAt the Internet Service Provider (ISP)

Placing VPN devices at the ISP relinquishes control of the VPN infrastructure to a third party, introduces trust and compliance risks, and does not provide the organization with the ability to enforce its own security policies on remote access traffic.

DOutside the external firewall

Placing VPN devices outside the external firewall exposes them directly to the internet with no protective filtering, leaving the VPN endpoints vulnerable to attack before any organizational security controls are applied.

Concept tested: Optimal VPN placement using DMZ architecture

Source: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz

Topics

#VPN placement#DMZ#Network architecture#Remote access

Community Discussion

No community discussion yet for this question.

Full CISSP Practice