CompTIA CASP+ (CAS-003) — Question 365
A network engineer is attempting to design-in resiliency characteristics for an enterprise network's VPN services.
If the engineer wants to help ensure some resilience against zero-day vulnerabilities exploited against the VPN implementation, which of the following decisions would BEST support this objective?
Answer options
- A. Implement a reverse proxy for VPN traffic that is defended and monitored by the organization's SOC with near-real-time alerting to administrators.
- B. Subscribe to a managed service provider capable of supporting the mitigation of advanced DDoS attacks on the enterprise's pool of VPN concentrators.
- C. Distribute the VPN concentrators across multiple systems at different physical sites to ensure some backup services are available in the event of primary site loss.
- D. Employ a second VPN layer concurrently where the other layer's cryptographic implementation is sourced from a different vendor.
Correct answer: D
Explanation
D is correct. A zero-day against a VPN implementation is a flaw in one vendor's code, so every concentrator running that code falls to the same exploit. Running two tunnel layers concurrently, with the second layer's cryptographic implementation sourced from a different vendor, means a single exploit strips at most one layer; the traffic stays protected until the attacker also holds an independent zero-day for the other vendor's code. The resilience comes from implementation diversity (defense in depth), not merely from having a second device.

A improves detection and response time, but the SOC can only alert on what it recognizes, and the exploit still lands on the same vulnerable VPN code. B addresses availability against DDoS, not exploitation of the VPN software. C provides availability redundancy, but if every site runs the same implementation the same zero-day compromises all of them.
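The following is an added example, not part of the exam page, that models why option D beats option C. Two tunnel layers are stacked, each with its own key and its own "vendor" primitive family; a zero-day against one vendor is modelled as the attacker being able to strip any layer built by that vendor. The two stream ciphers are constructed here from hashlib/hmac for illustration only and are not production cryptography; the vendor names, key sizes and sample payload are assumptions.

```python
"""Model of layered VPN encryption with heterogeneous implementations.
Constructed example: the ciphers are toy stand-ins built from hashlib/hmac,
not production-grade primitives."""
import hashlib
import hmac
import os
import struct


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def _vendor_a_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # "Vendor A" (assumed name): HMAC-SHA256 in counter mode as a keystream.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _vendor_b_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # "Vendor B" (assumed name): SHAKE-256 XOF over key||nonce, a different primitive family.
    return hashlib.shake_256(key + nonce).digest(length)


# Each vendor ships its own keystream generator and its own MAC hash.
VENDORS = {
    "A": (_vendor_a_keystream, hashlib.sha256),
    "B": (_vendor_b_keystream, hashlib.sha3_256),
}


class TunnelLayer:
    """One tunnel layer: encrypt-then-MAC with its own key and its vendor's primitives."""

    NONCE_LEN = 12
    TAG_LEN = 32

    def __init__(self, vendor: str, key: bytes):
        self.vendor = vendor
        self.keystream_fn, self.hash_fn = VENDORS[vendor]
        # Separate keys for confidentiality and integrity, derived from the layer key.
        self.enc_key = hashlib.sha256(key + b"enc").digest()
        self.mac_key = hashlib.sha256(key + b"mac").digest()

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(self.NONCE_LEN)
        ct = _xor(plaintext, self.keystream_fn(self.enc_key, nonce, len(plaintext)))
        tag = hmac.new(self.mac_key, nonce + ct, self.hash_fn).digest()
        return nonce + ct + tag

    def open(self, packet: bytes) -> bytes:
        nonce = packet[:self.NONCE_LEN]
        ct = packet[self.NONCE_LEN:-self.TAG_LEN]
        tag = packet[-self.TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, self.hash_fn).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"vendor {self.vendor} layer: authentication failed")
        return _xor(ct, self.keystream_fn(self.enc_key, nonce, len(ct)))


def build_stack(outer_vendor: str, inner_vendor: str):
    """Two concurrent layers, outermost first, each with an independent random key."""
    return TunnelLayer(outer_vendor, os.urandom(32)), TunnelLayer(inner_vendor, os.urandom(32))


def send(outer: TunnelLayer, inner: TunnelLayer, plaintext: bytes) -> bytes:
    return outer.seal(inner.seal(plaintext))


def receive(outer: TunnelLayer, inner: TunnelLayer, packet: bytes) -> bytes:
    return inner.open(outer.open(packet))


def zero_day_attack(packet: bytes, layers, broken_vendor: str) -> bytes:
    """Model a zero-day in one vendor's VPN code: the attacker can strip every layer
    built by that vendor (treated as full key disclosure) but none from the other.
    Returns the deepest data the attacker reaches, walking outermost layer first."""
    data = packet
    for layer in layers:
        if layer.vendor != broken_vendor:
            break  # exploit does not apply to this implementation; attacker is stopped
        data = layer.open(data)
    return data


def homogeneous_vs_heterogeneous(plaintext: bytes) -> dict:
    """Compare what a single vendor-A zero-day yields against a same-vendor stack
    (option C, replicated identical implementation) and a two-vendor stack (option D)."""
    same = build_stack("A", "A")
    mixed = build_stack("A", "B")
    return {
        "same_vendor_twice": zero_day_attack(send(*same, plaintext), same, "A"),
        "two_vendors": zero_day_attack(send(*mixed, plaintext), mixed, "A"),
    }
```

Against the same-vendor stack the single exploit walks through both layers and returns the plaintext; against the two-vendor stack it stops at the inner layer and returns only that layer's ciphertext (nonce, encrypted bytes and tag). A vendor-B zero-day against the A-outside/B-inside stack gains nothing at all, because the outer layer is not even strippable.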