CompTIA CASP+ (CAS-004) — Question 58
An organization's existing infrastructure includes site-to-site VPNs between datacenters. In the past year, a sophisticated attacker exploited a zero-day vulnerability on the VPN concentrator. Consequently, the Chief Information Security Officer (CISO) is making infrastructure changes to mitigate the risk of service loss should another zero-day exploit be used against the VPN solution.
Which of the following designs would be BEST for the CISO to use?
Answer options
- A. Adding a second redundant layer of alternate vendor VPN concentrators
- B. Using Base64 encoding within the existing site-to-site VPN connections
- C. Distributing security resources across VPN sites
- D. Implementing IDS services with each VPN concentrator
- E. Transitioning to a container-based architecture for site-based services
Correct answer: A
Explanation
Option A is the best choice because a second, redundant layer of VPN concentrators from a different vendor removes the single point of failure: a zero-day exploit against one vendor's product is unlikely to affect the other vendor's, so site-to-site connectivity can continue even while the compromised layer is taken down and patched. The other options either do not address the risk of a zero-day exploit at all (Base64 encoding adds no security, and distributing security resources does not protect the VPN itself) or do not provide the redundancy needed to prevent service loss (IDS services can detect an attack but do not keep the link up, and containerizing site services does not change the VPN's exposure).