CompTIA Security+ (SY0-601) — Question 396
An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate data center that houses confidential information. There is a firewall at the internet border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the following is the weakest design element?
Answer options
- A. The DLP appliance should be integrated into a NGFW.
- B. Split-tunnel connections can negatively impact the DLP appliance's performance.
- C. Encrypted VPN traffic will not be inspected when entering or leaving the network.
- D. Adding two hops in the VPN tunnel may slow down remote connections.
Correct answer: C
Explanation
The correct answer is C because the DLP appliance sits in front of the VPN server, so the VPN traffic it sees is still encrypted and cannot be inspected; potential threats or confidential data can therefore enter or leave the network undetected. Option A is incorrect because integrating the DLP appliance into an NGFW would, if anything, enhance security rather than weaken the design. Option B is not the weakest point, since split tunneling affects performance but does not by itself compromise security. Option D may introduce latency, but it does not weaken the security design as significantly as the lack of traffic inspection.