Your organization has implemented a virtual private network (VPN) that allows branch offices to connect to the main office. Recently, you have discovered that the key used on the VPN has been compromised. You need to ensure that the key is not compromised in the future. What should you do?
a. Enable PFS on the main office end of the VPN.
b. Implement IPsec on the main office end of the VPN.
c. Enable PFS on the main office and branch offices' ends of the VPN.
d. Implement IPsec on the main office and branch offices' ends of the VPN.
Answer: C. Explanation: You should enable perfect forward secrecy (PFS) on the main office and branch offices' ends of the VPN. PFS increases the security for a VPN because it ensures that the same key will not be generated by forcing a new key exchange. PFS ensures that a session key created from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. PFS depends on asymmetric or public key encryption. If you implement PFS, disclosure of the long-term secret keying information that is used to derive a single key does not compromise the previously generated keys. You should not implement IPsec because it does not protect against key compromise. While it does provide confidentiality for the VPN connection, the scenario specifically states that you needed to ensure that the key is not compromised.