Cisco Secure VPN Exam Certification Guide - Cisco Press
Chapter Glossary 293
Chapter Glossary
The following terms were introduced in this chapter or have special significance to the topics within this chapter.
eXtended AUTHentication (XAUTH) XAUTH permits Cisco VPN Client systems to be authenticated by TACACS+ or RADIUS external servers during IKE Phase 1 negotiations when establishing an IPSec secure tunnel. When XAUTH is configured on the VPN Client, the user of that device is prompted for a username and password, which must be authenticated by the remote authentication server before the IPSec tunnel can be established.
firewall Device or software package designated as a buffer between any connected public networks and a private network. A firewall uses access lists and other methods to ensure the security of the private network.
Generic Routing Encapsulation (GRE) Tunneling protocol developed by Cisco that can encapsulate a variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment.
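To make the GRE definition concrete, the following Python example (added here; it is not code from the book or from Cisco) builds a minimal IPv4-in-IPv4 GRE packet the way a tunnel end point would, and then validates and strips the outer headers the way the far end point would. It uses the basic RFC 2784 GRE header with no optional fields, a 20-byte outer IPv4 header, and constructed sample addresses and payload; the inner packet here is a constructed IPv4 header plus a byte string rather than a real UDP datagram.

```python
import struct

GRE_IP_PROTOCOL = 47       # IANA protocol number carried in the outer IP header for GRE
ETHERTYPE_IPV4 = 0x0800    # GRE "protocol type" value meaning the payload is an IPv4 packet

# Constructed sample values for the demo (not from the book): a branch host talking to a
# head-end host through a tunnel between two router outside addresses.
INNER_SRC, INNER_DST = "10.1.1.5", "10.2.2.7"
TUNNEL_SRC, TUNNEL_DST = "198.51.100.1", "203.0.113.1"
PAYLOAD = b"constructed inner payload bytes"


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,          # version 4, IHL 5 (20 bytes)
        0,                     # TOS
        20 + payload_len,      # total length
        0, 0,                  # identification, flags/fragment offset
        64,                    # TTL
        protocol,
        0,                     # checksum placeholder, filled in below
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IP packet in a 4-byte GRE header (RFC 2784, no optional fields)
    and an outer IPv4 header addressed to the far tunnel end point."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # C=0, reserved, version 0
    gre_payload = gre_header + inner_packet
    outer = build_ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTOCOL, len(gre_payload))
    return outer + gre_payload


def gre_decapsulate(packet: bytes) -> bytes:
    """Check the outer IPv4 and GRE headers and return the inner packet, or raise ValueError."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:        # a valid header sums to zero
        raise ValueError("bad outer IPv4 header checksum")
    if packet[9] != GRE_IP_PROTOCOL:
        raise ValueError("outer protocol is not GRE")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags_ver & 0x8000:
        raise ValueError("GRE checksum option present; not handled by this example")
    if proto != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[ihl + 4:total_len]


def is_gre_ipv4(packet: bytes) -> bool:
    """Convenience predicate: True if gre_decapsulate() accepts the packet."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


def demo():
    """Build a constructed inner packet, tunnel it, and return (inner, tunneled)."""
    inner = build_ipv4_header(INNER_SRC, INNER_DST, 17, len(PAYLOAD)) + PAYLOAD
    return inner, gre_encapsulate(inner, TUNNEL_SRC, TUNNEL_DST)


if __name__ == "__main__":
    inner, tunneled = demo()
    print(len(inner), "->", len(tunneled), "bytes; recovered:", gre_decapsulate(tunneled) == inner)
```

The 24 bytes of overhead (20 outer IPv4 plus 4 GRE) are why the inner addresses can stay private while the outer addresses are routable: intermediate routers only see a protocol-47 packet between the two tunnel end points. Note that GRE itself adds no confidentiality or integrity protection, which is why the book pairs it with IPSec.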
head-end End point of a broadband network. All stations transmit toward the head-end; the head-end then transmits toward the destination stations.
Internet Assigned Numbers Authority (IANA) Organization operated under the auspices of the Internet Society (ISOC) as a part of the Internet Architecture Board (IAB). IANA delegates authority for IP address-space allocation and domain-name assignment to the InterNIC and other organizations. IANA also maintains a database of assigned protocol identifiers used in the TCP/IP stack, including autonomous system numbers.
split tunneling The ability to direct packets over the Internet in clear text while simultaneously encrypting other packets through an IPSec tunnel. The VPN server provides either a list of networks whose traffic must be tunneled or a list of networks whose traffic must not be tunneled. You enable split tunneling on the VPN Client and configure the network list on the VPN server, such as the VPN concentrator.
stateful firewall Denies or permits WAN traffic based on a session’s state. Packets relating to dialogs initiated from within the firewall are permitted passage through the firewall, while those initiating from outside the firewall are denied passage through the firewall.
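The split-tunneling and stateful-firewall entries above describe two decisions a VPN client makes for every packet: does this destination go through the IPSec tunnel or in clear text, and, for clear-text traffic, is this packet part of a dialog the client started? The following Python model (added here; not code from the book, from Cisco, or from the VPN Client) implements both with a network list in either include or exclude mode and a session table keyed on the 5-tuple. The scenario, addresses and packets are constructed, and the model makes one simplifying assumption: tunneled traffic is handed straight to IPSec and only clear-text traffic passes through the stateful check.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; outbound=True means the client is sending it."""
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool


class SplitTunnelPolicy:
    """Network list from the VPN server: either the networks that MUST be tunneled
    ("include") or the networks that must NOT be tunneled ("exclude")."""

    def __init__(self, networks, mode):
        if mode not in ("include", "exclude"):
            raise ValueError("mode must be 'include' or 'exclude'")
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.mode = mode

    def should_tunnel(self, peer: str) -> bool:
        listed = any(ipaddress.ip_address(peer) in n for n in self.networks)
        return listed if self.mode == "include" else not listed


class StatefulFirewall:
    """Tracks dialogs the client initiated; inbound packets are permitted only
    when they are the reverse of a recorded outbound session."""

    def __init__(self):
        self.sessions = set()

    def permit(self, pkt: Packet) -> bool:
        if pkt.outbound:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.sessions


class VpnClient:
    """Decides, per packet, whether it goes through the IPSec tunnel, in clear
    text past the stateful firewall, or is dropped."""

    def __init__(self, policy: SplitTunnelPolicy, firewall: StatefulFirewall):
        self.policy = policy
        self.firewall = firewall

    def handle(self, pkt: Packet) -> str:
        peer = pkt.dst if pkt.outbound else pkt.src
        if self.policy.should_tunnel(peer):
            return "tunnel"   # assumption of this model: tunneled traffic bypasses the clear-text firewall
        return "clear" if self.firewall.permit(pkt) else "drop"


def run_demo():
    """Constructed scenario: 10.0.0.0/8 is the head-end private network (include list)."""
    client = VpnClient(SplitTunnelPolicy(["10.0.0.0/8"], "include"), StatefulFirewall())
    traffic = [
        Packet("tcp", "172.16.5.20", 50001, "10.20.30.40", 445, outbound=True),    # corporate server
        Packet("tcp", "172.16.5.20", 50002, "93.184.216.34", 443, outbound=True),  # Internet HTTPS
        Packet("tcp", "93.184.216.34", 443, "172.16.5.20", 50002, outbound=False), # its reply
        Packet("tcp", "198.51.100.9", 40000, "172.16.5.20", 445, outbound=False),  # unsolicited probe
    ]
    return [client.handle(p) for p in traffic]


if __name__ == "__main__":
    print(run_demo())   # expected: ['tunnel', 'clear', 'clear', 'drop']
```

The last packet is the case the stateful firewall exists for: with split tunneling on, the client's Internet-facing interface is reachable in clear text while the tunnel is up, so anything not matching a client-initiated session must be refused. In exclude mode the same policy object inverts the list, which is how a "tunnel everything except the local LAN" configuration is expressed.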
Virtual Router Redundancy Protocol (VRRP) In installations of two or more VPN concentrators in a parallel (redundant) configuration, VRRP provides automatic switchover to a backup system when the primary system is out of service, thus ensuring user access to the VPN.
294 Chapter 6: Configuring the Cisco VPN Client Firewall Feature
Q&A
As mentioned in Chapter 1, “All About the Cisco Certified Security Professional,” these questions are more difficult than what you should experience on the CCSP exam. The questions do not attempt to cover more breadth or depth than the exam; however, the questions are designed to make sure you know the answer. Rather than allowing you to derive the answer from clues hidden inside the question itself, your understanding and recall of the subject are challenged. Questions from the “Do I Know This Already?” quiz from the beginning of the chapter are repeated here to ensure that you have mastered the chapter’s topic areas. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and guess!
1. You have a number of clients running Windows 98 and a remote VPN 3002 Hardware Concentrator assigned to the same group. Your supervisor wants you to force everyone on this group connecting to have a firewall running on his or her machine. Can you do this?
2. What firewalls can be used within the Custom Firewall option on the concentrator?
3. Where are the rules set for a client when using CPP with ZoneAlarm Pro?
4. What protocols are not automatically blocked when using the Stateful Firewall (Always On) feature?
Q&A 295
5. Why is CPP not used with the Tunnel Everything option?
6. How often does the VPN Client poll the personal firewall when using AYT?
7. How is the Always On option set on the VPN Client?
8. Where is CPP configured?
9. What debug classes are used when creating a rule with the following options:
   a. Drop
   b. Drop and Log
   c. Forward
   d. Forward and Log
   e. Apply IPSec
   f. Apply IPSec and Log
10. By default, what IP address and wildcard mask does VRRP use?
11. How do you allow clients to use either of two firewalls? What is the only vendor you can do this with?
12. You are using CPP and pushing a policy to a firewall at the client. The client’s firewall allows FTP access. The concentrator’s policy does not allow FTP access. Is FTP access allowed?
13. You are using BlackICE as a client firewall. You are presently connected through the VPN. What happens if you stop the service running BlackICE? Does the VPN remain connected? If so, for how long? Can you connect again if BlackICE is not running?
14. On the VPN Client, where do you see the current compression used for a VPN connection?
15. While configuring a filter, you want to apply this filter to all protocols. What number do you use?
16. When using the VPN Client, what ICMP should be set?
17. What authentication methods are allowed with the VPN Client?
18. What types of key management can the VPN Client use?
19. In addition to IPSec, what tunneling protocols does the VPN Client support?
20. Which two products from Zone Labs work with the VPN Client to enable the Are You There (AYT) capability?
21. You want to have secure VPN connections to the private network of the head-end concentrator and unsecured communications to the Internet. How would you configure the VPN Client’s Stateful Firewall feature to support this split tunneling?