Cisco Secure VPN Exam Certification Guide - Cisco press

Appendix A

Answers to the “Do I Know This Already?” Quizzes and Q&A Sections

Chapter 2—Do I Know This Already?

1. Which Cisco hardware product families support IPSec VPN technology?

Cisco IOS routers, PIX Firewalls, and VPN 3000 Series Concentrators, including the VPN 3002 Hardware Client, support IPSec VPN technology.

2. What are the two IPSec protocols?

The two IPSec protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP).

3. Which type of VPNs use a combination of the same infrastructures that are used by the other two types of VPNs?

Business-to-business, or extranet, VPNs use a combination of the same infrastructures that are used by remote access and intranet VPNs.

4. Which of the Cisco VPN 3000 Series Concentrators is a fixed-configuration device?

The Cisco VPN 3005 Concentrator is a fixed-configuration system that supports up to 100 simultaneous sessions.

5. What key element is contained in the AH or ESP packet header?

The key element contained in each protocol’s header is the Security Parameters Index (SPI), giving the destination peer the information that it needs to authenticate and decrypt the packet.

6. What are the two modes of operation for AH and ESP?

AH and ESP use Transport and Tunnel modes. In Transport mode, the original IP packet header is left intact and is not protected by IPSec. In Tunnel mode, the original IP packet header is copied and the entire original IP packet is then protected by AH or ESP.

490 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Sections

7. How many Security Associations (SAs) does it take to establish bidirectional IPSec communications between two peers?

It takes three SAs to establish bidirectional IPSec communications between two peers. IPSec SAs are simplex, so it takes one for each direction for IKE Phase 2. IKE SAs are bidirectional, so you only need one of those to complete IKE Phase 1.

8. What is a message digest?

A message digest is a condensed representation of a message of a fixed length, which depends on the hashing algorithm used.

9. Which current RFCs define the IPSec protocols?

There are two IPSec protocols, AH and ESP. AH is now defined by RFC 2402. ESP is now defined by RFC 2406. Their original RFCs were 1826 and 1827, respectively.

10. What message integrity protocols does IPSec use?

IPSec uses Message Digest 5 (MD5), Secure Hash Algorithm-1 (SHA-1), and Hash-based Message Authentication Code (HMAC) as hashing protocols to provide message integrity.

11. What is the triplet of information that uniquely identifies a security association?

The combination of the destination IP address, the IPSec protocol, and the SPI uniquely identifies a security association.

12. You can select to use both authentication and encryption when using the ESP protocol. Which is performed first when you do this?

If you select to use both ESP authentication and encryption, encryption is performed first. This allows authentication to be done with the assurance that the sender does not alter the datagram before transmission and the receiver can authenticate the datagram before decrypting the package.

13. What five parameters are required by IKE Phase 1?

IKE Phase 1 needs to know the following five parameters:

a. Encryption algorithm

b. Hashing algorithm

c. Authentication method

d. Key exchange method

e. IKE SA lifetime


14. What is the difference between the deny keyword in a crypto Access Control List (ACL) and the deny keyword in an access ACL?

In an access ACL, the deny keyword tells the network device to drop the packet. In a crypto ACL, the deny keyword tells the network device to pass the traffic in the clear without the benefit of IPSec security.

15. What transform set would allow SHA-1 authentication of both AH and ESP packets and would also provide Triple Data Encryption Standard (3DES) encryption for ESP?

The transform set that would allow 3DES for ESP and SHA-1 for both is ah-sha-hmac esp-3des esp-sha-hmac.

16. What are the five steps of the IPSec process?

The five steps of the IPSec process are as follows:

a. Interesting traffic triggers the IPSec process.

b. Authenticate peers and establish IKE SAs (IKE Phase 1).

c. Establish IPSec SAs (IKE Phase 2).

d. Allow secured communications.

e. Terminate the VPN.

Chapter 2—Q&A

1. What are the Cisco hardware product families that support IPSec VPN technology?

Cisco IOS Software routers, PIX Firewalls, and VPN 3000 Series Concentrators, including the VPN 3002 Hardware Client, support IPSec VPN technology.

2. What are the two IPSec protocols?

The two IPSec protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP).

3. What are the three major VPN categories?

The three major VPN categories are remote access, intranet (site-to-site), and extranet (business-to-business).

4. What is an SEP module used for?

Scalable Encryption Processing (SEP) modules are used with Cisco VPN 3030, 3060, and 3080 Concentrators to provide hardware-based encryption services.


5. What are the primary reasons cited for choosing VPN technology?

Security and reduced cost are most often cited as the reasons for selecting VPN technology.

6. Why are remote access VPNs considered ubiquitous?

Remote access VPNs are considered ubiquitous because they can be established any time from practically anywhere over the Internet.

7. What types of VPNs are typically built across service provider shared network infrastructures?

Site-to-site, or intranet, VPNs are typically built across service provider shared network infrastructures, such as Frame Relay, ATM, or point-to-point circuits.

8. Which type of VPNs use a combination of the same infrastructures that are used by the other two types of VPNs?

Business-to-business, or extranet, VPNs use a combination of the same infrastructures that are used by remote access and intranet VPNs.

9. What hardware would you use to build intranet and extranet VPNs?

Cisco IOS Software routers are the best choice for intranet and the site-to-site portion of extranet VPNs. VPN encryption modules in these devices can provide powerful platforms for supporting VPNs between sites.

10. Which Cisco routers provide support for Cisco EzVPN Remote?

The Cisco router models that support Cisco EzVPN Remote include Models 827H, uBR905, 806, 1710, and 1700. Of these, the 827H and the 806 offer support only for EzVPN Remote. The others also provide support for EzVPN Server.

11. Which Cisco router series supports VAMs?

The Cisco 7200 Router Series supports VPN Acceleration Modules (VAMs) to enhance VPN support characteristics on the router.

12. Which Cisco router series supports ISMs?

The Cisco 7100 Router Series supports Integrated Services Modules (ISMs) to expand the VPN capabilities of the router.

13. Which of the Cisco PIX Firewall models are fixed-configuration devices?

The Cisco PIX 501 Firewall and the Cisco PIX 506E Firewall models are fixed-configuration devices.


14. Which Cisco PIX Firewall models offer a failover port for high availability and support VACs?

The three high-end models of the PIX Firewall have a failover port and support VPN Accelerator Cards (VACs). Those models are the Cisco PIX 515E Firewall, the Cisco PIX 525 Firewall, and the Cisco PIX 535 Firewall.

15. Which series of Cisco hardware devices are purpose-built remote access VPN devices?

The Cisco VPN 3000 Series Concentrators were designed specifically to support remote access VPN services.

16. Which of the Cisco VPN 3000 Series Concentrators is a fixed-configuration device?

The Cisco VPN 3005 Concentrator is a fixed-configuration system that supports up to 100 simultaneous sessions.

17. Which of the Cisco VPN 3000 Series Concentrators can accept SEP modules?

The three high-end concentrators support SEP modules. These systems are the Cisco VPN 3030 Concentrator, the 3060 Concentrator, and the 3080 Concentrator.

18. What feature of the Cisco Unity Client makes it scalable?

The client version updates can be pushed to the user’s system from a central network site when the user makes the initial login attempt. This scalability feature relieves the burden of having to configure numerous client systems and enables a managed growth path for VPN deployment.

19. Which of Cisco’s VPN clients can be used with any operating system that communicates in IP?

The Cisco VPN 3002 Hardware Client enables any user device that communicates in IP to access an IPSec tunnel. Operating systems such as Windows, Solaris, Mac, and Linux can all participate in IPSec secure communications using these devices.

20. What protocol enables IP-enabled wireless devices such as PDAs and Smart Phones to participate in VPN communications?

The Elliptic Curve Cryptosystem (ECC) Protocol permits IP-enabled wireless devices to participate in VPN communications. All Cisco VPN 3000 Series Concentrators support ECC, which is a new Diffie-Hellman group that allows faster processing of keying information.

21. What are the three phases of Cisco Mobile Office?

The three phases of Cisco Mobile Office are On The Road, At Home, and At Work.

22. What is the distinctive characteristic of Cisco VPN Device Manager?

Cisco VPN Device Manager is an embedded device manager that is installed directly into a supporting router’s flash memory.


23. What is Cisco’s AAA server, and what AAA systems does it support?

The Cisco Secure Access Control Server (ACS) is Cisco’s Authentication, Authorization, and Accounting (AAA) server. This device supports both Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS).

24. Which web-based management tool can display a physical representation of each managed device?

CiscoView is the web-based management tool that displays a physical representation of each managed device. Modules, ports, and indicators are depicted with color coding to indicate the current, dynamically updated status of the element.

25. What are the current RFCs that define the IPSec protocols?

There are two IPSec protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). AH is defined by RFC 2402. ESP is defined by RFC 2406. Their original RFCs were 1826 and 1827, respectively.

26. What are three shortcomings of IPSec?

Any of the following are shortcomings of IPSec:

a. IPSec does not support DLSw or SRB.

b. IPSec does not support multipoint tunnels.

c. IPSec works strictly with unicast IP datagrams only. It does not work with multicast or broadcast IP datagrams.

d. IPSec is slower than Cisco Encryption Technology (CET) because IPSec provides per-packet data authentication.

e. IPSec provides packet expansion that can cause fragmentation and reassembly of IPSec packets, creating another reason that IPSec is slower than CET.

27. What message encryption protocols does IPSec use?

IPSec uses Data Encryption Standard (DES) and Triple DES (3DES) encryption protocols.

28. What message integrity protocols does IPSec use?

IPSec uses Message Digest 5 (MD5), Secure Hash Algorithm-1 (SHA-1), and Hash-based Message Authentication Code (HMAC) as hashing protocols to provide message integrity.

29. What methods does IPSec use to provide peer authentication?

Three methods are available to IPSec for peer authentication: preshared keys, RSA digital signatures, and RSA encrypted nonces.


30. What methods does IPSec use for key management?

IPSec uses Certificate Authorities (CAs) and the Diffie-Hellman key exchange process for key management.

31. What is the key element contained in the AH or ESP packet header?

The key element contained in each protocol’s header is the SPI, giving the destination peer the information it needs to authenticate and decrypt the packet.

32. Which IPSec protocol does not provide encryption services?

Authentication Header (AH) does not provide encryption services. AH packets are sent as clear text.

33. What is the triplet of information that uniquely identifies a Security Association?

The combination of the destination IP address, the IPSec protocol, and the Security Parameters Index (SPI) uniquely identifies a Security Association (SA).

34. What is an ICV?

An Integrity Check Value (ICV) is a calculated representation of the immutable contents of an IPSec packet. Each peer calculates this value for the packet independently. If the values do not match, the packet is considered as having been altered in transit and the packet is discarded.

35. What IPSec protocol must you use when confidentiality is required in your IPSec communications?

You must use ESP when confidentiality is required in your IPSec communications. ESP provides encryption; AH does not.

36. What is the primary difference between the mechanisms used by AH and ESP to modify an IP packet for IPSec use?

AH inserts an IPSec header into the packet containing the SPI and other related information. ESP encapsulates the original IP packet or the data portion of that packet by surrounding it with both a header and a trailer.

37. What are the two modes of operation for AH and ESP?

AH and ESP use Transport and Tunnel modes. In Transport mode, the original IP packet header is left intact and is not protected by IPSec. In Tunnel mode, the original IP packet header is copied and the entire original IP packet is then protected by AH or ESP.

38. Which IPSec protocol should you use if your system is using NAT?

AH does not support Network Address Translation (NAT) because changing the source IP address in the IP header causes authentication to fail.


39. You can select to use both authentication and encryption when using the ESP protocol. Which is performed first when you do this?

If you select to use both ESP authentication and encryption, encryption is performed first. This allows authentication to be done with assurance that the sender does not alter the datagram before transmission and the receiver can authenticate the datagram before decrypting the package.

40. How many SAs does it take to establish bidirectional IPSec communications between two peers?

It takes three SAs to establish bidirectional IPSec communications between two peers. IPSec SAs are simplex, so it takes one for each direction for IKE Phase 2. IKE SAs are bidirectional, so you only need one of those to complete IKE Phase 1.

41. Which encryption protocol was considered unbreakable at the time of its adoption?

The Data Encryption Standard (DES) holds this distinction. DES was once considered such a strong encryption technique that it was barred from export from the continental United States.

42. What process does 3DES use to obtain an aggregate 168-bit key?

Triple DES performs an encryption process, a decryption process, and then another encryption process, each with a different 56-bit key. This triple process produces an aggregate 168-bit key, providing strong encryption.

43. What is a message digest?

A message digest (MD) is a condensed representation of a message of a fixed length, which depends on the hashing algorithm used.

44. What does HMAC-MD5-96 mean?

HMAC-MD5-96 is a variant of MD5 that uses a 128-bit secret key to produce a 128-bit MD. AH and ESP-HMAC only use the left-most 96 bits, placing them into the authentication field. The destination peer then calculates a complete 128-bit message digest but then only uses the left-most 96 bits to compare with the value stored in the authentication field.

45. What does HMAC-SHA1-96 mean?

HMAC-SHA1-96 is a variant of SHA-1 that produces a 160-bit message digest using a 160-bit secret key. Cisco’s implementation of HMAC-SHA1-96 truncates the 160-bit MD to the left-most 96 bits and sends those in the authentication field. The receiving peer recreates the entire 160-bit message digest using the same 160-bit secret key but then only compares the leading 96 bits against the MD fragment in the authentication field.
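A worked example of what answers 33, 34, 44 and 45 describe, added here as illustration (it is not code from the book or from Cisco): an SA database keyed by the (destination IP, protocol, SPI) triplet, and an HMAC-MD5-96 or HMAC-SHA1-96 ICV computed over the immutable packet contents, truncated to the left-most 96 bits, then recomputed and compared by the receiver. The class and function names, the keys and the packet bytes are all constructed for this example.

```python
"""Security Association lookup by (destination IP, protocol, SPI) and
HMAC-MD5-96 / HMAC-SHA1-96 ICV computation and verification.

Added example, not from the book; keys and packet bytes are constructed."""
import hashlib
import hmac
import ipaddress

# The two -96 authentication variants named in the answer key:
# hash function and the key length each one expects (RFC 2403 / RFC 2404).
TRANSFORMS = {
    "hmac-md5-96": (hashlib.md5, 16),    # 128-bit key, 128-bit digest
    "hmac-sha1-96": (hashlib.sha1, 20),  # 160-bit key, 160-bit digest
}
ICV_LEN = 12  # both variants keep only the left-most 96 bits


class SecurityAssociation:
    """One simplex SA: the transform and authentication key agreed in IKE Phase 2."""

    def __init__(self, transform, auth_key):
        digestmod, key_len = TRANSFORMS[transform]
        if len(auth_key) != key_len:
            raise ValueError(f"{transform} needs a {key_len * 8}-bit key")
        self.transform = transform
        self._digestmod = digestmod
        self._auth_key = auth_key

    def icv(self, immutable_bytes):
        """Full HMAC over the immutable packet contents, truncated to 96 bits."""
        full = hmac.new(self._auth_key, immutable_bytes, self._digestmod).digest()
        return full[:ICV_LEN]


class SADatabase:
    """SAs indexed by the triplet that uniquely identifies each one."""

    def __init__(self):
        self._sas = {}

    @staticmethod
    def _key(dst_ip, protocol, spi):
        return (ipaddress.ip_address(dst_ip), protocol, spi)

    def add(self, dst_ip, protocol, spi, sa):
        key = self._key(dst_ip, protocol, spi)
        if key in self._sas:
            raise ValueError("SPI already in use for this destination and protocol")
        self._sas[key] = sa

    def lookup(self, dst_ip, protocol, spi):
        return self._sas.get(self._key(dst_ip, protocol, spi))


def verify_inbound(sadb, dst_ip, protocol, spi, immutable_bytes, received_icv):
    """Receiver side: find the SA from the packet's triplet, recompute the ICV,
    and compare only the 96 bits that were sent. Returns False (drop) on any miss."""
    sa = sadb.lookup(dst_ip, protocol, spi)
    if sa is None:
        return False
    # Constant-time comparison; a length mismatch also yields False.
    return hmac.compare_digest(sa.icv(immutable_bytes), received_icv)


def demo():
    # Constructed keys and packet contents, not captured traffic.
    sha1_key = bytes(range(20))
    md5_key = bytes(range(16))
    sadb = SADatabase()
    sadb.add("10.0.0.2", "AH", 0x1000, SecurityAssociation("hmac-sha1-96", sha1_key))
    # The same SPI under a different protocol identifies a different SA.
    sadb.add("10.0.0.2", "ESP", 0x1000, SecurityAssociation("hmac-md5-96", md5_key))

    payload = b"constructed immutable IP header fields and payload"
    icv = sadb.lookup("10.0.0.2", "AH", 0x1000).icv(payload)

    return {
        "icv_bits": len(icv) * 8,
        "valid": verify_inbound(sadb, "10.0.0.2", "AH", 0x1000, payload, icv),
        "altered_in_transit": verify_inbound(sadb, "10.0.0.2", "AH", 0x1000, payload + b"!", icv),
        "unknown_spi": verify_inbound(sadb, "10.0.0.2", "AH", 0x2000, payload, icv),
        "wrong_protocol": verify_inbound(sadb, "10.0.0.2", "ESP", 0x1000, payload, icv),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two details on the receiving side are worth noting. The receiver always computes the full digest and then compares only the 96 transmitted bits, exactly as answers 44 and 45 state; and a lookup miss (an unknown SPI, or a known SPI under the other protocol) simply drops the packet, which is the behaviour answer 34 describes for a failed ICV check. The comparison uses `hmac.compare_digest` so that the check does not leak timing information.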


46. How are preshared keys exchanged?

Preshared keys are exchanged manually, severely impacting the scalability of their use.

47. What does the Diffie-Hellman key agreement protocol permit?

The Diffie-Hellman (D-H) key agreement protocol allows two peers to exchange a secret key without having any prior secrets. This protocol is an example of an asymmetrical key exchange process in which peers exchange different public keys to generate identical private keys.

48. Why is D-H not used for symmetric key encryption processes?

Asymmetric key encryption processes like Diffie-Hellman are much too slow for the bulk encryption required in high-speed VPN circuits.
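A worked Diffie-Hellman exchange matching answers 47 and 48, added here as illustration (not code from the book or from Cisco): each peer sends only its public value g^x mod p, and both sides arrive at the same secret with no prior shared key. The group parameters p = 4079 and g = 4 are a constructed toy group (p is a safe prime, g generates the prime-order subgroup) chosen so the arithmetic stays readable; the IKE groups are hundreds of bits long. The `Peer` class, `run_exchange` and `derive_key` are illustrative names, and the key derivation is a simplified stand-in for IKE's, not IKE's actual formula.

```python
"""Diffie-Hellman exchange between two IPSec peers with no prior secret.

Added example using a constructed toy group; not from the book."""
import hashlib
import secrets

# Constructed toy group: p is a safe prime (p = 2q + 1 with q prime) and
# g = 4 generates the subgroup of prime order q. Real IKE groups use
# 768-bit and larger MODP primes; these values only keep the numbers readable.
P = 4079
Q = (P - 1) // 2   # 2039, also prime
G = 4


def check_group():
    """Sanity check a peer can run on the group: g has order q, not something small."""
    return pow(G, Q, P) == 1 and 1 < G < P - 1


class Peer:
    """One IKE peer: a private exponent and the public value sent over the wire."""

    def __init__(self, name, private=None):
        self.name = name
        # Private exponent in [2, q-1]; never leaves this peer.
        self.private = private if private is not None else secrets.randbelow(Q - 2) + 2
        self.public = pow(G, self.private, P)

    def agree(self, peer_public):
        """Combine the other side's public value with our private exponent."""
        # Reject degenerate public values (0, 1, p-1) that would force a trivial secret.
        if not (1 < peer_public < P - 1):
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, P)


def derive_key(shared, nonce_i, nonce_r):
    """Simplified stand-in for IKE's keying-material derivation: hash the shared
    secret together with both peers' nonces so every exchange yields a fresh key."""
    width = (P.bit_length() + 7) // 8
    return hashlib.sha1(shared.to_bytes(width, "big") + nonce_i + nonce_r).digest()


def run_exchange(priv_i=None, priv_r=None):
    """Run one exchange and return the secret each side computed.

    Only initiator.public and responder.public would travel on the wire;
    an observer sees p, g and those two values but neither private exponent."""
    initiator = Peer("initiator", priv_i)
    responder = Peer("responder", priv_r)
    secret_at_initiator = initiator.agree(responder.public)
    secret_at_responder = responder.agree(initiator.public)
    return secret_at_initiator, secret_at_responder


if __name__ == "__main__":
    s_i, s_r = run_exchange()
    print("group ok:", check_group())
    print("both sides agree:", s_i == s_r, "shared value:", s_i)
    # Constructed nonces for the derivation step.
    print("derived key:", derive_key(s_i, b"nonce-i", b"nonce-r").hex())
```

Note what the exchange does not do: it authenticates nobody, which is why IKE pairs it with one of the peer-authentication methods listed in answer 29 (preshared keys, RSA signatures or RSA encrypted nonces). And, as answer 48 implies, the modular exponentiations are the slow asymmetric step; they happen once when the SA is negotiated, and the secret they produce is only used to derive the symmetric keys that protect the bulk traffic.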

49. What is a CRL?

A Certificate Revocation List (CRL) is a list of expired or voided digital certificates that a CA makes available to its customers. Clients use these CRLs during the process of authenticating a peer.

50. What are the five parameters required by IKE Phase 1?

IKE Phase 1 needs to know the following parameters:

a. Encryption algorithm

b. Hashing algorithm

c. Authentication method

d. Key exchange method

e. IKE SA lifetime

51. What are the valid AH authentication transforms?

There are only three valid AH authentication transforms: ah-md5-hmac, ah-sha-hmac, and ah-rfc1828.

52. What transform set would allow for SHA-1 authentication of both AH and ESP packets and would also provide 3DES encryption for ESP?

The transform set that would allow for 3DES for ESP and SHA-1 for both is ah-sha-hmac esp-3des esp-sha-hmac.