Cisco Secure VPN Exam Certification Guide - Cisco press


518 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Sections

4. What are the two types of CA structures?

The two types of CA structures are the central CA structure and the hierarchical CA structure.

5. During the authentication process, where does a VPN concentrator find the original hash that the CA calculated for an identity certificate?

The VPN concentrator extracts the original hash that the CA calculated for an identity certificate from the digital signature on the certificate. This signature is decrypted using the CA’s public key from the root certificate.

6. During manual SCEP authentication, how is the request transmitted to the CA?

During manual SCEP authentication, the certificate request is transmitted to the CA using the Internet, e-mail, a floppy disk, or some other means.

7. What Public Key Cryptography Standard is used to request enrollment with a CA?

PKCS #10 is the standard form generally used to request certificate enrollment with a CA.

8. What is the first certificate that must be installed on a VPN concentrator before you can install any other certificates from a given CA?

You must install the root certificate from a CA before you can install any other certificates from that CA on a VPN concentrator.

9. When configuring digital certificate support on a VPN concentrator, where do you identify which certificate to use for IKE Phase 1 negotiations?

When configuring digital certificate support on a VPN concentrator, the certificate to use is identified on the Configuration | Policy Management | Traffic Management | Security Associations | Add/Modify screen.

10. After a VPN peer receives an identity certificate from its partner during IKE Phase 1, the peer calculates a hash of the certificate. What does the peer compare this hash against to verify that the certificate has not been altered?

After calculating a hash of the certificate, the peer decrypts the signature on the certificate with the public key of the root CA taken from the root certificate. This decryption process reveals the hash that the root calculated on the certificate. If the two hash values match, there is a high degree of certainty that the certificate has not been altered.

11. Where does a VPN concentrator obtain the root CA’s public key?

The VPN concentrator obtains the root CA’s public key from the root certificate.


12. What entity is responsible for generating the PKI public/private key pair for a requesting host?

The host itself must generate the PKI public/private key pair and include the public key with the enrollment request sent to the CA.

13. In the VPN Manager, where do you identify that you want to use RSA Digital Certificates for IKE Phase 1 authentication?

In the VPN Manager, you can select RSA Digital Certificates as the method for IKE Phase 1 authentication from the IKE Proposals screen.

14. What three tests does a VPN concentrator perform on a partner’s identity certificate before performing the authentication process?

The VPN concentrator validates the partner’s identity certificate before authentication by verifying that the certificate was signed by a trusted CA, that the certificate has not expired, and that the certificate has not been revoked.

15. Which version of the X.509 standard identity certificate permits extensions?

X.509 version 3 permits extensions.

16. What is RSA Keon?

RSA Keon is a CA application that runs on Solaris, Windows 2000, and Windows NT.

17. When does the Click here to install a CA certificate option appear on the Administration | Certificate Management screen of the VPN Manager?

The Click here to install a CA certificate option appears on the Administration | Certificate Management screen until you have installed the first CA certificate.

18. The VPN concentrator is certified to work with three Internet-based CAs. Which CAs are they?

The VPN concentrator is certified to work with these Internet-based CAs: Entrust, VeriSign, and Baltimore.

19. What elements make up the X.500 distinguished name?

Six fields make up the X.500 distinguished name: Common Name (CN), Organizational Unit (OU), Organization (O), Locality (L), State/Province (SP), and Country (C).

20. Which screen do you use to enable the use of digital certificates for device authentication during IKE Phase 1 negotiations?

The Authentication tab on the Properties page for a defined connection permits you to select between using preshared keys and digital certificates for IKE Phase 1 authentication.


21. What two enrollment methods are available on a VPN concentrator?

The VPN concentrator allows you to perform a manual enrollment using a PKCS #10 request or an automated enrollment using SCEP.

22. What field in the certificate request should match the IPSec group name on the VPN concentrator?

The Organizational Unit (OU) field in the certificate request should match the IPSec group name on the VPN concentrator.
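Answers 7, 12, 19, 21, and 22 together describe a manual PKCS #10 enrollment: the requesting host generates its own key pair, the request carries the six X.500 distinguished-name fields, and the OU must match the IPSec group. The Go program below is an added example written for this page, not code from the book or from Cisco. It uses the Go standard library's crypto/x509 package to build such a request and then checks it the way a CA operator would before approving it. The host name vpn3000.example.com, the group name engineering, and the organization values are made-up placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"os"
)

// IdentityDN holds the six X.500 distinguished-name fields the concentrator
// asks for when it builds an enrollment request.
type IdentityDN struct {
	CommonName    string // CN: the concentrator's name
	OrgUnit       string // OU: must equal the IPSec group name
	Organization  string // O
	Locality      string // L
	StateProvince string // SP (called Province in Go's pkix.Name)
	Country       string // C
}

// NewEnrollmentRequest does what the requesting host does for a manual
// enrollment: it generates the RSA key pair locally and places only the
// public half in a PKCS #10 request. The private key never leaves the host.
func NewEnrollmentRequest(dn IdentityDN, bits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:         dn.CommonName,
			OrganizationalUnit: []string{dn.OrgUnit},
			Organization:       []string{dn.Organization},
			Locality:           []string{dn.Locality},
			Province:           []string{dn.StateProvince},
			Country:            []string{dn.Country},
		},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	// CreateCertificateRequest signs the request with the private key, which
	// is how the CA later knows the requester actually holds that key.
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// CheckRequestForGroup parses a DER-encoded PKCS #10 request the way a CA
// operator would before approving it: the self-signature must verify, and
// the OU must equal the IPSec group the concentrator will map the peer to.
func CheckRequestForGroup(der []byte, group string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature invalid: %w", err)
	}
	if ous := csr.Subject.OrganizationalUnit; len(ous) != 1 || ous[0] != group {
		return nil, fmt.Errorf("OU %v does not match IPSec group %q", ous, group)
	}
	return csr, nil
}

// PublicKeyMatches reports whether the request carries the public half of
// key, that is, the pair the host generated for itself.
func PublicKeyMatches(csr *x509.CertificateRequest, key *rsa.PrivateKey) bool {
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

func main() {
	dn := IdentityDN{CommonName: "vpn3000.example.com", OrgUnit: "engineering",
		Organization: "Example Corp", Locality: "Austin", StateProvince: "Texas", Country: "US"}
	key, der, err := NewEnrollmentRequest(dn, 2048)
	if err != nil {
		panic(err)
	}
	if _, err := CheckRequestForGroup(der, dn.OrgUnit); err != nil {
		panic(err)
	}
	fmt.Fprintf(os.Stderr, "%d-bit key generated locally; only the public key is in the request\n", key.N.BitLen())
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}
```

The PEM block written to standard output is what you would hand to the CA by e-mail, web form, or removable media in a manual enrollment; with SCEP the same PKCS #10 structure travels inside the SCEP protocol instead.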

23. When are SSL certificates required on a VPN concentrator?

SSL certificates are required on a VPN concentrator when you want to establish secure communications between the concentrator and the browser on the administrator’s workstation.

24. What are the three types of certificates involved in the digital certificate process?

The three types of certificates involved in the digital certificate process are the root, identity, and issuing certificates.

25. What is a CRL?

A CRL is a Certificate Revocation List. It is a CA-signed list of the serial numbers of certificates the CA has revoked, each with the date the certificate was revoked. CRLs are issued by the CA and cover only certificates that the CA itself issued.

26. When you select to cache CRLs on the VPN concentrator, where are they stored?

Enabling CRL caching on the VPN concentrator permits the concentrator to store CRLs in volatile memory.

27. What default algorithm type and key size does the VPN concentrator use on the certificate request?

The VPN concentrator uses RSA with a 512-bit key as the default on the certificate request. A 512-bit RSA modulus has been publicly factored and offers no meaningful protection today; choose the largest key size the concentrator and your CA support.

28. Using the VPN Manager, where would you look to check the status of a certificate enrollment process?

To check the status of a certificate enrollment process using the VPN Manager, select Administration | Certificate Management from the table of contents. The last section on this screen displays enrollment status.

29. What is a root certificate?

A root certificate is a special form of the identity certificate that is self-signed by the root CA and contains the public key of the root CA. This certificate is used by VPN peers to authenticate their partner’s identity certificate.


30. Where are you asked to supply a challenge password during the enrollment process?

You are asked for the challenge password when you enroll an identity certificate through SCEP. The CA uses the password to authenticate the automated request.

31. How is the validity period of a digital certificate specified?

The validity period of a digital certificate is specified with a starting date and time and an ending date and time.

32. With CRL caching disabled, how does a VPN concentrator check a certificate’s serial number against a CRL?

When caching is disabled, the VPN concentrator must request a CRL from one of the CA’s distribution points each time it needs to check a certificate’s serial number.
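Answers 5, 10, 11, 14, 25, 29, 31, and 32 describe how a peer's identity certificate is checked against the root certificate and a CRL. The following Go program is an added example for this page, not code from the book or from the VPN 3000 software. It constructs a small test PKI (a self-signed root, an identity certificate the root issued, and a root-signed CRL) and then applies the three tests: the hash comparison that "decrypting" the signature with the root's public key amounts to in RSA terms, the validity period, and the CRL lookup by serial number. All names, serial numbers, and dates in it are made up.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Fixture is a constructed test PKI (made-up names): root, peer identity, CRL.
type Fixture struct {
	Root, Peer *x509.Certificate
	CRL        *x509.RevocationList
	Now        time.Time
}

// BuildFixture plays the CA. Passing rootTmpl as its own parent makes the
// root certificate self-signed; it carries the root's public key, which a
// concentrator later uses to check everything else the CA signed.
func BuildFixture(revokePeer bool) *Fixture {
	now := time.Now()
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Corp"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	// The peer generates its own key pair; the CA only ever sees the public half.
	peerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:      pkix.Name{CommonName: "vpn3000.example.com", OrganizationalUnit: []string{"engineering"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
	}
	peer := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, peerTmpl, root, &must(rsa.GenerateKey(rand.Reader, 2048)).PublicKey, rootKey))))
	// A CRL lists revoked serial numbers, each with the time it was revoked.
	revoked := []pkix.RevokedCertificate{{SerialNumber: big.NewInt(7), RevocationTime: now}}
	if revokePeer {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: peer.SerialNumber, RevocationTime: now})
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, root, rootKey))))
	return &Fixture{Root: root, Peer: peer, CRL: crl, Now: now}
}

// CheckSignatureByHand spells out the step described in the answers: hash the
// signed portion of the certificate (tbsCertificate), use the root's public key
// from the root certificate to recover the hash the CA signed, and compare.
// cert.CheckSignatureFrom(root) does the same in one call.
func CheckSignatureByHand(cert, root *x509.Certificate) error {
	rootPub, ok := root.PublicKey.(*rsa.PublicKey)
	if !ok || cert.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("expected an RSA root key and SHA256WithRSA, got %v", cert.SignatureAlgorithm)
	}
	ourHash := sha256.Sum256(cert.RawTBSCertificate)
	// VerifyPKCS1v15 applies the public key to the signature and compares the
	// recovered DigestInfo with our hash; any altered byte breaks the match.
	return rsa.VerifyPKCS1v15(rootPub, crypto.SHA256, ourHash[:], cert.Signature)
}

// ValidateIdentity runs the three tests a concentrator applies before it
// authenticates a peer: trusted signature, inside the validity period, and
// not listed on the issuing CA's CRL.
func ValidateIdentity(cert, root *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := CheckSignatureByHand(cert, root); err != nil {
		return fmt.Errorf("not signed by trusted CA: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("outside validity period %v to %v", cert.NotBefore, cert.NotAfter)
	}
	// A CRL only speaks for certificates its issuer signed, so check the CRL's
	// own signature against the same root before trusting its contents.
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by trusted CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %v revoked at %v", cert.SerialNumber, rc.RevocationTime)
		}
	}
	return nil
}

func main() {
	fx, rv := BuildFixture(false), BuildFixture(true)
	fmt.Println("valid now:   ", ValidateIdentity(fx.Peer, fx.Root, fx.CRL, fx.Now))
	fmt.Println("two years on:", ValidateIdentity(fx.Peer, fx.Root, fx.CRL, fx.Now.AddDate(2, 0, 0)))
	fmt.Println("revoked peer:", ValidateIdentity(rv.Peer, rv.Root, rv.CRL, rv.Now))
}
```

The CRL's own signature is checked against the root before its serial numbers are trusted; a list fetched from a distribution point is only as good as the signature on it, whether it is cached in memory or fetched on every check.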

33. SCEP has two authentication methods available between a requester and the CA. What are those two methods?

The two SCEP authentication methods are manual authentication and preshared key authentication.

Chapter 6—Do I Know This Already?

1. You have a number of clients running Windows 98 and a remote VPN 3002 Hardware Client assigned to the same group. Your supervisor wants you to force everyone on this group connecting to have a firewall running on his or her machine. Can you do this?

No. The Firewall Required option cannot be used with the VPN 3002 Hardware Client.

2. How is the Always On option set on the VPN Client?

The Always On option is set under the Options pull-down menu. The default setting is to have Always On disabled.

3. In addition to IPSec, what tunneling protocols does the VPN Client support?

The VPN Client supports the tunneling protocols IPSec, PPTP, L2TP, and L2TP over IPSec.

4. How often does the VPN Client poll the personal firewall when using Are You There (AYT)?

The VPN Client polls the personal firewall every 30 seconds when using AYT.


5. You are using BlackICE as a client firewall. You are presently connected through the VPN. What happens if you stop the service running BlackICE? Does the VPN remain connected? If so, for how long? Can you connect again if BlackICE is not running?

The answer depends on two configuration choices. The first is the Are You There (AYT) setting. If AYT is off, there is no noticeable difference.

If AYT is on, the behavior depends on the firewall setting for the group. With Firewall Optional or No Firewall, you see no noticeable difference during the current connection. With Firewall Required, the connection is dropped once the firewall fails to answer the AYT poll (which the client sends every 30 seconds), and you cannot reconnect until you start BlackICE again. With Firewall Optional, you receive a message at connect time indicating that a firewall should be running.

6. Which two products from Zone Labs work with the VPN Client to enable the Are You There (AYT) capability?

Zone Alarm and Zone AlarmPro are the personal firewalls that work with the Cisco VPN Client to enable the AYT capability. The other product that works with the VPN Client is BlackICE Defender from Network ICE.

7. What protocols are not automatically blocked when using the Stateful Firewall (Always On) feature?

Dynamic Host Configuration Protocol (DHCP) and Encapsulating Security Payload (ESP) are not automatically blocked when using the Stateful Firewall (Always On) feature. Additionally, traffic from the concentrator’s network is not blocked.

8. You want to have secure VPN connections to the private network of the head-end concentrator and unsecured communications to the Internet. How would you configure the VPN Client’s Stateful Firewall feature to support this split tunneling?

To enable split tunneling, you must disable the VPN Client’s Stateful Firewall feature. When enabled, the Stateful Firewall blocks inbound traffic from the Internet that is not part of a session the client itself initiated (DHCP and ESP excepted).

9. What is another name for the Stateful Firewall client that is a part of the Cisco VPN Client?

The Stateful Firewall client that is part of the Cisco VPN Client is also called the Cisco Integrated Client (CIC).

10. Where are the rules set for a client when using Centralized Protection Policy (CPP) with Zone AlarmPro?

Using Centralized Protection Policy (CPP) means that the concentrator controls all rules for the clients. This applies to CIC as well as Zone Alarm and Zone AlarmPro.


11. Why is CPP not used with the Tunnel Everything option?

CPP is designed to be used with split tunneling because the Tunnel Everything option already blocks all nontunneled traffic.

12. On what screen do you configure CPP?

CPP is configured on the Client FW tab of the Configuration | User Management | Groups | Modify screen within the VPN concentrator.

13. On the VPN Client, where do you see the current compression used for a VPN connection?

You see the current compression used for a VPN connection under the General tab of the Connection Status dialog box on the client software. You can also view the current compression method by using the client CLI command vpnclient stat.

14. From the VPN Client, where can you view the secured routes that are enabled to the client?

You can view a list of secured routes that are enabled to the VPN Client from the Statistics tab of the Connection Status screen.

15. What is meant by the term Packets bypassed on the Statistics tab of the Connection Status screen?

The Packets bypassed field on the Statistics tab of the Connection Status screen shows the number of packets that did not need to be encrypted but which were still sent out over the wire in unencrypted form.

16. What debug classes do you use when creating a rule with the following options:

a. Drop

b. Drop and Log

c. Forward

d. Forward and Log

e. Apply IPSec

f. Apply IPSec and Log

The FILTERDBG event class is used with the Drop and Log option, the Apply IPSec and Log option, and the Forward and Log option. The other three options do not use a debug class.


17. How do you allow clients to use either of two firewalls? What is the only vendor you can do this with?

To allow clients to use either of two firewalls, choose the Custom Firewall option on the Client FW tab on the Configuration | User Management | Groups | Modify screen. Enter the Vendor ID and the Product IDs separated by commas. Because Zone Labs is the only vendor with more than one product, this vendor must be used.

18. On the VPN 3000 Concentrator Series devices, you configure the client firewall properties on the Client FW tab of the Configuration | User Management | Groups | Add (or Modify) screen. You can only select one firewall policy from that screen. What are the three types of firewall policies that you can choose from on the Client FW tab?

You can select to enable a Policy defined by remote firewall (AYT), a Policy Pushed (CPP), or a Policy from Server on the Client FW tab.

Chapter 6—Q&A

1. You have a number of clients running Windows 98 and a remote VPN 3002 Hardware Client assigned to the same group. Your supervisor wants you to force everyone on this group connecting to have a firewall running on his or her machine. Can you do this?

No. The Firewall Required option cannot be used with the VPN 3002 Hardware Client.

2. What firewalls can be used within the Custom Firewall option on the concentrator?

The acceptable firewalls are as follows:

a. CIC

b. Zone Alarm

c. Zone AlarmPro

d. Zone Labs Integrity

e. BlackICE Defender/Agent

3. Where are the rules set for a client when using CPP with Zone AlarmPro?

Using CPP means that the concentrator controls all rules for the clients. This applies to CIC as well as Zone Alarm and Zone AlarmPro.

4. What protocols are not automatically blocked when using the Stateful Firewall (Always On) feature?

DHCP and ESP are not automatically blocked when using the Stateful Firewall (Always On) feature. Additionally, traffic from the concentrator’s network is not blocked.


5. Why is CPP not used with the Tunnel Everything option?

CPP is designed to be used with split tunneling because the Tunnel Everything option already blocks all nontunneled traffic.

6. How often does the VPN Client poll the personal firewall when using AYT?

The VPN Client polls the personal firewall every 30 seconds.

7. How is the Always On option set on the VPN Client?

The Always On option is set in the Options pull-down menu. The default setting is to have Always On disabled.

8. Where is CPP configured?

CPP is configured on the Client FW tab of the Configuration | User Management | Groups | Modify screen within the VPN concentrator.

9. What debug classes are used when creating a rule with the following options:

a. Drop

b. Drop and Log

c. Forward

d. Forward and Log

e. Apply IPSec

f. Apply IPSec and Log

The FILTERDBG event class is used with the Drop and Log option, the Apply IPSec and Log option, and the Forward and Log option. The other three options do not use a debug class.

10. By default, what IP address and wildcard mask does VRRP use?

By default, VRRP uses 224.0.0.18/0.0.0.0.

11. How do you allow clients to use either of two firewalls? What is the only vendor you can do this with?

To allow clients to use either of two firewalls, choose the Custom Firewall option on the Client FW tab on the Configuration | User Management | Groups | Modify screen. Enter the Vendor ID and the Product IDs separated by commas. Because Zone Labs is the only vendor with more than one product, this vendor must be used.


12. You are using CPP and pushing a policy to a firewall at the client. The client’s firewall allows FTP access. The concentrator’s policy does not allow FTP access. Is FTP access allowed?

No, FTP access is not allowed. When using CPP to push a policy to a client firewall, the more restrictive of the two policies applies. Because one of the policies blocks FTP, FTP traffic is blocked.

13. You are using BlackICE as a client firewall. You are presently connected through the VPN. What happens if you stop the service running BlackICE? Does the VPN remain connected? If so, for how long? Can you connect again if BlackICE is not running?

The answer depends on two configuration choices. The first is the Are You There (AYT) setting. If AYT is off, there is no noticeable difference.

If AYT is on, the behavior depends on the firewall setting for the group. With Firewall Optional or No Firewall, you see no noticeable difference during the current connection. With Firewall Required, the connection is dropped once the firewall fails to answer the AYT poll (which the client sends every 30 seconds), and you cannot reconnect until you start BlackICE again. With Firewall Optional, you receive a message at connect time indicating that a firewall should be running.

14. On the VPN Client, where do you see the current compression used for a VPN connection?

You see the current compression used for a VPN connection under the General tab of the Connection Status dialog box on the client software. You can also view the current compression method by using the client CLI command vpnclient stat.

15. While configuring a filter, you want to apply this filter to all protocols. What number do you use?

Using 255 applies the filter to all protocols.

16. When using the VPN Client, what ICMP should be set?

None. The VPN Client cannot be filtered based on the ICMP protocol.

17. What authentication methods are allowed with the VPN Client?

The following authentication methods are allowed with the VPN Client:

a. XAUTH (eXtended AUTHentication)

b. RADIUS with: MSCHAPv2, State/Reply message attributes (token cards), RSA SecurID, and Windows NT Domain Authentication

c. X.509v3 digital certificates


18. What types of key management can the VPN Client use?

The VPN Client can use the following types of key management:

a. XAUTH

b. IKE—Aggressive and Main mode (digital certificates)

c. Diffie-Hellman Groups 1, 2, and 5

d. PFS

e. Rekeying

19. In addition to IPSec, what tunneling protocols does the VPN Client support?

The VPN Client supports the tunneling protocols IPSec, PPTP, L2TP, and L2TP over IPSec.

20. Which two products from Zone Labs work with the VPN Client to enable the Are You There (AYT) capability?

Zone Alarm and Zone AlarmPro are the personal firewalls that work with the Cisco VPN Client to enable the AYT capability. The other product that works with the VPN Client is BlackICE Defender from Network ICE.

21. You want to have secure VPN connections to the private network of the head-end concentrator and unsecured communications to the Internet. How would you configure the VPN Client’s Stateful Firewall feature to support this split tunneling?

To enable split tunneling, you must disable the VPN Client’s Stateful Firewall feature. When enabled, the Stateful Firewall blocks inbound traffic from the Internet that is not part of a session the client itself initiated (DHCP and ESP excepted).

22. What is another name for the Stateful Firewall client that is a part of the Cisco VPN Client?

The Stateful Firewall client that is part of the Cisco VPN Client is also called the Cisco Integrated Client (CIC).

23. From the VPN Client, where can you view the secured routes that are enabled to the client?

You can view a list of secured routes that are enabled to the VPN Client from the Statistics tab of the Connection Status screen.

24. What is meant by the term Packets bypassed on the Statistics tab of the Connection Status screen?

The Packets bypassed field on the Statistics tab of the Connection Status screen shows the number of packets that did not need to be encrypted but which were still sent out over the wire in unencrypted form.