Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Exam Essentials 231

DSS verifies peers by exchanging public keys.

Diffie-Hellman establishes private and public keys that encrypt the keys used by DES and MD5.

When all of these items work together as a team, they create a very secure environment for transmitting data.

Summary

Congratulations—you made it! This chapter introduced you to many new concepts. VPNs are growing in demand, and if you want to remain relevant in today’s competitive marketplace, you positively must understand their terms and processes.

Cisco utilizes IPSec VPNs to provide a secure connection over a public network—connections that can be designed based on the business needs of your company. You can use remote-access solutions for telecommuters, site-to-site solutions for remote offices that need access to the corporate network, and extranet solutions to provide your customers and partners with the limited information they need.

Cisco provides a number of products to meet your IPSec needs. Cisco routers, CiscoSecure VPN Concentrators, and PIX Firewalls can all be used to create VPN solutions for your specific situation.

You really must have a thorough understanding of the concepts discussed in this chapter before proceeding to Chapter 8, so if you feel at all shaky on anything covered here, take the time you need to go back and review.

Exam Essentials

Explain virtual private networks. You must be able to explain how VPNs are used in the creation of secure networks. You need to understand the three different types of VPNs: site-to-site, extranet, and remote access.

List and explain the different tunneling technologies. The tunneling protocols currently available are GRE, L2F, L2TP, and PPTP. You must be able to explain how each of these protocols is used.

Explain IPSec operation. You need a solid understanding of the five steps of IPSec operation: how an IPSec process initiates, IKE phase 1, IKE phase 2, data transfer, and IPSec tunnel termination.

Explain the different key exchange methods. You must be able to list the different key exchange methods: pre-shared keys, RSA-encrypted nonces, and RSA signatures. You need to explain how each one operates and when each should be used.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

232 Chapter 7 Understanding Cisco IOS IPSec Support

Explain the Cisco IOS Cryptosystem. You must be able to explain that a cryptosystem is a combination of encryption technologies, working in harmony, that are used to encrypt data so that only the intended receiver can decrypt it. The Cisco IOS Cryptosystem uses DES, MD5, DSS, and DH.
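As an added illustration (not code from the study guide), the following Python shows two of those components cooperating: a Diffie-Hellman exchange produces a shared secret, which then keys an HMAC-MD5 authenticator truncated to 96 bits the way IPSec AH/ESP carry it. The DH group, the key-derivation step and the packet bytes are toy stand-ins constructed here for readability; real IKE groups are 768 bits and larger.

```python
# Added example, not from the Sybex study guide: DH and HMAC-MD5 working
# together as in the Cisco IOS Cryptosystem.  HMAC-MD5 yields 128 bits;
# IPSec keeps the first 96 (HMAC-MD5-96).  The DH group is a toy prime.
import hashlib
import hmac
import secrets

P = 2147483647   # toy modulus (2**31 - 1), NOT a real IKE group
G = 7            # toy generator

def dh_keypair(p=P, g=G):
    """Return (private x, public g^x mod p) for one peer."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared_secret(own_private, peer_public, p=P):
    """Both peers compute the same value: (g^y)^x = (g^x)^y mod p."""
    return pow(peer_public, own_private, p)

def derive_auth_key(shared_secret):
    """Turn the DH value into a 16-byte HMAC-MD5 key (toy derivation)."""
    return hashlib.md5(shared_secret.to_bytes(16, "big")).digest()

def hmac_md5_96(key, data):
    """IPSec-style authenticator: 128-bit HMAC-MD5 truncated to 96 bits."""
    full = hmac.new(key, data, hashlib.md5).digest()   # 16 bytes
    return full[:12]                                   # 12 bytes = 96 bits

def verify_hmac_md5_96(key, data, tag):
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(hmac_md5_96(key, data), tag)

def demo():
    """Two peers agree on a key, then authenticate one constructed packet."""
    xa, ya = dh_keypair()        # initiator: private Xa, public Ya
    xb, yb = dh_keypair()        # responder: private Xb, public Yb
    key_a = derive_auth_key(dh_shared_secret(xa, yb))
    key_b = derive_auth_key(dh_shared_secret(xb, ya))
    packet = b"constructed ESP payload, seq=1"   # constructed sample data
    tag = hmac_md5_96(key_a, packet)
    ok = verify_hmac_md5_96(key_b, packet, tag)
    tampered = verify_hmac_md5_96(key_b, packet + b"!", tag)
    return key_a == key_b, len(tag) * 8, ok, tampered

if __name__ == "__main__":
    print(demo())   # (True, 96, True, False)
```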

List the Cisco equipment available for IPSec. Cisco uses its routers, VPN Concentrators, and PIX Firewalls for IPSec VPN solutions.

Key Terms

Before you take the exam, be certain you are familiar with the following terms:

aggressive mode

Authentication Header (AH)

certificate authority (CA)

cryptosystem

Data Encryption Standard (DES)

Diffie-Hellman (DH) Agreement

Digital Signature Standard (DSS)

Encapsulating Security Payload (ESP)

encryption algorithms

extranet VPNs

generic routing encapsulation (GRE)

hash

Hash-Based Message Authentication Code-Message Digest 5 (HMAC-MD5)

hashing algorithm

IKE phase 1

IKE phase 2

Internet Security Association and Key Management Protocol (ISAKMP)

IP Security (IPSec)

IPSec transform

Layer 2 Forwarding (L2F)

Layer 2 Tunneling Protocol (L2TP)

main mode

nonce

OAKLEY

Point-to-Point Tunneling Protocol (PPTP)

pre-shared keys

remote access VPNs

RSA signatures

RSA-encrypted nonces

security association (SA)

Security Parameter Index (SPI)

site-to-site VPNs

transport mode

Triple DES (3DES)

tunnel mode

virtual private network (VPN)


Written Lab

This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.

1. List the two phases of IKE.

2. List the Cisco devices available for IPSec.

3. What are the two symmetric encryption algorithms that provide confidentiality for ESP?

4. How many IPSec SAs are required for a peering session?

5. List the three categories of VPNs.

6. What makes up the Cisco IOS Cryptosystem?

7. What is XAuth's function?

8. What tunneling protocols did L2TP replace?

9. What is an IPSec transform?

10. What is a nonce?


Review Questions

1. Which of the following participate in the Cisco IOS Cryptosystem? (Choose all that apply.)

A. DH
B. MD5
C. ESP
D. DES

2. When does DH calculate the Xa?

A. IKE phase 1
B. IKE phase 2
C. IKE phase 3
D. None of the above

3. Which of the following types of authentication requires a user to manually generate keys and then manually exchange the public keys?

A. Pre-shared keys
B. RSA-encrypted nonces
C. RSA signatures
D. None of the above

4. Which of the following is an encryption algorithm that uses one key to encrypt data, another key to decrypt, and yet another key to encrypt it again before the data is ever sent to the peer?

A. DES
B. MD5
C. 3DES
D. SHA-1

5. Which IPSec mode generates a new IP header?

A. Aggressive
B. Transport
C. Main
D. Tunnel


6. What is used by Cisco IOS Cryptosystem to exchange public keys for IPSec?

A. DES
B. ESP
C. MD5
D. DSS

7. Which of the following authentication methods utilizes a CA server?

A. Pre-shared keys
B. RSA-encrypted nonces
C. RSA signatures
D. None of the above

8. Which of the following Cisco devices is best used for remote access VPN solutions?

A. CiscoSecure VPN Concentrator
B. Cisco Router
C. PIX Firewall
D. None of the above

9. Which of the following algorithms produces a 128-bit authentication value that is truncated using the first 96 bits?

A. HMAC-MD5
B. HMAC-SHA-1
C. ESP
D. 3DES

10. At which of the following OSI layers does IPSec operate?

A. Network
B. Data Link
C. Physical
D. Transport

11. Which of the following are forms of VPN? (Choose all that apply.)

A. Site-to-site
B. Externet
C. Intranet
D. Remote access


12. Which VPN solution allows a site in another city to be securely connected to the corporate network over the Internet?

A. Site-to-site
B. Extranet
C. Internet
D. None of the above

13. Which of the following assigns an "inner" IP address to a remote user that is wrapped inside of the IPSec packet?

A. IKE aggressive mode
B. IKE main mode
C. IKE quick mode
D. IKE mode configuration

14. When is an IPSec SA negotiated?

A. IKE phase 1
B. Tunnel setup
C. IKE phase 2
D. IPSec initialization

15. Which of the following tunneling protocols is L2TP backward compatible with?

A. GRE
B. L2F
C. IPSec
D. PPP

16. Which of the following are used together to uniquely identify an IPSec SA? (Choose all that apply.)

A. SAD
B. SPI
C. IP source address
D. Security protocol identifier

17. Which type of VPN is best suited for telecommuters?

A. Extranet
B. Intranet
C. Remote access
D. None of the above


18. Which of the following protocols is used by the Cisco IOS Cryptosystem to encrypt data?

A. ESP
B. DES
C. DSS
D. DH

19. Which of the following tunneling protocols did Cisco and Microsoft jointly develop?

A. L2F
B. L2TP
C. GRE
D. PPTP

20. Which of the following statements are true about AH? (Choose all that apply.)

A. AH encrypts data.
B. AH provides data integrity.
C. AH provides anti-replay.
D. AH performs an integrity check of the whole packet.
