
320 Chapter 9 Cisco IOS Remote Access Using Cisco Easy VPN

Answers to Written Lab

1. Cisco Easy VPN supports DH groups 2 and 5.

2. To remove user prompts when installing the Cisco VPN 3.5 Client, you modify the oem.ini file.

3. The Cisco Easy VPN Server supports the DES and 3DES encryption algorithms.

4. A Cisco IOS router, a Cisco PIX Firewall, or a Cisco VPN Concentrator can be an Easy VPN Server.

5. Tunnel mode is the IPSec protocol supported by the Cisco Easy VPN Server.

6. You modify the *.pcf files, one per connection, when installing the Cisco VPN 3.5 Client.

7. The IPSec protocol identifiers supported by the Cisco Easy VPN Server are ESP and IPCOMP-LZS.

8. Transport mode is the IPSec protocol mode not supported by the Cisco Easy VPN Server.

9. The operating systems supported by the Cisco VPN 3.5 Client Software are Solaris (Ultra-Sparc 32-bit), Mac OS X, Windows, and Linux (Intel).

10. IPSec AH is not supported by the Cisco Easy VPN Server.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com


Answers to Review Questions

1. A, B. Pre-shared keys and RSA digital signatures are supported authentication types. DSS is not supported. DES and 3DES are encryption algorithms, not authentication types.

2. C. You must have at least 12.2(8)T to run the IOS Easy VPN Server.

3. C, F. DH groups 2 and 5 are supported. DSS, DH1, PFS, and manual keys are not supported.

4. B, C, D. An IOS router, PIX Firewall, or VPN Concentrator can act as a Cisco Easy VPN Server. The VPN 3.5 Client Software cannot.

5. A, C, D. DES, 3DES, and NULL are the three types of IPSec encryption supported by the Cisco Easy VPN.

6. C. Split Tunneling enables remote user traffic destined for the Internet to go directly to the Internet and not across the VPN tunnel.

7. B. The oem.ini file is used to remove all user prompts and force the PC to reboot when the installation is finished.

8. E. Enabling policy lookup via AAA is the first configuration task for the Easy VPN Server.

9. B, E. DH groups 2 and 5 are supported by the Cisco Easy VPN Server.

10. D. You would configure and add one .pcf file for each connection you wish to add to the VPN 3.5 Client.

11. A. Tunnel mode is supported by the Cisco Easy VPN Server; transport mode is not.

12. D. Initial contact allows Cisco VPN devices to clear existing connections when devices attempt to establish new connections.

13. C. You would modify the vpnclient.ini file to pre-configure global profiles.

14. A. DH group 1 (DH1) is not supported by the Cisco Easy VPN Server.

15. E. Any of these can be used as Cisco Easy VPN Remotes.

16. C, D, F, G. The Cisco VPN 3.5 Client Software is available for Linux (Intel), Mac OS X, Windows, and Solaris (Ultra-Sparc 32-bit).

17. C. The oem.ini, vpnclient.ini, and .pcf files are placed in the same directory as the setup.exe file.

18. A, B, E. The VPN 3.5 Client supports DH groups 1, 2, and 5.

19. B. DPD (Dead Peer Detection) allows Cisco VPN devices to identify connections where the communications peer has “died” and to recover the allocated resources.

20. C, D. ESP and IPCOMP-LZS are the IPSec protocol identifiers supported by the Cisco Easy VPN Server. IPSec AH is not supported. DH2 and DES are not IPSec protocol identifiers.
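The facts the written lab and review answers list (pre-shared key authentication, DES/3DES, DH group 2, ESP in tunnel mode with no AH, AAA policy lookup as the first server task, split tunneling, and DPD) all surface as concrete lines in an IOS Easy VPN Server configuration. The fragment below is an added example for this page, not configuration from the book or from Cisco; it uses the standard IOS Easy VPN Server command set of the 12.2(8)T era, and every name, address, ACL number and key is a constructed placeholder (exact syntax can vary by IOS release, so verify against your own platform's command reference).

```cisco
! Added example: minimal Cisco IOS Easy VPN Server configuration (not from the book).
! All names, addresses and keys below are constructed placeholders.
!
! 1. Enable policy lookup via AAA - the first configuration task (review answer 8).
!    Users and groups are held in the local database here.
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUPS local
username vpnuser secret REPLACE-WITH-USER-PASSWORD
!
! 2. IKE phase 1 policy: pre-shared keys (answer 1), 3DES (answers 5 and written lab 3),
!    DH group 2 (answers 3, 9 and 14). Group 1 would not be accepted by the server.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Dead Peer Detection (answer 19): keepalive every 10 s, retried every 3 s while unanswered.
crypto isakmp keepalive 10 3
!
! 3. Group policy pushed to Easy VPN Remotes: group key, client address pool and a
!    split-tunnel ACL so that only 192.168.1.0/24 is sent through the tunnel (answer 6).
crypto isakmp client configuration group REMOTE-USERS
 key REPLACE-WITH-GROUP-KEY
 pool EZVPN-POOL
 acl 110
ip local pool EZVPN-POOL 10.20.30.1 10.20.30.100
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.20.30.0 0.0.0.255
!
! 4. IPSec transform set: ESP (answer 20) with 3DES; tunnel mode is the default and the
!    only mode the Easy VPN Server supports (answer 11). No AH transform is used (written lab 10).
crypto ipsec transform-set EZVPN-TS esp-3des esp-sha-hmac
!
! 5. Dynamic crypto map, because remote client addresses are not known in advance.
!    reverse-route (RRI) is optional; it injects a route to each connected client.
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
! 6. Bind XAuth user authentication, group authorization and address assignment to the map.
crypto map EZVPN-MAP client authentication list VPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list VPN-GROUPS
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
! 7. Apply the crypto map to the interface that faces the remote users.
interface FastEthernet0/0
 crypto map EZVPN-MAP
```

After a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` on the router confirm that phase 1 negotiated 3DES with group 2 and that the phase 2 SA is ESP in tunnel mode, which is a quick way to check that the client and server policies actually match what the answers above state.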


Appendix A: Introduction to the PIX Firewall

This appendix is by no means meant to be a comprehensive guide to the installation and configuration of PIX Firewalls. Instead, it gives you an introduction to the information covered in the CCSP PIX exam, including the features and basic configuration of PIX Firewalls. (Please go to www.sybex.com for information about Sybex’s Study Guides on the CCSP exams.) Here are some of the topics covered in this appendix:

The advantages of using a PIX Firewall to protect your network

How a firewall passes traffic from one interface to another and the rules that traffic must follow

The basics of configuring a PIX Firewall: how to navigate the different modes, how to configure interfaces, and how to save configurations

How you can influence the traffic between interfaces, that is, how you can control exactly which traffic crosses the firewall

How to enable AAA on PIX Firewalls

Some of the advanced features available on the PIX Firewall

Be prepared—there are a lot of configuration details, and many new commands and syntax will be introduced.

The Cisco Packet Internet eXchange (PIX) Firewall

The PIX Firewall is a tool used to prevent unauthorized access between any two (or more) networks. The PIX Firewall uses a secure, real-time, embedded operating system.

Many other competing firewalls run on top of another operating system such as Unix or Windows NT. The problem with this is that Unix and Windows NT (or even Cisco’s IOS) have well-known security issues. This means that potential intruders can attack the operating system of the box your firewall is running on, using commonly available information! So much for the firewall….

Since the PIX Firewall uses a proprietary operating system (called Finesse), it is much more difficult to attack. There is no source code floating around that a potential hacker might use to break into your PIX Firewall.
