Module 8: Implementing Virtual Private Networks and Implementing the Cisco Adaptive Security Appliance Flashcards
A computer network concept that masks your IP address so your online actions are virtually untraceable.
virtual private network
It gives you online privacy and anonymity by creating a private network from a public internet connection.
virtual private network
What are the benefits of a virtual private network?
- cost savings
- security
- scalability
- compatibility
What are the different types of virtual private networks?
- remote-access virtual private network
- site-to-site virtual private network
A type of VPN where remote employees can log on to your office network from anywhere — home, traveling, or in transit.
remote-access virtual private network
A type of VPN where a company can securely connect its corporate network with its remote offices to communicate and share resources with them as a single network.
site-to-site virtual private network
A type of VPN that is frequently used by companies with multiple offices in different geographic locations that need to access and use the corporate network on an ongoing basis.
site-to-site virtual private network
A type of VPN that creates a virtual tunnel between an employee’s device and the company’s network.
remote-access virtual private network
A component of remote-access VPN that requires the user to provide valid credentials to sign in to the VPN.
network access server
Components of Site-to-Site VPN
- Virtual private gateway
- Transit gateway
- Customer gateway device
- Customer gateway
What are the algorithms used for confidentiality under the IPSec framework?
- data encryption standard
- triple data encryption standard
- advanced encryption standard
- software-optimized encryption algorithm
What are the algorithms used for the integrity of a network?
- message digest algorithm (MD5)
- secure hash algorithm (SHA)
What are the algorithms used for the authentication of a network?
- Pre-Shared Key (PSK)
- RSA algorithm (Rivest-Shamir-Adleman)
A group of protocols that are used together to set up encrypted connections between devices.
IPsec (internet protocol security)
It is a group of protocols that is used to set up VPNs, and it works by encrypting IP packets and authenticating the source the packets come from.
IPsec (internet protocol security)
An IPSec protocol that verifies any message passed from one router to another was not modified during transit.
authentication header
An IPSec protocol where IP packet encryption conceals the data payload and the identities of the ultimate source and destination.
encapsulating security payload
A concept in computer networking that refers to the accuracy and completeness of data.
integrity
It is an algorithm whose common application is to encrypt passwords.
Secure Hash Algorithm
It is a family of cryptographic functions designed to keep data secure.
secure hash algorithm
It is an algorithm designed to be a one-way function, meaning that once data is transformed into its respective hash value, it is virtually impossible to transform it back into the original data.
secure hash algorithm
A one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length digest value to be used for authenticating the original message.
message digest-5
It is a hash function that was originally designed for use as a secure cryptographic hash algorithm for authenticating digital signatures.
message digest-5
A client authentication method that uses a string of 64 hexadecimal digits, or a passphrase of 8 to 63 printable ASCII characters, to generate unique encryption keys for each wireless client.
Pre-Shared Key (PSK)
It is a public-key cryptosystem that is a relatively slow algorithm and is not commonly used to directly encrypt user data.
rivest-shamir-adleman
It is a protocol that authenticates IP headers and their payloads, with the exception of certain header fields that can be legitimately changed in transit, such as the Time To Live (TTL) field.
authentication header
An IPSec protocol that is used when confidentiality is not required or permitted.
authentication header
It is a protocol that provides data encryption and authentication.
encapsulating security payload
It is a protocol that authenticates only the IP datagram portion of the IP packet.
encapsulating security payload
It is a protocol that authenticates the entire IP packet, including the outer IP header.
authentication header
An ESP mode that encrypts the whole packet and is used for the establishment of site-to-site VPN tunnels, when securing communication between VPN gateway devices.
tunnel mode
A mode of AH and ESP that can be applied to any mix of end systems and intermediate systems, such as security gateways.
tunnel mode
A mode of AH and ESP where the original packet is encapsulated in another IP header.
tunnel mode
An ESP mode that provides security for the entire original IP packet, protecting the headers and payload.
tunnel mode
An ESP mode that protects the payload of the packet and the higher layer protocols.
transport mode
An ESP mode that is commonly used between two different workstations running VPN software.
transport mode
It is the protocol used to set up a secure, authenticated communications channel between two parties.
internet key exchange
It is part of the Internet Security Protocol which is responsible for negotiating security associations.
internet key exchange
It is a set of mutually agreed-upon keys and algorithms to be used by both parties trying to establish a VPN connection/tunnel.
security association
It defines how to establish, negotiate, modify and delete Security Associations containing the information required for execution of various network security services.
internet security association and key management protocol
In phase 1, IKE creates an authenticated, secure channel between the two IKE peers using __________.
Diffie-Hellman key agreement protocol
Typically deployed when two or more autonomous systems wish to communicate with each other over an untrusted medium and a confidential exchange of data is required.
Site-to-site IPsec VPN
A protocol for encapsulating data packets that use one routing protocol inside the packets of another protocol.
Generic Routing Encapsulation
It is an encapsulation concept that enables the usage of protocols that are not normally supported by a network, because the packets are wrapped within other packets that do use supported protocols.
Generic Routing Encapsulation
It means wrapping one data packet within another data packet, like putting a box inside another box.
Encapsulating
It is another way to set up a direct point-to-point connection across a network by simplifying connections between separate networks.
Generic Routing Encapsulation
It means encapsulating packets within other packets.
tunneling
The Cisco command to configure PSK?
- crypto isakmp transform-set R1-R2 ah-md5-hmac
- crypto ipsec transform-set R1-R2 ah-md5-hmac
- crypto isakmp key cisco12345 address 172.30.2.2
- access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp key cisco12345 address 172.30.2.2
The Cisco command to configure an internet protocol security transform set?
- crypto ipsec transform-set R1-R2 ah-md5-hmac
- access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
- crypto map R1-R2_MAP 10 ipsec-isakmp
- crypto isakmp transform-set R1-R2 ah-md5-hmac
crypto ipsec transform-set R1-R2 ah-md5-hmac
The Cisco command to apply a crypto map to an interface?
- ping ip 192.168.1.1 source 10.0.1.1
- crypto ipsec sa
- crypto isakmp transform-set R1-R2 ah-md5-hmac
- crypto map R1-R2_MAP
crypto map R1-R2_MAP
The Cisco command to check the default ISAKMP policy?
- crypto isakmp policy default
- show crypto isakmp policy
- show crypto isakmp default policy
show crypto isakmp default policy
The Cisco command that permits AH traffic?
- access-list ADMIN permit ahp 192.168.1.0 0.0.0.255
- access-list ADMIN permit udp 192.168.1.0 0.0.0.255 eq isakmp
- access-list ADMIN permit esp 192.168.1.0 0.0.0.255
access-list ADMIN permit ahp 192.168.1.0 0.0.0.255
The Cisco command to configure the ISAKMP policy to default?
- crypto isakmp policy 1 default
- show crypto isakmp default policy
- show crypto isakmp policy
crypto isakmp policy 1 default
The Cisco command that permits ISAKMP traffic?
- access-list ADMIN permit ahp 192.168.1.0 0.0.0.255
- access-list ADMIN permit esp 192.168.1.0 0.0.0.255
- access-list ADMIN permit udp 192.168.1.0 0.0.0.255 eq isakmp
access-list ADMIN permit udp 192.168.1.0 0.0.0.255 eq isakmp
A concept where the ASA is divided into multiple virtual standalone firewalls, and each virtual standalone firewall acts and behaves as an independent firewall with its own configuration, interfaces, security policies, routing table, etc.
Adaptive security appliance (ASA) Virtualization
What are the features of an advanced ASA firewall?
- Adaptive security appliance (ASA) Virtualization
- high availability
- Identity-based firewall
- adaptive security appliance (ASA) threat control
A feature of ASA firewall that relies on a number of different triggers and statistics.
adaptive security appliance threat control
A feature of ASA firewall that provides firewall administrators with the necessary tools to identify, understand, and stop attacks before they reach the internal network infrastructure.
adaptive security appliance threat control
A feature of ASA firewall that can be used in environments where an IPS is not available to provide an added layer of protection to the core functionality of ASA.
adaptive security appliance threat control
What are failover modes supported by ASA?
- active/active failover
- active/standby failover
A feature of ASA firewall that enhances the existing access control and security policy mechanisms by allowing users or groups to be specified in place of source IP addresses.
identity firewall
A feature of ASA firewall where it can be configured to apply access rules and security policies based on user names and user group names rather than source IP addresses.
identity firewall
A feature of ASA firewall where it applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped user names.
identity firewall
A feature of ASA firewall that provides more granular access control based on users’ identities.
identity firewall
What are the ASA firewall modes of operation?
- routed mode
- transparent mode
An ASA firewall mode of operation where the ASA is considered to be a router hop in the network.
routed mode
An ASA firewall mode of operation where each interface that you want to route between is on a different subnet.
routed mode
An ASA firewall mode of operation where a Layer 2 firewall acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop by connected devices.
transparent mode
ASA Security Level Controls
- Network Access
- Inspection Engines
- Application Filtering
An ASA security level control that is a number between 0 and 100 that defines the trustworthiness of the network the interface is connected to.
Network Access
An ASA security level control which is required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.
Inspection Engine
An ASA security level control where you can look inside the traffic and prevent applications that are unacceptable for your network.
Application Filtering
A computer network concept that may contain a single object (such as a single IP address, network, or subnet) or multiple objects such as a combination of multiple IP addresses, networks, or subnets.
object group
An ASA basic configuration command that sets the passphrase between 8 and 128 characters long.
key config-key password-encryption
An ASA basic configuration command used for generating the encryption key.
key config-key password-encryption
An ASA basic configuration command that provides legal notification and configures the system to display a message-of-the-day banner when connecting to the ASA.
banner motd
An ASA basic configuration command that sets the default domain name.
domain-name
An ASA basic configuration command that enables password encryption and encrypts all user passwords.
password encryption aes
It allows a group of users to have access only to a specific group of servers.
access control entry (ACE)
It is a set of rules that is usually used to filter network traffic.
access control list
It allows you to evaluate only the source IP address of a packet.
standard access lists
It allows you to evaluate the source and destination IP addresses, the type of Layer 3 protocol, source and destination port, and other parameters.
extended access lists
A type of NAT wherein there is a consistent mapping between a real and mapped IP address.
static network address translation
It is a computer network concept that replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, routable addresses that can be used on the public Internet.
network address translation
It is a computer network concept that enables private IP networks to connect to the Internet.
network address translation
A type of address translation where a remote host on the destination network can initiate a connection to the translated host if an access rule allows it.
Dynamic Port Address Translation
A type of NAT where only the real host can initiate traffic.
dynamic network address translation
A type of NAT that allows bidirectional traffic initiation, both to and from the host (if an access rule exists that allows it).
static network address translation
A computer network concept that provides a consistent and flexible way to configure security appliance features.
modular policy framework
A component or step in MPF that specifies where to apply the policy.
service policy
A component or step in MPF that specifies what action the ASA should take against the traffic identified by the Class Map.
policy map
A component or step in MPF that is used to identify the type of traffic.
class map