Module 8: VPN and IPsec Concepts

Question 1

True or False? A site-to-site VPN must be statically set up.

Answer 1

True

Question 2

Which two technologies provide enterprise-managed VPN solutions?

Answer 2

Site-to-site VPN and Remote access VPN

Question 3

Which two technologies provide service provider managed VPN solutions?

Answer 3

Layer 2 MPLS VPN and Layer 3 MPLS VPN

Question 4

What algorithm is used with IPsec to provide data confidentiality?

Answer 4

AES

Question 5

What algorithms are used with IPsec to provide data integrity?

Answer 5

SHA and MD5

Question 6

What algorithm is used with IPsec to provide authentication?

Answer 6

RSA

Question 7

What algorithm is used with IPsec to provide key exchange?

Answer 7

Diffie-Hellman (DH)

Question 8

Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols?

Answer 8

Generic Routing Encapsulation (GRE)

Question 9

What is the function of the Hashed Message Authentication Code (HMAC) algorithm in setting up an IPsec VPN?

Answer 9

Guarantees message integrity

Question 10

Which IPsec security function provides assurance that the data received via a VPN has not been modified in transit?

Answer 10

Integrity

Question 11

Which statement describes a VPN?

Answer 11

VPNs use virtual connections to create a private network through a public network.

Question 12

How is “tunnelling” accomplished in a VPN?

Answer 12

New headers from one or more VPN protocols encapsulate the original packets.

Question 13

Which type of VPN involves a nonsecure tunnelling protocol being encapsulated by IPsec?

Answer 13

GRE over IPsec

Question 14

Which two types of VPNs are examples of enterprise-managed remote access VPNs?

Answer 14

Client-based IPsec VPNs and clientless SSL VPNs

Question 15

In a static NAT configuration, what NAT address type will Internet hosts use to reach an internal web server?

Answer 15

Outside Local address of the web server

Question 16

Which type of VPN is used to connect a mobile user?

Answer 16

Remote-access

Question 17

Which VPN benefit uses advanced encryption and authentication protocols to protect data from unauthorized access?

Answer 17

Security

Question 18

Which VPN benefit allows an enterprise to easily add more users to the network?

Answer 18

Scalability

Question 19

Which VPN benefit allows an enterprise to increase the bandwidth for remote sites without necessarily adding more equipment or WAN links?

Answer 19

Cost savings

Question 20

Which VPN solutions are typically managed by an enterprise?

Answer 20

IPsec, SSL, DMVPN

Question 21

How does SSL/TLS authenticate peers?

Answer 21

Public Key Infrastructure (PKI) and digital certificates

Question 22

True or False?
SSL/TLS VPNs are more complex to set up than IPsec?

Answer 22

False.

Question 23

True or False?
IPsec is less secure than SSL/TLS VPN

Answer 23

False.

Question 24

True or False?
IPsec is the preferred method of configuring a VPN over SSL/TLS

Answer 24

False, both options are valid.

SSL/TLS VPNs are less complex and have more extensive connection options as they work with any device with a web browser.

IPsec is more secure and and supports all IP-based applications, not just

Question 25

Site-to-Site VPNs use what terminating devices?

Answer 25

VPN Gateways

Question 26

Site-to-Site VPNs are typically created and secured using what technology?

Answer 26

IPsec

Question 27

When might Dynamic Multipoint VPN (DMVPN) might be useful?

Answer 27

If you have more than a few sites that need securely connecting, such as in a large enterprise.

Question 28

What type of topology does DMVPN use for configuration?

Answer 28

Hub-and-Spoke

Question 29

True or False?
Once DMVPN connections are made between sites, all traffic must be routed through the hub site?

Answer 29

False.
Once configuration is established, DMVPN allows for a full-mesh between all sites.

Question 30

IPsec VTI maps to what type of interface?

Answer 30

A virtual interface, rather than static physical interfaces.

Question 31

True or False?
IPsec VTI can send both unicast and multicast encrypted traffic, therefore supporting routing protocols automatically.

Answer 31

True.
It does so without the need to configure GRE tunnels.

Question 32

True or False?
IPsec VTI can only be configured between sites.

Answer 32

False.
It can also be configured in a Hub-and-Spoke tpology.

Question 33

What two types of MPLS VPNs are available?

Answer 33

Layer 2, where customer routers effectively belong to the same multiaccess network.

Layer 3, where the service provider establishes routing between the customer’s routers and the provider’s router.

Question 34

What type of VPN enables an enterprise to rapidly scale secure access across the organization?

Answer 34

DMVPN

Question 35

What type of VPN enables an enterprise to emulate an Ethernet multiaccess LAN with remote sites?

Answer 35

MPLS VPN

Question 36

What type of protocol is GRE?

Answer 36

Carrier protocol

Question 37

What type of VPN only requires a web browser on the host?

Answer 37

SSL/TLS VPNs

Question 38

What type of VPN can be established with a web browser using HTTPS?

Answer 38

Clientless VPN

Question 39

In IPsec, what provides authentication for the data origin, integrity, and protection against replay attacks?

Answer 39

Authentication Header (AH)

Question 40

In IPsec, what provides encryption for data confidentiality and authentication?

Answer 40

Encapsulating Security Payload (ESP)

Question 41

In IPsec, what provides negotiation of security associations and keys?

Answer 41

• ISAKMP (Internet Security Association and Key Management Protocol) sets the ‘blueprint’ for the authentication
• IKE (Internet Key Exchange) implements the blueprint
• DH (Diffie-Hellman) performs the secure key exchange

Question 42

IPsec cam protect traffic in which four OSI layers?

Answer 42

Layer 4, 5, 6, and 7

Question 43

Which IPsec function uses pre-shared passwords, digital certificates, or RSA certificates?

Answer 43

Authentication

Question 44

True or false?
The IPsec framework must be updated each time a new standard is developed?

Answer 44

False

Question 45

Which two choies are packet encapsulation options supported by IPsec?

Answer 45

AH, ESP

Question 46

Which three choices provide for the Confidentiality function in the IPsec framework?

Answer 46

3DES, AES, SEAL

Question 47

Which two choices provide for the Integrity function in the IPsec framework?

Answer 47

MD5, SHA

Question 48

Which choices are available for the Authentication function in the IPsec framework?

Answer 48

Pre-Shared Key (PSK) and RSA

Question 49

Which Diffie-Hellman group choices are no longer recommended?

Answer 49

DH groups 1, 2, and 5.

Question 50

What is the purpose of a remote access VPN and what is typically required for the hosts?

Answer 50

To allow secure connections by remote useres to the company network over the internet. It typically requires client software on the hosts.

Question 51

The use of 3DES within the IPsec framework is an example of which of the give IPsec building blocks?

Answer 51

Confidentiality

Question 52

Which type of VPN may require VPN Client software?

Answer 52

Remote access VPN

Question 53

Which technique is necessary to ensure a private transfer of data using a VPN?

Answer 53

Encryption

Question 54

What are the two fundamental Dynamic Multipoint VPN tunnel types?

Answer 54

Spoke-to-spoke and hub-to-spoke

Question 55

What are two reasons a company would use a VPN?

Answer 55

• To connect remote users to the network.
• To allow suppliers access to the network.

Question 56

True or false?
All VPNs securely transmit clear text across the internet.

Answer 56

False.

Question 57

Which solution allows workers to telecommute effectively and securely?

Answer 57

Remote-access VPN

Question 58

Which VPN type is a service provider managed VPN?

Answer 58

Layer 3 MPLS VPN

Question 59

Which IPsec framework protocol provides data integrity and data authentication, but does not provide data confidentiality?

Answer 59

Authentication Header (AH)

Question 60

What algorithm is used to provide data integrity of a message through the use of a calculated hash value?

Answer 60

Hashed Message Authentication Code (HMAC)

Question 61

What is the advantage of a longer encryption key length?

Answer 61

The longer the key, the more key possibilities exist.

Question 62

What is a type of VPN that is generally transparent to the end user?

Answer 62

Site-to-site