Remote Network Access

Question 1

Remote Access Policy

Answer 1

• Restricts access to defined users and groups
• Defined access during days and times
• Access to only parts of network
• Auditing all logons and attempted logons

Question 2

Tunneling

Answer 2

• Source and destination hosts are on same logical network but connected via different physical networks

Question 3

PPP

Answer 3

Point-to-Point Protocol

• encapsulation that works at layer 2
• Used for IP packets for transmission over serial digital lines
• no security, so much be used with other protocols to create secure tunnel

Question 4

GRE

Answer 4

Generic Routing Encapsulation

• Works at layer 3
• Encapsulates IP packet as its payload
• Outer packet is on protocol number 47 and has own IP source and header fields
• Each hop only inspects outer packet to determine forwarding destination
• At final destination, router decapsulates payload and forwards inner destination
• Has no authentication methods so often used with other protocols for VPNs

Question 5

IPSec

Answer 5

IP Security

• Can be used to secure IPv4 and IPv6 communications on local networks or as a remote access protocol
• Operates on layter 3
• Encrypted packets passing over any network
• Often used with other protocols, but is increasingly used as native VPN protocol

Question 6

TLS

Answer 6

Transport Layer Security

• Can be used to encapsulate frams and IP packets
• Because it already operates at session layer, inner and outer packets can add overhead

Question 7

Client to Site VPN

Answer 7

• Allows connection to VPN gateway on edge of local network over public internet

Question 8

SSL/TLS VPN

Answer 8

• Uses certificates to secure tunnel
• SSTP (Secure Socket Tunneling Protocol) is example
• L2TP ( Layer 2 Tunneling Protocol) also widely used with IPSec
• Require client software to operate
• Most use EAP or AAA/Radius to authenticate users and devices

Question 9

Split Tunnel

Answer 9

• Client on VPN access internet directly usings its native IP configuration and DNS servces
• Clients browsing uses local internet connection

Question 10

Full Tunnel

Answer 10

• Internet access is made through corporate tunnel
• Alters clients IP address and may use a proxy
• Offers better securiy, but NATing and DNS operatinos may cause problems with websites and cloud services
• More data is also channeled through tunnel

Question 11

Remote Host Access

Answer 11

• Operating computer without local terminal

Question 12

RDP

Answer 12

Remote Desktop Protocol

- Useds to access physical machine on a one-to-one basis

Question 13

Clientless VPN

Answer 13

• HTML5 VPN
• Allows ordinary browser software to connect to remote desktop or VPN
• Uses Protocol called WebSockets, which enables bidirectional messages to be sent between server and client without overhead of separate HTTP requests

Question 14

Site-Site VPN

Answer 14

• Configured to operate automatically
• Hosts do not need to be configured with information about VPN
• Also referred to as compulsory tunneling

Question 15

Hub and Spoke VPN

Answer 15

• Site to site vpn
• Involves multiple remote sites connecting to hub
• VPN router needs to be powerful to handle traffic volumes
• Router referred to as VPN Headend
• They are normally installed in groups for load balancing and fault tolerance

Question 16

DMVPN

Answer 16

Dynamic Multipoint VPN

• Allows VPNS to be set up dynamically for traffic requirments and demand
• Allows for dynamic mesh topology between remote sites
• Sets up multiple direct vpns, rather than using a hub
• Each sites router is still connected to hub using IPSec tunnel
• Direct VPNs can be negotiated by hub router
• Can be more efficient and reduce jitter and latency

Question 17

IPsec Policy

Answer 17

• Sets the authetication method and protocols to create secure connection on local network or as remote access
• Each host must be able to match at least one method
• Two main protocols, Authentication Header and Encapsulation Security Payload

Question 18

AH

Answer 18

Authentication Header

• Performs hash on whole packet, including header plus a shared key and adds secret in header as ICV ( Integrity check value)
• Recipient performs same function to confirm packet has not been modified
• Does not encrypt packet
• Not often used

Question 19

ESP

Answer 19

Encapsulating Security Payload

• Provided confidentiality authentication and integrity
• Attaches three fields to packet: A header, a trailer (providing padding to cryptographic function) and an integrity check value.
• Unlink AH, ESP excludes the IP Header when calculating the ICV

Question 20

IKE

Answer 20

Internet Key Exchange Protocol

- Handles authentication and key exchange for things like IPSec

Question 21

IPSec Transport Mode

Answer 21

• Used to secure communications between hosts on private network
• When ESP is applied, IP Header is not encrypted, just payload data

Question 22

IPSEC Tunnel Mode

Answer 22

• Used for VPN gate communication
• Whole packet, Header and payload is encrypted with ESP
• Then encapsulated as datagram with new IP Header

Question 23

RAS

Answer 23

Remote Access Server
- Should be accompanied by documentation describing the uses of the service, security risks and countermeasures and authorized users of the service

Question 24

Console Port

Answer 24

• Interface for managing appliance
• Requires connection running terminal emulator(like a laptop) using a special cable
• Emulator then uses CLI (command line interface)

Question 25

AUX Port

Answer 25

• Means to access appliances management interface
• Connects to analog modem and provides access via a dial-up link
• Remote host can connect to appliance CLI using emulators like HyperTerminal or PuTTy

Question 26

Management Port

Answer 26

• Mean of configuring virtual network interface via one of the normal ethernet ports
• Port must be enabled for management
• Using Telnet or SSH to connect remotely over management interface is referred to as virtual terminal