CCNA Cyber Ops FAQ: Introduction to Virtual Private Networks (VPNs)

Q1. Which of the following are examples of protocols used for VPN implementations?
A. TCP
B. Secure Sockets Layer (SSL)
C. UDP
D. Multiprotocol Label Switching (MPLS)
E. Internet Protocol Security (IPsec)

Answer: B, D, E. MPLS, IPsec, SSL, PPTP, and GRE are examples of protocols used for VPN implementations.

Q2. Which of the following VPN protocols do not provide data integrity, authentication, and data encryption?
A. L2TP
B. GRE
C. SSL
D. IPsec
E. MPLS

Answer: A, B, E. L2TP, GRE, and MPLS VPNs do not provide data integrity, authentication, and data encryption.

Q3. VPN implementations are categorized into which of the following two general groups?
A. Encrypted VPNs
B. Non-encrypted VPNs
C. Site-to-site (LAN-to-LAN) VPNs
D. Remote-access VPNs

Answer: C and D. VPN implementations are categorized into two general groups: site-to-site VPNs, which enable organizations to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium such as the Internet, and remote-access VPNs, which enable users to work from remote locations such as their homes, hotels, and other premises as if they were directly connected to their corporate network.

Q4. Which of the following is an example of a remote-access VPN client?
A. Cisco Encrypted Tunnel Client
B. Cisco AnyConnect Secure Mobility Client
C. Cisco ASA Client
D. Cisco Firepower Client

Answer: B. The Cisco AnyConnect Secure Mobility Client is an example of a remote-access VPN client.

Q5. Which of the following attributes are exchanged in IKEv1 phase 1?
A. Encryption algorithms
B. Hashing algorithms
C. Diffie-Hellman groups
D. Vendor-specific attributes

Answer: A, B, C, D. Encryption algorithms, hashing algorithms, Diffie-Hellman groups, the authentication method, and vendor-specific attributes are all exchanged in IKEv1 phase 1.

Q6. Which of the following hashing algorithms are used in IPsec?
A. AES 192
B. AES 256
C. Secure Hash Algorithm (SHA)
D. Message Digest Algorithm 5 (MD5)

Answer: C and D. SHA and MD5 are hashing algorithms used in IPsec. AES 192 and AES 256 are not hashing algorithms; they are encryption algorithms.

Q7. In IKEv1 phase 2, each security association (SA) is assigned which of the following?
A. A unique security parameter index (SPI) value
B. An IP address
C. The DNS server IP address
D. A public key

Answer: A. Each SA is assigned a unique security parameter index (SPI) value—one by the initiator and the other by the responder.

Q8. Which of the following statements is true about clientless SSL VPN?
A. The client must use a digital certificate to authenticate.
B. The remote client needs only an SSL-enabled web browser to access resources on the private network of the security appliances.
C. Clientless SSL VPNs do not provide the same level of encryption as client-based SSL VPNs.
D. Clientless SSL VPN sessions expire every hour.

Answer: B. In the clientless mode, the remote client needs only an SSL-enabled web browser to access resources on the private network of the security appliances.

Q9. Which of the following are some of the commonly used SSL VPN technologies?
A. Tor browser
B. Reverse proxy technology
C. Port-forwarding technology and smart tunnels
D. SSL VPN tunnel client (such as the AnyConnect Secure Mobility Client)

Answer: B, C, D. Reverse proxy technology, port-forwarding technology and smart tunnels, and an SSL VPN tunnel client (such as the AnyConnect Secure Mobility Client) are some of the commonly used SSL VPN technologies.

Q10. Why can’t ESP packets be transferred by NAT devices?
A. Because ESP packets are too big to handle.
B. Because the ESP protocol does not have any ports like TCP or UDP.
C. Because ESP packets are encrypted.
D. ESP is supported in NAT devices.

Answer: B. ESP packets cannot be successfully translated (NATed) because ESP does not have any ports.

Q11. What is the difference between IPsec tunnel and transport mode?
A. Tunnel mode uses encryption and transport mode uses TCP as the transport protocol.
B. Tunnel mode uses encryption and transport mode uses UDP as the transport protocol.
C. Transport mode protects upper-layer protocols, such as UDP and TCP, and tunnel mode protects the entire IP packet.
D. Tunnel mode protects upper-layer protocols, such as UDP and TCP, and transport mode protects the entire IP packet.

Answer: C. IPsec transport mode protects upper-layer protocols, such as UDP and TCP, and tunnel mode protects the entire IP packet.

Q12. Which of the following is true about Diffie-Hellman?
A. Diffie-Hellman is a key agreement protocol that enables two users or devices to authenticate each other’s preshared keys without actually sending the keys over the unsecured medium.
B. Diffie-Hellman is an encapsulation protocol that enables two users or devices to send data to each other.
C. Diffie-Hellman is a part of the RSA encryption suite.
D. Diffie-Hellman has three phases, and the second and third are used to encrypt data.

Answer: A. Diffie-Hellman is a key agreement protocol and it enables users or devices to authenticate each other using preshared keys without actually sending the keys over the unsecured medium.

Q13. Which of the following is not true about SSL VPNs?
A. SSL VPNs are used in Cisco IOS routers as a site-to-site VPN solution.
B. SSL VPNs are used in Cisco IOS routers as a remote access VPN solution.
C. SSL VPNs are used in Cisco ASA firewalls as a remote access VPN solution.
D. SSL VPNs can be client based or clientless.

Answer: A. SSL is not supported for Cisco site-to-site VPN tunnels.

Q14. Which of the following is not true about IKEv2?
A. IKEv1 Phase 1 has two possible exchanges: main mode and aggressive mode. There is a single exchange of a message pair for IKEv2 IKE_SA.
B. IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 uses an exchange of at least three message pairs for Phase 2.
C. IKEv1 has a simple exchange of two message pairs for the CHILD_SA. IKEv2 uses an exchange of at least three message pairs for Phase 2.
D. IKEv2 is used in VPN technologies such as FlexVPN.

Answer: C. IKEv1 has a simple exchange of two message pairs for the CHILD_SA. IKEv2 uses an exchange of at least three message pairs for Phase 2.

Q15. Which of the following encryption protocols is the most secure?
A. DES
B. 3DES
C. 4DES
D. AES

Answer: D. AES is more secure than DES and 3DES. 4DES does not exist.

Q16. Which of the following is not an SSL VPN technology or feature?
A. Reverse proxy features
B. Port-forwarding technology and smart tunnels
C. NAT Traversal
D. SSL VPN tunnel client (AnyConnect Secure Mobility Client)

Answer: C. NAT Traversal is an IPsec feature and specification.

Q17. Which browser is used by individuals to maintain anonymity on the Internet and to surf the dark web?
A. OnionBrowser
B. Tor
C. Chrome
D. Firefox

Answer: B. The Tor browser is used by individuals to keep themselves anonymous on the Internet and it is also used to browse the dark web.

Q18. Which of the following are reasons why an attacker might use VPN technology?
A. Attackers cannot use VPN technologies without being detected.
B. To exfiltrate data.
C. To encrypt traffic between a compromised host and a command and control system.
D. To evade detection.

Answer: B, C, D. Attackers use VPNs to exfiltrate data, to encrypt traffic between a compromised host and a command and control system, and to evade detection.

Q19. Which of the following are hashing algorithms?
A. RSA
B. MD5
C. AES
D. SHA

Answer: B and D. MD5 and SHA are hashing algorithms. RSA and AES are encryption algorithms.

About the author

Scott