Q1. Your organization has just opened a new office in Detroit. You have existing offices in Phoenix, San Diego, and Albuquerque that are tied together using VPN technology. What physical or logical changes should you add to support the VPN connection to the new office? A. No new interfaces are needed. The VPN configuration needs only to be applied to the router. B. No new interfaces are needed. You need to communicate with the ISP to provision a new DLCI. C. A new serial interface needs to be added to the router to support the new connection. The encapsulation should be set to match the service provider’s requirements. D. A new Fast Ethernet interface needs to be added to the router to support the new connection. You must communicate with the service provider to provision the new circuit.
Answer: A. A big advantage of VPN connections is their flexibility and scalability. If you need to add a new office, all you need to do is apply the necessary configuration to the router, allowing it to connect through the Internet to the new office. No new interfaces are necessary to accomplish this.
Q2. Which of the following is not a valid benefit of using VPN technology? A. Lower costs B. More flexibility when configuring site-to-site connections C. The ability to support telecommuters D. Lower network overhead
Answer: D. VPN solutions offer many benefits, but lower network overhead is not one of them. Because the VPN forms a tunnel through the public network, new IP headers must be generated and applied to the packet. This increases the network overhead for this type of connection.
FIGURE: Remote-access VPN technology.
Q3. What is needed to support an SSL VPN connection? A. The router should be configured to support SSL VPN connections. The client can connect using a standard web browser. B. The router should be configured to support SSL VPN connections. The client must use the Cisco VPN client when connecting. C. The router should be configured to support SSL VPN connections. The client must use a third-party thin client to connect. D. The router does not need to be configured to support SSL VPN connections. The client platform delivers all configuration when it connects.
Answer: A. SSL VPN connections allow you to deploy a VPN solution without installing a client on the enduser PC. To connect to the VPN, the user opens a web page hosted by the router or ASA device and authenticates. The web page then becomes a VPN portal. This is why SSL VPNs are often called WebVPNs.
Q4. What platforms can support site-to-site and remote-access VPNs? (Choose two) A. Cisco IOS B. Cisco IPS Appliance C. Cisco Catalyst 3550 D. Cisco ASA 5500
Answer: A, D. Specific feature sets of the Cisco IOS (used on routers) can support site-to-site and remoteaccess VPNs. Cisco also manufactures the ASA 5500 series security appliance, which is specifically designed to support VPN solutions.
Q5. Which of the following is not a component of the IPsec framework? A. ESP B. SHA-1 C. TCP D. MD5 E. AES
Answer: C. The TCP protocol fits into the TCP/IP protocol suite rather than the IPsec protocol suite. All other protocols listed are either encryption, authentication, or IPsec core protocols.
Q6. Which of the following represent data integrity algorithms? (Choose two) A. AES B. MD5 C. DES D. 3DES E. SHA-1
Answer: B, E. The two data integrity algorithms are MD5 (128-bit hash) and SHA-1 (160-bit hash).
Q7. Which of the following are symmetric encryption algorithms? (Choose two) A. DH B. SHA-1 C. DES D. AES
Answer: C, D. The two encryption algorithms are DES (offering 56-bit encryption) and AES (offering 128-, 192-, and 256-bit encryption).
Q8. You have just finished proposing a new VPN solution to your organization’s upper management. They have approved the solution, provided that you use the strongest level of encryption possible. What algorithm will you choose? A. 3DES B. AES C. SHA-1 D. MD5
Answer: B. AES currently offers the strongest levels of encryption possible for symmetric encryption. It can reach up to 256-bit encryption.
Q9. You would like to implement IPsec over your LAN network. You are not as interested in encryption features, because they can cause tremendous overhead, but you would like to implement authentication and data integrity features. What IPsec protocol will you use? A. AH B. DH C. ESP D. SHA-1
Answer: A. The Authentication Header (AH) is the older of the two IPsec core protocols. It supports only authentication and data integrity features. The Encapsulating Security Payload (ESP) adds encryption.
Q10. What process passes data through a mathematical algorithm to generate a 128- or 160-bit result? A. Encryption B. Diffie-Hellman C. Hashing D. ESP
Answer: C. Hashing features pass data through a mathematical algorithm to generate a hash used for data integrity. Passing data through an algorithm to scramble it is called encryption.
Q11. What are the three benefits of using VPN connectivity over private lines?
Answer: VPN connectivity is more cost-effective and scalable than leased-line connections. In addition, it provides the capability for remote-access connections (such as telecommuters or mobile workers).
Q12. Describe the two types of VPN implementations. What would be an ideal use of each?
Answer: VPN connections can be either site-to-site or remote-access. Site-to-site is the direct replacement for a leased line and acts as a permanent connection between offices. Remote-access connections allow users to connect to the corporate network from a remote location, such as a home or motel.
Q13. The three primary security techniques used over VPN connections are encryption, authentication, and data integrity. Briefly describe the purpose of each.
Answer: Encryption is designed to scramble data before it is sent and descramble it at the remote end. This keeps people from intercepting and interpreting data that is communicated over a network. Authentication ensures that the devices sending and receiving data are really who they say they are. Data integrity ensures that data does not change when it is sent across the network.
Q14. What are the differences between asymmetric and symmetric encryption?
Answer: Asymmetric encryption uses a public and private key system. Each key is the reverse of the other (the public key can decrypt what the private key encrypts, and vice versa). This encryption type is very processor-intensive. Symmetric encryption uses the same key to encrypt and decrypt data. It is much more processor-efficient than asymmetric encryption.
Q15. Briefly describe how SSL can securely send an encryption/decryption key over a public network.
Answer: SSL can secure communication over a public network between two devices. The devices first exchange public keys and use the opposite device’s public key to encrypt a session key. The encrypted session key is then exchanged between the devices and is decrypted using the private key. After this, the session key is used to encrypt and decrypt all communication between the two devices.
Q16. Which of the following terms refers to a VPN that uses the Internet to connect the sites of a single company, rather than using leased lines or Frame Relay? a. Intranet VPN b. Extranet VPN c. Access VPN d. Enterprise VPN
Answer: A. Extranet VPNs connect sites in different but cooperating companies. Access VPNs provide access to individual users, typically from home or while traveling. The term “enterprise VPN” is not generally used to describe a type of VPN.
Q17. Which of the following are not considered to be desirable security goals for a site-tosite VPN? a. Message integrity checks b. Privacy (encryption) c. Antivirus d. Authentication
Answer: C. Antivirus software is an important security function, but it is not a function provided by the VPN itself.
Q18. Which of the following functions could be performed by the IPsec IP Authentication Header? (Choose two answers.) a. Authentication b. Encryption c. Message integrity checks d. Anti-reply
Answer: A and C. Encapsulating Security Payload (ESP) headers support all four of the functions listed in the answers, whereas the Authentication Header (AH) only supports authentication and message integrity.
Q19. Which of the following is considered to be the best encryption protocol for providing privacy in an IPsec VPN as compared to the other answers? a. AES b. HMAC-MD5 c. HMAC-SHA-1 d. DES e. 3DES
Answer: A. Of these answers, only Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) are encryption tools for encrypting the entire packet. AES provides better encryption and less computation time among the three options.
Q20. Which three of the following options would be the most commonly used options for newly purchased and installed VPN components today? (Choose three answers.) a. ASA b. PIX firewall c. VPN concentrator d. Cisco router e. Cisco VPN client
Answer: A, D, and E. All the devices and software listed in the answers can be used to terminate a VPN tunnel. However, ASAs have replaced PIX firewalls and VPN concentrators in the Cisco product line.
Q21. When using the Cisco Web VPN solution, with the client using a normal web browser without any special client software, which of the following are true? (Choose two answers.) a. The user creates a TCP connection to a Web VPN server using SSL. b. If the user connects to a normal web server inside the enterprise, and that server only supports HTTP and not SSL, those packets pass over the Internet unencrypted. c. The Web VPN server connects to internal web servers on behalf of the Web VPN client, translating between HTTP and SSL as need be. d. The Web VPN client cannot connect without at least thin-client SSL software installed on the client.
Answer: A and C. The client always uses Secure Socket Layer (SSL) to connect to the Web VPN server, so all Internet communications are encrypted. One major advantage of Web VPN is that the client does not need to have any client software, just the built-in SSL capabilities of typical web browsers.