IPsec

DH group number _ at ____ bits of key strength is the most compatible DH group number.

2, 1024

Encapsulating Security Payload is included in RFC ____, ____ et al.

2460, 4303

Transport mode is used to secure any layer _ or above protocol set.

4

Authentication Header protocol was established with RFC ____.

4301

ESP is included in IP Protocol __

50

IKE runs on TCP Port ___

500

AH is included in IP Protocol __.

51

Tunnel mode is utilized for the creation of ___ connections.

VPN

PFS is more _____ but _____ establishing a connection

secure, slower

In cryptography, a _______ __________ is a one way set of security information used to facilitate a logical connection between nodes

security association

Without PFS, the IPsec SA ______ ___ is derived from the IKE phase 1 key

session key

AH ensures a packet is not _______ or _______.

spoofed, munged

Both nodes must agree on the _______ of interest

traffic

Perfect Forward Security (PFS) performs a new DH _________ to create the IPsec SA session key

transaction

An IPsec ________ defines the set of cryptographic tools used by IPsec

transform

PIX/ASA implementations of IPsec refer to crypto tools as _______ ____

transform sets

___ security associations are required for duplex communication.

two

The two modes of IPsec operation are __________ and ______

Transport, Tunnel

IPsec reduces the need for __________ layer security

Application

The two protocols utilized in IPsec are the ____________ _______ protocol, and the ____________ _______ _______.

Authentication Header, Encapsulating Security Payload

IPsec supports many block ciphers using ______ _____ _______ (CBC)

Cipher Block Chaining

Negotiated cryptographic key length is determined by __ _____ _____

DH group number

Transforms that can be performed in IPsec include ___/__, ______ with key, and ___ with key

ESP/AH, Cipher, MAC

T/F ESP is the equivalent of adding encryption to AH

F

T/F A security association is a two way set of security information used to facilitate a logical connection between nodes.

F (One way)

T/F IPsec security associations are usually manually configured

F (Rarely done, as it is less secure than automatic)

T/F Main mode protects the identities of peers during negotiation, but is inflexible in implementation

F (actually allows greater flexibility)

T/F IPsec does not require the communication endpoint to be the cryptographic endpoint.

F (comm endpoint must be cryptographic endpoint)

T/F IPsec does not support filtering

F (it does)

T/F All systems support all DH groups.

F (not all systems support all groups)

T/F ESP allows implementation of authentication and encryption, but neither has to be enabled when configuring IPsec.

F (one must be specified, otherwise why enable it to begin with)

T/F The authentication header can be used for encryption of network traffic.

F (only authentication)

T/F IPsec will filter all traffic across the network at all times.

F (some traffic is handled natively by IP/TCP/UDP, etc)

T/F Even when using Authentication Headers, the source address could be spoofed.

F (theoretically the source address cannot be spoofed)

Main or Aggressive Mode applies to ___ ____ _ negotiations

IKE phase 1

IKE is the _______ protocol used for IPsec

ISAKMP

IKE stands for

Internet Key Exchange

ISAKMP stands for

Internet Security Association Key management protocol

____ mode is preferred for maximum security in IKE phase 1 negotiations.

Main

ISAKMP dynamically creates __ and ______ keys

SA, exchange

The _______ ________ _____ is a unique 32 bit value identifying each individual data flow.

Security Parameter Index

T/F Aggressive mode is faster to negotiate than Main mode

T

T/F An IPsec transform defines the set of cryptographic tools and traffic used by IPsec

T

T/F Authentication Headers provide an anti-replay service with optional sequence numbers.

T

T/F Before two nodes can communicate securely, they must sort out their security associations

T

T/F Both nodes must agree on the path MTU.

T

T/F Both transport and tunnel mode can work with AH and ESP.

T

T/F IKE uses the Oakley Key Agreement Protocol for keying, which uses Diffie-Hellman Key-exchange algorithms.

T

T/F IPsec AH and ESP can be used simultaneously.

T

T/F IPsec can provide a layer of security to inherently insecure application layer protocols.

T

T/F In IKE phase 1 the nodes authenticate each other and establish a secure channel for phase 2

T

T/F In IKE phase 2 an IPsec security association is negotiated

T

T/F Transport mode can be used with virtually all application layer protocols

T

T/F Tunnel mode requires an entire IP packet to be encapsulated into the IPsec data field.

T

ESP provides for ___________ and/or _________

authentication, encryption

A Security Association contains cryptographic information, including __________, _________ information, and ___ information

authenticators, Encryption, MAC

AH provides authentication of the entire IPv4 _______

datagram

Authentication Headers do not ______ data.

encrypt

Transport mode is used to protect standard application layer data during transmission across an _______ network.

insecure

IPsec security associations are configured automatically via a ___ _______ ______

key exchange protocol

IPsec runs at a ___ layer of the operating system

low

IKE phase 2 _________ the IPsec SA, then derives a key from the _____ _ key and assigns a unique ___ to identify traffic

negotiates, phase 1, SPI

IPsec adds security to the IPv4 or IPv6 ________ layer

network

IKE Phase 1 involves an authentication of the _____, a shared session ___ and finally an IKE __ with a secure channel for phase 2.

nodes, key, SA
