Chapter 7. Introduction to Virtual Private Networks (VPNs)
Client based:
The user connects to the VPN terminating device (router, firewall, and so on) using a client. An example of a VPN client is the Cisco AnyConnect Secure Mobility Client.
Which of the following attributes are exchanged in IKEv1 phase 1?
a. Encryption algorithms
b. Hashing algorithms
c. Diffie-Hellman groups
d. Vendor-specific attributes
A, B, C, D. Encryption algorithms, hashing algorithms, Diffie-Hellman groups, the authentication method, and vendor-specific attributes are all exchanged in IKEv1 phase 1.
Which of the following VPN protocols do not provide data integrity, authentication, and data encryption?
a. L2TP
b. GRE
c. SSL
d. IPsec
e. MPLS
A, B, E. L2TP, GRE, and MPLS VPNs do not provide data integrity, authentication, and data encryption.
Which of the following is true about Diffie-Hellman?
a. Diffie-Hellman is a key agreement protocol that enables two users or devices to authenticate each other's preshared keys without actually sending the keys over the unsecured medium.
b. Diffie-Hellman is an encapsulation protocol that enables two users or devices to send data to each other.
c. Diffie-Hellman is a part of the RSA encryption suite.
d. Diffie-Hellman has three phases, and the second and third are used to encrypt data.
A. Diffie-Hellman is a key agreement protocol and it enables users or devices to authenticate each other using preshared keys without actually sending the keys over the unsecured medium.
In IKEv1 phase 2, each security association (SA) is assigned which of the following?
a. A unique security parameter index (SPI) value
b. An IP address
c. The DNS server IP address
d. A public key
A. Each SA is assigned a unique security parameter index (SPI) value—one by the initiator and the other by the responder.
Which of the following is not true about SSL VPNs?
a. SSL VPNs are used in Cisco IOS routers as a site-to-site VPN solution.
b. SSL VPNs are used in Cisco IOS routers as a remote access VPN solution.
c. SSL VPNs are used in Cisco ASA firewalls as a remote access VPN solution.
A. SSL is not supported for Cisco site-to-site VPN tunnels.
Which of the following are hashing algorithms?
a. RSA
b. MD5
c. AES
d. SHA
B and D. MD5 and SHA are hashing algorithms. RSA and AES are encryption algorithms.
Which of the following are reasons why an attacker might use VPN technology?
a. Attackers cannot use VPN technologies without being detected.
b. To exfiltrate data.
c. To encrypt traffic between a compromised host and a command and control system.
d. To evade detection.
B, C, D. Attackers use VPN to exfiltrate data, encrypt traffic between a compromised host and a command and control system, and to evade detection.
Which of the following are some of the commonly used SSL VPN technologies?
a. Tor browser
b. Reverse proxy technology
c. Port-forwarding technology and smart tunnels
d. SSL VPN tunnel client (such as the AnyConnect Secure Mobility Client)
B, C, D. Reverse proxy technology, port-forwarding technology and smart tunnels, and an SSL VPN tunnel client (such as the AnyConnect Secure Mobility Client) are some of the commonly used SSL VPN technologies.
Which of the following are examples of protocols used for VPN implementations?
a. TCP
b. Secure Sockets Layer (SSL)
c. UDP
d. Multiprotocol Label Switching (MPLS)
e. Internet Protocol Security (IPsec)
B, D, E. MPLS, IPsec, SSL, PPTP, and GRE are examples of protocols used for VPN implementations.
Why can't ESP packets be transferred by NAT devices?
a. Because ESP packets are too big to handle.
b. Because the ESP protocol does not have any ports like TCP or UDP.
c. Because ESP packets are encrypted.
d. ESP is supported in NAT devices.
B. ESP packets cannot be successfully translated (NATed) because ESP does not have any ports.
Which of the following statements is true about clientless SSL VPN?
a. The client must use a digital certificate to authenticate.
b. The remote client needs only an SSL-enabled web browser to access resources on the private network of the security appliances.
c. Clientless SSL VPNs do not provide the same level of encryption as client-based SSL VPNs.
d. Clientless SSL VPN sessions expire every hour.
B. In the clientless mode, the remote client needs only an SSL-enabled web browser to access resources on the private network of the security appliances.
Which of the following is an example of a remote-access VPN client?
a. Cisco Encrypted Tunnel Client
b. Cisco AnyConnect Secure Mobility Client
c. Cisco ASA Client
d. Cisco Firepower Client
B. The Cisco AnyConnect Secure Mobility Client is an example of a remote-access VPN client.
Which browser is used by individuals to maintain anonymity on the Internet and to surf the dark web?
a. OnionBrowser
b. Tor
c. Chrome
d. Firefox
B. The Tor browser is used by individuals to keep themselves anonymous on the Internet and it is also used to browse the dark web.
Which of the following hashing algorithms are used in IPsec?
a. AES 192
b. AES 256
c. Secure Hash Algorithm (SHA)
d. Message Digest Algorithm 5 (MD5)
C and D. SHA and MD5 are hashing algorithms used in IPsec. AES 192 and AES 256 are not hashing algorithms; they are encryption algorithms.
VPN implementations are categorized into which of the following two general groups?
a. Encrypted VPNs
b. Non-encrypted VPNs
c. Site-to-site (LAN-to-LAN) VPNs
d. Remote-access VPNs
C and D. VPN implementations are categorized into two general groups. Site-to-site VPNs enable organizations to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium such as the Internet. Remote-access VPNs enable users to work from remote locations such as their homes, hotels, and other premises as if they were directly connected to their corporate network.
Which of the following is not true about IKEv2?
a. IKEv1 Phase 1 has two possible exchanges: main mode and aggressive mode. There is a single exchange of a message pair for IKEv2 IKE_SA.
b. IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 uses an exchange of at least three message pairs for Phase 2.
c. IKEv1 has a simple exchange of two message pairs for the CHILD_SA. IKEv2 uses an exchange of at least three message pairs for Phase 2.
d. IKEv2 is used in VPN technologies such as FlexVPN.
C. Statement C has the protocols reversed and is therefore not true: it is IKEv2 that has a simple exchange of two message pairs for the CHILD_SA, whereas IKEv1 uses an exchange of at least three message pairs for Phase 2.
What is the difference between IPsec tunnel and transport mode?
a. Tunnel mode uses encryption and transport mode uses TCP as the transport protocol.
b. Tunnel mode uses encryption and transport mode uses UDP as the transport protocol.
c. Transport mode protects upper-layer protocols, such as UDP and TCP, and tunnel mode protects the entire IP packet.
d. Tunnel mode protects upper-layer protocols, such as UDP and TCP, and transport mode protects the entire IP packet.
C. IPsec transport mode protects upper-layer protocols, such as UDP and TCP, and tunnel mode protects the entire IP packet.
Which of the following is not an SSL VPN technology or feature?
a. Reverse proxy features
b. Port-forwarding technology and smart tunnels
c. NAT Traversal
d. SSL VPN tunnel client (AnyConnect Secure Mobility Client)
C. NAT Traversal is an IPsec feature and specification.
Clientless:
The user connects without a client, typically using a web browser. The major benefit of clientless SSL VPNs is that you do not need a client to be installed on your PC. One of the disadvantages is that only TCP-based applications are supported. Clientless SSL VPNs are typically used in kiosks, shared workstations, mobile devices, and when users just want to encrypt web traffic.
Which of the following encryption protocols is the most secure?
a. DES
b. 3DES
c. 4DES
d. AES
D. AES is more secure than DES and 3DES. 4DES does not exist.
IKE
IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols—namely, Oakley and Secure Key Exchange Mechanism (SKEME).
IPsec
IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote-access VPN tunnels.
NAT Traversal (NAT-T)
Many industry vendors, including Cisco Systems, implement another feature called NAT Traversal (NAT-T). With NAT-T, the VPN peers dynamically discover whether an address translation device exists between them. If they detect a NAT/PAT device, they use UDP port 4500 to encapsulate the data packets, subsequently allowing the NAT device to successfully translate and forward the packets.
IKEv1 Phase 1
Phase 1 is used to create a secure bidirectional communication channel between the IPsec peers. This channel is known as the ISAKMP security association (SA). Within Phase 1 negotiation, several attributes are exchanged:
Encryption algorithms
  Data Encryption Standard (DES): 64 bits long
  Triple DES (3DES): 168 bits long
  Advanced Encryption Standard (AES): 128 bits long
  AES 192, AES 256
Hashing algorithms
  Secure Hash Algorithm (SHA)
  Message Digest Algorithm 5 (MD5)
Diffie-Hellman groups
Authentication method
Vendor-specific attributes
IKEv1 Phase 2
Phase 2 is used to negotiate the IPsec SAs. This phase is also known as quick mode. The ISAKMP SA protects the IPsec SAs because all payloads are encrypted except the ISAKMP header.
Remote-access VPNs:
Enable users to work from remote locations such as their homes, hotels, and other premises as if they were directly connected to their corporate network.
Site-to-site VPNs:
Enable organizations to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium such as the Internet. Many organizations use IPsec, GRE, and MPLS VPNs as site-to-site VPN protocols.
IPsec pass-through
The security protocols (AH and ESP) are Layer 3 protocols and do not have Layer 4 port information, unlike TCP and UDP. If an IPsec peer is behind a PAT device, the ESP or AH packets are typically dropped. To work around this, many vendors, including Cisco Systems, use a feature called IPsec pass-through. The PAT device that is IPsec pass-through capable builds the translation table by looking at the SPI values on the packets.