5.5.10 PQ


A network engineer has the task of creating a remote access solution for a global enterprise. The solution should secure encrypted communication for the company's employees worldwide and detect potential security threats in real time. Which configuration should the network engineer deploy to meet these requirements? -A network equipped with a Next Generation Firewall (NGFW), a Web Application Firewall (WAF), and an intrusion prevention system (IPS) in tap/monitor mode -A Software-Defined Wide Area Network (SD-WAN) with secure access service edge (SASE) implementation, supplemented by an intrusion prevention system (IPS) -A VPN utilizing IKE and IPSec protocols, combined with an inline intrusion detection system (IDS) -A network fortified by 802.1X port security, an Extensible Authentication Protocol (EAP), and a load balancer

A VPN utilizing IKE and IPSec protocols, combined with an inline intrusion detection system (IDS) Explanation: A VPN that uses Internet Key Exchange (IKE) to authenticate the peers and negotiate keys, and IPsec to encrypt the traffic, secures remote access for employees wherever they connect. An inline sensor sees that traffic as it passes and detects potential threats in real time. Two practical caveats: a sensor that sits inline and can drop traffic is normally called an IPS, while an IDS usually watches a tap or SPAN port and only alerts; and the sensor must be placed where it sees decrypted traffic (on the inside of the VPN concentrator), because it cannot inspect the contents of an IPsec tunnel.

A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization's order database. Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using Wi-Fi access provided by hotels, restaurants, and airports. Many of these locations provide unencrypted public Wi-Fi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook to use a VPN when accessing the home network over an open wireless connection. Which key steps should you take when implementing this configuration? (Select two.)

Configure the VPN connection to use IPsec Configure the browser to send HTTPS requests through the VPN connection Explanation: It is generally considered acceptable to use a VPN connection to transfer data over an open Wi-Fi network. As long as strong tunnelling protocols and ciphers are used, the VPN encrypts the traffic between the notebook and the home network, even though the wireless link itself is not encrypted; IPsec or a TLS-based VPN are the usual choices. You should also make sure the browser's HTTP/HTTPS traffic goes through the VPN connection. To conserve VPN bandwidth and reduce latency, many VPN clients default to split tunnelling: only traffic for the corporate network is routed through the tunnel, and everything else, web browsing included, goes out over the client's default network connection. On an open hotspot that traffic would be transmitted over the unsecured wireless network instead of through the secure VPN tunnel, so the client must be configured to route all browser traffic (or all traffic, a full tunnel) through the VPN.
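The split-versus-full tunnel behaviour described in the explanation comes down to the client's route table. The following is an added example, not code from the page or any VPN product: it performs the longest-prefix-match lookup a host's IP stack does and reports which destinations would leave over the open hotspot interface. The interface names, route tables and destination addresses are constructed for illustration.

```python
"""Added example: which destinations bypass the VPN under split vs full tunnelling.
Route tables, interface names and destinations below are constructed."""
from ipaddress import ip_address, ip_network


def select_route(routes, dst):
    """Longest-prefix match, as a host's IP stack does it.
    routes: list of (prefix, interface); returns the chosen interface."""
    addr = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def leaked_destinations(routes, destinations, tunnel_iface="tun0"):
    """Destinations whose traffic would NOT enter the tunnel, i.e. would travel
    over the physical (open Wi-Fi) interface in the clear at the IP layer."""
    return sorted(d for d in destinations if select_route(routes, d) != tunnel_iface)


# wlan0 is the open hotspot, tun0 the VPN tunnel interface (constructed names).
# Split tunnel: only the corporate range is sent into the tunnel; the default
# route stays on the hotspot, which is what many VPN clients do out of the box.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),
    ("10.0.0.0/8", "tun0"),
]

# Full tunnel: everything enters the tunnel. The VPN gateway itself and the
# hotspot's local link must still be reachable directly, or the tunnel cannot
# be built; those are the only more-specific exceptions.
VPN_GATEWAY = "203.0.113.10"
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),
    (VPN_GATEWAY + "/32", "wlan0"),
    ("192.168.1.0/24", "wlan0"),
]

# Constructed sample destinations: the order database at the home office,
# a public web site, and a public DNS resolver.
DESTINATIONS = ["10.20.30.40", "93.184.216.34", "8.8.8.8"]


def report():
    return {
        "split": leaked_destinations(SPLIT_TUNNEL, DESTINATIONS),
        "full": leaked_destinations(FULL_TUNNEL, DESTINATIONS),
    }


if __name__ == "__main__":
    print(report())
```

With the split-tunnel table the order database reaches the tunnel but the web site and the DNS resolver go out over wlan0; with the full-tunnel table nothing except the VPN gateway itself leaves the tunnel. DNS is worth checking explicitly, since a client that tunnels browser traffic but still resolves names over the hotspot reveals which sites are being visited.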

Which of the following is commonly used in the first phase of Internet Key Exchange (IKE) negotiations for authenticating the identity of peers? -Passwords -Digital certificates -Biometrics -Security questions

Digital certificates Explanation: Digital certificates are commonly used in the first phase of IKE negotiations (IKEv1 Phase 1, or the IKE_AUTH exchange in IKEv2) to authenticate the identity of peers. Each peer signs the exchange with the private key matching its certificate; the certificate carries the public key, the identity of the entity it represents, the issuer, and the issuer's digital signature. The receiving peer validates the chain to a trusted CA and checks that the identity in the certificate matches the IKE identity the peer claims. Pre-shared keys are the common alternative for peer authentication; passwords, biometrics and security questions authenticate users, not IKE peers.
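As an added example that is not from the page, the following strongSwan swanctl.conf fragment shows what certificate-based IKEv2 peer authentication looks like in a gateway configuration: each side signs with its own certificate (auth = pubkey) and requires the peer's IKE identity to match a certificate that chains to a trusted CA. The hostnames, addresses and file names are assumptions for illustration.

```conf
# /etc/swanctl/swanctl.conf (example; assumes strongSwan's swanctl interface)
connections {
    hq-to-branch {
        version = 2                         # IKEv2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        proposals    = aes256-sha256-x25519 # IKE SA: cipher, PRF/integrity, DH group

        local {
            auth  = pubkey                  # sign the AUTH payload with our private key
            certs = hq-gw.pem               # our certificate, in /etc/swanctl/x509/
            id    = hq-gw.example.net       # must match a subjectAltName in hq-gw.pem
        }
        remote {
            auth = pubkey                   # peer must prove possession of a cert's key
            id   = branch-gw.example.net    # its IKE identity must match its certificate,
                                            # which must chain to a CA in /etc/swanctl/x509ca/
        }
        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-x25519   # CHILD SA (ESP) with PFS
                start_action  = start
            }
        }
    }
}
```

The gateway's private key lives in /etc/swanctl/private/ and is never sent; what crosses the wire is a signature over the IKE exchange plus the certificate. Setting auth = psk on both sides, with the shared secret in a secrets section, is the pre-shared-key alternative; it authenticates the peer too, but every gateway then holds the same secret and there is no identity to revoke.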

In addition to Authentication Header (AH), IPSec is comprised of what other service? -Encryption File System (EFS) -Encapsulating Security Payload (ESP) -Advanced Encryption Standard (AES) -Extended Authentication Protocol (EAP)

Encapsulating Security Payload (ESP) Explanation: IPsec consists of two security protocols. One is Authentication Header (AH) and the other is Encapsulating Security Payload (ESP). AH provides integrity and origin authentication for the whole packet, including the immutable fields of the IP header (addresses, protocol), but no confidentiality. ESP encrypts the data transferred between IPsec partners and, with an integrity algorithm, also authenticates the ESP header and payload, though not the outer IP header. Because AH's integrity check covers the IP addresses, it breaks under NAT, so ESP with integrity protection is what most deployments use. IPsec employs IKE, which is built on the ISAKMP framework, to negotiate security associations and manage the encryption keys.

The IT department in a large multinational corporation faces challenges managing secure communications for remote desktop connections. The increasing number of remote employees has made it essential to ensure that their remote desktop connections are secure. The IT department is considering various measures to establish secure communication. Given the challenges the corporation faces, what approach should the IT department adopt to ensure secure communications for remote desktop connections while maintaining the manageability and performance of the enterprise infrastructure? -Disable all firewall rules for remote desktop connections -Enable open access to all remote desktop connections for easy manageability -Establish VPN tunnels for all users without using any encryption protocols -Implement TLS for all remote desktop connections

Implement TLS for all remote desktop connections Explanation: Transport Layer Security (TLS) provides secure communication for remote desktop connections by encrypting the data transmitted between the client and the remote desktop server and by letting the client authenticate the server through its certificate, reducing the risk of eavesdropping and man-in-the-middle attacks. The other options remove protection rather than add it: an unencrypted VPN tunnel, open access, and disabled firewall rules do not secure anything.

Which VPN protocol typically employs IPsec as its data encryption mechanism? -PPP -L2TP -L2F -PPTP

L2TP Explanation: L2TP (Layer 2 Tunneling Protocol) is the VPN protocol that typically employs IPsec as its data encryption mechanism. L2TP itself only tunnels PPP frames and provides no encryption, so it is deployed as L2TP/IPsec, with an IPsec ESP security association protecting the L2TP traffic. PPP is the link-layer protocol being carried, and CHAP and PAP are its authentication methods, not encryption. PPTP encrypts with MPPE (based on RC4) rather than IPsec and is considered weak; L2F offers no data encryption.

Which VPN implementation uses routers on the edge of each site? -Host-to-host VPN -Always-on VPN -Remote access VPN -Site-to-site VPN

Site-to-site VPN Explanation: A site-to-site VPN uses routers on the edge of each site. The routers are configured for a VPN connection and encrypt and decrypt the packets being passed between the sites. With this configuration, individual hosts are unaware of the VPN.

Which VPN tunnel style routes only certain types of traffic? -Host-to-host -Split -Site-to-site -Full

Split Explanation: A VPN split tunnel routes only certain traffic, usually selected by destination IP address or network, through the VPN tunnel; all other traffic uses the normal internet connection. A full VPN tunnel routes all of a user's network traffic through the VPN, including traffic that has no need to reach the corporate network. A site-to-site VPN is a VPN implementation that uses routers on the edge of each site. A host-to-host VPN implementation allows an individual host connected to the internet to establish a VPN connection directly to another host on the internet.

A VPN is primarily used for which of the following purposes? -Support secured communications over an untrusted network -Allow remote systems to save on long-distance charges -Support the distribution of public web documents -Allow the use of network-attached printers

Support secured communications over an untrusted network Explanation: A VPN (virtual private network) is used primarily to support secured communications over an untrusted network. A VPN can be used over a local area network, across a WAN connection, over the internet, and even between a client and a server over a dial-up internet connection. All of the other items listed in this question are benefits or capabilities that are secondary to this primary purpose.

Which statement BEST describes IPsec when used in tunnel mode? -The identities of the communicating parties are not protected -Packets are routed using the original headers, and only the payload is encrypted -IPsec in tunnel mode may not be used for WAN traffic -The entire data packet, including headers, is encapsulated

The entire data packet, including headers, is encapsulated Explanation: In tunnel mode, IPsec treats the whole original IP packet, header and payload, as the payload of a new packet with a fresh outer IP header, typically addressed between the two gateways, so the original source and destination addresses are hidden from observers on the path. This is the mode used for site-to-site VPNs. In transport mode the original IP header is kept and only the payload is protected.
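The AH-versus-ESP question above and this tunnel-mode question are two views of the same packet layout. The following is an added example, not code from the page or from any IPsec implementation: it builds an AH transport-mode packet and an ESP tunnel-mode packet from constructed data and then shows what a passive observer learns from each, and what the decrypting gateway recovers. The ESP "cipher" is a stand-in HMAC-SHA256 keystream so the script runs on the standard library alone; real ESP uses a negotiated suite such as AES-GCM. Addresses, keys and the application payload are constructed.

```python
"""Added example: AH transport-mode vs ESP tunnel-mode packets, built from constructed
data. The keystream() cipher is a stand-in, NOT an IPsec cipher suite."""
import hashlib, hmac, struct
from ipaddress import IPv4Address

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 17, 50, 51
ICV_LEN = 12  # 96-bit truncated ICV, as in HMAC-SHA256-96

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # Minimal 20-byte IPv4 header; checksum left 0 (constructed data).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(buf):
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9])),
            "proto": f[6], "ttl": f[5], "len": f[2]}

def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def zero_mutable(ip_hdr):
    # RFC 4302: TOS, flags/fragment offset, TTL and checksum may change in transit, so
    # AH computes its ICV with them zeroed; addresses and protocol remain covered.
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def build_ah(src, dst, spi, seq, next_proto, payload, auth_key):
    # AH header: next header, length in 32-bit words minus 2, reserved, SPI, sequence, ICV.
    ah_words = (12 + ICV_LEN) // 4
    ah = struct.pack("!BBHII", next_proto, ah_words - 2, 0, spi, seq) + b"\0" * ICV_LEN
    ip = ipv4_header(src, dst, IPPROTO_AH, len(ah) + len(payload))
    tag = icv(auth_key, zero_mutable(ip) + ah + payload)  # ICV spans IP header + AH + payload
    return ip + ah[:12] + tag + payload

def keystream(key, spi, seq, n):
    # Stand-in keystream (HMAC in counter mode) so the example needs only the stdlib.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_esp(outer_src, outer_dst, spi, seq, next_proto, inner, enc_key, auth_key):
    # ESP trailer: padding to 4-byte alignment, then pad length and next header.
    pad_len = (-(len(inner) + 2)) % 4
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_proto])
    esp_hdr = struct.pack("!II", spi, seq)
    ct = xor(plain, keystream(enc_key, spi, seq, len(plain)))
    tag = icv(auth_key, esp_hdr + ct)  # covers ESP header + ciphertext, not the outer IP header
    ip = ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp_hdr) + len(ct) + ICV_LEN)
    return ip + esp_hdr + ct + tag

def observe(pkt, enc_key=None, auth_key=None):
    """What a passive observer learns from the packet; with keys, verify and decrypt."""
    outer, body = parse_ipv4(pkt), pkt[20:]
    view = {"outer": outer}
    if outer["proto"] == IPPROTO_AH:
        nxt, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_end = (plen + 2) * 4
        tag, payload = body[12:ah_end], body[ah_end:]
        view.update(spi=spi, seq=seq, next_header=nxt, payload=payload)  # all readable on the wire
        if auth_key:
            expect = icv(auth_key, zero_mutable(pkt[:20]) + body[:12] + b"\0" * ICV_LEN + payload)
            view["icv_ok"] = hmac.compare_digest(tag, expect)
    elif outer["proto"] == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        ct, tag = body[8:-ICV_LEN], body[-ICV_LEN:]
        view.update(spi=spi, seq=seq, ciphertext_len=len(ct))  # nothing else is visible
        if enc_key and auth_key:
            view["icv_ok"] = hmac.compare_digest(tag, icv(auth_key, body[:8] + ct))
            plain = xor(ct, keystream(enc_key, spi, seq, len(ct)))
            pad_len, nxt = plain[-2], plain[-1]
            inner = plain[:len(plain) - 2 - pad_len]
            view["next_header"] = nxt
            if nxt == IPPROTO_IPIP:  # tunnel mode: a whole IP packet was encapsulated
                view["inner"], view["payload"] = parse_ipv4(inner), inner[20:]
            else:                    # transport mode: only the original payload
                view["payload"] = inner
    return view

def demo():
    """Constructed sample: host 10.1.0.5 sends a query to 10.2.0.9."""
    enc_key, auth_key = b"e" * 32, b"a" * 32
    app = b"SELECT * FROM orders"
    # AH transport mode between the hosts: integrity only, everything readable.
    ah = build_ah("10.1.0.5", "10.2.0.9", 0x100, 1, IPPROTO_UDP, app, auth_key)
    # ESP tunnel mode between site gateways: the whole original packet is inside.
    inner = ipv4_header("10.1.0.5", "10.2.0.9", IPPROTO_UDP, len(app)) + app
    esp = build_esp("203.0.113.10", "198.51.100.20", 0x200, 1, IPPROTO_IPIP, inner, enc_key, auth_key)
    return observe(ah), observe(esp), observe(esp, enc_key, auth_key)
```

Running demo() shows the three views: the AH packet exposes the real host addresses and the query text and only proves they were not altered (changing the TTL does not break the ICV, changing the payload does); the ESP packet exposes only the gateway addresses, the SPI, the sequence number and a ciphertext length; and the decrypting gateway recovers next header 4 (IP-in-IP) followed by the original header and payload, which is exactly what "the entire data packet, including headers, is encapsulated" means.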

