8.4.2 Module Quiz – VPN and IPsec Concepts (Answers)

Explanation: Remote access VPNs can be used to support the needs of telecommuters and mobile users by allowing them to connect securely to company networks over the Internet. To connect hosts to the VPN server on the corporate network, the remote access VPN tunnel is dynamically built by client software that runs on the hosts.

Explanation: The IPsec framework consists of five building blocks. Each building block performs a specific securty function via specific protocols. The function of providing confidentiality is provided by protocols such as DES, 3DES, and AES.

Explanation: With a remote-access VPN, the client peer may need special VPN client software installed.

Explanation: Confidential and secure transfers of data with VPNs require data encryption.

Explanation: The two fundamental DMVPN designs include:

• Spoke-to-spoke
• Hub-to-spoke

Explanation: Organizations use VPNs to have a reliable secure method to connect remote users, branch offices, and suppliers to the company network. To implement VPNs, a VPN gateway is necessary.

Explanation: A VPN is secure (private) when encrypted traffic is sent over a public network, such as the Internet.

Explanation: Telecommuters using remote-access VPNs can securely connect to their corporate networks from anywhere by creating an encrypted tunnel, allowing them to effectively complete their work. They may connect using a variety of access technologies, including dial-up and DSL connections. These connections, however, are not secure without the use of VPN technology.​

Explanation: VPNs can be managed and deployed as:

• Enterprise VPNs – Enterprise managed VPNs are a common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are examples of enterprise managed VPNs.
• Service Provider VPNs – Service provider managed VPNs are created and managed over the provider network. Layer 2 and Layer 3 MPLS are examples of service provider managed VPNs. Other legacy WAN solutions include Frame Relay and ATM VPNs.

Explanation: Authentication Header (AH) is IP protocol 51 and does not provide data confidentiality. The data payload is not encrypted. Encapsulating Security Payload (ESP) is IP protocol 50 and provides data confidentiality, integrity, and authentication. The DH algorithm is used in IPsec to negotiate a shared secret key for the peers.

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. To ensure that data is not intercepted and modified (data integrity), Hashed Message Authentication Code (HMAC) is used. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm that is used for authentication.

Explanation: While preventing brute-force attacks and other forced decryption concerns, the longer the key length, the harder it is to break. A 64-bit key can take one year to break with a sophisticated computer, while a 128-bit key may take 10¹⁹ years to decrypt. Different encryption algorithms will provide varying key lengths for implementation.

Explanation: With site-to-site VPNs, internal hosts have no knowledge that a VPN exists. Remote access VPNs support a client/server architecture, where the VPN client (remote host) gains secure access to the enterprise network via a VPN server device at the network edge. Public and private are not VPN types.

Explanation: A GRE IP tunnel does not provide authentication or security. A leased line is not cost-effective compared to using high-speed broadband technology with VPNs. A dedicated ISP is not required when utilizing VPNs between multiple sites.

Explanation: Site-to-site VPNs are statically defined VPN connections between two sites that use VPN gateways. The internal hosts do not require VPN client software and send normal, unencapsulated packets onto the network, where they are encapsulated by the VPN gateway.

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. The hash message authentication code (HMAC) is a data integrity algorithm that uses a hash value to guarantee the integrity of a message.

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms that are used to ensure that data is not intercepted and modified (data integrity) are MD5 and SHA. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm that is used for authentication.

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms used to ensure that data is not intercepted and modified (data integrity and authentication) are MD5 and SHA.

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two algorithms that can be used within an IPsec policy to protect interesting traffic are AES, which is an encryption protocol, and SHA, which is a hashing algorithm.

Explanation: Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that encapsulates multiprotocol traffic between remote Cisco routers. GRE does not encrypt data. OSPF is an open-source routing protocol. IPsec is a suite of protocols that allow for the exchange of information that can be encrypted and verified. Internet Key Exchange (IKE) is a key management standard used with IPsec.

Explanation: When a web browser is used to securely access the corporate network, the browser must use a secure version of HTTP to provide SSL encryption. A VPN client is not required to be installed on the remote host, so a clientless SSL connection is used.

Explanation: Confidentiality is a function of IPsec and utilizes encryption to protect data transfers with a key. Integrity is a function of IPsec and ensures that data arrives unchanged at the destination through the use of a hashing algorithm. Authentication is a function of IPsec and provides specific access to users and devices with valid authentication factors. Secure key exchange is a function of IPsec and allows two peers to maintain their private key confidentiality while sharing their public key.

Explanation: VPNs can be managed and deployed as either enterprise VPNs (which is a common solution for securing enterprise traffic across the internet and includes site-to-site and remote-access VPNs) or service provider VPNs (that is, VPNs created and managed over the provider network, such as Layer 2 and Layer 3 MPLS VPNS, or legacy Frame Relay and ATM VPNs).

Explanation: Enterprise managed remote-access VPNs are created dynamically when required. Remoteaccess VPNs include client-based IPsec VPNs and clientless SSL VPNs.

Explanation: Site-to-site VPNs are static and are used to connect entire networks. Hosts have no knowledge of the VPN and send TCP/IP traffic to VPN gateways. The VPN gateway is responsible for encapsulating the traffic and forwarding it through the VPN tunnel to a peer gateway at the other end that decapsulates the traffic.

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. DH (Diffie-Hellman) is an algorithm used for key exchange. DH is a public key exchange method that allows two IPsec peers to establish a shared secret key over an insecure channel.

Explanation: In a GRE over IPsec tunnel, the term passenger protocol refers to the original packet that is to be encapsulated by GRE. The carrier protocol is the protocol that encapsulates the original passenger packet. The transport protocol is the protocol that will be used to forward the packet.

Explanation: An IPsec VTI is a newer IPsec VPN technology that simplifies the configuration required to support multiple sites and remote access. IPsec VTI configurations use virtual interfaces to send and receive IP unicast and multicast encrypted traffic. Therefore, routing protocols are automatically supported without requiring configuration of GRE tunnels.

Explanation: When a client negotiates an SSL VPN connection with the VPN gateway, it connects using Transport Layer Security (TLS). TLS is the newer version of SSL and is sometimes expressed as SSL/TLS. The two terms are often used interchangeably.

Explanation: An MPLS VPN has both Layer 2 and Layer 3 implementations. A GRE over IPsec VPN involves a nonsecure tunneling protocol encapsulated by IPsec. An IPsec VTI VPN routes packets through virtual tunnel interfaces for encryption and forwarding. An IPsec VTI VPN and GRE over IPsec VPN allows multicast and broadcast traffic over a secure site-to-site VPN. An SSL VPN uses the public key infrastructure and digital certificates.

Explanation: An SSL VPN uses the public key infrastructure and digital certificates. An MPLS VPN has both Layer 2 and Layer 3 implementations. A GRE over IPsec VPN involves a nonsecure tunneling protocol encapsulated by IPsec. An IPsec VTI VPN routes packets through virtual tunnel interfaces for encryption and forwarding. An IPsec VTI VPN and a GRE over IPsec VPN allow multicast and broadcast traffic over a secure site-to-site VPN.

Explanation: An IPsec VTI VPN routes packets through virtual tunnel interfaces for encryption and forwarding. An IPsec VTI VPN and a GRE over IPsec VPN allow multicast and broadcast traffic over a secure site-to-site VPN. An MPLS VPN has both Layer 2 and Layer 3 implementations. A GRE over IPsec VPN involves a nonsecure tunneling protocol being encapsulated by IPsec. An SSL VPN uses the public key infrastructure and digital certificates.

Explanation: A GRE over IPsec VPN involves a nonsecure tunneling protocol being encapsulated by IPsec. An IPsec VTI VPN and a GRE over IPsec VPN allow multicast and broadcast traffic over a secure site-to-site VPN. An MPLS VPN has both Layer 2 and Layer 3 implementations. An IPsec VTI VPN routes packets through virtual tunnel interfaces for encryption and forwarding. An SSL VPN uses the public key infrastructure and digital certificates.