This is an updated CCNA VPN exam question (October 2017). You might see different IP addressing, port allocation and configurations.
As usual, take time to read through the question (read it TWICE or even THRICE!!..) so as to clearly understand what the question is all about.
Note: These VPN questions are used for demonstration only; you might come across different IP addressing, configuration and port allocation in the real CCNA exam. But it all works the same way, so try to understand the question…
What are three reasons that an organization with multiple branch offices and roaming users might implement a Cisco VPN solution instead of point-to-point WAN links? (Choose three.)
A. reduced cost
B. better throughput
C. broadband incompatibility
D. increased security
F. reduced latency
Among the many advantages IPsec offers over point-to-point WAN links, particularly when multiple locations are involved, are reduced cost, increased security since all traffic is encrypted, and increased scalability, since a single WAN link can be used to connect to all locations in a VPN, whereas a point-to-point link would need to be provisioned to each location.
Which IPsec security protocol should be used when confidentiality is required?
IP Security Protocol (IPsec) is designed to provide interoperable, high-quality, encryption-based security for IPv4 and IPv6. Different protocols are embedded in it for different security purposes.
Encapsulating Security Payload (ESP) is one of them and can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and traffic flow confidentiality.
Which protocol is an open standard protocol framework that is commonly used in VPNs, to provide secure end-to-end communications?
IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers at the IP layer.
IP Security Protocol (IPsec) is designed to provide interoperable, high-quality, encryption-based security for IPv4 and IPv6. These objectives are met through the use of two traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
Which algorithm technologies must be used to ensure data integrity when data flows over a VPN tunnel? (Choose two)
Answer: D E
Data integrity ensures data has not been altered in the transmission. A data-integrity algorithm adds a hash to the message to guarantee the integrity of the message.
A Hashed Message Authentication Code (HMAC) is a data-integrity algorithm that ensures the integrity of the message. Two popular algorithms a VPN gateway uses for verifying the integrity of data are HMAC-Message Digest 5 (HMAC-MD5) and HMAC-Secure Hash Algorithm 1 (HMAC-SHA1).
i. HMAC-MD5 uses a 128-bit shared-secret key of any size. The variable-length message and shared-secret key are combined and run through the HMAC-MD5 hash algorithm. It produces a 128-bit hash. The hash is attached to the original message and is forwarded to the destination.
ii. HMAC-SHA-1 uses a secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. It produces a 160-bit hash. The hash is attached to the original message and is forwarded to the destination.
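The sender/receiver procedure described in points i and ii, as an added worked example (not code from the original page): the sender computes an HMAC over the message with the shared secret and appends it, the receiver recomputes it and compares, and any change to the message or a mismatched key makes the check fail. The shared secret and message below are constructed sample values; Python's standard hmac module stands in for the VPN gateway's HMAC-MD5/HMAC-SHA1 implementation.

```python
import hashlib
import hmac

# Constructed sample values (not from the original page): the secret both
# VPN peers share, and a message that crosses the tunnel.
SHARED_SECRET = b"constructed-demo-shared-secret"
MESSAGE = b"GET /branch-report HTTP/1.1"


def tag_bits(algorithm: str) -> int:
    """Size of the HMAC tag in bits: 128 for 'md5', 160 for 'sha1'."""
    return hashlib.new(algorithm).digest_size * 8


def attach_hmac(message: bytes, key: bytes, algorithm: str) -> bytes:
    """Sender side: combine message and shared secret through HMAC and
    append the resulting tag to the original message."""
    tag = hmac.new(key, message, algorithm).digest()
    return message + tag


def verify_hmac(packet: bytes, key: bytes, algorithm: str) -> tuple[bool, bytes]:
    """Receiver side: split off the trailing tag, recompute it over the
    received message with the shared secret, and compare in constant time.
    Returns (integrity_ok, message)."""
    tag_len = hashlib.new(algorithm).digest_size  # 16 for md5, 20 for sha1
    if len(packet) < tag_len:
        return False, b""
    message, received_tag = packet[:-tag_len], packet[-tag_len:]
    expected_tag = hmac.new(key, message, algorithm).digest()
    return hmac.compare_digest(received_tag, expected_tag), message


def tamper(packet: bytes) -> bytes:
    """Simulate in-transit modification by flipping one bit of the message
    portion; the receiver's recomputed HMAC will no longer match."""
    modified = bytearray(packet)
    modified[0] ^= 0x01
    return bytes(modified)


if __name__ == "__main__":
    for algorithm in ("md5", "sha1"):
        packet = attach_hmac(MESSAGE, SHARED_SECRET, algorithm)
        ok, _ = verify_hmac(packet, SHARED_SECRET, algorithm)
        bad, _ = verify_hmac(tamper(packet), SHARED_SECRET, algorithm)
        print(f"HMAC-{algorithm.upper()}: {tag_bits(algorithm)}-bit tag, "
              f"intact={ok}, tampered={bad}")
```

The comparison uses hmac.compare_digest rather than ==, so the time taken to reject a bad tag does not depend on how many leading bytes happened to match.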
Review the following items. Which one offers a variety of security solutions, including firewall, IPS, VPN, antispyware, antivirus, and antiphishing features?
A. Cisco IOS router
B. Cisco PIX 500 series security appliance
C. Cisco 4200 series IPS appliance
D. Cisco ASA 5500 series security appliance
Answer : D
Cisco ASA 5500 series Adaptive Security Appliances are easy-to-deploy solutions that integrate world-class firewall, Cisco Unified Communications (voice and video) security, Secure Sockets Layer (SSL) and IPsec VPN, IPS, and content security services in a flexible, modular product family.
Which component of VPN technology ensures that data can be read only by its intended recipient?
A. data integrity
C. key exchange
Now…note the keywords: "… ensures that data can be read only by its intended recipient …"
OK…let's review the VPN terms:
Data integrity: verifying that the packet sent stays the same, i.e. the packet was not changed as it transited the Internet.
Encryption: conversion of data into an unreadable form, called ciphertext, that cannot be easily understood by unauthorized individuals. It helps protect data from prying eyes (hackers, etc.).
Authentication: the process of making sure a user/individual/recipient is who or what it claims to be. Authentication can take place at both sides, the sender and the receiver.
Key exchange is any method in cryptography by which cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm.
You must get the gist now…from the question we can make out that only authentication involves the end user, while the others are about processing data, so D is correct.
Drag three proper statements about the IPsec protocol on the above to the list on the
When configuring Cisco IOS login enhancements for virtual connections, what is the “quiet period”?
A. The period of time in which virtual login attempts are blocked, following repeated failed login attempts
B. The period of time in which virtual logins are blocked as security services fully initialize
C. A period of time when no one is attempting to log in
D. The period of time between successive login attempts
If the configured number of connection attempts fails within a specified time period, the Cisco IOS device does not accept any additional connections for a period of time that is called the quiet period.
This feature is not enabled by default; to enable it with its default settings, issue the login block-for command in global configuration mode. This feature can be used to protect the network from DoS and/or dictionary attacks.
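To make the quiet period concrete, here is an added model (not Cisco's code and not from the original page) of the behaviour described above: a configured number of failed virtual-login attempts within a time window triggers a quiet period during which further login attempts are refused. The parameters mirror the shape of the IOS command (a block duration, an attempt count, and a window in seconds); timestamps are passed in explicitly so the logic can be exercised without waiting, and the login events below are constructed.

```python
from collections import deque
from typing import Optional


class LoginBlock:
    """Model of the IOS login-enhancement behaviour (illustrative, not Cisco's
    implementation): if `attempts` failed logins occur within `within`
    seconds, refuse virtual logins for `block_for` seconds (the quiet period).
    """

    def __init__(self, block_for: int, attempts: int, within: int):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.failures: deque = deque()          # timestamps of recent failures
        self.quiet_until: Optional[float] = None  # end of quiet period, if active

    def in_quiet_period(self, now: float) -> bool:
        """True while a quiet period is active; expires it once time has passed."""
        if self.quiet_until is None:
            return False
        if now < self.quiet_until:
            return True
        self.quiet_until = None
        self.failures.clear()
        return False

    def attempt(self, now: float, success: bool) -> str:
        """Process one login attempt at time `now`.
        Returns 'blocked' (quiet period active), 'ok', or 'failed'."""
        if self.in_quiet_period(now):
            return "blocked"
        if success:
            self.failures.clear()
            return "ok"
        # Record the failure and drop failures older than the window.
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            # Threshold reached inside the window: start the quiet period.
            self.quiet_until = now + self.block_for
            self.failures.clear()
        return "failed"


def replay(block_for: int, attempts: int, within: int, events) -> list:
    """Run a sequence of constructed (timestamp, success) login events through
    one LoginBlock and return the outcome of each attempt."""
    lb = LoginBlock(block_for, attempts, within)
    return [lb.attempt(t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed events: three failures in 20 s, then a valid login during
    # the quiet period, then one after it expires.
    events = [(0, False), (10, False), (20, False), (30, True), (141, True)]
    for (t, ok), result in zip(events, replay(120, 3, 60, events)):
        print(f"t={t:>4}s success={ok!s:<5} -> {result}")
```

The window matters as much as the count: failures spread more than `within` seconds apart never accumulate to the threshold, so a legitimate user who mistypes a password occasionally is not locked out, while a rapid dictionary attack is.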
Which of these can be used to authenticate the IPsec peers during IKE Phase 1?
A. Diffie-Hellman Nonce
B. pre-shared key
D. integrity check value
Internet Key Exchange (IKE) executes the following phases:
i. IKE Phase 1: Two IPsec peers perform the initial negotiation of Security Associations (SA). Phase 1 generates an Internet Security Association and Key Management Protocol (ISAKMP) SA, used for management traffic. Public key techniques or, alternatively, a pre-shared key, are used to mutually authenticate the communicating parties. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers, Aggressive Mode does not.
ii. IKE Phase 2: SAs are negotiated by the IKE process ISAKMP on behalf of other services, such as IPsec, that need encryption key material for operation. IKE Phase 2 is used to build IPsec SAs, which are used for passing end-user data. Additional service negotiations (DPD, Mode Config, and so on) occur in IKE Phase 1.
For the following items, which one acts as a VPN termination device and is located at a primary network location?
A. Broadband service
B. Headend VPN device
C. VPN access device
If an enterprise has a number of remote sites that connect back to the main site, then the main site is the headend. The headend device is mostly used for VPNs, i.e. it is the device that terminates VPN connections from multiple VPN clients and/or branch sites.
Which device might be installed at a branch office to enable and manage an IPsec site-to-site VPN?
A. Cisco IOS IPsec/SSL VPN client
B. Cisco VPN Client
C. ISDN terminal adapter
D. Cisco Adaptive Security Appliance
An example of an IPsec site-to-site VPN is when a corporation has branches in the same or different countries which need to communicate with each other.
For these different branches to communicate securely, the solution is to use a site-to-site VPN to create private networks through the Internet. As the Internet has become a very unsafe environment for the transfer of data, this is one of the reasons we need IPsec, a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.