A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
1. | You have decided to deploy IPSec in your organization because you have several departments that are doing sensitive work and communicating across the Internet and other networks with a variety of persons in various organizations. There have been a few incidents where messages were sent instructing lower-level employees to perform certain tasks, purporting to be from their managers. However, investigation revealed that the managers did not send the messages; rather, they were sent by someone else, pretending to be the manager, who was attempting to sabotage the project. This experience has pointed out the need to provide authentication for the data packets that travel across the network so that the receiver of a message can be assured that it is genuine. It is equally important to ensure that the data in these messages doesn’t get changed during transmission. Finally, you want to be sure that nobody other than the authorized recipient is able to read the message itself. You want the entire packet to be digitally signed, so that it will have maximum protection. Which of the following IPSec configuration choices will provide this?
2. | You have been hired as a consultant to help deploy IPSec for the network of a medium-size manufacturing firm that is developing a number of new products and must share sensitive data about its products over the network. As part of the planning process, you must determine the best authentication method to use with IPSec. What are the authentication methods that can be used with IPSec? (Select all that apply.)
Answers
1. | C |
2. | A, C |
3. | You are the network administrator for a company that has recently migrated some of its servers to Windows Server 2003 from Windows 2000. However, there are still a number of Windows 2000 servers and clients on the network. You want to use the enhanced security available on your network, and you have some interoperability issues you are concerned with pertaining to Windows Server 2003 and your Windows 2000 servers and clients. Which key method should you implement?
4. | You are a network administrator for a medium-sized medical office and you have recently deployed IPSec on the network in response to the physician/owner’s concerns about confidentiality of patient information. However, it appears that IPSec might not be working correctly on a particular client computer. You need to view the local routes assigned to this particular client on the network using the IPSec Policy Agent. How does the IPSec Policy Agent function in IPSec? (Select all that apply.)
Answers
3. | C |
4. | A, B, D |
5. | You are the network administrator for a large law firm. You have been tasked with the duty of deploying IP security for all network communications in the departments and divisions that handle sensitive data. You have delegated individual departments to your junior administrators. You now need to verify that IPSec has been deployed and configured properly on your Human Resources and Payroll computers. Which tools can be used to perform this function? (Select all that apply.)
6. | You have deployed IPSec on your company’s network and it has been working well, except for one thing. You’ve tried modifying some of the IPSec policy rules using netsh commands in the ipsec context, but each time you do so, the rules work only until you reboot the server, and then they seem to disappear. You want to make changes to the IPSec policy rules that are permanent and do not change when the server is rebooted. Which netsh command could you use?
Answers
5. | A, B |
6. | A |
7. | You are the network administrator for a medium-sized company that provides accounting services to a number of different clients. To avoid having clients’ financial information disclosed to the wrong parties, you are planning to implement IPSec on your network. You want your employees to be able to communicate securely both within the company and across the WAN with employees in your branch offices. You have recently hired a junior administrator who has his MCSE in Windows NT and 2000. You give him the task of implementing IPSec in your organization. The first thing he tells you is that because your smaller branch office uses NAT, that site will not be able to use IPSec. What is your response?
8. | You have been hired as a network security specialist for a new startup company that has recently installed a new Windows Server 2003 network. The network was originally set up by a group of consultants, and they implemented IPSec for network communications so that communications with their secure servers could be protected. You are reviewing and evaluating the IPSec policies. Although several policies have been created, none of them seem to be effective. What do you conclude the consultants forgot to do after creating the policy?
9. | You have been tasked with the duty of implementing IPSec on your new Windows Server 2003 network to increase security. You have never worked with IPSec before and you have been reading up on it. You’ve decided that you want to use PFS, but you are concerned about the resource usage on the domain controller due to reauthentication. Which of the following types of PFS can you implement without putting an undue burden on the authenticating server?
10. | You are creating a project to implement IPSec using the IPv6 protocol. Part of your security plan states that you must maintain data confidentiality as part of your IPSec implementation. When developing your plan further, what must you remember about Microsoft’s implementation of IPv6 that is included in Windows Server 2003?
11. | You have been hired as a consultant to evaluate the IPSec deployment in a small music publishing company. Management is concerned that copyrighted material might be intercepted as it passes over the network and be stolen. You discover that the former network administrator who initially set up IPSec configured it to use the AH protocol only. You explain to the company manager that one of the things you recommend changing is to configure IPSec to use ESP. Why would you implement ESP in this situation? (Select all that apply.)
12. | You are on an IT team that is planning the deployment of IPSec throughout a large enterprise network. You have been advised that cost-effectiveness and efficient use of personnel are two priorities, because the company does not want to hire additional IT staff to support the deployment. Of the authentication methods available, which has the lowest administrative overhead and is the most efficient if you wish to support the implementation on 10,000 client machines?
Answers
7. | C |
8. | B |
9. | B |
10. | A |
11. | C, D |
12. | B |
13. | You have been hired to manage security for a medium-sized network. Your first project is to implement IPSec on the network to protect communications that travel across it. You have just assigned an IPSec policy to a client, and you need to view the precedence of IPSec policy assignments and which policies have been assigned to the client. Which logging mode would you use in RSoP?
14. | You have IPSec configured and running on your network. You want to capture some IPSec packets to ensure that the data inside cannot be viewed. You want to capture packets being sent from a remote client to a remote server, using a server in the server room. Which of the following tools will you need to use in order to capture these packets?
15. | You want to use the RSoP tool in logging mode to build some reports on the existing policy settings of one of your client computers. You have used RSoP before in planning mode, but never in logging mode. You open the RSoP Wizard from the Active Directory Users and Computers console, as you’ve done before, but you notice that there is no mechanism for selecting the mode, and only planning mode seems to be available. What is the problem?
Answers
13. | C |
14. | D |
15. | C |