Chapter 10: Planning, Implementing, and Maintaining Internet Protocol Security


Understanding IP Security (IPSec)

1.

You have decided to deploy IPSec in your organization because you have several departments that are doing sensitive work and communicating across the Internet and other networks with a variety of persons in various organizations. There have been a few incidents where messages were sent instructing lower-level employees to perform certain tasks, purporting to be from their managers. However, investigation revealed that the managers did not send the messages; rather, they were sent by someone else, pretending to be the manager, who was attempting to sabotage the project. This experience has pointed out the need to provide authentication for the data packets that travel across the network so that the receiver of a message can be assured that it is genuine. It is equally important to ensure that the data in these messages doesn’t get changed during transmission. Finally, you want to be sure that nobody other than the authorized recipient is able to read the message itself. You want the entire packet to be digitally signed, so that it will have maximum protection. Which of the following IPSec configuration choices will provide this?

  A. Use AH alone.

  B. Use ESP alone.

  C. Use AH and ESP in combination.

  D. IPSec cannot provide authentication, integrity, and confidentiality simultaneously.


2.

You have been hired as a consultant to help deploy IPSec for the network of a medium-size manufacturing firm that is developing a number of new products and must share sensitive data about its products over the network. As part of the planning process, you must determine the best authentication method to use with IPSec. What are the authentication methods that can be used with IPSec? (Select all that apply.)

  A. Kerberos v5

  B. Perfect Forward Secrecy (PFS)

  C. Shared secret

  D. Diffie-Hellman groups


Answers

1.

C. Using AH and ESP in combination will provide maximum protection. AH signs the entire packet, and ESP provides the data confidentiality.

A, B, D. Answer A is incorrect because AH alone will provide authentication and integrity, and AH signs the entire packet, but does not provide data confidentiality.

Answer B is incorrect because, although ESP provides authentication, integrity, and data confidentiality, it does not sign the entire packet. Answer D is incorrect because, although neither of the protocols can do so alone, when AH and ESP are used together, IPSec can provide authentication, integrity, and data confidentiality simultaneously.

2.

A, C. Kerberos v5 (Answer A) is the default method used for IPSec authentication. A preshared key is a shared secret (Answer C) that can be used for IPSec authentication for interoperability in situations where one of the communicating computers does not support any other method, but Microsoft recommends that it be used only in testing situations and not on production networks. Digital certificates can also be used for authentication if you have a PKI that is functioning within the network.

B, D. Answer B is incorrect because PFS is used to enable the master key in IPSec. It is not used for authentication. Answer D is incorrect because Diffie-Hellman groups are used in IPSec for key management; they are not authentication methods.

Deploying IPSec

3.

You are the network administrator for a company that has recently migrated some of its servers from Windows 2000 to Windows Server 2003. However, there are still a number of Windows 2000 servers and clients on the network. You want to use the enhanced security available on your network, but you are concerned about interoperability issues between Windows Server 2003 and your Windows 2000 servers and clients. Which key method should you implement?

  A. Rivest-Shamir-Adleman (RSA)

  B. Diffie-Hellman group 1

  C. Diffie-Hellman group 2

  D. Diffie-Hellman group 2048


4.

You are a network administrator for a medium-sized medical office and you have recently deployed IPSec on the network in response to the physician/owner’s concerns about confidentiality of patient information. However, it appears that IPSec might not be working correctly on a particular client computer. You need to view the local routes assigned to this particular client on the network using the IPSec Policy Agent. How does the IPSec Policy Agent function in IPSec? (Select all that apply.)

  A. Surveys the policy for configuration changes

  B. Routes the assigned IPSec policy information to the IPSec driver

  C. Uses the IP Security Policy Agent console to manage IPSec policies

  D. For nondomain member clients, retrieves local IPSec policy information from the Registry


Answers

3.

C. When concerned with interoperability issues between Windows 2000 and Windows Server 2003 machines, use Diffie-Hellman group 2 (Answer C) as the keying method.

A, B, D. Answer A is incorrect because RSA is an encryption algorithm; it is not a key-agreement protocol. Answer B is incorrect because the Diffie-Hellman group 1 key method is the least secure algorithm and the question states you wish to use enhanced security. Answer D is incorrect because, when dealing with interoperability issues between Windows 2000 and Windows Server 2003, you should not implement Diffie-Hellman 2048, because although it is the strongest keying method, it is new with Windows Server 2003 machines and is not supported by previous Microsoft operating systems.

4.

A, B, D. The IPSec Policy Agent surveys the policy for configuration changes (Answer A), routes assigned IPSec policy information to the IPSec driver (Answer B), and retrieves local IPSec Registry information for nondomain member clients (Answer D).

C. Answer C is incorrect because the IPSec Policy Agent is not a console that is used to manage IPSec policy information, nor does it use such a console.

Managing IPSec

5.

You are the network administrator for a large law firm. You have been tasked with the duty of deploying IP security for all network communications in the departments and divisions that handle sensitive data. You have delegated individual departments to your junior administrators. You now need to verify that IPSec has been deployed and configured properly on your Human Resources and Payroll computers. Which tools can be used to perform this function? (Select all that apply.)

  A. IPSec Security Policy Monitor console

  B. netsh command

  C. Certificates snap-in

  D. Resultant Set of Policy (RSoP)


6.

You have deployed IPSec on your company’s network and it has been working well, except for one thing. You’ve tried modifying some of the IPSec policy rules using netsh commands in the ipsec context, but each time you do so, the rules work only until you reboot the server, and then they seem to disappear. You want to make changes to the IPSec policy rules that are permanent and do not change when the server is rebooted. Which netsh command could you use?

  A. netsh ipsec dynamic set config

  B. netsh ipsec dynamic

  C. netsh interface ip

  D. netsh interface ipv6 isatap


Answers

5.

A, B. Using the IPSec Security Policy Monitor console (Answer A) will allow you to monitor IPSec on the network and to verify that computers are making the expected hard associations. The netsh utility (Answer B) can be used at the command prompt with various switches to view configurations and monitor IPSec policies.

C, D. Answer C is incorrect because the Certificates snap-in cannot be used to view IPSec policy configurations. Answer D is incorrect because RSoP is used to check Group Policy for existing policy settings that can be applied.

6.

A. The netsh ipsec dynamic set config command (Answer A) is the command to use to make IPSec rule changes permanent, so that they remain in effect after a reboot.

B, C, D. Answer B is incorrect because the netsh ipsec dynamic command can be used to make the appropriate rule changes; however, after the IPSec service is stopped and restarted or the server is rebooted, the changes will be lost because they are not permanent changes; you must use the netsh ipsec dynamic set config option to make permanent changes. Answer C is incorrect because this command is used to change the netsh utility to the interface ip context to configure the TCP/IP protocol. Answer D is incorrect because netsh interface ipv6 isatap is used to configure the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), which is used for communications between IPv6 and IPv4 nodes in an IPv4 site. It has nothing to do with IPSec policy.

Addressing IPSec Security Considerations

7.

You are the network administrator for a medium-sized company that provides accounting services to a number of different clients. To avoid having clients’ financial information disclosed to the wrong parties, you are planning to implement IPSec on your network. You want your employees to be able to communicate securely both within the company and across the WAN with employees in your branch offices. You have recently hired a junior administrator who has his MCSE in Windows NT and 2000. You give him the task of implementing IPSec in your organization. The first thing he tells you is that because your smaller branch office uses NAT, that site will not be able to use IPSec. What is your response?

  A. You already knew this, and intend to change that site from a NAT connection to a routed connection to accommodate this.

  B. He is mistaken; IPSec has been able to work with NAT since Windows 2000.

  C. He is mistaken; IPSec did not work with NAT in Windows 2000 but it does in Windows Server 2003.

  D. You know IPSec is not compatible with NAT “out of the box,” but you can install a third-party program that will make it compatible.


8.

You have been hired as a network security specialist for a new startup company that has recently installed a new Windows Server 2003 network. The network was originally set up by a group of consultants, and they implemented IPSec for network communications so that communications with their secure servers could be protected. You are reviewing and evaluating the IPSec policies. Although several policies have been created, none of them seems to be effective. What do you conclude the consultants forgot to do after creating the policy?

  A. Authorize the policy in Active Directory

  B. Assign the policy in the IP Security Policy Management console

  C. Edit the policy after creating it

  D. Enable the policy in the IP Security Monitor console


9.

You have been tasked with the duty of implementing IPSec on your new Windows Server 2003 network to increase security. You have never worked with IPSec before and you have been reading up on it. You’ve decided that you want to use PFS, but you are concerned about the resource usage on the domain controller due to reauthentication. Which of the following types of PFS can you implement without putting an undue burden on the authenticating server?

  A. You can use master key PFS.

  B. You can use session key PFS.

  C. You can use either or both because PFS doesn’t use any resources on the domain controller.

  D. You can use neither because both types of PFS use considerable resources on the domain controller.


10.

You are creating a project to implement IPSec using the IPv6 protocol. Part of your security plan states that you must maintain data confidentiality as part of your IPSec implementation. When developing your plan further, what must you remember about Microsoft’s implementation of IPv6 that is included in Windows Server 2003?

  A. IPv6 does not support data encryption.

  B. IPv6 does not support authentication.

  C. IPv6 does not support integrity.

  D. IPv6 does not support IPSec.


11.

You have been hired as a consultant to evaluate the IPSec deployment in a small music publishing company. Management is concerned that copyrighted material might be intercepted as it passes over the network and be stolen. You discover that the former network administrator who initially set up IPSec configured it to use the AH protocol only. You explain to the company manager that one of the things you recommend changing is to configure IPSec to use ESP. Why would you implement ESP in this situation? (Select all that apply.)

  A. ESP ensures data integrity and authentication.

  B. ESP prevents capture of packets.

  C. ESP provides confidentiality.

  D. ESP encrypts the packets.


12.

You are on an IT team that is planning the deployment of IPSec throughout a large enterprise network. You have been advised that cost-effectiveness and efficient use of personnel are two priorities, because the company does not want to hire additional IT staff to support the deployment. Of the authentication methods available, which has the lowest administrative overhead and is the most efficient if you wish to support the implementation on 10,000 client machines?

  A. Diffie-Hellman group 2048

  B. Kerberos v5

  C. Pre-shared keys

  D. Digital certificates


Answers

7.

C. IPSec and NAT were not compatible in Windows 2000, but because Windows Server 2003 has added a feature called NAT traversal, you can now use IPSec (in ESP transport mode) and NAT together; therefore Answer C is correct.

A, B, D. Answer A is incorrect because Windows Server 2003’s NAT traversal allows IPSec and NAT to work together, so there is no need to change the translated connection to a routed one for this purpose. Answer B is incorrect because IPSec was not able to work with NAT in Windows 2000. Answer D is incorrect because third-party software is not necessary for Windows Server 2003’s IPSec and NAT to work together.
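The two points made in the answers to Question 1 (AH signs the entire packet while ESP supplies confidentiality) and Question 7 (NAT traversal works only with ESP transport mode) can be seen in a small Python model. This is an added example written for this page, not code from the study guide or from Microsoft's IPSec implementation. It assumes a packet is just (source, destination, payload), that AH's integrity check value is an HMAC over the address fields plus the payload, that ESP in transport mode encrypts and authenticates only the payload, and that a SHA-256 keystream stands in for ESP's real cipher; the key and addresses are constructed sample values. Real AH also excludes mutable header fields such as TTL from its ICV, which the model omits.

```python
"""Added example: a simplified model of what AH and ESP each protect.

Not Windows IPSec code. Assumptions: a packet is (src, dst, payload); AH's ICV is
an HMAC over address fields plus payload; ESP transport mode protects only the
payload; a SHA-256 keystream stands in for ESP's cipher; the key is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

DEMO_KEY = b"constructed-demo-key"   # constructed sample; real keys come from IKE
ICV_LEN = 32                         # HMAC-SHA256 digest length
NONCE_LEN = 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def ah_icv(pkt: Packet, key: bytes = DEMO_KEY) -> bytes:
    """AH covers the whole packet: address fields and payload (payload stays in the clear)."""
    covered = pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def ah_verify(pkt: Packet, icv: bytes, key: bytes = DEMO_KEY) -> bool:
    return hmac.compare_digest(ah_icv(pkt, key), icv)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived from SHA-256; a stand-in for ESP's cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def esp_protect(pkt: Packet, nonce: bytes, key: bytes = DEMO_KEY) -> Packet:
    """ESP transport mode: encrypt the payload, authenticate nonce + ciphertext.

    The outer addresses are left in the clear and are not covered by the ESP ICV,
    which is why a NAT device can rewrite them without breaking ESP.
    """
    ks = _keystream(key, nonce, len(pkt.payload))
    ct = bytes(p ^ k for p, k in zip(pkt.payload, ks))
    icv = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return Packet(pkt.src, pkt.dst, nonce + ct + icv)


def esp_unprotect(pkt: Packet, key: bytes = DEMO_KEY):
    """Return the plaintext, or None if the ESP integrity check fails."""
    nonce = pkt.payload[:NONCE_LEN]
    ct = pkt.payload[NONCE_LEN:-ICV_LEN]
    icv = pkt.payload[-ICV_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, icv):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    """What a NAT device does on the way out: replace the private source address."""
    return Packet(public_ip, pkt.dst, pkt.payload)


def demo() -> dict:
    """Run the scenarios from the two answers and report the observable properties."""
    original = Packet("10.0.0.5", "198.51.100.7", b"approve purchase order 4471")
    nonce = b"\x00" * NONCE_LEN        # fixed nonce so the run is reproducible
    public_ip = "203.0.113.9"

    icv = ah_icv(original)                       # AH alone
    esp_pkt = esp_protect(original, nonce)       # ESP alone
    esp_after_nat = nat_rewrite(esp_pkt, public_ip)
    # Flip one ciphertext bit to show ESP's own integrity check catches modification.
    body = esp_after_nat.payload
    tampered = Packet(esp_after_nat.src, esp_after_nat.dst,
                      body[:NONCE_LEN] + bytes([body[NONCE_LEN] ^ 0x01]) + body[NONCE_LEN + 1:])
    combined_icv = ah_icv(esp_pkt)               # AH + ESP: ESP first, then AH over the result

    return {
        "ah_verifies_direct": ah_verify(original, icv),
        "ah_verifies_after_nat": ah_verify(nat_rewrite(original, public_ip), icv),
        "esp_hides_payload": b"purchase order" not in esp_pkt.payload,
        "esp_decrypts_after_nat": esp_unprotect(esp_after_nat) == original.payload,
        "esp_rejects_tampering": esp_unprotect(tampered) is None,
        "combined_verifies_direct": ah_verify(esp_pkt, combined_icv),
        "combined_breaks_after_nat": not ah_verify(nat_rewrite(esp_pkt, public_ip), combined_icv),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the trade-off the answers describe: AH alone verifies end to end but leaves the payload readable and fails as soon as NAT rewrites the source address, ESP alone hides and authenticates the payload and survives NAT but never signs the addresses, and the AH+ESP combination gives authentication, integrity and confidentiality for the whole packet at the cost of the same NAT incompatibility as AH.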

8.

B. A policy cannot be used until it has been assigned. To assign a policy, you must right-click it in the right pane of the IP Security Policy Management console (Answer B) and select Assign.

A, C, D. Answer A is incorrect because there is no mechanism for authorizing the policy in Active Directory. Answer C is incorrect because, although you can edit a policy after creating it, leaving it unedited would not stop it from being applied once it had been assigned. Answer D is incorrect because you do not assign policies in the IP Security Monitor console; it is a utility used for viewing IPSec statistics and information.

9.

B. Session key PFS (Answer B), unlike master key PFS, does not force reauthentication and does not place nearly so great a burden on the domain controller.

A, C, D. Answer A is incorrect because master key PFS forces reauthentication of the master key keying material each time a new session key is required. This process uses a considerable amount of resources and could adversely affect the domain controller’s performance. Answer C is incorrect because master key PFS does use considerable resources on the domain controller and therefore is not an acceptable choice when you need to take the domain controller’s performance into consideration. Answer D is incorrect because only master key PFS, not session key PFS, puts a burden on the domain controller. Neither of these options is therefore a correct choice of PFS type.

10.

A. IPv6, as implemented in the Windows Server 2003 family, does not support the use of IPSec data confidentiality, which is obtained by ESP data encryption; therefore Answer A is correct.

B, C, D. Answer B is incorrect because IPv6 does support authentication as implemented with Windows Server 2003. Answer C is incorrect because IPv6 does support integrity as implemented with Windows Server 2003. Answer D is incorrect because IPv6 does support IPSec. In fact, this was one of the major design goals of version 6 of the IP protocol.

11.

C, D. If you need to have confidentiality and encryption on the packets, you should use ESP; therefore Answers C and D are correct.

A, B. Answers A and B are incorrect because ESP does not provide for data integrity and authentication, nor does it prevent packets from being captured.

12.

B. Kerberos v5 (Answer B) has the lowest administrative overhead and is the easiest to support of the authentication methods.

A, C, D. Answer A is incorrect because Diffie-Hellman is a key-exchange protocol, not an authentication method. Answer C is incorrect because pre-shared keys must be entered into each client machine manually, creating a large amount of administrative overhead. Answer D is incorrect because digital certificates require the implementation of a PKI and setup and maintenance of certification authorities. After the PKI is set up, administrative overhead is lower than that involved with pre-shared keys, but initial overhead is very high.

Using RSoP for IPSec Planning

13.

You have been hired to manage security for a medium-sized network. Your first project is to implement IPSec on the network to protect communications that travel across it. You have just assigned an IPSec policy to a client, and you need to view the precedence of IPSec policy assignments and which policies have been assigned to the client. Which logging mode would you use in RSoP?

  A. IPSec mode

  B. RSoP mode

  C. Logging mode

  D. Planning mode


14.

You have IPSec configured and running on your network. You want to capture some IPSec packets to ensure that the data inside cannot be viewed. You want to capture packets being sent from a remote client to a remote server, using a server in the server room. Which of the following tools will you need to use in order to capture these packets?

  A. Network Monitor in Windows Server 2003

  B. netsh commands in the ipsec context

  C. The IP Security Monitor console

  D. Systems Management Server (SMS)


15.

You want to use the RSoP tool in logging mode to build some reports on the existing policy settings of one of your client computers. You have used RSoP before in planning mode, but never in logging mode. You open the RSoP Wizard from the Active Directory Users and Computers console, as you’ve done before, but you notice that there is no mechanism for selecting the mode, and only planning mode seems to be available. What is the problem?

  A. The RSoP Wizard runs only in planning mode.

  B. You should open the RSoP Wizard from Active Directory Sites and Services instead.

  C. You should open the RSoP Wizard from the RSoP MMC instead.

  D. You can select logging mode when you open the RSoP in Active Directory Users and Computers. You must have overlooked the option.


Answers

13.

C. You would use the logging mode in RSoP (Answer C) for this purpose because it will show you which policies have taken precedence over others. It also shows detailed policy information such as filters, connection types, and tunnel endpoints.

A, B, D. Answers A and B are incorrect because they do not exist as mode types for RSoP. Answer D is incorrect because the planning mode can run queries to show administrators which policies are assigned to which users, as well as the target client’s computer name, IP address, and domain controller assignment, obtained through Windows Management Instrumentation (WMI).

14.

D. To capture packets and view what is inside them, you need a network sniffer (protocol analyzer). The only tool in this list that will allow you to capture and view packets passing across machines on the network other than the one from which you are monitoring is the version of Network Monitor that is included in Microsoft’s SMS console software, which can place the network card in promiscuous mode so that traffic not sent or received by the local computer can still be captured. Therefore Answer D is correct.

A, B, C. Answer A is incorrect because the Network Monitor included in Windows Server 2003 can capture packets, but only those sent to or from the local computer on which the Network Monitor is installed. Answer B is incorrect because the netsh command-line utility is used to apply various IPSec policies and cannot be used to view network traffic. Answer C is incorrect because the IPSec Monitor is used to view statistics and information about IPSec connections, but it does not allow you to view inside individual packets.

15.

C. Answer C is correct. When you open the RSoP Wizard from either Active Directory Users and Computers or Active Directory Sites and Services, you can use only planning mode. To use logging mode, you must open a stand-alone RSoP MMC. This is done by selecting Start | Run and entering mmc. Then select File from the menu, choose Add/Remove Snap-in, and click Add. Scroll down the list and add the RSoP console by double-clicking Resultant Set of Policy and selecting Add. After the console has been added, click Close and then OK.

A, B, D. Answer A is incorrect because the RSoP Wizard can run in either planning or logging mode, but the available modes depend on how you open the Wizard. Answer B is incorrect because opening the Wizard from the Active Directory Sites and Services tool would not help; you would still have only planning mode available. Answer D is incorrect because there is no way to select logging mode when you use Active Directory Users and Computers to open the RSoP Wizard; only planning mode is available.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173