Questions and Answers




Lesson 1 Review

Page 8-15

1. By default, how often does IPSec regenerate Main Mode keys?

   a. Every hour
   b. Every 4 hours
   c. Every 8 hours
   d. Every 24 hours
   e. Weekly


2. Which mode would you use to protect communications between two private networks connected by the Internet?

   a. Transport mode
   b. Tunnel mode


3. Which mode would you use to protect communications between an IPSec-enabled e-mail client and an e-mail server on a private network?

   a. Transport mode
   b. Tunnel mode


4. Which of the following IPSec protocols provides encryption for network communications?

   a. AH
   b. ESP
   c. SA
   d. IKE
   e. ISAKMP


Answers

1. c. Main Mode generates a new key every 480 minutes by default, which is equal to 8 hours.

2. b. You must use tunnel mode to connect two networks.

3. a. While you could theoretically use tunnel mode, you should always use transport mode to protect communications between two hosts that can directly communicate with IPSec.

4. b. Only ESP provides encryption for IPSec communications.

Lesson 2 Review

Page 8-22

1. You are an administrator at an organization that uses Windows Server 2003 Active Directory. Which IPSec authentication method should you recommend for authenticating internal clients to an intranet Web server?

   a. Kerberos authentication
   b. Public key certificates authentication
   c. Preshared key authentication


2. You need to grant employees at an external partner company access to an application server, but you want to ensure that the communications are authenticated and encrypted. Which IPSec authentication method should you recommend?

   a. Kerberos authentication
   b. Public key certificates authentication
   c. Preshared key authentication


Answers

1. a. Kerberos authentication is the correct choice for authenticating internal computers when Active Directory is used.

2. b. Public key certificates issued from an external root CA enable IPSec to authenticate external computers.

Lesson 3 Review

Page 8-38

1. Which of the following check boxes, when selected, will result in a performance degradation? (Choose all that apply.)

   a. Master Key Perfect Forward Secrecy (PFS)
   b. Use Session Key Perfect Forward Secrecy (PFS)
   c. Accept Unsecured Communication, But Always Respond Using IPSec
   d. Allow Unsecured Communication With Non-IPSec-Aware Computers


2. Which of the following command-line tools can be used to configure IPSec? (Choose all that apply.)

   a. Netstat
   b. Net
   c. Netsh
   d. Ipseccmd
   e. Ipconfig
   f. Ipsecpol


Answers

1. a and b. PFS, whether enabled for the master key or the session key, has the potential to degrade performance. Because session keys are negotiated more frequently, the performance impact is more significant.

2. c, e, and f. Netsh is used to configure IPSec on Windows Server 2003. Ipseccmd configures IPSec on Windows XP, and Ipsecpol can be used to configure Windows 2000.

Design Activity: Case Scenario Exercise

Page 8-40

1. Your CIO’s main concern is reducing the length of the merger process by allowing customers to retrieve documents electronically from your file servers. How would you propose that this be accomplished?


2. How can you use IPSec to reduce the costs of the private links between the three offices?


3. How can you use IPSec to reduce the costs of maintaining the dial-up modem bank and the long distance costs associated with remote employees dialing in?


4. How can you use IPSec to improve the security of communications on the internal network?


Answers

1. There are several ways to accomplish this. One way would be to connect your file servers to the public Internet and then configure IPSec policies for each of your customers. The IPSec policy could authenticate the customers using public key certificates issued by a third-party CA. If you used the ESP protocol, IPSec would also encrypt all network communications. Additionally, you could use the IPSec policy to implement packet filtering to restrict the file server from processing network traffic not originating from your customer’s network or your internal network.

   Other than using IPSec, you could suggest using digital rights management (DRM). Microsoft Office 2003 and the Rights Management Services add-on to Windows Server 2003 encrypt Office documents and enable the document owners to specify granular permissions to documents. DRM would protect documents even after they left your network, restricting whether customers could forward, print, or even copy and paste a document’s contents.

2. IPSec in tunnel mode can be used to connect the three offices across the Internet. Ultimately, if testing and a pilot project proved successful, the private links could be eliminated completely. Testing is critical, however, because IPSec tunnels between offices will not perform as well as the existing private links. Additionally, the reliability might not meet Contoso, Ltd.’s needs.

3. If you configure an IPSec gateway on your network, you can apply IPSec policy to Contoso, Ltd.’s mobile computers so that they access the private network across an IPSec tunnel mode VPN. This provides a level of privacy that is similar to that of a dial-up link and, depending on the type of Internet access the remote employees have, might actually improve their performance. Employees who do not have access to the Internet through a customer’s network can still dial in to a local ISP, eliminating the long-distance charges.

4. Most communications on the internal network can be protected with IPSec. This can provide data integrity validation, authentication, and encryption. Because you are using an Active Directory domain, you can use Kerberos authentication.

Design Activity: Troubleshooting Lab

Page 8-42

1. Why is Computer2 not responding to ping requests from Computer1?


2. How should you resolve the problem?


3. What else could have caused the problem?


Answers

1. Computer2 has an IPSec policy named TestFilter configured. This policy has a single active rule that uses the built-in IP filter list named All ICMP Traffic and a filter action named DropPacket that the other administrator must have created. This rule results in all ICMP traffic being dropped.

2. The simplest way to resolve the problem is to open the IP Security Policy Management snap-in, right-click the TestFilter policy, and then click Un-Assign. After you do this, Computer1 will immediately begin responding to ping requests.

3. If the same IPSec policy had been applied to Computer1, the results would have been the same because the TestFilter policy would drop ICMP traffic whether it was being sent or received. Also, ICF could have been configured on Computer2 to drop ICMP traffic.
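The lab's answers walk through the check and the fix in the IP Security Policy Management snap-in; the same diagnosis and un-assignment can be done from the command line with Netsh, which the Lesson 3 review names as the IPSec configuration tool on Windows Server 2003. The following is an added example, not part of the training kit; it assumes the TestFilter policy name from the lab, the netsh ipsec static syntax of Windows Server 2003, and, for the last step, Service Pack 1 or later, where ICF became Windows Firewall.

```batch
@echo off
rem Added example (not from the training kit): diagnose and clear the ICMP drop on Computer2.
rem Assumes Windows Server 2003 with the "netsh ipsec static" context; run in a command
rem prompt on Computer2 as an administrator. The policy name TestFilter comes from the lab.

rem 1. List the local IPSec policies and see which one is assigned (look for "Assigned: YES").
netsh ipsec static show policy all

rem 2. Dump policies, rules, filter lists and filter actions, so the rule that pairs the
rem    built-in "All ICMP Traffic" list with the DropPacket action is visible under TestFilter.
netsh ipsec static show all

rem 3. Un-assign the policy. This is the command-line equivalent of right-clicking
rem    TestFilter and choosing Un-assign, and it takes effect immediately.
netsh ipsec static set policy name=TestFilter assign=no

rem 4. Confirm that no policy is in force any more; the dynamic context shows active state.
netsh ipsec dynamic show all

rem 5. The answer to question 3 notes that the host firewall could also be dropping ICMP.
rem    On SP1 and later (assumption: ICF has become Windows Firewall) check its ICMP settings.
netsh firewall show icmpsetting
```

After step 3, repeat the ping from Computer1; if it still fails, the firewall settings from step 5 are the next place to look.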






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
Year: 2004
Pages: 217
