Exam Prep Questions

Question 1

Which of the following is not an asset in the remote-user network?

  • A. Management server

  • B. File server

  • C. Firewall

  • D. Router

  • E. Hub

A1:

Answer A is correct. The remote-user network can support one individual or a small office. The office can contain a file server (answer B). Remote-user networks can have filtering and traffic separation provided by a firewall (answer C) or a router (answer D), and traffic behind this edge device can be distributed by a hub (answer E) or a switch. The management server (answer A), however, remains at the headend as part of the centralization of management of all connections.

Question 2

The remote-user network must provide a secure operating environment to its users, as much like what they would experience in the LAN as possible. What else must it provide at the same time?

  • A. Secure communications that are flexible enough that users can modify them depending on where they might be when they need to connect

  • B. Safe communications that can be configured once and then managed no more aggressively than internal (LAN) communications

  • C. Strong encryption on all communications, with certification of all parties involved

  • D. Secure communications that are centrally managed for configuration control and updating

A2:

Answer D is correct. Communications between the remote user and the headend must be secure, but it is strongly recommended to keep the configuration and management of these communications centralized at the headend, for two reasons: Users are generally not qualified to configure their end correctly, and reconfiguration (as the result of a compromise of the existing configuration) is more readily done from the headend, where the expertise is likely to be available when it is needed. User configuration and modification as a part of answer A rules it out. The fact that the communications traverse the public infrastructure over which you have no control (as you do your internal connections) requires that more attention be paid to remote-user connections (eliminating answer B). Although Cisco recommends strong encryption (3DES instead of DES), using certificates as a means of authentication is not always appropriate (eliminating answer C). When there are relatively few VPNs to authenticate, a CA server is overkill and preshared keys are recommended.

Question 3

Which of the following is not a threat to the remote-user network?

  • A. Unauthorized access

  • B. Man-in-the-middle attacks

  • C. IP spoofing

  • D. Virus and trojan horse attacks

  • E. Packet sniffers

  • F. Network reconnaissance

A3:

Answer E is correct. The threats to the remote-user network include the following:

  • IP spoofing

  • Man-in-the-middle attacks

  • Network reconnaissance

  • Unauthorized access

  • Virus and trojan horse attacks

Although some would argue that denial of service (DoS) attacks should be considered a threat to the remote-user network, Cisco does not include them. One reason is that little can be done at either end of the VPN to mitigate them; you must depend on the ISPs carrying the connection to handle that. Packet sniffers are not likely to be placed on a properly protected remote host (one on which antivirus and software maintenance are both kept current). A sniffer placed in the communications path gains nothing if the traffic is encrypted, and the VPNs in the remote-user model are all IPSec VPNs. The remote-user model does not include the headend, so a sniffer at the tunnel termination or further inside the headend is not technically a threat to the remote-user network.

Question 4

Which of these devices provides the necessary ingress filtering for the remote-user network? (Choose two.)

  • A. Broadband access device with an integrated router

  • B. Router with firewall

  • C. VPN hardware client

  • D. Firewall

  • E. VPN software client

A4:

Answers B and D are correct. Ingress filtering requires either routing or a stateful firewall capability. Answer A includes a router as part of the capability, but the service provider or ISP usually retains management of the access device, so you cannot count on it to provide the filtering you need. The VPN clients, both hardware (answer C) and software (answer E), are optimized for IPSec tunnel termination and do that very well. However, they do not provide any firewalling or filtering capability.

Question 5

Which of these techniques best protects the remote-user network against man-in-the-middle attacks?

  • A. Ingress filtering

  • B. Content encryption and validation

  • C. Strong password policy

  • D. Protocol filtering

A5:

Answer B is correct. A man-in-the-middle attack is caused by someone interposing himself between the two endpoints: Instead of A communicating with B, A actually communicates with F, who communicates with B (and vice versa, in both cases). If A and B communicate over IPSec using preshared keys or certificates to authenticate each other (after which they create a shared secret key that encrypts their conversation), unless F knows the preshared key or can compromise the CA server, encryption will prevent F from injecting himself into the communications path. Ingress filtering (answer A) can mitigate IP spoofing and help mitigate unauthorized access, but it protects only the filtered end of the connection, not the part in the middle where the interloper lurks. The same is true of protocol filtering (answer D), with respect to accepting or rejecting protocol types at ingress. A strong password policy (answer C) makes unauthorized access inside the network much more difficult, but man-in-the-middle attacks occur outside that space, in a part of the communications path over which you have no control.
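The point made above, that F can succeed only by knowing the preshared key, as an added toy example in Python (not from the book and not Cisco's IKE implementation): the preshared key authenticates the exchanged Diffie-Hellman values, so a value substituted in the middle fails verification and no session key is derived. The group size, identities and key bytes are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: the Mersenne prime 2**127 - 1 with generator 3.
# Constructed for illustration only; IKE uses 1024-bit or larger MODP groups.
P = 2**127 - 1
G = 3
PSK = b"constructed-preshared-key"  # known only to A and B, shared out of band

def new_private():
    return secrets.randbelow(P - 2) + 1

def dh_public(priv):
    return pow(G, priv, P)

def auth_tag(key, sender_id, sender_pub, receiver_pub):
    """HMAC over the sender identity and both DH values, keyed with the preshared key.
    Loosely modelled on IKE main mode with preshared-key authentication."""
    msg = sender_id + sender_pub.to_bytes(16, "big") + receiver_pub.to_bytes(16, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(sender_id, sender_pub, my_pub, tag):
    expected = auth_tag(PSK, sender_id, sender_pub, my_pub)
    return hmac.compare_digest(expected, tag)

def exchange(mitm=False):
    """Run the A<->B exchange. With mitm=True, F substitutes his own DH value in
    both directions and must forge the tags without the PSK. Returns the outcome."""
    a_priv, b_priv = new_private(), new_private()
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    if mitm:
        f_pub = dh_public(new_private())
        wrong_key = b"guess"  # F does not know PSK, so his tags cannot verify
        tag_to_b = auth_tag(wrong_key, b"A", f_pub, b_pub)  # F posing as A
        tag_to_a = auth_tag(wrong_key, b"B", f_pub, a_pub)  # F posing as B
        a_sees, b_sees = f_pub, f_pub
    else:
        tag_to_b = auth_tag(PSK, b"A", a_pub, b_pub)
        tag_to_a = auth_tag(PSK, b"B", b_pub, a_pub)
        a_sees, b_sees = b_pub, a_pub
    a_accepts = verify(b"B", a_sees, a_pub, tag_to_a)
    b_accepts = verify(b"A", b_sees, b_pub, tag_to_b)
    # Each side derives the session key only if the peer's tag verified.
    a_key = pow(a_sees, a_priv, P) if a_accepts else None
    b_key = pow(b_sees, b_priv, P) if b_accepts else None
    return {"a_accepts": a_accepts, "b_accepts": b_accepts,
            "keys_match": a_key is not None and a_key == b_key}
```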

Question 6

Should split tunneling ever be enabled?

  • A. Yes, with the VPN software client.

  • B. Yes, with the VPN hardware client.

  • C. Yes, with a stateful firewall or router.

  • D. No, it should never be enabled.

A6:

Answer C is correct. Disabling split tunneling forces all connections, including those to the Internet or other networks, to go via the VPN and then the corporate egress. If there is no means of separating these connections at the remote user's end of the VPN, it is best to disable split tunneling, even though it consumes bandwidth and encryption/decryption resources. This is the case with both of the VPN clients (software, answer A, and hardware, answer B). However, if it is possible to logically separate the public communications from the corporate communications, which a stateful firewall does, it is worth considering enabling split tunneling so as not to waste bandwidth and the computational effort of encrypting and decrypting packets bound for Internet browsing. A router with a firewall package is a stateful firewall, only somewhat slower than the appliance because of software versus hardware performance issues.

Question 7

Which of these is not a functionality of the corporate LAN that you need to replicate (as much as possible) in the remote-user network implementation?

  • A. A means to authenticate users

  • B. A switch to direct traffic to the appropriate host

  • C. A means to isolate hosts serving the public from those supporting internal users only

  • D. A means to filter traffic

A7:

Answer A is correct. This is another question in the negative (which is not). The functionalities present in a secured network of any size include these:

  • A firewall and/or router for traffic filtering

  • A switch to direct traffic to the correct host

  • A means of authenticating traffic flows (not necessarily a means of authenticating users generating the traffic)

  • Isolation of public-facing hosts from internal traffic

Answer A is worded very closely to the material in the chapter, but it specifies authenticating users instead of traffic. As annoying as these little distinctions might seem, you can expect to see questions in this style on the actual exam. To be sure that they read the questions carefully enough, some people run their finger across the screen to force themselves to read the question word by word and not let their eyes (and brain) skip ahead.

Question 8

Which of these is a threat to the medium network Campus module but not the remote-user network? (Select two.)

  • A. Virus and trojan horse attacks

  • B. IP spoofing

  • C. Application-layer attacks

  • D. Packet sniffers

  • E. Unauthorized access

A8:

Answers C and D are correct. The threats in the medium network Campus include these:

  • Application-layer attacks

  • IP spoofing attacks

  • Packet sniffers

  • Password attacks

  • Port redirection

  • Trust exploitation

  • Unauthorized access

  • Virus and trojan horse attacks

The threats to the remote-user network include these:

  • IP spoofing

  • Man-in-the-middle attacks

  • Network reconnaissance

  • Unauthorized access

  • Virus and trojan horse attacks

Question 9

Which of the remote-user network options authenticates the user as well as the device?

  • A. The software access option.

  • B. The remote site firewall option.

  • C. The hardware VPN client option.

  • D. The remote site broadband router option.

  • E. None of these is correct.

A9:

Answer E is correct. None of the four remote-user network options authenticates the user; they all authenticate the host at the remote tunnel terminus to the host at the headend. If user authentication is required (and it normally is), that is handled by the same process as usual (such as a Windows Domain logon).

Question 10

What is the design goal of the remote-user network?

  • A. Connectivity as secure as possible while maintaining the same user experience as what occurs inside the LAN.

  • B. Connectivity as much like the inside-the-LAN experience as possible, while being secure.

  • C. A balance between user-friendly and secure connectivity.

  • D. None of these is correct.

A10:

Answer B is correct. The goal of the remote-user network is to create a secure means of communications that is as much like being inside the LAN as possible. When there is a tradeoff to be made, the inside-the-LAN quality is sacrificed first. Because answer A puts the user experience before security (be as secure as you can while keeping the same experience), it cannot be correct. Answer C seeks a balance between user-friendliness (which the LAN experience might or might not be) and security, but the SAFE design philosophy is to design for security first at the level directed by policy.




CSI Exam Cram 2 (Exam 642-541)
CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines
