Exam Prep Questions

Question 1

Which of the following are design fundamentals of the SAFE VPN Blueprint? (Choose two.)

  • A. Options for nonstandard tunnels

  • B. Reliability, performance, and scalability

  • C. Security and attack mitigation even without IPSec

  • D. Secure management

A1:

Answers B and D are correct. The design fundamentals are as follows:

  • Secure connectivity

  • Reliability, performance, and scalability

  • Options for high availability

  • Authentication of users and devices in the VPN

  • Secure management

  • Security and attack mitigation before and after IPSec

Notice that answer C begins similarly to the last fundamental but winds up with quite a different meaning ("without IPSec" vs. "before and after IPSec"; the latter requires the presence of IPSec, not its absence).

Question 2

The goal of VPNs is to provide what capability or capabilities to the organization?

  • A. Private communications using public infrastructure.

  • B. Encryption to reduce the chance of corporate espionage.

  • C. The chance for people to work wherever they happen to be.

  • D. All of these are correct.

A2:

Answer A is correct. The goal of VPNs is to provide an organization (which might or might not be a business) with private, ubiquitous communications wherever the devices and users might be, and to do so over a public infrastructure. VPNs are available to all kinds of organizations concerned with the confidentiality and integrity of their data. Encryption, which is one of several characteristics of a VPN, can reduce the chance of corporate espionage (answer B), but that is an effect of VPN usage, not a goal of VPNs as a class. Likewise, the capability to operate as though connected on a private circuit enables people to work wherever they happen to be (answer C); this, too, is an effect, not a goal of the technology. Cisco exam questions are known to split hairs like this. It is always important to read the question and be sure to answer the question Cisco actually asks.

Question 3

Split tunneling is often a good design choice for an enterprise because

  • A. It does not force the corporate WAN links to carry noncorporate traffic bound for the Internet.

  • B. It reduces the processor load at the headend by eliminating the decryption process for noncorporate packets.

  • C. Enterprise SAFE recommends against allowing users to enable split tunneling.

  • D. All of these are correct.

A3:

Answer D is correct. Split tunneling reduces the load at the headend (CPU processing of packets not bound for the corporate network; answer B) and reduces utilization of the corporate WAN links for noncorporate traffic (answer A). Even though the SAFE VPN whitepaper recommends employing split tunneling for just these reasons, the Enterprise SAFE Blueprint considers it unwise to allow users to enable split tunneling (answer C). Thus, even though they seem contradictory, all three offered answers are correct.

Question 4

Which of the following is not one of the SAFE VPN axioms?

  • A. Split tunneling

  • B. Resiliency

  • C. Compression

  • D. Fragmentation and PMTUD

  • E. IP addressing

A4:

Answer B is correct. The SAFE VPN axioms are as follows:

  • Identity and IPSec access control

  • IPSec

  • IP addressing

  • Multiprotocol tunneling

  • NAT

  • Single-purpose versus multipurpose devices

  • Intrusion detection, network access control, trust, and VPNs

  • Split tunneling

  • Partially meshed, fully meshed, distributed, and hub-and-spoke networks

  • Interoperability and mixed versus homogeneous networks

  • Fragmentation and path MTU discovery (PMTUD)

  • Network operations

  • HSRP

  • Compression

  • Remote-access user requirements

  • High availability

That's a long list, but resiliency (answer B) is not on it. You might argue that HSRP and HA (the last axiom) imply resiliency, but the other possible answers were exact, and resiliency was not. In the case of one best answer, the one that is the worst fit given the question's negative phrasing (which Cisco periodically uses) is the correct one.

Question 5

Part of high availability (HA) for VPNs is load dispersion on failure. To what failure does this refer?

  • A. Failure of the corporate WAN segment

  • B. Failure of the AAA server that must validate logins when you are securing VPN devices

  • C. Failure of a headend device

  • D. Failure of a remote site device

A5:

Answer C is correct. You typically have multiple branches connecting to a single VPN headend device. To ensure communications, it is useful to have a primary and a secondary tunnel for each branch connection (and they must be active/active instead of active/standby). The secondary tunnels must be spread around so that if one headend device fails, the entire load does not all fall on one other headend device while the remaining device(s) picks up none of it. In fact, the entire discussion relates to failure of a headend device (answer C). No mention is made of a failure of a corporate WAN segment (answer A); an AAA server, though redundancy here is also advisable (answer B); or failure of the remote site device (answer D).

Question 6

Which of the following is not one of the SAFE IPT axioms?

  • A. Telephony devices don't support confidentiality.

  • B. Soft phones require open access.

  • C. Establishing identity is key.

  • D. Networks are targets.

  • E. Data and voice segmentation is highly desirable.

A6:

Answer E is correct. The SAFE IPT Blueprint axioms are as follows:

  • Voice networks are targets.

  • Data and voice segmentation are key.

  • Telephony devices don't support confidentiality.

  • IP phones provide access to the data-voice segments.

  • Soft phones require open access.

  • Soft phones are especially susceptible to attacks.

  • Establishing identity is key.

  • Rogue devices pose serious threats.

  • Secure and monitor all voice services and segments.

Notice the second one in the list: Data and voice segmentation are key, not desirable, or even highly desirable (answer E). Because two previously segregated networks are being converged, each can provide a new and exciting avenue for attacks on the other. It is critical to keep them segregated as much as possible to protect them from each other's vulnerabilities.

Question 7

Which of these is not a design fundamental for the SAFE Wireless Blueprint?

  • A. Wireless data confidentiality.

  • B. Authentication of users to network resources.

  • C. Authentication and authorization of wireless networks to wired network resources.

  • D. All of these are correct design fundamentals.

A7:

Answer D is correct. These are the SAFE Wireless design fundamentals:

  • Security and attack mitigation based on policy

  • Authentication and authorization of wireless networks to wired network resources

  • Wireless data confidentiality

  • Access point (AP) management

  • Authentication of users to network resources

  • Options for HA (in large networks only)

Question 8

The SAFE SMR Blueprint can be thought of as a combination of which two SAFE Blueprints? (Choose two.)

  • A. Enterprise SAFE

  • B. SAFE VPN

  • C. SAFE IPT

  • D. SAFE Wireless

A8:

Answers A and B are correct. The SMR SAFE is most like the Enterprise SAFE (answer A), minus the resiliency and scalability features of the latter. At the same time, it incorporates connectivity for remote users, the whole point of SAFE VPN (answer B). You will see little to no mention of IP telephony (answer C) or wireless devices (answer D) in the SMR Blueprint.

Question 9

Which of the following is not a design fundamental of the SAFE SMR Blueprint?

  • A. Intrusion detection for critical resources and subnets

  • B. Security and attack mitigation based on policy

  • C. Cost-effective deployment

  • D. Resiliency to the maximum extent allowed by network scale

  • E. Security and attack mitigation based on policy

A9:

Answer D is correct. The design fundamentals of the SAFE SMR are almost the same as those of Enterprise SAFE; the difference lies in SMR's use of "cost-effective deployment" vs. Enterprise's use of "support for emerging networked applications." Resiliency, though often cited as a design fundamental of Enterprise SAFE, is actually not in either list. The SAFE SMR design fundamentals are as follows:

  • Security and attack mitigation based on policy

  • Security implementation through the network (not just on specialized devices)

  • Cost-effective deployment

  • Secure management and reporting

  • Authentication and authorization of users and administrators to critical network resources

  • Intrusion detection for critical resources and subnets

Question 10

The SMR medium Corporate Internet module combines the designs of which two modules? (Choose two.)

  • A. Enterprise WAN module

  • B. Enterprise E-Commerce module

  • C. Enterprise Corporate Internet module

  • D. Enterprise VPN/RA module

  • E. VPN Architecture Set

A10:

Answers C and D are correct. The SMR medium Corporate Internet module serves the same function as that of the Enterprise Corporate Internet module (answer C): providing secure connectivity to the outside for the Campus module. At the same time, it provides a headend for the medium organization's VPNs, as the Enterprise VPN/Remote Access module does (answer D). Although the SMR medium Corporate Internet module has a DMZ, it is not there for e-commerce; the SMR model specifically does not include e-commerce (eliminating answer B). The SMR medium model has a WAN module of its own (eliminating answer A). The VPN Architecture Set (answer E) is a description of the multiple means of remote users connecting to a VPN headend; it is not a module, per se (and the question specified modules).

Question 11

Which of the following is not used in the SMR small network model?

  • A. Private VLANs

  • B. VPN concentrator

  • C. HIDS

  • D. Layer 2 switch

A11:

Answer B is correct. The SMR small network brings in traffic from the outside through a router with a firewall and passes it via a Layer 2 switch (answer D) to the mini-DMZ or to the campus. Servers in both the mini-DMZ and the campus are protected by HIDS (answer C) and kept segregated by the use of private VLANs (answer A). A VPN concentrator (answer B) is needed only when there are more VPNs than typically are found connecting to a small network.

Question 12

Why does one of the remote-user implementations require the presence of a software (personal) firewall on the host?

  • A. It is used when the host is especially susceptible to theft.

  • B. It is used when the host is exposed to other connections without a firewall's protection.

  • C. It is used whenever an extra layer of protection is desired.

  • D. All of these are correct.

A12:

Answer B is correct. The option that requires a software (personal) firewall on the host is the one in which there is no other firewall (hardware firewall, hardware VPN client, or firewall router) available to protect it. Although this is likely to occur in dialup situations, it could also occur in a laptop that is allowed to connect via wireless hot spots, from a hotel room when traveling, and so on. The software firewall does nothing to protect the organization if the host is stolen (answer A), although encryption of the files stored on the host would certainly help. Extra protection may be desired (answer C), but it is not a requirement, which the question specified.




CSI Exam Cram 2 (Exam 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines
