If you are building a 15-site VPN network and most of the traffic flows from spoke to hub, but some traffic must flow from spoke to spoke, choosing from mesh, partial mesh, and hub and spoke, which topology should you choose?


Hub and spoke is the most appropriate here because, with 15 sites, you will need 105 bidirectional IPsec tunnels to build a full mesh. If key spokes must communicate, you can consider a partial mesh to allow these sites to talk directly to one another. By using a simple hub-and-spoke design, spokes can still communicate with one another through the head end.


In which situations is routing unnecessary in an IPsec VPN?


There are a few reasons you might not need routing:

  • You have less than five sites with a small number of networks at each site.
  • You have requirements to support IPsec hardware that have no provisions for routing. (In this case, management will be difficult in larger networks.)
  • You are running only a remote user VPN and no site-to-site.

In its simplest form, how many security associations (SAs) are required to establish bidirectional communication between two IPsec peers?


Three. One bidirectional SA for IKE and two unidirectional IPsec SAs, one for each direction of traffic flow.


When might it be appropriate to use an application layer VPN instead of IPsec?


If the applications you are running are limited to a small set (23 or less), you could potentially rely on application layer security. For example, small retail stores could elect to send point-of-sale information back to HQ over an SSL/TLS tunnel instead of going through the complexity of setting up a full IPsec implementation. In most networks, though, there are a sufficient number of applications to warrant using IPsec.


If you have an IPsec VPN deployed for remote users and remote sites, is there any reason you might also deploy SSL/TLS application security?


Besides the obvious e-commerce situation, you might also use SSL/TLS when communicating with business partners if you are sharing only a single application. Likewise, you might wish to provide your employees with remote e-mail access over HTTPS when they are not at their normal workstations. It is also appropriate to use SSL/TLS tunnels for traffic within IPsec as an added layer of security. This is particularly true because current IPsec deployments often aren't from host to host; rather thye're from host to gateway or gateway to gateway and don't protect all the way to the host.


Why are you able to run transport mode IPsec when you deploy GRE + IPsec?


Because GRE encapsulates all traffic, it appears to the IPsec process as two hosts communicating with one another. This one-to-one communication makes transport mode possible.

Part I. Network Security Foundations

Network Security Axioms

Security Policy and Operations Life Cycle

Secure Networking Threats

Network Security Technologies

Part II. Designing Secure Networks

Device Hardening

General Design Considerations

Network Security Platform Options and Best Deployment Practices

Common Application Design Considerations

Identity Design Considerations

IPsec VPN Design Considerations

Supporting-Technology Design Considerations

Designing Your Security System

Part III. Secure Network Designs

Edge Security Design

Campus Security Design

Teleworker Security Design

Part IV. Network Management, Case Studies, and Conclusions

Secure Network Management and Network Security Management

Case Studies



Appendix A. Glossary of Terms

Appendix B. Answers to Applied Knowledge Questions

Appendix C. Sample Security Policies

INFOSEC Acceptable Use Policy

Password Policy

Guidelines on Antivirus Process


Network Security Architectures
Network Security Architectures
ISBN: 158705115X
EAN: 2147483647
Year: 2006
Pages: 249
Authors: Sean Convery

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net