If you are building a 15-site VPN network and most of the traffic flows from spoke to hub, but some traffic must flow from spoke to spoke, choosing from mesh, partial mesh, and hub and spoke, which topology should you choose?
Hub and spoke is the most appropriate here because, with 15 sites, you will need 105 bidirectional IPsec tunnels to build a full mesh. If key spokes must communicate, you can consider a partial mesh to allow these sites to talk directly to one another. By using a simple hub-and-spoke design, spokes can still communicate with one another through the head end.
In which situations is routing unnecessary in an IPsec VPN?
There are a few reasons you might not need routing:
In its simplest form, how many security associations (SAs) are required to establish bidirectional communication between two IPsec peers?
Three. One bidirectional SA for IKE and two unidirectional IPsec SAs, one for each direction of traffic flow.
When might it be appropriate to use an application layer VPN instead of IPsec?
If the applications you are running are limited to a small set (23 or less), you could potentially rely on application layer security. For example, small retail stores could elect to send point-of-sale information back to HQ over an SSL/TLS tunnel instead of going through the complexity of setting up a full IPsec implementation. In most networks, though, there are a sufficient number of applications to warrant using IPsec.
If you have an IPsec VPN deployed for remote users and remote sites, is there any reason you might also deploy SSL/TLS application security?
Besides the obvious e-commerce situation, you might also use SSL/TLS when communicating with business partners if you are sharing only a single application. Likewise, you might wish to provide your employees with remote e-mail access over HTTPS when they are not at their normal workstations. It is also appropriate to use SSL/TLS tunnels for traffic within IPsec as an added layer of security. This is particularly true because current IPsec deployments often aren't from host to host; rather thye're from host to gateway or gateway to gateway and don't protect all the way to the host.
Why are you able to run transport mode IPsec when you deploy GRE + IPsec?
Because GRE encapsulates all traffic, it appears to the IPsec process as two hosts communicating with one another. This one-to-one communication makes transport mode possible.
Part I. Network Security Foundations
Network Security Axioms
Security Policy and Operations Life Cycle
Secure Networking Threats
Network Security Technologies
Part II. Designing Secure Networks
General Design Considerations
Network Security Platform Options and Best Deployment Practices
Common Application Design Considerations
Identity Design Considerations
IPsec VPN Design Considerations
Supporting-Technology Design Considerations
Designing Your Security System
Part III. Secure Network Designs
Edge Security Design
Campus Security Design
Teleworker Security Design
Part IV. Network Management, Case Studies, and Conclusions
Secure Network Management and Network Security Management
Appendix A. Glossary of Terms
Appendix B. Answers to Applied Knowledge Questions
Appendix C. Sample Security Policies
INFOSEC Acceptable Use Policy
Guidelines on Antivirus Process