| Question 1 | An external supplier for your company plans to implement a VPN tunnel to your headquarters. What type of VPN does this indicate? |
| A1: | Because we are connecting to a supplier not in our company, answer B is correct. A and C are used for VPNs within our company. D is not an actual type of VPN. |
| Question 2 | Your security department plans on managing and controlling VPNs for a medium-sized business. What VPN device should they use? A. Cisco PIX 501 firewall B. Cisco 3640 IOS router C. Cisco VPN 3005 Concentrator D. Cisco PIX 515 firewall
|
| A2: | Answer D is correct. Because this is a medium-sized business and the security department is managing the VPNs, the PIX 515 is the best model to choose. A is incorrect because the PIX 501 is not a suitable device for medium-sized businesses. B and C are capable devices; however, they may not be under the control of the security department. |
| Question 3 | Which of the Diffie-Hellman groups are supported by Cisco VPN products? (Choose all that apply.) A. Group 1 B. Group 2 C. Group 3 D. Group 5 E. Group 7 F. Group 8 G. Group 9
|
| A3: | Answers A, B, D, and E are correct. Cisco VPN products can support groups 1, 2, and 7. Diffie-Hellman group 1 is 768-bit and Diffie-Hellman 2 is 1024-bit. Diffie-Hellman 5 was supported starting with software version 3.6 and is 1536-bit. Diffie-Hellman group 7 is used for mobile devices such as PDAs and IP phones. Answers C, F, and G are not supported by Cisco. |
| Question 4 | Which of the following are IKE modes? (Choose all that apply.) A. Main mode B. Fast mode C. Aggressive mode D. Quick mode E. Diffie-Hellman mode
|
| A4: | Answers A, C, and D are correct. Main mode and aggressive mode are in IKE phase 1 negotiation, and quick mode is in IKE phase 2. Answers B and E are not actual modes of IKE. |
| Question 5 | Which of the following is not a step in IPSec communications? A. IPSec encrypted data B. Interesting traffic C. IKE phase 3 D. Tunnel termination
|
| A5: | Answer C is the correct answer. IKE Phase 3 does not exist. |
| Question 6 | 
What type of Diffie-Hellman group would you expect to be utilized on a wireless device? A. Group 4 B. Group 7 C. Group 5 D. Group 3
|
| A6: | Answer B is correct. Wireless clients typically use Diffie-Hellman Group 7 for small processor devices such as wireless devices. Answers A, C, and D are incorrect because these groups would not typically be found on wireless or other small processor devices. |
| Question 7 | Which one of these encryption algorithms is asymmetric? A. DES B. 3DES C. RSA D. AES
|
| A7: | Answer C is correct. RSA utilized a private key and a public key pair for encryption. Answers A, C, and D are incorrect because AES, DES, and 3DES are symmetric algorithms, which use the same key to encrypt and decrypt. |
| Question 8 | Which one of the following is not a service provided by the IPSec protocol framework? A. Authentication B. Authorization C. Anti-Replay D. Confidentiality E. Data Integrity
|
| A8: | Answer B is correct. IPSec can provide confidentiality, data integrity, authentication, and anti-replay protection. Authorization is not a service that is provided by IPSec. |
| Question 9 | Which one of the following devices would not typically be implemented at an enterprise main office or service provider? A. Cisco 7200 Router B. VPN 3060 Concentrator C. PIX 535 Firewall D. VPN 3030 Concentrator
|
| A9: | Answer D is correct. An enterprise main office or service provider would require robust equipment to handle the throughput required at such large locations. Typical equipment for such a site would be the VPN 3060 and 3080 Concentrators, Cisco 7100 and 7200 Routers, and PIX 525 and 535 firewalls. The 3030 Concentrator is better suited at a Medium ROBO. |
| Question 10 | Which process is true regarding asymmetric encryption (Choose 2) A. Both devices use matching keys. B. Both devices use different keys. C. The sender uses the receiver's public key for encrypting the data. D. The sender uses the receiver's private key for encrypting the data.
|
| A10: | Answers B and C are correct. Asymmetric encryption is characterized by both ends utilizing different keys. The sender uses the receiver's public key to encrypt the bulk data, which is decrypted by the sender using its private key. Answer A is incorrect because that is a characteristic of symmetric encryption. Answer D is incorrect because the sender must never know the receiver's private key. |
