Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the Exam Objectives presented in this chapter and to assist you with real-life implementation of these concepts.

Q.  What happens if a computer attempts to connect to another computer with the Secure Server IPSec policy and it fails to authenticate?

A.  The server will not accept connections from that host for at least one minute and for as long as five minutes. This is something to be aware of when troubleshooting connectivity problems with IPSec-enabled machines.

Q.  Can I use Kerberos authentication for my users who are using an L2TP/IPSec tunnel to dial into intranet servers?

A.  VPN connections in Windows 2000 are designed to use certificate-based public key authentication, although there is a Registry hack that allows you to use preshared keys for testing purposes. In Windows XP, the interface provides an IPSec settings option that lets you use a preshared key for authentication.

Q.  Our internal network uses NAT rather than public IP addresses. Can I use L2TP/IPSec tunnels to allow remote access VPN clients to access my internal resources?

A.  No. Because of incompatibilities between NAT and IPSec, you cannot use both at the same time. L2TP over IPSec traffic is not translatable by a NAT because the UDP port number is encrypted.

Q.  What is Perfect Forward Secrecy?

A.  Perfect Forward Secrecy ensures that a key used to protect a transmission, in whichever phase, cannot be used to generate any additional keys. If the key used was derived from specific keying material, that material cannot be used to generate any other keys. This provides a high level of protection. If an intruder is able to access data and obtain a key, that key will not be valid on other packets, making the cracking process very difficult.
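The following sketch is an added illustration, not taken from the book. It models a simplified IKEv1-style quick mode in which the session key is a PRF over the phase 1 secret (SKEYID_d) and the exchanged nonces, optionally mixed with a fresh Diffie-Hellman secret when PFS is on, and counts how many session keys a later leak of SKEYID_d would expose. The toy DH group, the omission of the protocol and SPI fields, and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this demo; far too small for real use.
P = 2**127 - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def negotiate(skeyid_d: bytes, pfs: bool):
    """Run one simplified quick-mode exchange (hypothetical helper).

    Returns (session_key, wire); wire holds only what crosses the network.
    """
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"Ni": ni, "Nr": nr}
    material = ni + nr
    if pfs:
        # Fresh ephemeral DH per negotiation; private values never leave the peers.
        x = secrets.randbelow(P - 3) + 2
        y = secrets.randbelow(P - 3) + 2
        wire["KE_i"], wire["KE_r"] = pow(G, x, P), pow(G, y, P)
        shared = pow(wire["KE_r"], x, P)
        assert shared == pow(wire["KE_i"], y, P)  # both peers agree
        material = shared.to_bytes(16, "big") + material
    return prf(skeyid_d, material), wire


def rederive_from_leak(skeyid_d: bytes, wire: dict) -> bytes:
    """Best derivation possible from a leaked SKEYID_d plus recorded traffic."""
    return prf(skeyid_d, wire["Ni"] + wire["Nr"])


def exposed_sessions(pfs: bool, rekeys: int = 5) -> int:
    """Count session keys that a later leak of SKEYID_d reveals."""
    skeyid_d = secrets.token_bytes(32)  # stands in for the phase 1 secret
    count = 0
    for _ in range(rekeys):
        key, wire = negotiate(skeyid_d, pfs)
        count += hmac.compare_digest(key, rederive_from_leak(skeyid_d, wire))
    return count


if __name__ == "__main__":
    print("without PFS:", exposed_sessions(False), "of 5 session keys exposed")
    print("with PFS:   ", exposed_sessions(True), "of 5 session keys exposed")
```

Without PFS every rekeyed session key follows from the one long-lived secret; with PFS each key also depends on ephemeral values that are discarded after the negotiation.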



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
