Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

The Need For Network Security

1. 

Your network currently does not use IPSec to protect internal communications. An attacker could perform what sort of attack on your network to capture valuable information, such as user names and passwords?

  A. Snooping

  B. Spoofing

  C. DoS

  D. MITM

2. 

You have detected an unauthorized computer capturing all traffic between two servers on your network. You suspect that this computer has changed some or all of the transmissions that have been sent from both servers. What type of attack are you most likely experiencing?

  A. Snooping

  B. Spoofing

  C. DoS

  D. MITM

Answers

1. 

☑ Answer A is correct. Snooping, or sniffing, the network can be done using a software application designed for this purpose that can capture all packets transmitted on the network, not just those addressed to the network adapter being used to perform the attack.

☒ Answer B is incorrect because a spoofing attack is one in which an attacker assumes the identity of a trusted computer in order to trick other computers into giving it otherwise unauthorized access. Answer C is incorrect because a DoS attack is one in which a network or network service is targeted by a massive stream of traffic, preventing legitimate users from being able to make use of the network or network service. Answer D is incorrect because a MITM attack is one in which an attacker sits between two communicating hosts, intercepting traffic and modifying it before transmitting the traffic to the legitimate hosts. In this way, the man in the middle can change and control the conversation.

2. 

☑ Answer D is correct. In this case, you are most likely experiencing a MITM attack. In this type of attack, the attacker sits between two parties who believe they are communicating with each other, when in fact their entire conversation is being captured and most likely modified by the attacker.

☒ Answer A is incorrect because snooping, or sniffing, the network can be done using a software application designed for this purpose that can capture all packets transmitted on the network, not just those addressed to the network adapter being used to perform the attack. Answer B is incorrect because a spoofing attack is one in which an attacker assumes the identity of a trusted computer in order to trick other computers into giving it otherwise unauthorized access. Answer C is incorrect because a DoS attack is one in which a network or network service is targeted by a massive stream of traffic, preventing legitimate users from being able to make use of the network or network service.

IP Security Overview

3. 

IPSec operates at what layer of the seven-layer open system interconnection (OSI) Model?

  A. Layer 2

  B. Layer 3

  C. Layer 6

  D. Layer 7

4. 

Jon is interested in deploying IPSec on his network. What benefits can Jon expect to gain by doing so? (Choose all that apply.)

  A. Integrity of traffic on his network

  B. Confidentiality of traffic on his network

  C. Authentication of traffic on his network

  D. Impersonation of traffic on his network

5. 

In regards to IPSec, the AH does what for you?

  A. Ensures data integrity and authentication

  B. Prevents capture of packets

  C. Provides confidentiality

  D. Encrypts the packets

6. 

What is added to a standard IP datagram when the AH is used?

  A. Encryption to protect the contents of the packet

  B. An AH header that provides authentication, anti-replay, and integrity for the entire packet

  C. An AH header that provides assurance of delivery

  D. An AH header and AH trailer that provides a checksum of the packet

7. 

Andrea is configuring a new IPSec policy for her network. What methods does she have to choose from as far as authentication? (Choose all that apply.)

  A. Digital certificate

  B. SNMP string

  C. Shared secret

  D. Kerberos

8. 

During the process of starting an IPSec communication between two computers, how many SAs are created?

  A. One

  B. Two

  C. Three

  D. Depends on the IPSec policy requirements

9. 

Chris wants to use IPSec to secure communications between her main office and a remote office over the Internet. What is this called?

  A. Transport mode

  B. Internet mode

  C. Tunnel mode

  D. Transfer mode

10. 

You are interviewing a new candidate for the position of assistant network administrator. Bruno, the candidate, is in the process of answering the question "What does message integrity mean?" Which of the following answers should Bruno give you?

  A. The assurance that the message received is identical to the message that was sent.

  B. The assurance that the identity of a sender or recipient is verified.

  C. The assurance that the message is protected from prying eyes and is kept private.

  D. The assurance that the receiving user is authorized to receive the message.

Answers

3. 

☑ Answer B is correct. IPSec operates at layer 3 of the seven-layer model. Layer 3 is the network layer.

☒ Answer A is incorrect because layer 2 is the transport layer. Answer C is incorrect because layer 6 is the presentation layer. Answer D is incorrect because layer 7 is the application layer.

4. 

☑ Answers A, B, and C are correct. IPSec can provide Jon with integrity (assurance that the message received is identical to the message that was sent), confidentiality (keeping your private information private), and authentication (establishes the identity of a sender or recipient).

☒ Answer D is incorrect because impersonation is a form of attack, such as the MITM attack. Using IPSec can prevent attacks such as this.

5. 

☑ Answer A is correct. The AH is one of two protocols implemented in IPSec. AH ensures data integrity and authentication of sender, thus preventing a replay type of attack.

☒ Answer B is incorrect because AH does not prevent capture of packets. Packets can be captured if someone is allowed to gain access to a wired or wireless segment of the network. The capture of packets does not automatically mean, however, that the data on the network is unsafe. It does, however, pose a great risk. Answers C and D are incorrect because AH does not provide confidentiality of data or data encryption. Those functions are provided by the ESP.

6. 

☑ Answer B is correct. AH is just that: a small header that is inserted into an IP datagram after the IP header and before the TCP header that provides authentication, anti-replay, and integrity. In short, AH tells you that the packet is genuine and came from where it claims to have come from.

☒ Answers A, C, and D are incorrect because AH does not provide any form of encryption or confidentiality of the packet, nor does it provide delivery assurance of any kind.

7. 

☑ Answers A, C, and D are correct. Andrea can use any or all of the following: certificate, shared secret, or Kerberos. Kerberos is the default selection. The use of a certificate requires that a functional CA be in place on your network. Shared secrets are the least preferred because they can lead to network compromise if learned by an attacker.

☒ Answer B is incorrect because SNMP is not used for configuring IPSec. SNMP is typically used for network configuration, such as routers and switches, among other items.

8. 

☑ Answer C is correct. There are three total SAs created between two computers that wish to use IPSec to secure their communications. There is a Phase 1 SA and two Phase 2 SAs, one for inbound traffic and the other for outbound traffic. The Phase 1 SA involves the negotiation of the encryption algorithm and hashing algorithm to be used, followed by the actual authentication process. The Phase 2 SAs involve the negotiation of the IPSec protocol to be used (AH and/or ESP), the encryption algorithm to be used, and the hashing algorithm to be used.

☒ Answers A, B, and D are incorrect because there are always three SAs formed when two computers initiate an IPSec-secured communication.

9. 

☑ Answer C is correct. When IPSec is used to secure a communication between two gateways, as when connecting one office to another across the Internet, it is said to be operating in tunnel mode.

☒ Answer B is incorrect because Transport mode occurs between clients on the same WAN or over a private (not the Internet) WAN link. Answers A and D are incorrect because there is no such thing as Internet mode or Transfer mode.

10. 

☑ Answer A is correct. The term integrity refers to the assurance that the message received is identical to the message that was sent.

☒ Answer B is incorrect because the term authentication refers to the assurance that the identity of the sender or recipient is verified. Answer C is incorrect because the term confidentiality refers to keeping a message safe from prying eyes, thus ensuring the message is kept private. Answer D is incorrect because the assurance that a receiving user is authorized to receive the message is not a function of IPSec, but typically is the responsibility of the messaging and operating system.

IP Security Management Tools

11. 

You have recently configured and deployed an IPSec solution on your network between all computers in the Finance department. What can you use to verify that IPSec is in fact being used by these computers to secure their communications?

  A. IP Security Policies in the Group Policy Editor

  B. IP Security Monitor

  C. Certificates Snap-in

  D. IP Security Policy Agent

12. 

You have configured several different IPSec policies for your organization, one for each department within the organization. From where can a configured IPSec policy be selected for use on a computer? (Choose all correct answers.)

  A. IP Security Policies within Group Policy

  B. IP Security Monitor

  C. TCP/IP Advanced Properties

  D. Certificates Snap-in

Answers

11. 

☑ Answer B is correct. The IP Security Monitor (IPSec Monitor) can be used to monitor IPSec on your network and verify that computers are making the desired hard associations.

☒ Answer A is incorrect because the IP Security Policies in the Group Policy Editor is used to configure and create IPSec policies. Answer C is incorrect because the Certificates Snap-in is not used to monitor IPSec directly. Answer D is incorrect because the IP Security Policy Agent is used to load and refresh the applied IP Security policy, not to monitor IPSec.

12. 

☑ Answers A and C are correct. The IP Security Policies folder within Group Policy can be used to configure and select IP Security policies. The TCP/IP Advanced Properties window can be used to select a preconfigured IP Security policy.

☒ Answer B is incorrect because the IP Security Monitor is not used to select an IPSec policy for use. Answer D is incorrect because the Certificates Snap-in is not used to select an IPSec policy for use.

Deploying and Troubleshooting Windows IP Security

13. 

Catherine is interested in deploying IPSec on her network to increase network security. She currently uses a NAT device to translate one Public IP address for her 25 internal clients (Windows 2000 Professional and Windows 98) using DHCP. What concerns should Catherine have in this situation? (Choose all that apply.)

  A. No concerns; IPSec is an ideal solution for any size network.

  B. IPSec is not compatible with DHCP; she will need to manually assign the client computer IP addresses.

  C. IPSec is not compatible with NAT devices; she will not be able to create IPSec connections outside of her network.

  D. IPSec is not supported with legacy operating systems such as Windows 98; these computers will not be able to make secure connections or communicate with other computers that require secure communications.

14. 

You are creating a new IPSec policy for your network. You have several highly sensitive servers that you do not want to allow any unsecured connections to. You have a mix of Windows 2000 Professional and Windows NT 4.0 client computers. You need all of your client computers to be able to connect securely to these servers. What do you need to do? (Choose all that apply.)

  A. Upgrade the Windows NT 4.0 computers to Windows 2000.

  B. Designate that the Windows NT 4.0 computers are to be trusted for delegation.

  C. Ensure that the servers have their archive bit set to false.

  D. Ensure that the "Do not communicate with computers that do not support IPSec" option is selected when you make your new IPSec policy.

15. 

Hannah wants to customize the IPSec hash algorithm that is in use in her organization's IPSec policy. What are her choices? (Choose all that apply.)

  A. SHA1

  B. WEP

  C. AES

  D. MD5

Answers

13. 

☑ Answers C and D are correct. IPSec cannot be used to create connections through NAT devices, thus Catherine will not be able to make IPSec secured connections outside of her network. This may or may not be a problem for her, but it is something that she should be aware of during the design and planning phase. IPSec is only supported for Windows 2000 and later operating systems, so her Windows 98 computers will not be able to communicate with any computers that require secure connections. She should consider upgrading these computers to Windows 2000 Professional.

☒ Answers A and B are incorrect because while IPSec is a good solution for any size network, Catherine still has the concerns related to the NAT device and the legacy Windows 98 clients on her network. IPSec has no bearing on DHCP, nor does DHCP have any bearing on IPSec. The only thing to bear in mind is that if you require secure connections on a server providing network services such as DHCP or DNS, then you must ensure that all clients are configured properly to establish connections to the server. If not, network communications will be impossible.

14. 

☑ Answers A and D are correct. You will need to upgrade the Windows NT 4.0 computers to be able to use IPSec for those machines. Selecting the "Do not communicate with computers that do not support IPSec" option will prevent any unsecured communications from occurring.

☒ Answer B is incorrect because trusting a computer for delegation is not part of IPSec and cannot be done to a Windows NT 4.0 client at any rate. You might trust a computer for delegation if it were a file server and you wanted to allow people to be able to use EFS encryption on it. Answer C is incorrect because setting the archive bit to false affects how the NTBACKUP.EXE utility will handle that volume, and has no impact on IPSec in any way.

15. 

☑ Answers A and D are correct. IPSec currently supports the SHA1 and MD5 hash algorithms.

☒ Answer B is incorrect because Wired Equivalent Privacy (WEP) is a security encryption measure used in 802.11 wireless networks (see Chapter 7 for more discussion on WLAN issues). Answer C is incorrect because AES is an emerging encryption standard that is favored by the US Government and is likely to see inclusion in a future 802.11 standard. AES uses the Rijndael symmetric encryption algorithm and is extremely secure.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162