Lesson 16: Comparing WAN Links and Remote Access Methods Flashcards

1
Q

What is the function of a modem?

A

A modem performs modulation of outgoing signals and demodulation of incoming data, working only at the physical layer of the OSI model

2
Q

Define modulation

A

Process of converting data into electrical signals optimized for transmission

3
Q

Define demarcation point

A

Location that marks the end of the ISP's network and therefore the limit of the ISP's responsibility for maintaining it; the demarc is usually at the minimum point of entry (MPOE)

4
Q

Define DSL (Digital Subscriber Line)

A

ISP technology to implement broadband Internet access for subscribers by transferring data over voice-grade telephone lines

5
Q

What are the types of DSL (Digital Subscriber Line)

A
  1. Symmetrical DSL (SDSL)
  2. Asymmetrical DSL (ADSL)
6
Q

Define Symmetrical DSL (SDSL)

A

Provides the same downlink and uplink bandwidth; typically provided as business packages, rather than to residential customers

7
Q

Define Asymmetrical DSL (ADSL)

A

Consumer version of DSL that provides a fast downlink but a slow uplink, with the latest (ADSL2+) offering downlink rates up to about 24 Mbps and uplink rates up to 3.3 Mbps

8
Q

What are the benefits of satellite?

A

Larger coverage areas, especially to rural areas

9
Q

What type of cable can be used to connect a CSU/DSU to a smartjack, assuming a maximum link distance of 1m (3 feet)?

A

straight-through RJ-45

10
Q

Define remote access

A

The user's device does not make a direct cabled or wireless connection to the network; the connection occurs over or through an intermediate network, usually a public WAN

11
Q

What are useful policies to consider when implementing remote access?

A
  • Restricting access to defined users or groups.
  • Restricting access to defined times of day or particular days of the week.
  • Restricting privileges on the local network
  • Logging and auditing access logons and attempted logons.
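
The four policies above can be enforced and audited mechanically. The following is an added example, not part of the original flashcards: it evaluates constructed VPN logon records against an assumed policy (permitted users, permitted days and hours) and flags accounts with repeated failed logons, which is what the "logging and auditing" policy is for. Policy values, user names and timestamps are all invented for the demo.

```python
from datetime import datetime

# Constructed policy (assumption for the demo, not from the page).
POLICY = {
    "allowed_users": {"alice", "bob"},
    "allowed_days": {0, 1, 2, 3, 4},      # Monday=0 .. Friday=4
    "allowed_hours": range(7, 20),        # 07:00-19:59 local time
}

# Constructed logon records as a VPN server might log them: (timestamp, user, result).
LOGONS = [
    ("2024-03-11T09:15:00", "alice", "success"),    # Monday, in hours
    ("2024-03-11T23:40:00", "alice", "success"),    # Monday, outside hours
    ("2024-03-16T10:00:00", "bob", "success"),      # Saturday
    ("2024-03-12T08:05:00", "mallory", "failure"),  # account not permitted remote access
    ("2024-03-12T08:06:00", "mallory", "failure"),
    ("2024-03-12T08:07:00", "mallory", "failure"),
]

def evaluate(logon, policy=POLICY):
    """Return the list of policy rules a single logon violates (empty list = compliant)."""
    ts, user, _result = logon
    when = datetime.fromisoformat(ts)
    reasons = []
    if user not in policy["allowed_users"]:
        reasons.append("user-not-permitted")
    if when.weekday() not in policy["allowed_days"]:
        reasons.append("outside-allowed-days")
    if when.hour not in policy["allowed_hours"]:
        reasons.append("outside-allowed-hours")
    return reasons

def audit(logons, policy=POLICY, failure_threshold=3):
    """Return (violations keyed by record index, users whose failed logons reach the threshold).

    The second value is the auditing output: repeated failures against the remote
    access service are the classic sign of password guessing."""
    violations = {i: evaluate(rec, policy) for i, rec in enumerate(logons)}
    failures = {}
    for _ts, user, result in logons:
        if result == "failure":
            failures[user] = failures.get(user, 0) + 1
    suspicious = sorted(u for u, n in failures.items() if n >= failure_threshold)
    return {i: v for i, v in violations.items() if v}, suspicious

if __name__ == "__main__":
    for idx, reasons in audit(LOGONS)[0].items():
        print(LOGONS[idx], "->", ", ".join(reasons))
    print("repeated failures:", audit(LOGONS)[1])
```

Note that a compliant logon by a permitted user at 23:40 is still flagged: time-of-day restrictions are enforced on the event, not on the account.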
12
Q

Define a VPN (Virtual Private Network)

A

Secure tunnel created between two endpoints connected via the internet

13
Q

Define Point-to-Point protocol (PPP) for VPN

A

PPP is a layer 2 protocol that creates a direct link between two nodes (originally over dial-up). For VPN use, the PPP frames are encapsulated inside TCP/IP packets so they can be carried across the intermediate network; for example, PPTP carries PPP inside GRE and L2TP carries PPP inside UDP

14
Q

Define Generic Routing Encapsulation (GRE)

A

Tunneling protocol in which an unsupported data type (a layer 3 protocol that the intermediate network cannot route natively) is encapsulated in a GRE packet, which is in turn carried inside an outer IP packet (IP protocol number 47) addressed to the far-end router, which strips the outer headers and forwards the original packet
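
An added example (not from the original flashcards) that builds the encapsulation just described as real bytes: an inner IPv4 packet is wrapped in a 4-byte GRE header and then in an outer IPv4 header whose protocol field is 47, and a decapsulation routine reverses it. Addresses and the inner payload are constructed for the demo; the inner "TCP" payload is just placeholder bytes.

```python
import struct

GRE_PROTOCOL_NUMBER = 47   # IP protocol number for GRE in the outer IP header
ETHERTYPE_IPV4 = 0x0800    # GRE "protocol type" field uses Ethertype values
IPV4_MIN_HDR = 20

def ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))

def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options, no fragmentation) with a correct checksum."""
    total_len = IPV4_MIN_HDR + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """inner IP packet -> GRE header -> outer IP packet (protocol 47)."""
    # flags/version = 0: no checksum, key or sequence number; protocol type = IPv4
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTOCOL_NUMBER, gre_header + inner_packet)

def gre_decapsulate(packet):
    """Strip the outer IP and GRE headers; return (outer_src, outer_dst, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL_NUMBER:
        raise ValueError("outer packet is not GRE (protocol %d)" % packet[9])
    outer_src = ".".join(str(b) for b in packet[12:16])
    outer_dst = ".".join(str(b) for b in packet[16:20])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:   # C bit: checksum + reserved field present
        gre_len += 4
    if flags & 0x2000:   # K bit: key present
        gre_len += 4
    if flags & 0x1000:   # S bit: sequence number present
        gre_len += 4
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return outer_src, outer_dst, packet[ihl + gre_len:]

if __name__ == "__main__":
    inner = build_ipv4("10.1.1.5", "10.2.2.9", 6, b"placeholder TCP segment")
    outer = gre_encapsulate(inner, "203.0.113.1", "203.0.113.2")
    print("outer protocol:", outer[9], "total length:", len(outer))
    print(gre_decapsulate(outer))
```

Two points worth noticing in the bytes: the outer header is IP, not a layer 2 frame (the whole thing is then put in whatever frame the physical link uses), and nothing is encrypted. GRE on its own provides transport, not confidentiality or integrity, which is why it is normally paired with IPsec.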

15
Q

Define IP Security (IPSec)

A

Network protocol suite used to secure IPv4 and/or IPv6 communications through authentication and encryption as the data travels across the network or the Internet

16
Q

Define TLS (Transport Layer Security) in the network layer

A

Transport Layer Security (TLS) over TCP or datagram TLS (DTLS) over UDP can be used to encapsulate frames or IP packets

17
Q

What is a drawback from using TLS at the network layer?

A

TLS already operates above the transport layer (at the session layer in this model), so tunneling whole frames or IP packets inside it stacks the inner packet's headers on top of the outer IP, TCP (or UDP) and TLS headers, which adds up to a significant per-packet overhead. TLS over TCP also stalls the whole tunnel when one segment is lost (head-of-line blocking), which is one reason DTLS over UDP is often preferred for VPN traffic

18
Q

Define the client-to-site VPN topology

A

the VPN client connects over the public network to a VPN gateway (a VPN-enabled router) positioned on the edge of the local network (typically the VPN access server will be in a screened subnet); basic model for home/field workers

19
Q

What are the two types of client connections formed once a client is connected to a client-to-site VPN?

A
  1. Split tunnel
  2. Full tunnel
20
Q

Define a split tunnel VPN connection

A

VPN configuration where only traffic for the private network is routed via the VPN gateway

21
Q

Define a full tunnel VPN connection

A

VPN configuration where all traffic is routed via the VPN gateway

22
Q

Between split tunnel and full tunnel VPN connections, which is better for security?

A

Full tunnel offers better security, but the network address translations and DNS operations required may cause problems with some websites, especially cloud services. It also means more data is channeled over the link and the connection can exhibit higher latency
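
The difference between the two modes is nothing more than which routes the VPN client installs on the endpoint. The following added example (not from the original flashcards) models the two routing tables and does the longest-prefix match a host performs for each destination, so you can see exactly which traffic the corporate gateway gets to inspect in each case. The interface names, prefixes and the gateway address are assumptions made for the demo.

```python
import ipaddress

# Assumed public address of the corporate VPN gateway (constructed for the demo).
VPN_GATEWAY_PUBLIC_IP = "203.0.113.10"

# Routing tables as a VPN client would install them on a laptop with a physical
# interface eth0 and a tunnel interface tun0. Constructed, not from the page.
SPLIT_TUNNEL_ROUTES = [
    ("10.0.0.0/8", "tun0"),       # only the corporate private range goes through the VPN
    ("192.168.1.0/24", "eth0"),   # local LAN stays local
    ("0.0.0.0/0", "eth0"),        # everything else goes straight to the Internet
]
FULL_TUNNEL_ROUTES = [
    ("10.0.0.0/8", "tun0"),
    ("192.168.1.0/24", "eth0"),
    (VPN_GATEWAY_PUBLIC_IP + "/32", "eth0"),  # host route: the tunnel's own packets must not enter the tunnel
    ("0.0.0.0/0", "tun0"),        # default route via the VPN gateway
]

def next_hop_interface(routes, dst):
    """Longest-prefix match, as the host routing table does."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def classify_flows(routes, destinations):
    """Map each destination to the interface its traffic leaves on."""
    return {dst: next_hop_interface(routes, dst) for dst in destinations}

def monitored_by_corporate(routes, destinations):
    """Destinations whose traffic traverses tun0 and so passes the corporate gateway's controls."""
    return sorted(d for d, iface in classify_flows(routes, destinations).items() if iface == "tun0")

if __name__ == "__main__":
    dests = ["10.1.2.3", "198.51.100.7", "192.168.1.20", VPN_GATEWAY_PUBLIC_IP]
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, classify_flows(table, dests), "monitored:", monitored_by_corporate(table, dests))
```

The /32 host route for the gateway is the detail people forget when hand-building a full tunnel: without it the encrypted packets destined for the gateway would themselves match the default route into tun0 and the tunnel would never come up.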

23
Q

Define a clientless VPN

A

Using HTML5 features to implement remote desktop or VPN connections through ordinary browser software, with no VPN client installed on the endpoint (Citrix, for example)

24
Q

How do clientless VPNs function?

A

Using the WebSocket protocol, which lets the server and client communicate bidirectionally over a single persistent connection without issuing a separate HTTP request for each message

25
Q

Define a site-to-site VPN topology

A

Configured between the edge routers (VPN gateways) of two or more private networks; the tunnel is established and maintained by the gateways automatically, so clients on either network send traffic normally without any intervention

26
Q

How can an ISP create site-to-site VPNs?

A

A WAN service provider can implement VPNs via its network by using VLAN-like technology to isolate a customer’s data from other traffic.

27
Q

Define a screened subnet and its purpose

A

An edge subnet containing a VPN gateway and an edge router to screen and isolate traffic from an internal network with its own firewall

28
Q

What is the purpose of a VPN in a local network?

A

To secure communications between hosts or departments on the same local network, for example with IPsec in transport mode

29
Q

Define a hub and spoke VPN topology

A

A site-to-site VPN that involves more than two sites connects the remote sites (or spokes) to a headquarters site (hub) by using static tunnels configured between the hub and each spoke

30
Q

Define a VPN headend

A

Hub of the hub and spoke topology that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels

31
Q

What is the best method of installation for VPN headends

A

Headends are typically powerful routers installed in groups for load balancing and fault tolerance at the hub site; the routers at the remote (spoke) sites are referred to as branch office routers

32
Q

Define a dynamic multipoint VPN (DMVPN) and its purpose

A

Software-based mechanism that creates a mesh topology between multiple remote sites and allows VPNs to be built and deleted dynamically between two sites, effectively setting up direct VPNs, rather than the remote sites having to route traffic via the hub.

33
Q

How are dynamic multipoint VPNs (DMVPN) configured?

A

Each remote site's router still has a permanent IPsec-protected tunnel (multipoint GRE) to the hub router; the spoke-to-spoke tunnels are built on demand in addition to it

34
Q

How does a dynamic multipoint VPN (DMVPN) function?

A

If two remote sites (spokes) wish to communicate with one another, the spoke instigating the link informs the hub. The hub will provide the connection details for the other spoke facilitating a dynamic IPSec tunnel to be created directly between the two spokes.

35
Q

What routing and network protocols are used in dynamic multipoint VPN (DMVPN) configurations?

A

Next Hop Resolution Protocol (NHRP), which maps each spoke's tunnel address to its physical (NBMA) address so that destinations can be resolved, together with multipoint GRE (mGRE) tunneling

36
Q

What is the purpose of GRE in dynamic multipoint VPN (DMVPN) configurations?

A

GRE (multipoint GRE) carries the sites' traffic, including the multicast routing-protocol traffic that IPsec alone cannot carry; the GRE packets are then encrypted by IPsec (GRE over IPsec), not the other way round

37
Q

How does traffic flow between two spokes in a dynamic multipoint VPN (DMVPN) configuration?

A

The two remote sites use the physical communications links between the two locations but all traffic flows over the temporary, encrypted VPN tunnel setup between them.
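
The NHRP exchange behind cards 32 to 37, as an added example (not from the original flashcards, and not vendor code): a hub keeps a cache of tunnel-address to physical-address (NBMA) mappings learned when spokes register; when spoke A first sends to spoke B it asks the hub to resolve B, then builds a direct dynamic tunnel and stops hairpinning through the hub. Addresses are constructed. This is simplified: in a real DMVPN the hub may forward the resolution request to the target spoke, which replies directly, and the IPsec SA for the new tunnel is negotiated separately by IKE.

```python
class Hub:
    """Hub router acting as NHRP next-hop server."""
    def __init__(self, nbma, tunnel_ip):
        self.nbma, self.tunnel_ip = nbma, tunnel_ip
        self.nhrp_cache = {}   # tunnel IP -> NBMA (physical) address, learned from registrations

    def register(self, spoke):
        """NHRP Registration Request from a spoke over its permanent hub tunnel."""
        self.nhrp_cache[spoke.tunnel_ip] = spoke.nbma
        return ("REGISTRATION-REPLY", spoke.tunnel_ip)

    def resolve(self, target_tunnel_ip):
        """NHRP Resolution Request: answer with the target spoke's NBMA address (None if unknown)."""
        return ("RESOLUTION-REPLY", target_tunnel_ip, self.nhrp_cache.get(target_tunnel_ip))


class Spoke:
    """Branch office router with a static tunnel to the hub and dynamic tunnels to peers."""
    def __init__(self, name, nbma, tunnel_ip, hub):
        self.name, self.nbma, self.tunnel_ip, self.hub = name, nbma, tunnel_ip, hub
        self.tunnels = {hub.tunnel_ip: hub.nbma}   # permanent spoke-to-hub tunnel
        self.log = []
        hub.register(self)

    def send(self, dst_tunnel_ip, payload):
        """Return the NBMA address the packet is actually tunneled to."""
        if dst_tunnel_ip not in self.tunnels:
            _, _, nbma = self.hub.resolve(dst_tunnel_ip)
            if nbma is None:
                # unknown destination: nothing to build, forward via the hub
                self.log.append(f"{self.name}: {dst_tunnel_ip} unresolved, {len(payload)} bytes via hub")
                return self.hub.nbma
            self.tunnels[dst_tunnel_ip] = nbma   # dynamic spoke-to-spoke tunnel now exists
            self.log.append(f"{self.name}: direct tunnel to {dst_tunnel_ip} at {nbma}")
        return self.tunnels[dst_tunnel_ip]


if __name__ == "__main__":
    hub = Hub("203.0.113.1", "10.255.0.1")
    a = Spoke("A", "198.51.100.10", "10.255.0.2", hub)
    b = Spoke("B", "198.51.100.20", "10.255.0.3", hub)
    print(a.send(b.tunnel_ip, b"first packet"))    # resolved via hub, then direct
    print(a.send(b.tunnel_ip, b"second packet"))   # direct, no hub involvement
    print(a.log)
```

Every spoke-to-spoke tunnel the simulation records is an IPsec SA pair in practice, so a spoke's tunnel table here is a reasonable proxy for how much crypto state a branch router has to hold.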

38
Q

How does IPSec function at the host/client level?

A

Each host that uses IPsec must be assigned a policy; the two hosts must share at least one matching security method (protocols, algorithms and keying) for a connection to be established

39
Q

What are the two sub-protocols used in IPSec?

A
  1. Authentication Header (AH)
  2. Encapsulating Security Payload (ESP)
40
Q

How does IPSec operate with the Authentication Header (AH) sub-protocol when initiating a connection?

A

Computes a keyed cryptographic hash (HMAC) over the packet, including the immutable fields of the IP header (mutable fields such as TTL and the header checksum are zeroed before hashing), using a shared secret key known only to the communicating hosts, and places the resulting hash value (not the key itself) in the AH header as the Integrity Check Value (ICV)

41
Q

What is the function of the Authentication Header sub-protocol?

A

provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks

42
Q

How does IPSec operate with the Authentication Header (AH) sub-protocol when receiving a connection?

A

The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified

43
Q

What is the drawback to the Authentication Header (AH) sub-protocol?

A

The payload is not encrypted so this protocol does not provide confidentiality. Also, the inclusion of IP header fields in the ICV means that the check will fail across NAT gateways, where the IP address is rewritten

44
Q

What are the advantages of Encapsulating Security Payload (ESP) sub-protocol over Authentication Header (AH) sub-protocol?

A
  1. Provides confidentiality (encryption) and/or authentication and integrity
  2. Excludes the IP header when calculating the ICV, so the packet can traverse NAT gateways (with NAT traversal, the ESP packet is additionally wrapped in UDP port 4500 so the NAT device has ports to track)
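
The NAT behaviour from cards 40 to 44 can be reproduced directly. The following added example (not from the original flashcards, and not a real IPsec implementation) models the two integrity checks: the AH ICV is an HMAC over the immutable IP header fields plus the payload, while the ESP ICV covers only the ESP header and payload. ESP is shown with null encryption (authentication only, which RFC 2410 permits) so the example stays about integrity. A simulated NAT gateway then rewrites the source address and decrements the TTL. HMAC-SHA256 truncated to 128 bits and the key are assumptions for the demo; a real SA negotiates its algorithm and key through IKE.

```python
import hashlib
import hmac
import struct

KEY = b"assumed-sa-authentication-key"   # constructed; in reality derived by IKE

def ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))

def ip_header(src, dst, proto, ttl=64):
    return {"src": src, "dst": dst, "proto": proto, "ttl": ttl}

def ah_icv(hdr, payload):
    """AH: keyed hash over the immutable header fields (src, dst, protocol) and the payload.
    Mutable fields such as TTL are treated as zero, so a router decrementing TTL does not break it."""
    immutable = struct.pack("!4s4sB", ip_bytes(hdr["src"]), ip_bytes(hdr["dst"]), hdr["proto"])
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()[:16]

def ah_protect(hdr, payload):
    return {"ip": hdr, "ah_icv": ah_icv(hdr, payload), "payload": payload}

def ah_verify(pkt):
    return hmac.compare_digest(pkt["ah_icv"], ah_icv(pkt["ip"], pkt["payload"]))

def esp_protect(hdr, payload, spi=0x1001, seq=1):
    """ESP, null encryption: ICV covers SPI + sequence number + payload, never the IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:16]
    return {"ip": hdr, "esp_hdr": esp_hdr, "payload": payload, "esp_icv": icv}

def esp_verify(pkt):
    expect = hmac.new(KEY, pkt["esp_hdr"] + pkt["payload"], hashlib.sha256).digest()[:16]
    return hmac.compare_digest(pkt["esp_icv"], expect)

def nat_rewrite_source(pkt, new_src):
    """What a NAT gateway does on the way out: new source address, TTL decremented, everything else untouched."""
    out = dict(pkt)
    out["ip"] = dict(pkt["ip"], src=new_src, ttl=pkt["ip"]["ttl"] - 1)
    return out

if __name__ == "__main__":
    hdr = ip_header("192.168.1.20", "203.0.113.50", 51)
    ah = ah_protect(hdr, b"constructed payload")
    esp = esp_protect(dict(hdr, proto=50), b"constructed payload")
    print("AH  before NAT:", ah_verify(ah), " after NAT:", ah_verify(nat_rewrite_source(ah, "198.51.100.7")))
    print("ESP before NAT:", esp_verify(esp), "after NAT:", esp_verify(nat_rewrite_source(esp, "198.51.100.7")))
```

The ESP check surviving the rewrite is necessary but not sufficient for NAT to work: the NAT device still needs transport-layer ports to map, which is why ESP is wrapped in UDP 4500 by NAT traversal rather than sent as bare protocol 50.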
45
Q

How does IPSec differ between IPv4 and IPv6

A

In IPv6, AH and ESP are carried as extension headers (Next Header values 51 and 50); in IPv4 they are identified by the same IP protocol numbers (51 for AH, 50 for ESP) in the IP header. In both cases they either modify the original IP header (transport mode) or encapsulate the whole original packet behind a new header (tunnel mode)

46
Q

What does IPSec depend on for encryption and hashing?

A

IPSec's encryption and hashing keys derive from a shared secret between the two hosts; the secret must be exchanged securely and the hosts must mutually authenticate before it can be trusted, which is the job of IKE

47
Q

Define a Security Association (SA)

A

A Security Association (SA) establishes that two hosts trust one another (authenticate) and agree secure protocols and cipher suites to use to exchange data

48
Q

What is the purpose of the Internet Key Exchange (IKE) protocol?

A

Creates Security Associations (SAs) between hosts and handles authentication and key exchange. IKE runs over UDP port 500 (UDP port 4500 when NAT traversal is in use)

49
Q

What two modes can IPSec be utilized in?

A
  1. Transport mode
  2. Tunnel mode
50
Q

What is the purpose of IPSec in transport mode?

A

Used to secure communications between hosts on a private network.

51
Q

How does IPSec with Encapsulating Security Payload (ESP) sub-protocol function in transport mode?

A

When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data.

52
Q

How does IPSec with Authentication Header (AH) sub-protocol function in transport mode?

A

If AH is used in transport mode, it can provide integrity for the IP header.

53
Q

What is the purpose of IPSec in tunnel mode?

A

Used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation.

54
Q

How does IPSec with Encapsulating Security Payload (ESP) sub-protocol function in tunnel mode?

A

With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header

55
Q

How does IPSec with Authentication Header (AH) sub-protocol function in tunnel mode?

A

AH has no real use case in tunnel mode, as confidentiality will usually be required
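
Cards 50 to 55 contrast what transport and tunnel mode leave visible on the wire. The following added example (not from the original flashcards, and not a real IPsec implementation) builds an ESP packet both ways and reports what a passive observer on the path can read without the key. The encryption is a placeholder stream cipher derived from HMAC-SHA256 in counter mode, standing in for the AES modes real ESP uses (the standard library has no AES); the key, addresses and payload are constructed. The IP header is reduced to addresses plus protocol to keep the focus on the encapsulation.

```python
import hashlib
import hmac
import struct

KEY = b"assumed-esp-encryption-key"   # constructed; real ESP keys come from IKE
ESP = 50                              # IP protocol number for ESP
NEXT_HDR_TCP, NEXT_HDR_IPIP = 6, 4    # ESP trailer "next header": 6 = TCP, 4 = IP-in-IP (tunnel mode)

def ipb(addr):
    return bytes(int(x) for x in addr.split("."))

def keystream_xor(data: bytes, nonce: bytes) -> bytes:
    """Placeholder cipher: HMAC-SHA256 counter mode keyed by KEY. XOR is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(KEY, nonce + struct.pack("!I", off // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def pack_ip(src, dst, proto, payload):
    """Toy IP header: source, destination, protocol. Enough to show what stays in the clear."""
    return struct.pack("!4s4sB", ipb(src), ipb(dst), proto) + payload

def unpack_ip(pkt):
    src, dst, proto = struct.unpack("!4s4sB", pkt[:9])
    return ".".join(map(str, src)), ".".join(map(str, dst)), proto, pkt[9:]

def esp_transport(src, dst, proto, payload, spi=1, seq=1):
    """Transport mode: original header kept in clear; payload plus next-header byte encrypted."""
    esp_hdr = struct.pack("!II", spi, seq)                 # SPI + sequence number, also the nonce
    encrypted = keystream_xor(payload + bytes([proto]), esp_hdr)
    return pack_ip(src, dst, ESP, esp_hdr + encrypted)

def esp_tunnel(gw_src, gw_dst, inner_packet, spi=2, seq=1):
    """Tunnel mode: the entire inner packet is encrypted and a new gateway-to-gateway header is added."""
    esp_hdr = struct.pack("!II", spi, seq)
    encrypted = keystream_xor(inner_packet + bytes([NEXT_HDR_IPIP]), esp_hdr)
    return pack_ip(gw_src, gw_dst, ESP, esp_hdr + encrypted)

def observer_view(pkt):
    """What someone capturing on the path learns without the key."""
    src, dst, proto, _ = unpack_ip(pkt)
    return {"src": src, "dst": dst, "proto": proto}

def esp_decrypt(pkt):
    """Receiver side: return (plaintext, next_header) for either mode."""
    _, _, proto, body = unpack_ip(pkt)
    if proto != ESP:
        raise ValueError("not an ESP packet")
    esp_hdr, encrypted = body[:8], body[8:]
    plain = keystream_xor(encrypted, esp_hdr)
    return plain[:-1], plain[-1]

if __name__ == "__main__":
    inner = pack_ip("10.1.1.5", "10.2.2.9", NEXT_HDR_TCP, b"constructed segment")
    print("transport:", observer_view(esp_transport("10.1.1.5", "10.2.2.9", NEXT_HDR_TCP, b"constructed segment")))
    print("tunnel:   ", observer_view(esp_tunnel("203.0.113.1", "203.0.113.2", inner)))
```

In transport mode the observer still sees which two internal hosts are talking; in tunnel mode only the two gateways are visible and the inner addresses are part of the ciphertext. The sequence number doubling as the nonce is the reason ESP forbids reusing a sequence number within an SA: with a stream or counter-mode cipher a repeated nonce leaks the XOR of two plaintexts.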

56
Q

What are different types of interfaces used to connect to a managed appliance?

A
  1. Console port
  2. Aux port
  3. Management port
57
Q

How does a console port/interface function?

A

Requires connecting a device running terminal emulator software (a laptop, for instance) to the device via a separate physical interface using a special console (or rollover) cable. The terminal emulator can then be used to start a command line interface (CLI)

58
Q

How does a management port/interface function?

A

A virtual network interface and IP address are configured on the device for management functions, and the port must be enabled for this purpose. Connecting to the CLI remotely over this interface with Telnet (unsecure, cleartext) or Secure Shell (SSH) is referred to as using a virtual terminal.

59
Q

What is in-band management?

A

An in-band management link is one that shares traffic with other communications on the “production” network.

60
Q

What is out-of-band management?

A

Accessing the administrative interface of a network appliance using a separate network from the usual data network; console port or having management port on separate physical network

61
Q

What type of client-to-site VPN ensures that any traffic from the remote node can be monitored from the corporate network while the machine is joined to the VPN?

A

Full tunnel.

62
Q
A