Chapter 17 - Fundamentals of VPN Technology Flashcards Preview

Cisco CCNA Security (640-554) > Chapter 17 - Fundamentals of VPN Technology > Flashcards

Flashcards in Chapter 17 - Fundamentals of VPN Technology Deck (18)
Loading flashcards...

What are the two main types of VPNs?


  • Remote Access VPN - Can be over IPSec or SSL, usually for individual computers that are connecting to corporate networks.


  • Site to Site VPN - Connecting together two or more sites using IPSec over the Internet


What is one fundamental way that IPSec and SSL differ when it comes to VPN?

SSL implements security of TCP sessions at Layer 4. Can be used for remote access VPNs and for securing web traffic via HTTPS


IPSec implements security of IP packets at Layer 3 and can be used for site-to-site VPNs in addition to remote access VPNs.


What command would you use to see the MD5 digest of an IOS image file?

# verify /md5 flash:/c2800nm-mz.123-24-t4.bin



How does antireply help secure VPN traffic?

Once a VPN packet has been sent and accounted for, that exact same VPN packet is not valid the second time in the VPN session. This helps prevent anyone capturing packets from trying to build a VPN by replaying the packets over again to a remote peer.


What is a symmetrical encryption algorithm?

It is any encryption techonology that uses the same key or keys for both encryption and decryption of data.

Examples of symmetric algorithms are:

AES - Advanced Encryption Standard

DES - Digital Encryption Standard

3DES - Triple Digital Encryption Standard

IDEA - International Data Encryption Algorithm


RC2, RC4, RC5, RC6


What is the minimum key length that is considered "safe" for a symmetrical encryption algorithm?

The key length should always be at LEAST 80 bits.

128 bits is pretty standard.

More bits used = better encryption = more CPU utilization


When are Asymmetric key pairs generally used?

Asymmetric key pairs are commonly used for things such as authenticating VPN peers, or generating keying material that could be used for symmetrical algorithms.


What is a Hash?

A cryptographic hash function is a process that takes a block of data and creates a small fixed-sized hash value.

This is used for Data Integrity.


When a hash function is run on data, what is the resulting string called?

It is called either a Digest, message digest, or "the hash"


What are 3 popular types of hashes?

MD5 (message digest 5) - creates a 128-bit digest.

SHA-1 (Secure Hash Algorithm 1) - creates a 160-bit digest

SHA-2 (Secure Hash Algorithm 2) - options include hash between 224-bits and 512-bits.


What is a certificate authority (CA) used for?

A certificate authority (CA) is a trusted entity that hands out digital certificates.


What should you think of when you see the term "rsa-signatures"?

rsa-signatures are asocated with using digital certificates for authentication.


What is a keyspace?

Keyspace refers to all the possible key values for a key. The bigger the key, the more secure the algorithm will be. Extremely long keys will cause increased CPU usage for the encryption and decryption of data.


What is Diffie-Hellman key exchange?

Diffie-Hellman key exchange uses a pubic-private key pair algorithm, but creates shared secret keys that are used by symmetrical algorithms in an IPSec connection.


How is Hashed Message Authentication Code (HMAC) more secure than a standard hash?


HMAC uses keys so that a hash value can not be checked without the secret key. This way not just anyone can perform the hashing.


What is Diffie-Hellman actually used for?


DH uses a public-private key pair to asymmetrically create shared secrets (new keys) that are then used my symmetrical algorithms to pass data over a VPN quickly and with low overhead.

These keys are used by DES, 3DES, AES, IDEA


How does the MD5 Algorithm create a hash?

It takes a variable-length message and creates a 128bit message digest.


What configurations can SSL and IPSec be used for VPN's on Cisco ISR's and ASA's?

SSL clentless remote-access VPN's

SSL full-tunnel client remote-access VPN's

IPsec site-to-site VPNs

IPsec client remote-access VPNs

(NOTE: No SSL site-to-site VPNs!)