GCGA Ch. 4 Using VPNs for Remote Access Flashcards
(11 cards)
VPN
Virtual private network - provides access to private networks via a public network, such as the Internet. IPsec is a common tunneling protocol used with VPNs, and it secures traffic within a tunnel. IPsec provides authentication and integrity with an Authentication Header (AH). Encapsulating Security Payload (ESP) encrypts VPN traffic and provides confidentiality, integrity, and authentication.
IPsec Tunnel mode
encrypts the entire IP packet used in the internal network. IPsec Transport mode only encrypts the payload and is commonly used in private networks, but not with VPNs. A full tunnel encrypts all traffic after a user has connected to a VPN. A split tunnel only encrypts traffic destined for the VPN’s private network.
Site-to-site VPNs
provide secure access between two networks. These can be on-demand VPNs or always-on VPNs. Mobile devices can also use always-on VPNs to protect traffic when users connect to public hotspots. Other protocols used with VPNs include TLS, L2TP, and HTML5.
NAC
Network access control (NAC) inspects clients for specific health conditions such as up-to-date antivirus software, and can redirect unhealthy clients to a remediation network. A permanent NAC agent (sometimes called a persistent NAC agent) is installed on the client and stays on the client. A dissolvable NAC agent is downloaded and run on the client when the client logs on and is deleted after the session ends.
Agentless NAC system
will scan systems remotely instead of installing an agent on the system.
Remote access authentication
used when a user accesses a private network from a remote location, such as with a VPN connection.
PAP
Password Authentication Protocol - uses a password or PIN for authentication. A significant weakness is that PAP sends passwords across a network in cleartext.
CHAP
Challenge Handshake Authentication Protocol - more secure than PAP and uses a handshake process when authenticating clients.
RADIUS
Remote Authentication Dial-In User Service - provides central authentication for multiple remote access services. RADIUS relies on the use of shared secrets and, by default, only encrypts the password during the authentication process. It can be used with EAP to encrypt the entire session.
Cisco TACACS+
Terminal Access Controller Access Control System Plus - used as an alternative to RADIUS. TACACS+ uses TCP, encrypts the entire authentication process, and supports multiple challenges and responses.
AAA protocols
RADIUS and TACACS+ are authentication, authorization, and accounting (AAA) protocols.