|
Question 1.
You want to be able to monitor traffic directed at the Net Screen device itself. Once you configure this option, what command will allow you to view the log information?
A. get event
B. get log self
C. get log event
D. get log traffic
Answer: B
Question 2.
Net Screen devices generate SNMP traps when which events occur? (Select three)
A. cold starts
B. traffic alarms
C. warm reboots
D. traffic log events
E. self log events occur
Answer: A, B, C
Explanation:
Simple Network Management Protocol allows remote administrators to view data statistics on a Net Screen device. It also allows a Net Screen device to send information to a central server. Net Screen firewalls support SNMPv1 and SNMPv2c. It also supports the MIB II, or Management Information Base two standard groups. The SNMP agent supports sending the following traps:
Cold Start Trap
Trap for SNMP Authentication Failure
Traps for System Alarms
Traps for Traffic Alarms
By default, the SNMP manager has no configuration. This prevents unauthorized viewing of the system based upon default parameters. To configure your Net Screen device for SNMP you must configure community strings, SNMP host addresses, and permissions. In our configuration example, we will first set up the basic system information, then we will create a new community. This can be done from both the WebUI and the CLI. You can create up to three communities with up to eight IP ranges in each. An IP range can consist of a single host or a network. If you configure a network those defined IP addresses can only poll the device and not.
Question 3.
Which three elements are required to build a route-based VPN?
A. CREATE ROUTES
B. CREATE POLICIES
C. CREATE TUNNEL INTERFACES
D. CREATE ADDRESS BOOK ENTRIES
E. BIND VPN TO TUNNEL INTERFACES
Answer: A, C, E
Explanation:
Route-based VPNs
Route-based VPNs, like policy-based VPNs, can also use either manual key or autokey IKE, but are configured and function somewhat differently. Route-based VPNs do not make reference to a tunnel object, but rather the destination address of the traffic. When the Net Screen appliance performs a route lookup to see which interface it should use to send the traffic, it sees there is a route through a tunnel interface that is bound to a VPN tunnel and uses that interface to deliver the traffic.
There are some advantages to using a route-based VPN. Using route-based VPNs is a good way to conserve system resources. Unlike policy-based VPNs, you can configure multiple policies that allow or deny specific traffic to flow through a route-based VPN, and all of these policies will use a single security association.
Route-based VPNs also offer the ability to exchange dynamic routing information, such as border gateway protocol (BGP), on the tunnel interface.
Route-based VPNs allow you to create policies that have an action of deny, unlike policy-based VPNs.
Route-based VPNs also have different limitations than policy-based VPNs. With route-based VPNs, you are limited by one of two things: the number of route entries your appliance supports, or the number of tunnel interfaces your appliance supports, whichever of the two is the least.
Question 4.
What must be configured differently for a IKE Phase 1 gateway used by a route-based VPN than an IKE Phase 1 gateway for a policy-based VPN?
A. Proposals
B. Pre-shared key
C. Remote gateway type
D. Binding the tunnel interface
E. There are no differences in building a route based IKE gateway and a Policy based IKE
gateway
Answer: E
Explanation:
Policy-based VPNs
Policy-based VPNs are VPNs that route traffic based on specific policies within a Net Screen appliance.
Policy-based VPNs can be either manual key or autokey IKE. A policy-based VPN works based on specific criteria that a packet matches as it reaches the gateway. First, before you can create a policy-based VPN you must configure the VPN tunnel. After creating the VPN tunnel you then create a policy, choose the action Tunnel, and select the VPN object you configured earlier.
The action Tunnel works very similar to the Permit option, except it requires you to select a tunnel object that you have previously created so that it can properly handle the traffic. A policy-based VPN tunnel always permits the traffic so long as it matches all the criteria of the rule. With policy-based VPNs, each separate traffic policy will create its own security association, so using multiple policy-based VPNs will result in using more system resources. This is true even if the destination tunnel is the same for multiple policies.
Policy-based VPNs are best used in the following situations:
[1] When you do not need to filter specific traffic on the tunnel.
[1] When you are not using any dynamic routing protocols.
[1] When there is no need for conserving IPSec tunnels and security associations.
[1] When you are using the VPN tunnel in conjunction with a dialup VPN client.
With policy-based VPNs, you are limited in the number of tunnels you can create, depending on the number of tunnels the device can support. A sample of a configured policy using a VPN is shown in Figure 11.5.
Creating a Policy-Based Site-to-Site VPN
Suppose your company has two offices and wants to share resources among the two via a VPN. Let's create a policy-based site-to-site VPN that does just that.
Before we can begin, we need information about the sites. Site1 uses the network 192.168.0.0/24 and has a Net Screen appliance with a static address of 4.4.4.4. Site2 uses the network 10.10.10.0/24 and has a Net Screen appliance with a static address of 5.5.5.5.We will be using autokey IKE and the pre-shared key will be dgL-I2G#U438^*gyG(6t!. We also want to use Diffie-Hellman Group 2, AES-128, and SHA-1 for our encryption. Now that we have the necessary information, we can start to build our VPN tunnel.
First and foremost, we need to define our networks at each end of the tunnel. This can be done by accessing Objects | Address | List. Select New from the top of the screen. Choose a name for the address object, such as Site2, and then add the IP address, netmask, and zone. We also need to create an address object for the local network. Let's name it Trusted LAN (192.168.0.x).
Figure 11.6 shows the configuration page for the Site1 firewall. The configuration
for Site2 would also be completed as shown here, substituting the network address for Site1's local network in for the IP address. Like Site1, Site2's firewall would also contain an address object defining the local network.
Once we have added the addresses to the address book, we can configure our VPN gateways. To do this, select VPNS | AutoKey Advanced | Gateway. Select New from the top of the screen. Enter a name for the gateway.
Choose Custom for the Security Level, since we will be using pre-g2-aes128-sha. Later, we will configure this on the Advanced page of the gateway configuration. Since we know that Site2 has a static IP address of 5.5.5.5, we choose the default setting Static IP, and enter 5.5.5.5 in the available field. Now, enter the pre shared key into the field labeled Pre shared Key. We have completed the basic configuration for this end of the VPN tunnel, but we still need to set the correct proposals to be used. Click on the Advanced button to show the Advanced configuration page. Under Phase 1 Proposal, select pre-g2-aes128-sha. Because both endpoints have static IP
addresses, we should leave our Mode set to Main.
Once you have selected the correct proposal, scroll to the bottom of the page and select Return to go back to the basic configuration page. Once back at the basic configuration page, select OK to save the new gateway.
Figures 11.7 and
11.8 show the basic and advanced configuration pages completed with our settings.
To configure Site2's VPN gateway, we would use the same steps we just completed, substituting the address 4.4.4.4 as the Static IP.
Now that we've created the VPN Gateway, we need to create an AutoKey IKE entry that uses our gateway, and configure the security proposals for phase 2.
To do this, select VPNs | Auto Key IKE and select New from the top of the screen. Let's give the VPN a descriptive name, such as VPN To Site2. Again, we choose Custom as our security level. Access the drop-down menu to the right of Remote Gateway and choose the gateway we previously configured, To Site2. Click the Advanced button to bring up the advanced options for our IKE entry. Use the Phase 2 Proposal drop-down list to select g2-esp-aes128-sha. Click the Return button to go back to the basic configuration page. Choose OK to save the new IKE entry. Figures 11.9 and 11.10 show the basic and
advanced configuration pages for creating an AutoKey IKE entry.
Once we've completed the above steps, we need to create a policy allowing traffic to use the VPN. Click Policies. At the top of the page choose the options From:Trust To: Untrust and click New. Name the policy To / From Site2. Use the Source Address drop-down list to select the local network address book entry we defined earlier. Choose Site2 as the Destination Address from the drop-down menu. Since we want to allow all traffic to flow between the two sites, we will leave the Service as ANY. Choose the action Tunnel and select the IKE entry that we created earlier, VPN to Site2. Enable the Check the box to Modify matching bidirectional VPN policy. Also enable the Position at Top option. Figure 11.11 shows what our policy should look like once completed.
Keep in mind that the configuration for the other end of our tunnel can be completed as outlined above, but using Site1's network information in place of Site2's. Once both ends of the tunnel have been configured, the two Net Screen devices will negotiate security associations and establish a VPN tunnel. To the users, this process is transparent. In fact, most users only know they can use resources located at the order site; they have no clue as to what process allows them to do so.
Question 5.
Which statement is most correct in explaining weights and their use in this redundant VPN configuration?
Member 1 weight 3
Member 2 weight 2
Member 3 weight 1
A. Weight is not a valid configuration option for Redundant VPNs.
B. Weight is a distribution factor, Member 2 will carry 10 times the traffic of Member .
C. Weight is used to determine which VPN in the Group carries traffic, Member 2 will carry the
traffic.
D. Weight is used to determine which VPN in the group carries traffic, member 1 will carry the
traffic.
E. Weight is distribution value, Member 1 will carry the most traffic, while member 2 will carry 1/10
that amount.
Answer: D
Question 6.
You notice an unusually high number of emergency, alert and critical events being handled inefficiently.
You want the Net Screen device to send an email sent to three managers anytime a message of this level occurs.
What statement best reflects how you can accomplish your goals?
A. You can only configure a single e-mail recipient on the Net Screen device.
You cannot achieve your goal.
B. You can only configure two e-mail recipients on the Net Screen device.
You cannot achieve your goal.
C. You can configure up to five e-mail recipients on the Net Screen device.
You can achieve your goal.
D. You can only configure two e-mail recipients on the Net Screen device. If one of the names is a
distribution list on the e-mail server you can have all people contacted and achieve your goal.
Answer: D
Explanation:
E-mail and Log Settings E-mail messages can be used to alert administrators when an event is taking place
on a Net Screen device. In order to configure e-mail settings through the WebUI,
access Configuration | Report Settings | E-mail
Enable E-mail Notification for Alarms Enable this option to turn on support for e-mail alarms.
Include Traffic Log Traffic log information can also be sent to an email address.
SMTP Server Name The hostname or address of the SMTP (Simple Mail Transfer Protocol) server
that will be used to send alerts.
E-mail Address 1 and 2 Two addresses can be added for users to be notified.
The following example configures the options displayed in Figure 15.7 using
the command line.
set admin mail alert
set admin mail server-name mail.test.local
set admin mail mail-addr1 admin@test.local
So , we can only input 2 email addresses in email setting .
Question 7.
What two statements are correct when manage-ip and manager-ip setting are configured properly?
A. manage-ip is configured for each zone
B. manager-ip is configured for each zone
C. manage-ip limits who can manage a Net Screen device
D. manager-ip limits who can manage a Net Screen device
E. manage-ip is never used as a source address for traffic imitated by the Net Screen device
Answer: D, E
Question 8.
You suspect that there has been an increase in the number of multiple user authentication failures.
What Severity level would you search for in the logs to see this event?
A. Alert
B. Critical
C. Warning
D. Emergency
E. Notifications
Answer: A
Explanation:
Security Levels:
Emergency Includes attacks like SYN Attacks, Ping of Death, and Teardrop attacks.
Alert Multiple user authentication errors and attacks not classified as emergency.
Critical Traffic alarms, changes to high availability status, blocked URLs (Uniform Resource Locators).
Error Events like admin name and password changes.
Warning Logon failures, authentication failures, administrators that have logged on.
Notification Changes to link status and traffic logs.
Information Events not included in other categories.
Debugging Logs associated with debugging.
www.syngress.com
Question 9.
You suspect you are having encryption problems with an IKE VPN.
Which commands will allow you to see failed encryption attempts?
A. get counter screen
B. get counter flow interface
C. get counter policy
D. get counter statistics interface
Answer: B, D
Question 10.
What three steps should be taken to secure management access to the Net Screen device?
A. Set ping off
B. Enable SSH/SSL
C. Define Permitted IP
D. Set WebAuth values
E. Change name and password on the root administrator account
Answer: B, C, E
Explanation:
Management Services:
Web UI: Select this option to enable management through the Web user interface (WebUI).
SNMP: Select this option to enable the use of SNMP. The Net Screen device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.
Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.
SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the Net Screen device via the WebUI.
SSH: Select this option to enable management using a secure command shell (SCS). You can administer the Net Screen device from an Ethernet connection or a dial-in modem using SCS (which is SSH-compatible). To do this, you must have an SCS client that is compatible with Version 1.5 of the SSH protocol. These clients are available for Windows 95, Windows 98, Windows NT, Linux, and UNIX. The Net Screen device communicates with the SCS client through its built-in SCS server, which provides device configuration and management services.
NSM: Select this option to allow the interface to receive Net Screen-Security Manager 2004 (NSM) traffic.
Other Services:
Ping: Select this option to allow the Net Screen device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.
Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.
Web Auth: (Appears only when you enter and save a static IP address and net mask.) Select this option to enable Web Auth authentication through this interface. Enter the IP address of the Web Auth server performing the authentication.
Question 11.
Your VPN device has a dynamic address, and does not use an FQDN.
Which three do you need to configure on your device for a successful Phase I connection to your peer?
A. DNS
B. Peer id
C. Local id
D. Main mode
E. Aggressive mode
F. Static-ip of remote IKE peer
Answer: A, C, E
Explanation:
Dynamic Peers
Situations arise when a remote site does not have a static IP address (typical for home or small office sites). As a result, it is not possible to define the remote gateway's IP address for the purpose of VPN tunnel establishment. Net Screen firewalls provide a solution for this through the use of local and peer IDs.
By configuring a local ID on the initiating device with the dynamic IP address, the device presents this information to the recipient device when attempting to establish Phase 1 negotiation. The recipient device is configured to recognise this through a peer ID, and as a result, can accept the initiators current IP address.
! The Phase 1 mode of VPNs with Dynamic Peers must be set to aggressive.
Question 12.
Which two statements regarding Certificate Revocation Lists are correct?
A. The CRL is time stamped to identify revoked certificates
B. CRLs are maintained by independent agents to insure accuracy
C. A CRL contains the names and IP addresses of Certificates that have been revoked by the CA
D. New CRLs are issued on a regular, periodic basis, which could be hourly, daily, weekly
Answer: A, D
Question 13.
Which parameter is exchanged during Phase 2 negotiations?
A. Proxy-id
B. Certificates
C. Pre shared key
D. NAT-Transversal Data
E. Asymmetric Private Keys
Answer: A
Explanation:
Proxy-IDs
One of the most important yet overlooked aspects of a successful VPN setup is the proxy-ID. The proxy-ID determines which networks and services are permitted through the VPN. A proxy-ID is made up of the local network, remote network and service. Both end points of the VPN exchange their proxy-ID which needs to match for the Phase 2 negotiation to be complete. A proxy-ID can be extracted from a security policy if a Policy-based VPN is being used as the necessary proxy-ID information resides in the policy (source, destination and service). When a Route-based VPN is configured, a policy may not be necessary, and if so, may not necessarily contain the correct information in which to create the proxy-ID. As a result, the proxy-ID must always be manually entered when configuring Route-based VPNs.
!! Manually specifying a proxy-ID in a Policy-based VPN scenario will overwrite the proxy-ID automatically obtain from the security policy.
Phase 1
From our previous discussion you already know that phase 1 negotiations consist of exchanging proposals on how to authenticate and secure the communications channel. Phase 1 exchanges can be done in two modes: main mode or aggressive mode.
In main mode, three two-way exchanges, or six total messages, are exchanged. During a main mode conversation, the following is accomplished:
_ First exchange Encryption and authentication algorithms for communications are proposed and accepted.
_ Second exchange A Diffie-Hellman exchange is done. Each party exchanges a randomly generated number, or nonce.
_ Third exchange Identities of each party are exchanged and verified.
Note:
In the third exchange, identities are not passed in the clear. The identities are protected by the encryption algorithm agreed upon in the exchange of the first two sets of messages.
In aggressive mode, the same principle objectives are completed, but are done so in a much shorter conversation. Phase 1 negotiations in aggressive mode only require that two exchanges be made, and that a total of three messages are exchanged. An aggressive mode conversation follows the following pattern:
_ First message The initiating party proposes the security association, starts a Diffie-Hellman exchange, and sends its nonce and IKE identity to the intended recipient.
_ Second message During the second message, the recipient accepts the proposed security association, authenticates the initiating party, sends its generated nonce, IKE identity, and its certificate if certificates are being used.
_ Third message During the third message, the initiator authenticates the recipient, confirms the exchange, and if using certificates, sends its certificate.
In an aggressive mode exchange, the identities of communicating parties are not protected. This is because the identities are sent during the first two messages exchanged prior to the tunnel being secured. It is also important to note that a dialup VPN user must use aggressive mode to establish an IKE tunnel.
Notes from the Underground...
What is Diffie-Hellman?
The Diffie-Hellman (DH) key exchange protocol, invented in 1976 by Whitfield Diffie and Martin Hellman, is a protocol allowing two parties to generate shared secrets and exchange communications over an insecure medium without having any prior shared secrets. The Diffie-Hellman protocol is consists of five groups of varying strength modulus. Most VPN gateways support DH Groups 1 and 2. Net Screen appliances, however, support groups 1, 2, and 5. The Diffie-Hellman protocol alone is susceptible to man-in-the-middle attacks, however. Although the risk of an attack is low, it is recommended that you enable Perfect Forward Secrecy (PFS) as added security when defining VPN tunnels on your Net Screen appliance.
For more information on the Diffie-Hellman protocol, see
www.rsasecurity.com/rsalabs/node.asp?id=2248 and RFC 2631
at ftp://ftp.rfc-editor.org/in-notes/rfc2631.txt
Phase 2
Once phase 1 negotiations have been completed and a secure tunnel has been established, phase 2 negotiations begin. During phase 2, negotiation of security associations of how to secure the data being transmitted across the tunnel is completed.
Phase 2 negotiations always involve the exchange of three messages.
Phase 2 proposals include encryption and authentication algorithms, as well as a security protocol. The security protocol can either be ESP or AH. Phase 2 proposals can also specify whether or not to use PFS and a Diffie-Hellman group to employ. PFS is a method used to derive keys that have no relation to any previous keys.Without PFS, phase 2 keys are generally derived from the phase 1 SKEYID_d key. If an attacker was to acquire the SKEYID_d key, all keys derived from this key could be compromised. During phase 2 each side also offers its proxy ID. Proxy IDs are simply the local IP, the remote IP, and the service. Both proxy IDs must match. For example, if 1.1.1.1 and 2.2.2.2 are using the SMTP (Simple Mail Transfer Protocol) service, then
the proxy ID for 1.1.1.1 would be 1.1.1.1-2.2.2.2-25 and for 2.2.2.2 it would be 2.2.2.2-1.1.1.1-25.
Damage & Defense...
Key Lifetime - Short vs Long and PFS
When planning your VPN deployment, consideration should be given to the key lifetime and perfect forward secrecy in relation to security. Since enabling PFS requires additional processing time and resources some administrators choose not to use it, instead opting for a shorter key lifetime. This, however, can be a bad practice. If a successful man-in-the-middle attack were able to discover the SKEYID_d key, all keys derived from this key could be compromised. Enabling PFS, even with a longer key life, is actually a more secure practice than having a short key life with no PFS.
Question 14.
Exhibit:
Based on the exhibit, Net Screen A is using a route-based VPN configuration.
What two things are “required” on Net Screen A to successfully establish a VPN?
(Both device have static IP addresses)
A. Proxy-ID
B. Peer address of 1.1.2.5
C. Local ID of 1.1.1.1
D. IKE Phase 1 aggressive mode
E. Tunnel interface with an address in the 1.1.2.0/24 subnet
Answer: A, B
Question 15
When using a route-based VPN, what is the default proxy-id for the source address?
A. 0.0.0.0/0
B. 0.0.0.0/32
C. The source address of the first packet through the VPN
D. The source address of the final Phase 2 packet from the initiator
Answer: A
Question 16.
Which is a valid Phase 2 IKE proposal?
A. pre-g1 –des-md5
B. rsa-g2 3des-sha
C. g2-esp-3des-md5
D. g2-esp-aes120-md5
Answer: C
|
Question 1. Digital identities for logging onto SaaS solutions should be issued by all the following EXCEPT: A. A third-party identity provider. B. The customer organization. C. The SaaS provider. D. A user. Answer: D Explanation: Question 2. Why is it important to consider the cloud ecosystem when developing applications? A. Cloud providers will do application development. B. The development process needs to change. C. The role of the IT department will change. D. This can speed up the development process. Answer: D Explanation: Question 3. Which of the following actions should a company take if a cloud computing provider ceases to uphold their contract? A. Consult the company's exit plan. B. Move the company data to the backup provider that was selected earlier. C. Re-host all critical applications on the company's internal servers. D. Evaluate the company's strategic options for an alternative provider Answer: A Explanation: Question 4. Which of the following consequences does IT outsourcing and cloud computing have in common? A. Involvement of external staff B. Improved flexibility C. Reduced expense D. Shorter time to market Answer: A Explanation: Question 5. Which of the following is an important new skill for an IT organization to develop in the context of cloud computing? A. Provisioning services B. Incident management C. Technology upgrade monitoring D. Security and risk management Answer: A Explanation: Question 6. Which of the following is the function of orchestration services? A. Assemble functional requirements for application development B. Configure application clusters with Web services C. Enable and disable load balancers D. Manage the starting and stopping of application server clusters Answer: D Explanation: Question 7. Which of the following is a reason for business users lo be interested in cloud computing? A. Desire for vendor lock-in reduction B. Desire for improved security C. Desire for improved user experience D. Desire for reducing compliance issues Answer: C Explanation: Question 8. Which of the following is important to standardize? A. Information standards and applications B. User names and hardware providers C. Virtual machine images and applications D. Virtual machine images and identity information standards Answer: D Explanation: Question 9. Cloud computing _____________capital cost to variable cost. A. increases B. reduces C. shifts D. equates Answer: C Explanation: Question 10. Privacy is the right of________ to selectively disclose information about _________ and restrict the further use of that information by any party. A. companies, others B. companies, themselves C. individuals, others D. individuals, themselves Answer: D Explanation:
Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.