CISSP PRACTICE QUESTIONS – 20200802

Effective CISSP Questions

You’re implementing IPsec to protect data in transit. Which of the following is the least feasible through IPsec? (Source: Wentz QOTD)
A. Build a virtual data link over frame relay to connect two remote offices
B. Secure TFTP traffic that updates the firmware of network devices
C. Protect traffic between browsers and the enterprise information portal over LAN
D. Authenticate security gateways that establish the tunnel between two remote offices


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Build a virtual data link over frame relay to connect two remote offices.

[Figure: Top Level IPsec Processing Model (after RFC 4301, Figure 1)]

IPsec secures IP traffic at the IP layer; in other words, it works at the network layer (layer 3). Frame relay is a packet-switching WAN service that connects multiple sites into an enterprise network through permanent or switched virtual circuits (PVCs or SVCs), and those virtual circuits are data link (layer 2) constructs. IPsec therefore cannot build a layer-2 virtual data link: it operates on IP packets, and a frame relay circuit is the link those packets ride over. An enterprise whose branches are already connected by frame relay does not need IPsec merely to connect them. However, if confidentiality and integrity across the carrier network are a priority, the IP traffic carried over the frame relay intranet can be protected with IPsec. Option A is thus the least feasible; the other three options are ordinary IPsec use cases.

There are three common application scenarios of IPsec:

  1. Gateway-to-gateway: site-to-site VPN that connects two locations
  2. Host-to-gateway: dial-up VPN that connects a remote user to an enterprise network
  3. Host-to-host: end-to-end security that protects traffic among hosts (client/server)

Host-to-host IPsec

  • It's common to download firmware and update network devices through TFTP, which runs over UDP and has no security of its own. In organizations where this is a concern, the TFTP traffic can be protected by IPsec between the administrator's host and the device (option B).
  • HTTP traffic between a browser and the enterprise information portal can be protected by IPsec as well (option C); it is IP traffic, so it qualifies whether it crosses the LAN or a WAN.

RFC 4301 defines two types of SAs, transport mode and tunnel mode: "IKE creates pairs of SAs, so for simplicity, we choose to require that both SAs in a pair be of the same mode, transport or tunnel." (RFC 4301)

Internet Key Exchange (IKE)

IPsec communicates with a peer host or gateway through security associations (SAs). IKE first establishes a single IKE SA, which is bidirectional and protects the negotiation itself; it then negotiates the IPsec SAs (Child SAs) that carry the data. IPsec SAs are one-way, so they are always created in pairs, one inbound and one outbound, each identified by its own SPI. IKEv1 does this in two phases (IKEv2 uses the IKE_SA_INIT/IKE_AUTH and CREATE_CHILD_SA exchanges for the same purposes):

  • Phase 1 establishes the IKE SA, authenticating the peers and agreeing on keys, so that Phase 2 can proceed securely. This is where option D, authenticating the security gateways at each end of the tunnel, is done.
  • Phase 2 establishes the IPsec SA pair (Child SAs).
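The two-phase structure above, as an added example that is not part of the original post: a toy model in which Phase 1 produces one shared IKE SA secret (SK_d) on both sides, and Phase 2 uses it to derive a pair of one-way Child SAs with distinct SPIs and keys. The derivation follows the shape of IKEv2's SKEYSEED and prf+ (RFC 7296), but the DH group, the peer names and the omission of authentication, proposals and Phase 2 PFS are simplifications for illustration; this is not wire-compatible with any IKE implementation.

```python
"""Toy model of the IKE two-phase structure: Phase 1 (IKEv2 IKE_SA_INIT/IKE_AUTH)
yields one shared IKE SA, whose SK_d seeds Phase 2 (IKEv2 CREATE_CHILD_SA), which
yields a PAIR of one-way IPsec (Child) SAs. Added illustration with a toy DH group;
not wire-compatible IKE, and authentication, proposals and Phase 2 PFS are omitted."""
import hashlib
import hmac
import secrets

TOY_P = 2**127 - 1   # toy modulus (a Mersenne prime); real IKE uses RFC 3526 MODP or ECP groups
TOY_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


class Peer:
    def __init__(self, name: str):
        self.name = name
        self.ike_spi = secrets.token_bytes(8)        # IKE SA SPI chosen by this side
        self.nonce = secrets.token_bytes(32)
        self._x = secrets.randbelow(TOY_P - 2) + 2   # private DH exponent, never sent
        self.dh_pub = pow(TOY_G, self._x, TOY_P)     # sent in the clear in Phase 1
        self.sk_d = None                             # IKE SA secret that seeds Child SAs

    def phase1(self, spi_i, spi_r, n_i, n_r, peer_dh_pub) -> bytes:
        """Phase 1: from the exchanged SPIs, nonces and DH values both sides compute
        the same SKEYSEED, hence the same keys for the single bidirectional IKE SA."""
        shared = pow(peer_dh_pub, self._x, TOY_P).to_bytes(16, "big")
        skeyseed = prf(n_i + n_r, shared)
        # IKEv2 derives SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr here; only SK_d is kept.
        self.sk_d = prf_plus(skeyseed, n_i + n_r + spi_i + spi_r, 32)
        return self.sk_d

    def phase2(self, n_i, n_r, initiator: bool, spi_i2r, spi_r2i, key_len=32) -> dict:
        """Phase 2: KEYMAT from SK_d and fresh nonces, split into one key per direction.
        The result is two one-way IPsec SAs, each with its own SPI and key."""
        keymat = prf_plus(self.sk_d, n_i + n_r, 2 * key_len)
        k_i2r, k_r2i = keymat[:key_len], keymat[key_len:]   # initiator->responder first
        if initiator:
            return {"outbound": (spi_i2r, k_i2r), "inbound": (spi_r2i, k_r2i)}
        return {"outbound": (spi_r2i, k_r2i), "inbound": (spi_i2r, k_i2r)}


def negotiate():
    """Run both phases between a remote host (initiator) and a gateway (responder).
    Returns (host, gateway, host_child_sas, gateway_child_sas)."""
    host, gw = Peer("remote-host"), Peer("security-gateway")
    # Phase 1: SPIs, nonces and DH public values cross the wire; exponents do not.
    host.phase1(host.ike_spi, gw.ike_spi, host.nonce, gw.nonce, gw.dh_pub)
    gw.phase1(host.ike_spi, gw.ike_spi, host.nonce, gw.nonce, host.dh_pub)
    # Phase 2: fresh nonces; each side picks the SPI of the SA it will RECEIVE on.
    n_i, n_r = secrets.token_bytes(32), secrets.token_bytes(32)
    spi_r2i = secrets.token_bytes(4)   # chosen by the host
    spi_i2r = secrets.token_bytes(4)   # chosen by the gateway
    child_host = host.phase2(n_i, n_r, True, spi_i2r, spi_r2i)
    child_gw = gw.phase2(n_i, n_r, False, spi_i2r, spi_r2i)
    return host, gw, child_host, child_gw
```

Running `negotiate()` shows the property the text states: one IKE SA secret shared by both sides, and a Child SA pair in which the host's outbound SA is exactly the gateway's inbound SA and vice versa, with different SPIs and keys in each direction.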

Transport Mode

A transport mode SA is an SA typically employed between a pair of hosts to provide end-to-end security services.

When security is desired between two intermediate systems along a path (vs. end-to-end use of IPsec), transport mode MAY be used between security gateways or between a security gateway and a host.

  • In the case where transport mode is used between security gateways or between a security gateway and a host, transport mode may be used to support in-IP tunneling (e.g., IP-in-IP [Per96] or Generic Routing Encapsulation (GRE) tunneling [FaLiHaMeTr00] or dynamic routing [ToEgWa04]) over transport mode SAs.
  • To clarify, the use of transport mode by an intermediate system (e.g., a security gateway) is permitted only when applied to packets whose source address (for outbound packets) or destination address (for inbound packets) is an address belonging to the intermediate system itself.

The access control functions that are an important part of IPsec are significantly limited in this context, as they cannot be applied to the end-to-end headers of the packets that traverse a transport mode SA used in this fashion. Thus, this way of using transport mode should be evaluated carefully before being employed in a specific context. (RFC 4301)
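The layer-3 argument in the explanation, the host-to-host TFTP and HTTP cases, and the RFC 4301 transport-mode rule quoted above, as one added example that is not part of the original post or of any IPsec implementation: a toy outbound IPsec processing model with an ordered security policy database (SPD), transport-mode and tunnel-mode encapsulation, and the rule that an intermediate system may only use transport mode for packets it originated. All addresses, SPIs and policies are constructed for the example; a frame relay frame never reaches this code because it has no IP header to select on.

```python
"""Toy model of IPsec outbound processing on one node: ordered SPD lookup (RFC 4301
first match, default DISCARD), then transport- or tunnel-mode encapsulation.
Added illustration, not IPsec stack code; all addresses, SPIs and policies are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """IP-layer view IPsec selects on. A frame relay frame has no IP header at all."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class SA:
    """One outbound IPsec SA; SAs are one-way, the inbound twin is negotiated with it."""
    spi: int
    mode: str    # "transport" or "tunnel"
    local: str   # address of the IPsec implementation owning this SA
    peer: str    # peer host or security gateway


@dataclass(frozen=True)
class SPDEntry:
    src_net: str
    dst_net: str
    action: str                  # "PROTECT", "BYPASS" or "DISCARD"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    sa: Optional[SA] = None      # required for PROTECT

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def spd_lookup(spd: list, pkt: Packet) -> SPDEntry:
    """First match wins; RFC 4301 discards traffic that matches no entry."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return SPDEntry("0.0.0.0/0", "0.0.0.0/0", "DISCARD")


def encapsulate(pkt: Packet, sa: SA, my_addrs: set) -> dict:
    """Transport mode keeps the original IP header (end-to-end addresses stay visible
    to the peer's access control); tunnel mode adds an outer header between the
    tunnel endpoints, so only the gateway addresses are seen on the path."""
    if sa.mode == "transport":
        # RFC 4301: an intermediate system (e.g. a security gateway) may use
        # transport mode only for packets whose source address is its own.
        if pkt.src not in my_addrs:
            raise ValueError(f"transport mode refused: {pkt.src} is not a local address")
        return {"outer": (pkt.src, pkt.dst), "spi": sa.spi, "inner": None,
                "protected": (pkt.proto, pkt.dport)}
    if sa.mode == "tunnel":
        return {"outer": (sa.local, sa.peer), "spi": sa.spi, "inner": (pkt.src, pkt.dst),
                "protected": (pkt.proto, pkt.dport)}
    raise ValueError(f"unknown SA mode {sa.mode!r}")


def process_outbound(spd: list, pkt: Packet, my_addrs: set) -> Optional[dict]:
    """Wire layout for `pkt`, or None when policy discards it."""
    entry = spd_lookup(spd, pkt)
    if entry.action == "DISCARD":
        return None
    if entry.action == "BYPASS":
        return {"outer": (pkt.src, pkt.dst), "spi": None, "inner": None, "protected": None}
    return encapsulate(pkt, entry.sa, my_addrs)


# Constructed scenario (hypothetical addresses).
HOST, TFTP_SERVER, PORTAL = "10.0.1.10", "10.0.1.250", "10.0.1.20"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"   # the two offices' security gateways
HOST_SPD = [   # host-to-host: firmware TFTP (UDP/69) and the portal (TCP/80)
    SPDEntry(HOST, TFTP_SERVER, "PROTECT", "udp", 69, SA(0x1001, "transport", HOST, TFTP_SERVER)),
    SPDEntry(HOST, PORTAL, "PROTECT", "tcp", 80, SA(0x1002, "transport", HOST, PORTAL)),
    SPDEntry("10.0.1.0/24", "10.0.1.0/24", "BYPASS"),   # other LAN traffic in the clear
]
GATEWAY_SPD = [   # gateway-to-gateway: one tunnel carrying the whole site-to-site flow
    SPDEntry("10.0.1.0/24", "10.0.2.0/24", "PROTECT", sa=SA(0x2001, "tunnel", GW_A, GW_B)),
]


def host_tftp_update() -> dict:
    return process_outbound(HOST_SPD, Packet(HOST, TFTP_SERVER, "udp", 69), {HOST})


def site_to_site() -> dict:
    return process_outbound(GATEWAY_SPD, Packet("10.0.1.10", "10.0.2.30", "tcp", 80), {GW_A})


def gateway_transport_refused() -> bool:
    """A gateway must not put transit traffic on a transport-mode SA (RFC 4301)."""
    try:
        encapsulate(Packet("10.0.1.10", "10.0.2.30", "tcp", 80),
                    SA(0x2002, "transport", GW_A, GW_B), {GW_A})
    except ValueError:
        return True
    return False
```

The two results differ exactly where the question's options do: `host_tftp_update()` keeps the host and TFTP server as the outer addresses with no inner header (transport mode between hosts), while `site_to_site()` shows only the two gateways on the outside and the original LAN addresses inside (tunnel mode). `gateway_transport_refused()` exercises the RFC 4301 restriction that a gateway may not apply transport mode to traffic it merely forwards.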

Reference

  • RFC 4301, Security Architecture for the Internet Protocol, S. Kent and K. Seo, December 2005

Chinese version of the question (translated):

You are implementing IPsec to protect data in transit. Which of the following is the least feasible through IPsec?
A. Build a virtual link over Frame Relay to connect two remote offices
B. Authenticate the security gateways that provide the tunnel between two remote offices
C. Protect traffic between browsers and the enterprise information portal (EIP) over the LAN
D. Protect the TFTP traffic used to update the firmware of network devices


A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

1 thought on “CISSP PRACTICE QUESTIONS – 20200802”

  1. Answer? Guessing Protect traffic between browsers and the enterprise information portal over LAN, as browsers don’t operate at layer 2.