CISSP PRACTICE QUESTIONS – 20210617

Effective CISSP Questions

To mitigate the impact of the pandemic of COVID-19, your company decides to have half of the employees work from home (WFH), who have to connect to the VPN server using L2TP/IPsec to access the intranet resources securely. Which of the following is the best configuration required to support the WFH initiative? (Wentz QOTD)
A. AH
B. ESP
C. Tunnel mode
D. Network Address Translation-Traversal (NAT-T)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. ESP.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

IPSec Protocols and Modes

All four options in this question are elements of an IPsec deployment, but we have to select the best and required configuration. Our security objective is to access intranet resources securely, which means confidentiality and integrity must be enforced for data in transit (availability is a property of the VPN service as a whole, not of any one IPsec option). ESP provides both: it encrypts the payload and authenticates it with an Integrity Check Value (ICV) computed with a MAC, so tampering is detected before decryption; it also offers anti-replay protection. RFC 4301 makes ESP support mandatory for every IPsec implementation, and RFC 3193, which defines L2TP over IPsec, relies on ESP to protect the L2TP traffic.

IPsec is a framework in which a suite of protocols collaborate to provide security services, e.g., AH, ESP, and IKE. AH provides integrity and data-origin authentication (with optional anti-replay) but not confidentiality: its ICV covers the payload together with the immutable fields of the IP header, including the source and destination addresses, and nothing is encrypted. RFC 4301 makes AH optional for IPsec implementations, while ESP support is required.

Tunnel mode and transport mode describe how the protected packet is encapsulated, i.e., whether a whole inner IP packet or only its transport-layer payload is wrapped, not whether it is protected; confidentiality and integrity come from ESP (or integrity alone from AH) in either mode. Tunnel mode is the common choice for gateway-to-gateway VPNs, but it is not required here: with L2TP/IPsec the L2TP layer already provides the tunnel, and RFC 3193 runs the IPsec SA in transport mode to protect the L2TP/UDP traffic. Transport mode is likewise sufficient when an enterprise exposes a hardened virtual desktop infrastructure (VDI) server that terminates the VPN and is accessed directly by the clients.

NAT devices are ubiquitous, especially on home networks. Network Address Translation-Traversal (NAT-T), which detects NAT during IKE (RFC 3947) and encapsulates ESP in UDP port 4500 (RFC 3948), is crucial in practice and must be supported by both VPN peers. Note that only ESP can be carried this way: the AH ICV covers the source and destination addresses that a NAT rewrites, so AH fails verification behind NAT regardless of NAT-T. However, this question focuses on the server configuration and doesn’t mention whether the VPN server is deployed behind a NAT device, so NAT-T is a topology-dependent requirement rather than the best answer.
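The coverage difference between the AH and ESP integrity checks discussed above, and why it matters once a NAT sits between the WFH client and the VPN server, can be shown with a small model. This is an added example, not code from the original post: it builds minimal IPv4, AH and ESP packets in transport mode, uses HMAC-SHA256 as the ICV and an HMAC-based keystream as a dependency-free stand-in for the AES cipher a real SA would negotiate, and uses constructed keys, documentation addresses and a made-up L2TP payload. Field layouts are simplified; it is not an RFC 4302/4303 implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

IP_PROTO_IPIP = 4    # ESP "next header" in tunnel mode: payload is a whole IP packet
IP_PROTO_UDP = 17    # ESP/AH "next header" in transport mode carrying L2TP over UDP
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
ICV_LEN = 32

# Constructed demo keys; a real SA gets its keys from IKE.
AUTH_KEY = b"\x11" * 32
ENC_KEY = b"\x22" * 32


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero (not needed for the demo)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_covered_header(hdr):
    """AH ICV input for the IP header (RFC 4302 3.3.3.1): mutable fields zeroed.
    DSCP/ECN, flags/fragment offset, TTL and checksum legitimately change in flight,
    so they are zeroed; addresses, length, ID and protocol stay covered."""
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IPV4_FMT, *f)


def icv(data):
    """Integrity Check Value: HMAC-SHA256 (full 32 bytes; real SAs truncate to 96/128 bits)."""
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()


def keystream_xor(data, spi, seq):
    """Stand-in for the ESP cipher: XOR with an HMAC-SHA256 counter keystream bound to
    SPI and sequence number. A real SA uses AES-CBC or AES-GCM; this only keeps the
    example free of third-party packages. The same call decrypts."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(ENC_KEY, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


def ah_protect(src, dst, payload, next_hdr, spi=0x100, seq=1):
    """Transport-mode AH: IP(51) | AH(next, len, rsvd, SPI, seq, ICV) | payload in the clear."""
    ah_len = 12 + ICV_LEN
    ip = ipv4_header(src, dst, IP_PROTO_AH, ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    tag = icv(ah_covered_header(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip + ah_fixed + tag + payload


def ah_verify(pkt):
    """True if the ICV matches the received IP header (immutable fields), AH header and payload."""
    ip, ah_fixed, tag, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = icv(ah_covered_header(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(tag, expected)


def esp_protect(src, dst, payload, next_hdr, spi=0x200, seq=1):
    """Transport-mode ESP: IP(50) | SPI | seq | E(payload | pad_len | next_hdr) | ICV.
    The ICV covers SPI through ciphertext only; the outer IP header is never covered.
    Tunnel mode is the same construction with next_hdr=IP_PROTO_IPIP and a whole
    inner IP packet as the payload."""
    trailer = payload + struct.pack("!BB", 0, next_hdr)   # pad_len=0 for simplicity
    body = struct.pack("!II", spi, seq) + keystream_xor(trailer, spi, seq)
    body += icv(body)
    return ipv4_header(src, dst, IP_PROTO_ESP, len(body)) + body


def esp_open(pkt):
    """Check the ICV first, then decrypt. Returns (next_hdr, payload), or None on ICV failure."""
    data, tag = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(data)):
        return None
    spi, seq = struct.unpack("!II", data[:8])
    plain = keystream_xor(data[8:], spi, seq)
    pad_len, next_hdr = struct.unpack("!BB", plain[-2:])
    return next_hdr, plain[:len(plain) - 2 - pad_len]


def nat_rewrite_src(pkt, new_src):
    """A NAT on the home router: rewrite the source address and decrement TTL as any
    router does. Real NAT-T also wraps ESP in UDP/4500; that wrapper is outside the ICV."""
    f = list(struct.unpack(IPV4_FMT, pkt[:20]))
    f[8] = ipaddress.IPv4Address(new_src).packed
    f[5] -= 1
    return struct.pack(IPV4_FMT, *f) + pkt[20:]


def demo():
    """WFH client behind NAT sends an L2TP/UDP packet to the VPN server under AH and under ESP."""
    l2tp = b"\xc8\x02\x00\x0c" + b"L2TP control"          # constructed sample payload
    home, public, server = "192.168.1.10", "203.0.113.7", "198.51.100.1"
    ah = nat_rewrite_src(ah_protect(home, server, l2tp, IP_PROTO_UDP), public)
    esp = nat_rewrite_src(esp_protect(home, server, l2tp, IP_PROTO_UDP), public)
    tampered = esp[:30] + bytes([esp[30] ^ 0x01]) + esp[31:]  # flip one ciphertext bit
    return {
        "ah_ok_after_nat": ah_verify(ah),                           # False: src address is covered
        "esp_ok_after_nat": esp_open(esp) == (IP_PROTO_UDP, l2tp),  # True: IP header not covered
        "ah_payload_in_clear": l2tp in ah,                          # True: AH never encrypts
        "esp_payload_in_clear": l2tp in esp,                        # False: ESP encrypts
        "esp_tamper_detected": esp_open(tampered) is None,          # True: ICV fails first
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the AH packet failing verification after the NAT rewrote the source address (a field the AH ICV covers), the ESP packet still verifying and decrypting because its ICV never included the outer IP header, and the L2TP payload readable in the AH packet but not in the ESP packet. The tamper case shows why ESP checks the ICV before decrypting: a flipped ciphertext bit is rejected without ever touching the cipher.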

