The following terms were introduced in this chapter or have special significance to the topics within this chapter.
antireplay A security service where the receiver can reject old or duplicate packets to protect itself against replay attacks. IPSec provides this optional service by use of a sequence number combined with the use of data authentication.
Cisco Unified Client Framework A consistent connection, policy, and key management method across Cisco routers, security appliances, and VPN Clients.
data authentication Process of verifying that data have not been altered during transit (data integrity), or that the data came from the claimed originator (data origin authentication).
data confidentiality A security service where the protected data cannot be observed.
data flow A grouping of traffic, identified by a combination of source address/mask, destination address/mask, IP next protocol field, and source and destination ports, where the protocol and port fields can have the values of any. In effect, all traffic matching a specific combination of these values is logically grouped together into a data flow. A data flow can represent a single TCP connection between two hosts, or it can represent all the traffic between two subnets. IPSec protection is applied to data flows.
Elliptic Curve Cryptography (ECC) A public-key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys.
ECC generates keys through the properties of the elliptic curve equation instead of using the traditional method of generation as the product of large prime numbers. The technology can be used in conjunction with most public-key encryption methods, such as RSA and Diffie-Hellman.
peer In the context of this document, a router, firewall, VPN concentrator, or other device that participates in IPSec.
Perfect Forward Secrecy (PFS) A cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
Scalable Encryption Processing (SEP) Cisco VPN 3000 Series Concentrator modules that enable users to easily add capacity and throughput.
Security Association (SA) An IPSec security association (SA) is a description of how two or more entities use security services in the context of a particular security protocol (AH or ESP) to communicate securely on behalf of a particular data flow. It includes things such as the transform and the shared secret keys to be used for protecting the traffic.
Security Parameters Index (SPI) This is a number that, together with an IP address and security protocol, uniquely identifies a particular security association. When using IKE to establish the security associations, the SPI for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association.
transform A transform lists a security protocol (AH or ESP) with its corresponding algorithms. For example, one transform is the AH protocol with the HMAC-MD5
authentication algorithm; another transform is the ESP protocol with the 56-bit DES encryption algorithm and the HMAC-SHA authentication algorithm.
tunnel In the context of this document, a secure communication path between two peers, such as two routers. It does not refer to using IPSec in Tunnel mode.
Q&A
As mentioned in Chapter 1, these questions are more difficult than what you should experience on the CCSP exam. The questions do not attempt to cover more breadth or depth than the exam;
however, the questions are designed to make sure you know the answer. Rather than allowing you to derive the answer from clues hidden inside the question itself, your understanding and recall of the subject are challenged. Questions from the “Do I Know This Already?” quiz from the beginning of the chapter are repeated here to ensure that you have mastered the chapter’s topic areas. Hopefully, these questions will help limit the number of exam questions on which you narrow your choices to two options and guess!
1 What are the Cisco hardware product families that support IPSec VPN technology?
2 What are the two IPSec protocols?
3 What are the three major VPN categories?
4 What is an SEP module used for?
5 What are the primary reasons cited for choosing VPN technology?
6 Why are remote access VPNs considered ubiquitous?
7 What types of VPNs are typically built across service provider shared network infrastructures?
8 Which type of VPNs use a combination of the same infrastructures that are used by the other two types of VPNs?
9 What hardware would you use to build intranet and extranet VPNs?
10 Which Cisco routers provide support for Cisco EzVPN Remote?
11 Which Cisco router series supports VAMs?
12 Which Cisco router series supports ISMs?
13 Which of the Cisco PIX Firewall models are fixed-configuration devices?
14 Which Cisco PIX Firewall models offer a failover port for high availability and support VACs?
15 Which series of Cisco hardware devices are purpose-built remote access VPN devices?
16 Which of the Cisco VPN 3000 Series Concentrators is a fixed-configuration device?
17 Which of the Cisco VPN 3000 Series Concentrators can accept SEP modules?
18 What feature of the Cisco Unity Client makes it scalable?
19 Which of Cisco’s VPN clients can be used with any operating system that communicates in IP?
20 What protocol enables IP-enabled wireless devices such as PDAs and Smart Phones to participate in VPN communications?
21 What are the three phases of Cisco Mobile Office?
22 What is the distinctive characteristic of Cisco VPN Device Manager?
23 What is Cisco’s AAA server, and what AAA systems does it support?
24 Which web-based management tool can display a physical representation of each managed device?
25 What are the current RFCs that define the IPSec protocols?
26 What are three shortcomings of IPSec?
27 What message encryption protocols does IPSec use?
28 What message integrity protocols does IPSec use?
29 What methods does IPSec use to provide peer authentication?
30 What methods does IPSec use for key management?
31 What is the key element contained in the AH or ESP packet header?
32 Which IPSec protocol does not provide encryption services?
33 What is the triplet of information that uniquely identifies a Security Association?
34 What is an ICV?
35 What IPSec protocol must you use when confidentiality is required in your IPSec communications?
36 What is the primary difference between the mechanisms used by AH and ESP to modify an IP packet for IPSec use?
37 What are the two modes of operation for AH and ESP?
38 Which IPSec protocol should you use if your system is using NAT?
39 You can select to use both authentication and encryption when using the ESP protocol.
Which is performed first when you do this?
40 How many SAs does it take to establish bidirectional IPSec communications between two peers?
41 Which encryption protocol was considered unbreakable at the time of its adoption?
42 What process does 3DES use to obtain an aggregate 168-bit key?
43 What is a message digest?
44 What does HMAC-MD5-96 mean?
45 What does HMAC-SHA1-96 mean?
46 How are preshared keys exchanged?
47 What does the Diffie-Hellman key agreement protocol permit?
48 Why is D-H not used for symmetric key encryption processes?
49 What is a CRL?
50 What are the five parameters required by IKE Phase 1?
51 What are the valid AH authentication transforms?
52 What transform set would allow for SHA-1 authentication of both AH and ESP packets and would also provide 3DES encryption for ESP?
53 What steps should you take before you begin the task of configuring IPSec on a Cisco device?
54 What are the five steps of the IPSec process?
55 What is the difference between the deny keyword in a crypto ACL and the deny keyword in an access ACL?
Exam Topics Discussed in This Chapter
This chapter covers the following topics, which you need to master in your pursuit of certification as a Cisco Certified Security Professional:
5 Overview of the Cisco VPN 3000 Concentrator Series 6 Cisco VPN 3000 Concentrator Series models
7 Benefits and features of the Cisco VPN 3000 Concentrator Series 8 Cisco VPN 3000 Concentrator Series Client support