160. a.
The IP payload compression protocol (IPComp) is a part of an Internet Protocol security (IPsec) implementation, not a primary component. Authentication header (AH), encapsulating security payload (ESP), and Internet key exchange (IKE) protocol are incorrect because they are primary components of IPsec.

161. The transport mode of an authentication header (AH) of Internet Protocol security (IPsec) is used in which of the following virtual private network (VPN) architectures?
a. Gateway-to-gateway
b. Host-to-gateway
c. Contractor-to-company
d. Host-to-host

161. d.
Authentication header (AH) has two modes: tunnel and transport. In tunnel mode, AH creates a new IP header for each packet. In transport mode, AH does not create a new IP header, because transport mode cannot alter the original IP header or create a new one. Transport mode is generally used in host-to-host architectures. AH is not used in the other three choices.

162. The encapsulating security payload (ESP) mode of Internet Protocol security (IPsec) cannot be used to provide which of the following?
a. Only encryption
b. Integrity protection at the outermost IP header
c. Encryption and integrity protection
d. Only integrity protection

162. b.
Encapsulating security payload (ESP) can be used to provide only encryption, encryption and integrity protection, or only integrity protection. In the second version of IPsec, ESP became more flexible: it can perform authentication to provide integrity protection, although not for the outermost IP header. Also, ESP's encryption can be disabled through the Null Encryption Algorithm.

163. Which of the following is not an example of block cipher encryption algorithms used by the encapsulating security payload (ESP) mode of Internet Protocol security (IPsec)?
a. AES-Cipher block chaining (AES-CBC)
b. Hash message authentication code (HMAC)
c. AES Counter mode (AES-CTR)
d. Triple DES (3DES)

163. b.
The authentication header (AH) of IPsec uses HMAC. ESP uses symmetric cryptography to provide encryption for IPsec packets. When an endpoint encrypts data, it divides the data into small blocks and then performs multiple sets of cryptographic operations (known as rounds) using the data blocks and the key. Encryption algorithms that work in this way are known as block cipher algorithms. Examples of encryption algorithms used by ESP are AES-CBC, AES-CTR, and 3DES.

164. Which of the following is the most important feature when evaluating Internet Protocol security (IPsec) client software for hosts?
a. Encryption
b. Authentication
c. Split tunneling
d. Compression

164. c.
The most important Internet Protocol security (IPsec) client software feature is the capability to prevent split tunneling. Split tunneling occurs when an IPsec client on an external network is not configured to send all its traffic to the organization's IPsec gateway. Requests with a destination on the organization's network are sent to the IPsec gateway, and all other requests are sent directly to their destination without going through the IPsec tunnel. Prohibiting split tunneling can limit the potential impact of a compromise by preventing the attacker from taking advantage of the IPsec connection to enter the organization's network; the attacker could connect only to the compromised system when it is not using IPsec. Hosts should be configured so that only the network interface used for IPsec is enabled when IPsec is in use. Encryption, authentication, and compression are important features, but not as important as preventing split tunneling, because of the risk it poses.

165. Which of the following Internet Protocol security (IPsec) components is compatible with network address translation (NAT) implementations?
a. AH tunnel mode
b. ESP transport mode
c. ESP tunnel mode
d. AH transport mode