CompTIA Security Plus Mock Test Q189

A security administrator must implement a firewall rule to allow remote employees to VPN onto the company network. The VPN concentrator implements SSL VPN over the standard HTTPS port. Which of the following is the MOST secure ACL to implement at the company’s gateway firewall?

A. PERMIT TCP FROM ANY 443 TO 199.70.5.25 443
B. PERMIT TCP FROM ANY ANY TO 199.70.5.23 ANY
C. PERMIT TCP FROM 199.70.5.23 ANY TO ANY ANY
D. PERMIT TCP FROM ANY 1024-65535 TO 199.70.5.23 443

Correct Answer: D
Section: Network Security

Explanation:
The default HTTPS port is port 443. When configuring SSL VPN, you can change the default HTTPS port to a port within the 1024-65535 range. This ACL allows traffic from VPN clients using the 1024-65535 port range to reach the company network through the company’s gateway firewall on port 443.

Incorrect Answers:
A: This ACL will only allow traffic from VPN clients using source port 443 to access the company network via the company’s gateway firewall on port 443.
B: This ACL is not secure because it will allow all traffic through the company’s gateway firewall.
C: This is not a valid ACL format.

References:
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-4/user/guide/CSMUserGuide_wrapper/ravpnbas.html

CompTIA Security Plus Mock Test Q131

A company has implemented PPTP as a VPN solution. Which of the following ports would need to be opened on the firewall in order for this VPN to function properly? (Select TWO).

A. UDP 1723
B. TCP 500
C. TCP 1723
D. UDP 47
E. TCP 47

Correct Answer: C,D
Section: Network Security

Explanation:
A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer. The PPTP GRE packet format is non-standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. However, as in a normal GRE connection, those modified GRE packets are directly encapsulated into IP packets, and seen as IP protocol number 47.

Incorrect Answers:
A, E: PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.
B: TCP port 500 is used by the Internet Security Association and Key Management Protocol (ISAKMP).

References:
http://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

CompTIA Security Plus Mock Test Q96

A network engineer is designing a secure tunneled VPN. Which of the following protocols would be the MOST secure?

A. IPsec
B. SFTP
C. BGP
D. PPTP

Correct Answer: A
Section: Network Security

Explanation:
Layer 2 Tunneling Protocol (L2TP) came about through a partnership between Cisco and Microsoft with the intention of providing a more secure VPN protocol. L2TP is considered a more secure option than PPTP because it is used in conjunction with the IPSec protocol, which provides stronger encryption algorithms. It also requires a pre-shared certificate or key. L2TP’s strongest level of encryption uses 168-bit keys with the 3DES encryption algorithm and requires two levels of authentication.
L2TP has a number of advantages over PPTP in terms of data integrity and origin authentication, designed to keep hackers from compromising the system. However, the increased overhead required to manage this elevated security means that it performs more slowly than PPTP.

Incorrect Answers:
B: SFTP (Secure FTP) is not a VPN tunneling protocol. It is used for transferring files using the File Transfer Protocol over a secure connection. The connection is secured by using SSH (Secure Shell).

C: BGP (Border Gateway Protocol) is a routing protocol, not a VPN protocol.

D: Point-to-Point Tunneling Protocol (PPTP) is the most popular VPN protocol and is supported by the most devices. It is by far the easiest to configure and has low overhead, which makes it faster than other VPN protocols. Firewalls such as ISA Server, Cisco PIX and SonicWall recognize the protocol. PPTP encrypts data using a 128-bit key, which puts it in the “weakest” category of VPN protocols.

References:
The Differences Between PPTP, L2TP/IPSec, SSTP and OpenVPN Connection