IPsec vs. SSL VPNs quiz answers

1.) The correct answer is: a. Transport encryption

From Crypto basics: VPNs:
VPNs are capable of encrypting two different ways: transport and tunneling. The transport encryption sets up a secure, encrypted link across the Internet wires, and it encrypts the data (payload) you are sending to the other end. This is the equivalent of the delivery truck carrying a package via the underground passageway. (I'm not using the word tunnel here because I don't want to confuse you!) The encryption is invisible to the user — other than passwords, passphrases, or a special card to plug into the computer, the user doesn't have to press a button that says "encrypt" or "decrypt." All the data in transit is protected from sight. The only drawback to transport encryption is the fact that the headers on the data are sent in the clear. In effect, that's like disguising the package and then putting a label on it that says what's inside. Maybe not the smartest thing to do considering that intruders may occasionally gain access.


2.) The correct answer is: e. All of the above

From IPsec and SSL VPNs: Solving remote access problems:
Six Basic Requirements of an SSL VPN

  • Proxy access and protocol conversion
    • End user HTTPS to proxy; proxy HTTP[S] to resources
    • Application translation (e.g., HTTPS to SMB/CIFS)
  • Clientless (sic) Access
    • Works within the browser
    • No thick/thin client required
  • Remote-access Orientation
    • No site-to-site
    • Designed with simplicity and ease-of-use over security
  • Extranet Support
    • End-user has only a casual connection to resource
  • Highly Granular Access Controls
    • Primarily a security appliance, not an access method
  • SSL Transport


3.) The correct answer is: a. Telecommuters coming from fixed sites, using managed corporate devices and terminating in a secure, private network on either side.

From Letting telecommuters in -- Your VPN alternatives:
The most secure VPN is the traditional arrangement with the telecommuter coming from a fixed site, ideally using a managed, corporate device and terminating in a secure, private network on either side. Quite a bit of effort can go into setting up this arrangement; you need to see that hardware, software and settings, as well as authentication, are set up perfectly and maintained on both ends, despite user changes to software, firmware and hardware, but the security can be worth the trouble. Let's throw out some protocols -- literally. There are three or four at this end of the pool. Only one from this group is secure enough to take seriously: IPSec, especially in conjunction with L2TP.

IPSec is the standard to buy; it encrypts at the packet level. PPTP has weak encryption keys, weak password hashing and unauthenticated control traffic. L2TP traffic can be read by network sniffers. However, when combined with IPSec for encryption, L2TP becomes unreadable and offers IPSec authenticated access for multiple protocols. Just be sure the device you buy supports the combined IPSec and L2TP standard.


4.) The correct answer is: a. Layer 3

From Is IPsec on borrowed time?:
IPSec VPN is a layer 3 technology that provides a secure tunnel between a remote location and the corporate network.


5.) The correct answer is: c. Proxy

From IPsec and SSL VPNs: Solving remote access problems:
The four SSL VPN access modes, listed from simplest and most usable to most complex and difficult. Not every SSL VPN product supports all four modes; the same order also runs from most widely supported to least supported:

  • Proxy
  • Application Translation
  • Port Forwarding
  • Network Extension

6.) The correct answer is: a. Requires host-based clients and hardware at a central location. Users have full office functionality, but there's very little granularity in access control.

From Is IPsec on borrowed time?:
IPSec VPN is a layer 3 technology that provides a secure tunnel between a remote location and the corporate network. It requires host-based clients and expensive hardware at a central location; ongoing configuration maintenance and account administration are heavy burdens. Users have full office functionality using IPSec VPNs, but there's very little granularity in access control. Access is generally permit or deny with most shared network resources available to any user.


7.) The correct answer is: b. False

From VPN fast facts: True or false?:
While they differ architecturally, both VPNs can be deployed securely -- or poorly. Security builds upon standards and products that implement them, but ultimately depends upon appropriate deployment and sound policy definition.


8.) The correct answer is: c. Both authentication of the sender and encryption of the data

From the SearchSecurity.com Glossary:
IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well.


9.) The correct answer is: d. All of the above

From Client-side security considerations for SSL VPNs:
Most SSL VPNs take steps to automatically clean up after each remote access session, no matter who owns the remote PC. Features to look for when considering SSL VPN products include:

  • Secure logout -- Forced session disconnection and browser window close, typically based on centrally defined inactivity or duration timeouts.
  • Credential scrubbing -- Deleting cached credentials at session end or preventing them from being cached on the client in the first place.
  • Temp file cleanup -- Deleting files created during the session or blocking their creation, including cached pages, offline content and downloaded programs.
  • Cookie blocking -- Removing cookies at session end, or better yet, no personally identifiable or reusable information written to cookies during sessions.
  • Auto forms completion disabling -- Avoiding client storage of data entered in private Web page forms that might otherwise be visible to subsequent users.
  • Personal information profile disabling -- Preventing access to, and use of, user data commonly integrated with browsers, like Outlook Address Book entries.
  • Browser history removal -- Stopping VPN URLs from being used as a launch point for common Web server attacks (e.g., password-guessing, DoS floods, script injection).


10.) The correct answer is: a. Tunneling

From the SearchSecurity.com glossary:
Tunneling, also known as "port forwarding," is the transmission of data intended for use only within a private, usually corporate network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network. Tunneling is generally done by encapsulating the private network data and protocol information within the public network transmission units so that the private network protocol information appears to the public network as data. Tunneling allows the use of the Internet, which is a public network, to convey data on behalf of a private network.
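The three distinctions the quiz draws on (answer 1: transport encryption leaves the headers in the clear; answer 8: AH authenticates while ESP authenticates and encrypts; answer 10: tunneling wraps the private packet, header included, as opaque data inside a public one) can be seen side by side in the following Python model. It is an added example, not code from any of the quoted articles or from a real IPsec implementation: the 10-byte toy header standing in for an IP header, the HMAC-SHA256 counter-mode keystream standing in for a real cipher, the `observer_view` helper and all keys and addresses are constructed for illustration.

```python
"""Toy model of IPsec protection modes: ESP transport, ESP tunnel and AH.

Constructed example. A 10-byte header (4-byte src, 4-byte dst, 2-byte body
length) stands in for an IP header, and HMAC-SHA256 stands in both for the
integrity check and, run in counter mode, for the cipher. Real IPsec uses
AES/ChaCha20 and the AH/ESP wire formats, but the visibility properties
shown here (what an on-path sniffer can and cannot read) are the same.
"""
import hashlib
import hmac
import struct

HDR = struct.Struct(">4s4sH")   # src, dst, length of what follows
TAG_LEN = 16                    # truncated HMAC, like an AH/ESP ICV
NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def make_packet(src: bytes, dst: bytes, body: bytes) -> bytes:
    return HDR.pack(src, dst, len(body)) + body


def split_packet(pkt: bytes):
    src, dst, n = HDR.unpack_from(pkt)
    return src, dst, pkt[HDR.size:HDR.size + n]


def esp_transport(key: bytes, nonce: bytes, pkt: bytes) -> bytes:
    """ESP transport mode: the original header stays in the clear; only the
    payload is encrypted, then authenticated."""
    src, dst, payload = split_packet(pkt)
    body = nonce + _xor(payload, _keystream(key, nonce, len(payload)))
    return make_packet(src, dst, body + _tag(key, body))


def esp_tunnel(key: bytes, nonce: bytes, gw_src: bytes, gw_dst: bytes, pkt: bytes) -> bytes:
    """ESP tunnel mode: the whole inner packet, header included, becomes the
    encrypted body of a new outer packet addressed gateway to gateway."""
    body = nonce + _xor(pkt, _keystream(key, nonce, len(pkt)))
    return make_packet(gw_src, gw_dst, body + _tag(key, body))


def esp_open(key: bytes, wire: bytes):
    """Receiver side for both ESP modes: verify the tag first, then decrypt."""
    src, dst, body = split_packet(wire)
    data, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(_tag(key, data), tag):
        raise ValueError("ESP integrity check failed")
    nonce, ct = data[:NONCE_LEN], data[NONCE_LEN:]
    return src, dst, _xor(ct, _keystream(key, nonce, len(ct)))


def ah_protect(key: bytes, pkt: bytes) -> bytes:
    """AH: authenticates header and payload but encrypts nothing."""
    return pkt + _tag(key, pkt)


def ah_verify(key: bytes, wire: bytes) -> bool:
    pkt, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    return hmac.compare_digest(_tag(key, pkt), tag)


def observer_view(wire: bytes, secret: bytes):
    """What an on-path sniffer learns: the addresses in the outer header, and
    whether `secret` is readable in the body."""
    src, dst, body = split_packet(wire)
    return src, dst, secret in body


if __name__ == "__main__":
    key, nonce = b"\x11" * 32, b"\x00" * NONCE_LEN            # constructed, fixed for reproducibility
    host, server = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09"  # 10.0.0.5 -> 10.0.0.9 (constructed)
    gw_a, gw_b = b"\xc0\xa8\x01\x01", b"\xc0\xa8\x02\x01"    # gateways 192.168.1.1 -> 192.168.2.1
    pkt = make_packet(host, server, b"GET /payroll HTTP/1.1")
    for name, wire in [("AH", ah_protect(key, pkt)),
                       ("ESP transport", esp_transport(key, nonce, pkt)),
                       ("ESP tunnel", esp_tunnel(key, nonce, gw_a, gw_b, pkt))]:
        src, dst, readable = observer_view(wire, b"/payroll")
        print(f"{name:14s} sniffer sees {src.hex()} -> {dst.hex()}, payload readable: {readable}")
```

Running the script shows the point of each answer: with AH the sniffer reads the request but any edit fails verification; with ESP transport the request is hidden but the real endpoint addresses are still on the label; with ESP tunnel the sniffer sees only the two gateway addresses and an opaque body, which is exactly the "appears to the public network as data" property the glossary describes.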


This was last published in November 2005
