Ch7- Study Guide

Chapter 7 – Securing Site-to-Site Connectivity
Study Guide
After completion of this chapter, you should be able to:
Describe benefits of VPN technology.
Describe site-to-site and remote access VPNs.
Describe the purpose and benefits of GRE tunnels.
Configure a site-to-site GRE tunnel.
Describe the characteristics of IPsec.
Explain how IPsec is implemented using the IPsec protocol framework.
Explain how the AnyConnect client and clientless SSL remote-access VPN implementations support business requirements.
Compare IPsec and SSL remote access VPNs.
1. What is a VPN? A virtual private network created via tunneling over a public network.
2. What are some of the benefits of VPN?
Cost savings, scalability, compatibility with broadband technology, security
3. Complete Activity 7.1.1.3 – Identify the benefits of VPN
4. What are some features of Site-to-Site VPNs?
A static VPN connection established between two networks (e.g., a branch office and company headquarters). Hosts at each site send ordinary traffic with no VPN software and no knowledge of the tunnel; the VPN gateway at each site encrypts and encapsulates all traffic leaving the site and decrypts and decapsulates traffic arriving from the peer.
5. What are some features of Remote-Access VPNs?
Supports telecommuters, mobile users and other remote workers whose connection details (location, address) change dynamically; the connection can be enabled and disabled as needed rather than staying up permanently. Uses VPN client software on the end-user device (or a web browser for clientless SSL) that encapsulates and encrypts the data.
6. Complete Activity 7.1.2.3 – Compare Types of VPNs
7. What is the purpose of Generic Routing Encapsulation (GRE)?
GRE is designed to manage the transport of multiprotocol and IP multicast traffic between two or more sites that may have only IP connectivity between them.
8. What are some characteristics of GRE?
The outer IP header carries protocol number 47 to indicate that a GRE header follows; GRE supports the encapsulation of any Layer 3 protocol (the GRE header's protocol type field identifies the inner protocol); it is stateless, with no flow control or connection state; it does not include any strong security mechanism (no encryption and no integrity protection); and the 4-byte GRE header plus the 20-byte tunnel IP header add 24 bytes of overhead to every packet.
9. Complete Activity 7.2.1.3 – Identify GRE Characteristics
10. In a GRE configuration, what does the “tunnel source” and “tunnel destination” commands reference?
tunnel source references the local router's preconfigured physical interface (by interface name or by its IP address), whose address becomes the source of the outer IP header; tunnel destination references the IP address of the remote router's physical interface, which becomes the outer destination. Both addresses must already be reachable across the underlying IP network for the tunnel to come up.
11. What are some advantages of GRE?
It can be used to tunnel non-IP traffic over an IP network, supports IP multicast tunneling, and it can be used to
create IPv6 over IPv4 tunnels.
12. What is the biggest disadvantage of GRE?
It does not provide encryption or any other security mechanism, so data sent across a GRE tunnel is not protected from eavesdropping or modification. Where confidentiality is required, GRE is run inside IPsec (GRE over IPsec), combining GRE's multiprotocol and multicast support with IPsec's protection.
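Added worked example (not part of the Cisco curriculum or this study guide's original material): the Python below builds a GRE packet byte by byte so the characteristics in items 7 through 12 can be checked rather than memorised. It constructs the outer IPv4 header with protocol 47 and a minimal 4-byte GRE header, wraps a made-up IPv4 packet and a made-up IPv6 packet, then confirms the 24 bytes of overhead and that the payload travels in the clear. The tunnel endpoint addresses (203.0.113.1 and 198.51.100.1), inner addresses and payload are all constructed for the example.

```python
"""GRE encapsulation (RFC 2784) shown byte by byte.

Constructed example for this study guide, not Cisco code. It builds the outer
(delivery) IPv4 header with Protocol = 47, the 4-byte GRE header, and shows the
resulting 24 bytes of overhead. All addresses and payloads below are made up.
"""
import socket
import struct

GRE_PROTOCOL = 47        # IP Protocol field value meaning "a GRE header follows"
IPV4_HEADER_LEN = 20     # outer IPv4 header without options
GRE_HEADER_LEN = 4       # minimal GRE header: flags/version (2 bytes) + protocol type (2 bytes)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type values are EtherTypes
ETHERTYPE_IPV6 = 0x86DD


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over 16-bit words; returns 0 when verifying a correct header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, IPV4_HEADER_LEN + payload_len, 0, 0, 64, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes, protocol_type: int) -> bytes:
    """Wrap any Layer 3 packet: outer IPv4 (proto 47) + GRE header + untouched inner packet."""
    gre_header = struct.pack("!HH", 0x0000, protocol_type)  # no C/K/S bits, version 0
    outer = build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, GRE_HEADER_LEN + len(inner))
    return outer + gre_header + inner


def gre_decapsulate(packet: bytes):
    """Return (tunnel_src, tunnel_dst, protocol_type, inner). GRE keeps no state: each packet is self-describing."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer header protocol %d is not GRE (47)" % packet[9])
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags_version, protocol_type = struct.unpack("!HH", packet[ihl:ihl + GRE_HEADER_LEN])
    if flags_version & 0xB000:  # C, K or S bit set: optional checksum/key/sequence fields would follow
        raise ValueError("optional GRE fields not handled in this example")
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            protocol_type, packet[ihl + GRE_HEADER_LEN:])


def sample_inner_ipv4(message: bytes) -> bytes:
    """Constructed inner packet: IPv4 + UDP (checksum 0 = absent) carrying `message`."""
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(message), 0) + message
    return build_ipv4_header("192.168.1.10", "192.168.2.10", 17, len(udp)) + udp


def sample_inner_ipv6(message: bytes) -> bytes:
    """Constructed inner IPv6 packet (next header 59 = no next header) to show IPv6 over IPv4."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(message), 59, 64,
                       socket.inet_pton(socket.AF_INET6, "2001:db8:1::10"),
                       socket.inet_pton(socket.AF_INET6, "2001:db8:2::10")) + message


def demo() -> dict:
    """Tunnel an IPv4 and an IPv6 packet between two made-up tunnel endpoints."""
    msg = b"payroll data"
    results = {}
    for name, inner, ptype in (("ipv4", sample_inner_ipv4(msg), ETHERTYPE_IPV4),
                               ("ipv6", sample_inner_ipv6(msg), ETHERTYPE_IPV6)):
        tunneled = gre_encapsulate("203.0.113.1", "198.51.100.1", inner, ptype)
        src, dst, seen_ptype, recovered = gre_decapsulate(tunneled)
        results[name] = {
            "overhead": len(tunneled) - len(inner),     # 24 bytes: 20 outer IPv4 + 4 GRE
            "outer_protocol": tunneled[9],              # 47
            "protocol_type": seen_ptype,                # 0x0800 or 0x86DD
            "roundtrip_ok": recovered == inner and (src, dst) == ("203.0.113.1", "198.51.100.1"),
            "payload_in_clear": msg in tunneled,        # no encryption: anyone on the path can read it
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Run it directly to print the per-protocol results. The protocol type field is what lets a single GRE tunnel carry IPv4, IPv6 or other Layer 3 traffic, and the fact that the inner packet is copied unchanged is exactly why GRE on its own provides no confidentiality.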
13. What are some features of IPsec?
IPsec works at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers). Because it operates at Layer 3, it protects virtually all application traffic above it, from Layer 4 through Layer 7, without any change to the applications. It is a framework of open standards that is algorithm-independent: the encryption, hashing and key-exchange algorithms are negotiated per connection and can be replaced as stronger ones become available.
14. Explain the four critical functions that IPsec security services provide:
a. Confidentiality (encryption) – the sender encrypts the data before it leaves the device so that only the intended receiver, holding the matching key, can decode it; an eavesdropper on the public network sees only ciphertext.
b. Data Integrity – the receiver can verify that the data was transmitted through the Internet without being changed or altered in any way (IPsec uses a keyed hash, an HMAC, for this).
c. Authentication – verifies the identity of the source of the data that is sent; IPsec peers authenticate each other with pre-shared keys or digital certificates.
d. Anti-Replay Protection – verifies that each packet is unique and not a duplicate, so an attacker who captures valid packets cannot resend them later and have them accepted; the receiver checks each packet's sequence number against a sliding window and drops duplicates and packets that fall before the window.
15. Confidentiality is achieved through the encryption of traffic as it travels through a VPN. What determines the degree of security? The encryption algorithm and the length of its key: the longer the key, the more work an attacker needs to recover it by brute force.
16. What are three common IPsec encryption algorithms? Of these, which one is recommended?
DES, 3DES and AES. AES is recommended; DES is considered insecure and 3DES is a legacy option.
17. What are some features of asymmetric algorithms?
Uses public-key cryptography: encryption and decryption use different keys (a public key and a matching private key). Asymmetric algorithms are typically used for digital certificates and key management rather than for bulk data encryption, because they are much slower than symmetric algorithms. RSA is an asymmetric algorithm.
18. What is the function of the Diffie-Hellman (DH) algorithm?
It is a method for two peers to establish a shared secret key over an insecure channel by exchanging only public values; IPsec (via IKE) uses the resulting secret to derive the keys for its encryption and hash algorithms. The DH group selects the modulus size and therefore the strength of the exchange (group 14, 2048-bit, or larger is preferred today).
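Added example for item 18 (not Cisco code or part of the original study guide): a Diffie-Hellman exchange between two peers, using the RFC 2409 Oakley Group 2 prime (IKE "DH group 2", 1024-bit MODP) because it is short enough to reproduce here. Group 2 is considered weak today and real devices should be configured for group 14 or larger. The peer names (HQ and branch) and the key-derivation step are assumptions for the illustration; IKE derives key material with an HMAC-based PRF over the shared secret and nonces, which the SHA-256 hash below only stands in for.

```python
"""Diffie-Hellman as IKE uses it to agree on IPsec keys.

Added example for this study guide (not Cisco code). The modulus is the RFC 2409
Oakley Group 2 prime (IKE "DH group 2", 1024-bit MODP). The key derivation at the
end is a simplified stand-in for IKE's PRF-based key material generation.
"""
import hashlib
import secrets

P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
G = 2  # generator for the Oakley MODP groups


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used here to sanity-check the group parameters (P and (P-1)/2)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_private() -> int:
    """Random exponent in [2, P-2]; a fresh one is drawn for every exchange."""
    return secrets.randbelow(P - 3) + 2


def public_value(private: int) -> int:
    return pow(G, private, P)


def is_valid_peer_value(peer_public: int) -> bool:
    """Reject 0, 1, P-1 and out-of-range values: they force the shared secret to a known value."""
    return 1 < peer_public < P - 1


def shared_secret(peer_public: int, private: int) -> int:
    if not is_valid_peer_value(peer_public):
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def derive_key(shared: int, label: bytes) -> bytes:
    """Simplified KDF (assumption for this example): hash the shared secret with a label."""
    return hashlib.sha256(label + shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def run_exchange() -> dict:
    """Two peers (HQ and a branch router in this made-up scenario) exchange only public values."""
    hq_private, branch_private = generate_private(), generate_private()
    hq_public, branch_public = public_value(hq_private), public_value(branch_private)
    # An eavesdropper sees P, G, hq_public and branch_public: never the private exponents or the secret.
    hq_key = derive_key(shared_secret(branch_public, hq_private), b"esp-encryption")
    branch_key = derive_key(shared_secret(hq_public, branch_private), b"esp-encryption")
    return {"hq_key": hq_key, "branch_key": branch_key,
            "hq_public": hq_public, "branch_public": branch_public}


if __name__ == "__main__":
    result = run_exchange()
    print("keys match:", result["hq_key"] == result["branch_key"])
    print("derived key:", result["hq_key"].hex())
```

Both sides arrive at the same key without the key itself ever crossing the wire. The check on the peer's public value is not cosmetic: accepting 0, 1 or P-1 lets an attacker on the path force the shared secret to a value they can predict.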
19. What is the function of hashes and what are two common HMAC algorithms?
Hashes provide data integrity and authentication by ensuring that unauthorized persons cannot tamper with transmitted messages without detection: the sender computes a keyed hash (HMAC) over the message with a key shared only with the receiver, and the receiver recomputes it and compares. Two common HMAC algorithms are HMAC-MD5 and HMAC-SHA-1; MD5 is no longer considered secure, and SHA-2 variants are preferred.
20. What bit values are available with the SHA hash algorithm? 160, 256, 384, and 512
21. Describe the two main IPsec protocols:
a. Authentication Header (AH, IP protocol 51) – provides data authentication and integrity for the whole IP packet, including parts of the IP header, but no encryption: the payload is transported in plain text. Because AH hashes header fields such as the addresses, it does not work through NAT.
b. Encapsulating Security Payload (ESP, IP protocol 50) – provides confidentiality by encrypting the payload (in tunnel mode, the entire original IP packet), and optionally authentication and integrity for the encrypted data as well. ESP is what most IPsec VPNs use.
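Added example for items 14 (integrity and anti-replay), 19 (HMAC) and 21 (what AH/ESP authenticate); it is not Cisco code and not a real ESP implementation, and it is not part of the original study guide. Encryption is left out so that the two checks stand alone: the header mimics the ESP fields involved (SPI and 32-bit sequence number), the integrity check value is HMAC-SHA-256 truncated to 128 bits (the HMAC-SHA-256-128 convention of RFC 4868), and the receiver keeps a 64-packet sliding window. The key, SPI and messages are constructed for the example.

```python
"""Data integrity (HMAC) and anti-replay (sliding window) as IPsec ESP/AH apply them.

Added example for this study guide, not Cisco code and not a real ESP implementation:
encryption is omitted so the integrity and replay checks stand alone. Key, SPI and
messages below are made up.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256 output truncated to 128 bits


class Sender:
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.seq = key, spi, 0

    def protect(self, payload: bytes) -> bytes:
        self.seq += 1
        if self.seq > 0xFFFFFFFF:  # real IPsec re-keys (new SA) before the counter can wrap
            raise OverflowError("sequence number exhausted")
        header = struct.pack("!II", self.spi, self.seq)
        icv = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        return header + payload + icv


class Receiver:
    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means packet (highest - i) was already accepted

    def _replay_check(self, seq: int) -> None:
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq <= self.highest:
            age = self.highest - seq
            if age >= self.window:
                raise ValueError("packet %d is older than the window" % seq)
            if self.bitmap & (1 << age):
                raise ValueError("packet %d already seen: replay" % seq)

    def _replay_mark(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def verify(self, packet: bytes) -> bytes:
        """Return the payload or raise ValueError. The window is updated only after the ICV verifies."""
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        self._replay_check(seq)  # cheap check first, the order RFC 4303 describes
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, packet[:8] + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed: packet modified in transit")
        self._replay_mark(seq)
        return body


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")  # made-up key
    tx, rx = Sender(key, spi=0x1000), Receiver(key, spi=0x1000, window=64)

    def outcome(pkt: bytes) -> str:
        try:
            return "accepted: " + rx.verify(pkt).decode()
        except ValueError as err:
            return "dropped: " + str(err)

    p = {n: tx.protect(b"packet %d" % n) for n in range(1, 101)}  # sequence numbers 1..100
    return {
        "arrive 1,3,2": [outcome(p[1]), outcome(p[3]), outcome(p[2])],  # reordering is tolerated
        "replay 2": outcome(p[2]),                                      # same packet again: replay
        "tampered 4": outcome(p[4][:8] + b"hacked 4" + p[4][16:]),     # body changed, ICV fails
        "genuine 4": outcome(p[4]),                                     # failed ICV did not consume seq 4
        "jump to 100": outcome(p[100]),                                 # window slides to 37..100
        "stale 10": outcome(p[10]),                                     # before the window: dropped
        "late 50": outcome(p[50]),                                      # inside window, unseen: accepted
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Note the order of operations in verify(): a replayed or stale packet is dropped before the HMAC is computed, but the window is only marked after the ICV verifies, so a forged packet with a valid-looking sequence number cannot block the genuine one that carries that number.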
22. Complete Activity 7.3.2.7 – Identify IPsec Terminology and Concepts
23. Describe the following SSL VPNs:
a. Cisco AnyConnect Secure Mobility Client with SSL
- Provides authenticated users with LAN-like, full network access to corporate resources.
- Remote devices require a client application installed on the end-user device.
b. Cisco Secure Mobility Clientless SSL VPN
- Provides access to corporate resources even when the remote device is not corporately managed.
- A web browser is used to establish an SSL session with the Cisco ASA.
- The user can only access some services.
24. Complete Activity 7.4.1.4 – Compare Cisco SSL VPN Solutions
25. Fill in the table below, comparing IPsec and SSL:
Applications
  SSL: Web-enabled applications, file sharing, email
  IPsec: All IP-based applications
Encryption
  SSL: Moderate to strong; key lengths from 40 to 256 bits
  IPsec: Strong; key lengths from 56 to 256 bits
Authentication
  SSL: Moderate; one-way or two-way authentication
  IPsec: Strong; two-way authentication using shared secrets or digital certificates
Connection complexity
  SSL: Low; requires only a web browser
  IPsec: Medium; can be challenging to nontechnical users
Connection options
  SSL: Any device can connect
  IPsec: Only specific devices with specific configurations can connect
26. Complete Activity 7.4.2.5 – Identify Remote-Access Characteristics