Latest 156-215.71 Real Exam Download 381-390
Your company is still using traditional mode VPN configuration on all Gateways and policies. Your manager now requires you to migrate to a simplified VPN policy to benefit from the new features. This needs to be done with no downtime due to critical applications which must run constantly. How would you start such a migration?
A. This cannot be done without downtime as a VPN between a traditional mode Gateway and a simplified mode Gateway does not work.
B. You first need to completely rewrite all policies in simplified mode and then push this new policy to all Gateways at the same time.
C. This cannot be done as it requires a SIC reset on the Gateways first, forcing an outage.
D. Convert the required Gateway policies using the simplified VPN wizard, check their logic and then migrate Gateway per Gateway.
Your manager requires you to set up a VPN to a new business partner site. The administrator from the partner site gives you his VPN settings and you notice that he set up AES 128 for IKE phase 1 and AES 256 for IKE phase 2. Why is this a problematic setup?
A. All is fine as the longest key length has been chosen for encrypting the data and a shorter key length for higher performance for setting up the tunnel.
B. All is fine and can be used as is.
C. Only 128 bit keys are used for phase 1 keys which are protecting phase 2, so the longer key length in phase 2 only costs performance and does not add security due to a shorter key in phase
D. The 2 algorithms do not have the same key length and so don’t work together. You will get the error “…. No proposal chosen….”
Why are certificates preferred over pre-shared keys in an IPsec VPN?
A. Weak scalability: PSKs need to be set on each and every Gateway
B. Weak performance: PSK takes more time to encrypt than Diffie-Hellman
C. Weak security: PSKs can only have 112 bit length.
D. Weak Security: PSKs are static and can be brute-forced.
Multi-Corp must comply with industry regulations in implementing VPN solutions among multiple sites. The corporate Information Assurance policy defines the following requirements:
Portability: Standard
Key management: Automatic, external PKI
Session keys: changed at configured times during a connection's lifetime
Key length: No less than 128-bit
Data integrity: Secure against inversion and brute-force attacks
What is the most appropriate setting to comply with these requirements?
A. IKE VPNs: SHA1 encryption for IKE Phase 1, and MD5 encryption for phase 2, AES hash
B. IKE VPNs: DES encryption for IKE phase 1, and 3DES encryption for phase 2, MD 5 hash
C. IKE VPNs: CAST encryption for IKE Phase 1, and SHA 1 encryption for phase 2, DES hash
D. IKE VPNs: AES encryption for IKE Phase 1, and AES encryption for Phase 2; SHA1 hash
What happens in relation to the CRL cache after a cpstop and cpstart have been initiated?
A. The Gateway retrieves a new CRL on startup, and discards the old CRL as invalid.
B. The Gateway continues to use the old CRL, as long as it is valid.
C. The Gateway continues to use the old CRL even if it is not valid, until a new CRL is cached.
D. The Gateway issues a crl_zap on startup, which empties the cache and forces certificate retrieval.
Which of the following is TRUE concerning control connections between the Security Management Server and the Gateway in a VPN Community? Control Connections are:
A. encrypted using SIC and re-encrypted again by the Community regardless of VPN domain configuration.
B. encrypted by the Community.
C. not encrypted, only authenticated.
D. encrypted using SIC.
How many times is the firewall kernel invoked for a packet to be passed through a VPN connection?
A. Three times
D. None. The IPSO kernel handles it
You have traveling salesmen connecting to your VPN community from all over the world. Which technology would you choose?
A. SSL VPN: It has more secure and robust encryption schemes than IPsec.
B. IPsec: It allows complex setups that match any network situation available to the client, i.e. connection from a private customer network or various hotel networks.
C. SSL VPN: It only requires HTTPS connections between client and server. These are most likely open from all networks, unlike IPsec, which uses protocols and ports which are blocked by many sites.
D. IPsec: It offers encryption, authentication, replay protection and all algorithms that are state of the art (AES) or that perform very well. It is native to many client operating systems, so setup can easily be scripted.
You wish to configure a VPN and you want to encrypt not just the data packet, but the original header. Which encryption scheme would you select?
A. Both encrypt the data and header
B. Tunneling-mode encryption
C. In-place encryption
You wish to view the current state of the customer’s VPN tunnels, including those that are down and destroyed. Which SmartConsole application will provide you with this information?
A. SmartView Monitor
B. SmartView Status
C. SmartView Tracker