Scenario Answers
The answers provided in this section are not necessarily the only correct answers. They merely represent one possibility for each scenario. The intention is to test your base knowledge and understanding of the concepts discussed in this chapter.
Should your answers be different (as they likely will be), consider the differences. Are your answers in line with the concepts of the answers provided and explained here? If not, reread the chapter, focusing on the sections that are related to the problem scenario.
Scenario 4-1 Answers
Concentrator model? The Cisco VPN 3005 Concentrator is probably adequate for this installation. If your company were growing quickly, you might opt for the 3015. It has about the same capabilities but is expandable, all the way to a 3080, if you ever needed the additional capacity.
Type of device authentication? Because this is a chapter on preshared keys, you would opt to use preshared keys. For this small user base, the maintenance for preshared keys should not be a big concern.
Authentication? Internal authentication was one of the reasons for choosing the concentrator over the router. The internal database keeps authentication on the same device and is flexible enough to meet the needs of this application.
Address assignment? Set aside a pool of 100 IP addresses and let the VPN concentrator assign the IP addresses from the pool. You could use DHCP, but that brings another network device into the picture. Keep it simple.
Split tunneling? Yes. The R&D group is going to need the Internet for research and the 56-kbps modems are going to be killers. Eliminate the need for encryption on trivial traffic to help this group out.
Multiple IPSec groups? It would make sense to use multiple IPSec groups. Some of your users might not need split tunneling, and you could use different rules for access time, idle timeout, or maximum connect times. You might want to set up functional groups such as R&D, Sales, Engineering, Accounting, Execs, and so on. You are only constrained by the 100 combined users and groups limitation on the concentrator.
IPSec protocol? ESP. AH is authentication only with no encryption. You would want to encrypt some of these data, especially for the R&D group.
Encryption? Probably Triple-DES. You could choose DES, but the extra security does not cost that much more in performance.
Unlimited access? This would be a group-by-group decision. Does the R&D team work around the clock or just during business hours? Do you need to set aside a regular maintenance window for network upgrades? Do the execs need unlimited access?
Idle timeout and maximum connect time? You probably want to drop connections after they have been idle for 20 to 30 minutes. There is no overpowering reason to establish limits on connect time. If you close the connection when it is idle, you should not have to worry about lengthy connections.
Scenario 4-2 Answers
General tab settings for the DonutShops group:
Access Hours—No Restrictions
Simultaneous Logins—1, uncheck Inherit?
Minimum Password Length—8
Allow Alphabetic-Only Passwords—No, uncheck Inherit?
Idle Timeout—30
Maximum Connect Time— 0
Filter—None
Primary DNS—192.168.44.20, uncheck Inherit?
Secondary DNS—192.168.63.20, uncheck Inherit?
Primary WINS—192.168.44.25, uncheck Inherit?
Secondary WINS—192.168.63.25, uncheck Inherit?
SEP Card Assignment—You can leave these checked. Without SEP modules, this attribute has no effect.
Tunneling Protocols—Check only IPSec, uncheck Inherit?
Strip Realm—Leave unchecked. You will be using an external authentication service, so this field has no effect.
IPSec tab settings for the DonutShops group:
IPSec SA—ESP-3DES-MD5
IKE Peer Identity Validation—If supported by certificate
IKE Keepalives—Enabled
Reauthentication on Rekey—Enabled, uncheck Inherit?
Tunnel Type—Remote access
Group Lock—Disabled
Authentication—NT Domain, uncheck Inherit?
IPComp—None
Mode Configuration—Enabled