Q4 What is VPN?

Virtual Private Network, a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

A software access point does not limit the type or number of network interfaces you use. It may also allow considerable flexibility in providing access to different network types, such as different types of Ethernet, Wireless and Token Ring networks. Such connections are only limited by the number of slots or interfaces in the computer used for this task. Further to this, the software access point may include significant additional features such as shared Internet access, web caching or content filtering, providing significant benefits to users and administrators.

Q5 Why do I need to create a VPN tunnel?

VPN tunnels provide secure connections for the transfer of data across the Internet. Making those connections without a Virtual Private Network generally places the data at risk of third-party interception or modification.

Q6 What are the most common VPN protocols?

There are currently three major tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec). The VPN server supports IPSec right now.

Q7 What is PPTP protocol?

Point-to-Point Tunneling Protocol, a new technology for creating Virtual Private Networks (VPNs). A VPN is a private network of computers that uses the public Internet to connect some nodes. Because the Internet is essentially an open network, the Point-to-Point Tunneling Protocol (PPTP) is used to ensure that messages transmitted from one VPN node to another are secure. With PPTP, users can dial in to their corporate network via the Internet.

Q8 What is L2TP protocol?

Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.

Q9 What is IPSec protocol?

IPSec is a set of IP extensions developed by the IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv4) and also the upcoming one (IPv6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP, and ICMP. IPSec provides cryptographic security services. These services allow for authentication, integrity, access control, and confidentiality. IPSec allows the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs), or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution. For IPSec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.

Q10 What secure protocols does IPSec support?

There are two protocols provided by IPSec: AH (Authentication Header, IP protocol number 51) and ESP (Encapsulating Security Payload, IP protocol number 50).

Q11 What is SA?

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use.

Q12 What is IKE?

IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN. There are two phases in every IKE negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA, and phase 2 uses that SA to negotiate SAs for IPSec.

Q13 What is Pre-Shared Key?

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called 'Pre-shared' because you have to share it with the other party before you can communicate with them over a secure connection.

Q14 What are the differences between IKE and Manual Key VPN?

The only difference between IKE and manual key is how the encryption keys and SPIs are determined. For an IKE VPN, the keys and SPIs are negotiated from one VPN gateway to the other. Afterward, the two VPN gateways use these negotiated keys and SPIs to send packets between the two networks. For a manual key VPN, the encryption key, authentication key (if needed), and SPIs are predetermined by the administrator when configuring the security association. IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly for the VPN connection.

Q15 What is Firewall?

A firewall is considered a first line of defense in protecting private information. It's a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. A firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of as two mechanisms: one to block traffic, and the other to permit traffic.

Q16 What are the basic types of Firewall?

Conceptually, there are three types of firewalls:

Packet Filtering Firewall
Application-level Firewall
Stateful Inspection Firewall

Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. This header information includes the source and destination addresses and ports of the packets.

Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of a general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by means of a proxy. A key drawback of this device is performance.

Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also 'inspect' the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency; however, they may lack the granular application-level access control or caching that some proxies support.

Q17 Why do you need a Firewall when your router has packet filtering and NAT built-in?

With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filtering and NAT restrict access to particular computers and networks, for other companies this security may be insufficient, because packet filters typically cannot maintain session state. Thus, for greater security, a firewall is considered.

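The difference between header-only packet filtering (Q16) and stateful inspection (Q17) can be shown in a few lines. This is an added example, not the vendor's code; the filter rules, address ranges and packet sequence are all constructed for illustration.

```python
# Added example, not the vendor's code: a stateless packet filter beside a
# stateful one, run over the same constructed packet sequence.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)
    inbound: bool   # True when the packet arrives from the Internet side

def stateless_filter(pkt: Packet) -> bool:
    """Header-only rule set: allow anything outbound and allow inbound
    packets that look like replies from a web server (source port 80 or
    443). It cannot tell a genuine reply from a crafted packet that
    merely carries the same ports."""
    if not pkt.inbound:
        return True
    return pkt.sport in (80, 443)

class StatefulFilter:
    """Remembers sessions opened from inside and admits an inbound packet
    only when it matches one, so a forged 'reply' is dropped."""
    def __init__(self):
        # entries are (internal ip, internal port, remote ip, remote port)
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if "S" in pkt.flags and "A" not in pkt.flags:  # new outbound SYN
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare(packets):
    """Run both filters over a packet sequence; return the two verdict lists."""
    sf = StatefulFilter()
    return ([stateless_filter(p) for p in packets],
            [sf.allow(p) for p in packets])

# Constructed traffic (documentation address ranges): an inside client opens
# an HTTPS session, the server replies, then an outside host sends a packet
# with source port 443 to a port on which nothing was opened from inside.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "S", inbound=False),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SA", inbound=True),
    Packet("198.51.100.7", 443, "10.0.0.9", 3389, "A", inbound=True),
]
```

The stateless filter admits the third packet because its header matches the "reply" rule; the stateful filter rejects it because no inside host ever opened that session.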
Q18 What is a Denial of Service (DoS) attack?

Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks:

Those that exploit bugs in a TCP/IP implementation, such as Ping of Death and Teardrop.
Those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAND attacks.
Brute-force attacks that flood a network with useless data, such as the Smurf attack.

Q19 What is Ping of Death attack?

Ping of Death uses a 'PING' utility to create an IP packet that exceeds the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot.

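The oversize packet arrives as fragments, so the defensive check belongs in reassembly: reject any fragment whose offset plus length would exceed 65535 bytes. The following is an added example, not the vendor's code; the header builder and the two sample fragments are constructed for illustration.

```python
# Added example, not the vendor's code: the reassembly sanity check that
# defeats a Ping of Death. An IPv4 fragment carries its offset within the
# datagram (in 8-byte units) and its length; if the fragment would end past
# 65535 bytes, the datagram it belongs to is illegal and the fragment must
# be discarded rather than buffered.
import struct

IP_MAX_LEN = 65535   # largest datagram the IP specification allows

def parse_fragment(header: bytes):
    """Return (identification, more_fragments, offset_bytes, payload_len)
    from a raw IPv4 header; options are skipped via the IHL field."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum,
     _src, _dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)          # MF flag
    offset = (flags_frag & 0x1FFF) * 8        # fragment offset in bytes
    return ident, more, offset, total_len - ihl

def fragment_end(header: bytes) -> int:
    """Byte position just past this fragment's data in the reassembled datagram."""
    _ident, _more, offset, payload_len = parse_fragment(header)
    return offset + payload_len

def is_oversized(header: bytes) -> bool:
    """True when accepting this fragment would build a datagram > 65535 bytes."""
    return fragment_end(header) > IP_MAX_LEN

def make_header(ident: int, more: bool, offset: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (protocol 1 = ICMP) for constructed
    test fragments; the checksum is left zero since it is not checked here."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed fragments: an ordinary last fragment of a 2920-byte datagram, and
# one positioned at the top of the offset range with enough data to push the
# reassembled datagram past the 65535-byte limit.
NORMAL_LAST = make_header(1, False, 1440, 1480)   # ends at byte 2920
POD_LAST = make_header(2, False, 65528, 1480)     # ends at byte 67008
```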
Q20 What is Brute-force attack?

A Brute-force attack, such as the 'Smurf' attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. In a Smurf attack, the attacker floods the network with packets whose destination IP address is the broadcast address of the network, so the router broadcasts the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this generates a large volume of ICMP echo traffic; the resulting ICMP traffic will not only clog up the 'intermediary' network, but will also congest the network of the spoofed source IP address, known as the 'victim' network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

Q21 What is IP Spoofing attack?

Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall.

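Both the Smurf attack (Q20) and IP Spoofing (Q21) can be caught at the perimeter with two simple checks: refuse ICMP echo requests addressed to a subnet's directed broadcast address, and refuse packets from the Internet side that claim an internal source address. This is an added example, not the vendor's code; the internal subnets and sample packets are constructed.

```python
# Added example, not the vendor's code: two perimeter checks a router or
# firewall can apply. The first flags ICMP echo requests sent to a directed
# broadcast address, the amplifier a Smurf attack relies on; the second is
# ingress filtering, which drops packets arriving from the Internet side that
# claim an internal source address. Subnets and packets are constructed.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

def is_directed_broadcast(dst: str) -> bool:
    """True when dst is the broadcast address of one of our subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)

def is_spoofed_internal(src: str, from_internet: bool) -> bool:
    """A packet from the Internet side claiming an internal source cannot
    be genuine; this is the ingress-filtering rule."""
    addr = ipaddress.ip_address(src)
    return from_internet and any(addr in net for net in INTERNAL_NETS)

def classify(pkt: dict) -> str:
    """Return 'spoofed-source', 'smurf-amplification', or 'pass'."""
    if is_spoofed_internal(pkt["src"], pkt["from_internet"]):
        return "spoofed-source"
    if (pkt["proto"] == "icmp" and pkt["icmp_type"] == 8   # echo request
            and is_directed_broadcast(pkt["dst"])):
        return "smurf-amplification"
    return "pass"

def run(packets):
    """Classify each packet in order and return the verdicts."""
    return [classify(p) for p in packets]

# Constructed packets (documentation address ranges): an ordinary echo to one
# host, an echo request to our subnet broadcast carrying a foreign (victim)
# source, and a packet from the Internet side forged with one of our addresses.
SAMPLE = [
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "icmp",
     "icmp_type": 8, "from_internet": True},
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp",
     "icmp_type": 8, "from_internet": True},
    {"src": "192.0.2.77", "dst": "192.0.2.10", "proto": "tcp",
     "icmp_type": None, "from_internet": True},
]
```

Disabling directed broadcast forwarding on the router removes the amplifier entirely; the ingress rule is what stops the spoofed source from being trusted in the first place.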
Q22 What is DMZ?

A Demilitarized Zone is used by a company that wants to host its own Internet services without allowing unauthorized access to its private network. The DMZ sits between the Internet and an internal network's line of defense, usually some combination of firewalls and bastion hosts. Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers.