Which two statements about SSL-based VPNs are true?

Which two statements about SSL-based VPNs are true? (Choose two.)
A. Asymmetric algorithms are used for authentication and key exchange.
B. SSL VPNs and IPsec VPNs cannot be configured concurrently on the same router.
C. The application programming interface can be used to modify extensively the SSL client software for use in special applications.
D. The authentication process uses hashing technologies.
E. Both client and clientless SSL VPNs require special-purpose client software to be installed on the client machine.

SHOW ANSWERS

Correct Answer: AD
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/ software/user/guide/IKE.html
Add or Edit IKE Policy
Priority
An integer value that specifies the priority of this policy relative to the other configured IKE policies. Assign the lowest numbers to the IKE policies that you prefer that the router use. The router will offer those policies first during negotiations.
Encryption
The type of encryption that should be used to communicate this IKE policy. Cisco SDM supports a variety of encryption types, listed in order of security.
The more secure an encryption type, the more processing time it requires.
Note If your router does not support an encryption type, the type will not appear in the list.
Cisco SDM supports the following types of encryption:
Data Encryption Standard (DES)–This form of encryption supports 56-bit encryption. Triple Data Encryption Standard (3DES)–This is a stronger form of encryption than DES, supporting 168-bit encryption.
AES-128–Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES. AES-192–Advanced Encryption Standard (AES) encryption with a 192-bit key. AES-256– Advanced Encryption Standard (AES) encryption with a 256-bit key.
Hash
The authentication algorithm to be used for the negotiation. There are two options:
Secure Hash Algorithm (SHA)
Message Digest 5 (MD5)
Authentication
The authentication method to be used.
Pre-SHARE. Authentication will be performed using pre-shared keys. RSA_SIG. Authentication will be performed using digital signatures.
D-H Group
Diffie-Hellman (D-H) Group. Diffie-Hellman is a public-key cryptography protocol that allows two routers to establish a shared secret over an unsecure communications channel. The options are as follows:
Group1–768-bit D-H Group. D-H Group 1.
Group2–1024-bit D-H Group. D-H Group 2. This group provides more security than group 1, but
Get Latest & Actual 640-554 Exam’s Question and Answers from Passleader.

640-554-implementing-cisco-ios-network-security-iins_img_004
http://www.passleader.com

640-554-implementing-cisco-ios-network-security-iins_img_001
requires
more processing time.
Group5–1536-bit D-H Group. D-H Group 5. This group provides more security than group 2, but requires more processing time.
If your router does not support group5, it will not appear in the list.
Easy VPN servers do not support D-H Group 1.
Lifetime This is the lifetime of the security association, in hours, minutes and seconds. The default is one day, or 24:00:00.

Leave a Reply Cancel reply