1,VPN客户端的定义
A client might also create a connection to a site, which can generally be done from anywhere that an internet connection can be made. This is especially true when connections between sites do not use dedicated connections or circuits(leased lines, frame ralay virtual circuits, ISDN, and asynchronous calls)
When a site is connected to the Internet with a DSL or cable-modem connection, or is dialed into an internet service provider(ISP) with an analog modem, a secure connection must be established from individual workstations to a branch or corporate office. VPN client software on a PC, such as Cisco VPN client, can create an encrypted tunnel from the PC to the site where the necessary resources are located
2,连线题
data integrity:the receiver can verify that the data was not altered during transmit
data confidentiality:only entities permitted to see the data will have the capability to view the data
authentication:the receiver can determine the source of the packet and certifying the source
replay protection:the receiver can verify the correct sequence of packets as they arrive
3,名词解释
IPsec defines a new set of headers to be added to IP datagrams. These new headers are placed after the outer IP header. These new headers provide information for securing the payload of the IP packet as follows:
authentication Header(AH):This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header. It does not
provide confidentiality protection. AH uses a keyed-hash function rather than digital signatures, because digital signature technology is slow and would greatly reduce network throughput.
Encapsulating security payload(ESP):This header, when added to an IP datagram,protects the confidentiality,integrity,and authenticity of the data. If ESP is used to validata data integrity, it does not include the invariant fields in the IP header.
4,CET跟IPsec的比较
Cisco Encryption Technology(CET) is a proprietary security solution introduced in Cisco IOS Release 11.2. It provides network data encryption at the IP packet level and implements the following standards:
digital signature standard(DSS)
diffie-hellman(DH)public key algorithm
data encryption standard(DES)
IPsec is a framework of open standards developed by the internet engineering task force(IETF)
that provides security for transmission of sensitive information over unprotected networks such as the internet. It acts at the network level and implements the following standards:
IPsec
Internet Key Exchange(IKE)
Data Encryption Standard(DES)
MD5
SHA
Authentication Header(AH)
Encapsulating Security Payload(ESP)
IPsec services provice a robust security solution that is standards-based. IPsec also provides
data authentication and anti-replay services in addition to data confidentiality services,
while CET provides only data confidentiality services.
5,IKE的两个阶段
IKE Phase 1:
The basic purpose of IKE phase 1 is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase 1 performs the following functions:
Authenticates and protects the identities of the IPSec peers
Negotiates a matching IKE SA policy between peers to protect the IKE exchange Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
Sets up a secure tunnel to negotiate IKE phase 2 parameters
IKE Phase 2:
The purpose of IKE phase 2 is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase 2
performs the following functions:
Negotiates IPSec SA parameters protected by an existing IKE SA
Establishes IPSec security associations
Periodically renegotiates IPSec SAs to ensure security
Optionally performs an additional Diffie-Hellman exchange
6,SA规范
IP Security(IPSec) SAs are unidrectional and are unique in each security protocol
An Internet Key Exchange(IKE) SA is used by IKE only, and unlike the IPSec SA, it is bidirectional IKE negotiates and establishes SAs on behalf of IPSec user can also establish IPSec SAs manually
7,建立反向telnet的规则
To establish a reverse Telnet session to a modem, determine the IP address of your LAN interface, then enter a telnet command to port 2000+n on the access server, where n is the line number to which the modem is connected. For example, to connect to the modem attached to line 8,enter the following command from an EXEC session on the access server:
router# telnet 192.168.1.1 2008
Trying 192.168.1.1,2008..open
8,Modem Autoconfigure的两条命令选项详解:
TYPE:This option configures modems without using modem commands, or so it is implied. The type argument declares the modem type that is defined in the modem capabilities database so that the
administrator does not have to create the modem commands
DISCOVERY:Autodiscover modem also uses the modem capabilities database, but in the case of discover, it tries each modem type in the database as it looks for the proper response to its query
9,Chat Scripts
Chat Scripts are strings of text used to send commands for modem dialing, logging onto remote systems, and initializing asynchronous devices connnected to an asychronous line. On a router, chat scripts can be configured on the auxiliary port only. A chat script must be configured to dial out on asynchronous lines. You also can configure chat scripts so that they are executed automatically for other specific events on a line, or so that they are executed manually. Each chat script is defined for a different event
10,填空题
With regards to the dialer pool, what optional keyword command can you use to resolve potential contention problems on this dialer pool?
answer:priority
阅读(1808) | 评论(0) | 转发(0) |
