Juniper Networks Certified Internet Specialist
Exam Questions, Answers,
Thanks to www.examcheats.net
for providing helpful material. Here is my contribution.
Which parameter is exchanged during Phase 2 negotiations?
C. Pre shared key
D. NAT-Traversal Data
E. Asymmetric Private Keys.
One of the most important yet overlooked aspects of
a successful VPN setup is the proxy-ID.
The proxy-ID determines which networks and services
are permitted through the VPN. A proxy-ID is made up
of the local network, the remote network and the service. Both
end points of the VPN exchange their proxy-IDs, which
must match for the Phase 2 negotiation to complete.
A proxy-ID can be extracted from a security policy if
a Policy-based VPN is being used, because the necessary proxy-ID
information already resides in the policy (source, destination
and service). When a Route-based VPN is configured,
a policy may not be necessary, and even when one exists it may not
contain the correct information from which to create the
proxy-ID. As a result, the proxy-ID must always be manually
entered when configuring Route-based VPNs.
!! Manually specifying a proxy-ID in a Policy-based
VPN scenario will overwrite
the proxy-ID automatically obtained from the security policy.
From our previous discussion you already know that phase
1 negotiations consist of exchanging proposals on how
to authenticate and secure the communications channel.
Phase 1 exchanges can be done in two modes: main mode
or aggressive mode.
In main mode, three two-way exchanges, or six total
messages, are exchanged. During a main mode conversation,
the following is accomplished:
_ First exchange Encryption and authentication algorithms
for communications are proposed and accepted.
_ Second exchange A Diffie-Hellman exchange is done.
Each party exchanges a randomly generated number, or
_ Third exchange Identities of each party are exchanged
In the third exchange, identities are not passed in
the clear. The identities are protected by the encryption
algorithm agreed upon in the exchange of the first two
sets of messages.
In aggressive mode, the same principal objectives are
completed, but in a much shorter conversation.
Phase 1 negotiations in aggressive mode only require
two exchanges, for a total of three
messages. An aggressive mode conversation
follows this pattern:
_ First message The initiating party proposes the security
association, starts a Diffie-Hellman exchange, and sends
its nonce and IKE identity to the intended recipient.
_ Second message During the second message, the recipient
accepts the proposed security association, authenticates
the initiating party, sends its generated nonce, IKE
identity, and its certificate if certificates are being
_ Third message During the third message, the initiator
authenticates the recipient, confirms the exchange,
and if using certificates, sends its certificate.
In an aggressive mode exchange, the identities of the communicating
parties are not protected. This is because the identities
are sent during the first two messages exchanged prior
to the tunnel being secured. It is also important to
note that a dialup VPN user must use aggressive mode
to establish an IKE tunnel.
Notes from the Underground...
What is Diffie-Hellman?
The Diffie-Hellman (DH) key exchange protocol, invented
in 1976 by Whitfield Diffie and Martin Hellman, is a
protocol allowing two parties to generate shared secrets
and exchange communications over an insecure medium
without having any prior shared secrets. The Diffie-Hellman
protocol consists of five groups whose moduli are of varying
strength. Most VPN gateways support DH Groups 1 and 2.
NetScreen appliances, however, support groups 1, 2,
and 5. The Diffie-Hellman protocol alone is susceptible
to man-in-the-middle attacks, however. Although the
risk of an attack is low, it is recommended that you
enable Perfect Forward Secrecy (PFS) as added security
when defining VPN tunnels on your NetScreen appliance.
For more information on the Diffie-Hellman protocol,
see www.rsasecurity.com/rsalabs/node.asp?id=2248 and
RFC 2631 at ftp://ftp.rfc-editor.org/in-notes/rfc2631.txt
Once phase 1 negotiations have been completed and a
secure tunnel has been established, phase 2 negotiations
begin. During phase 2, negotiation of security associations
of how to secure the data being transmitted across the
tunnel is completed.
Phase 2 negotiations always involve the exchange of
Phase 2 proposals include encryption and authentication
algorithms, as well as a security protocol. The security
protocol can be either ESP or AH. Phase 2 proposals
can also specify whether or not to use PFS and which Diffie-Hellman
group to employ. PFS is a method used to derive keys
that have no relation to any previous keys. Without PFS,
phase 2 keys are generally derived from the phase 1
SKEYID_d key. If an attacker were to acquire the SKEYID_d
key, all keys derived from it could be compromised.
During phase 2 each side also offers its proxy ID. Proxy
IDs are simply the local IP, the remote IP, and the
service. Both proxy IDs must match. For example, if
22.214.171.124 and 126.96.36.199 are using the SMTP (Simple Mail
Transfer Protocol) service, then the proxy ID for 188.8.131.52
would be 184.108.40.206-220.127.116.11-25 and for 18.104.22.168 it would
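To make the mirroring rule concrete, here is an added Python checker (not from the exam material or from ScreenOS) that renders a proxy-ID in the text's local-remote-port notation and lists every reason two ends' proxy-IDs would fail to match in Phase 2. The sample values are constructed from the addresses above, and the 0.0.0.0/0 catch-all used for the route-based peer is an assumed default.

```python
import ipaddress
from dataclasses import dataclass

ANY = 0  # wildcard value for protocol or port, meaning "any"


@dataclass(frozen=True)
class ProxyId:
    """One end's proxy-ID: local network, remote network and service."""
    local: str            # local network in CIDR notation
    remote: str           # remote network in CIDR notation
    protocol: int = ANY   # IP protocol number (6 = TCP); 0 = any
    port: int = ANY       # destination port; 0 = any


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def render(pid: ProxyId) -> str:
    """Render the ID in the 'local-remote-port' notation used in the text."""
    def show(n):  # a host route prints as a bare address, a subnet as CIDR
        return str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
    port = "any" if pid.port == ANY else str(pid.port)
    return f"{show(_net(pid.local))}-{show(_net(pid.remote))}-{port}"


def phase2_mismatches(initiator: ProxyId, responder: ProxyId) -> list:
    """Return every reason the two proxy-IDs do not mirror each other.
    Empty list = the Phase 2 proxy-ID check can complete: the initiator's
    local network must be the responder's remote network (and vice versa)
    and the service must be identical on both ends."""
    problems = []
    if _net(initiator.local) != _net(responder.remote):
        problems.append(f"initiator local {initiator.local} != responder remote {responder.remote}")
    if _net(initiator.remote) != _net(responder.local):
        problems.append(f"initiator remote {initiator.remote} != responder local {responder.local}")
    if initiator.protocol != responder.protocol:
        problems.append(f"protocol {initiator.protocol} != {responder.protocol}")
    if initiator.port != responder.port:
        problems.append(f"port {initiator.port} != {responder.port}")
    return problems


# Constructed sample: the SMTP pair from the text, plus a route-based peer whose
# proxy-ID was left at the catch-all default (assumed: 0.0.0.0/0, any service).
SITE_A = ProxyId("22.214.171.124/32", "126.96.36.199/32", protocol=6, port=25)
SITE_B = ProxyId("126.96.36.199/32", "22.214.171.124/32", protocol=6, port=25)
SITE_B_CATCHALL = ProxyId("0.0.0.0/0", "0.0.0.0/0")

if __name__ == "__main__":
    print(render(SITE_A), phase2_mismatches(SITE_A, SITE_B_CATCHALL))
```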
Damage & Defense...
Key Lifetime - Short vs Long and PFS
When planning your VPN deployment, consideration should
be given to the key lifetime and perfect forward secrecy
in relation to security. Since enabling PFS requires
additional processing time and resources some administrators
choose not to use it, instead opting for a shorter key
lifetime. This, however, can be a bad practice. If a
successful man-in-the-middle attack were able to discover
the SKEYID_d key, all keys derived from this key could
be compromised. Enabling PFS, even with a longer key
life, is actually a more secure practice than having
a short key life with no PFS.
What two (2) statements are correct when manage-ip and
manager-ip settings are configured properly?
A. manage-ip is configured for each zone
B. manager-ip is configured for each zone
C. manage-ip limits who can manage a NetScreen device
D. manager-ip limits who can manage a NetScreen device.
E. manage-ip is never used as a source address for traffic
initiated by the NetScreen device
You suspect that there has been an increase in the number
of multiple user authentication failures. What Severity
level would you search for in the logs to see this event?
Emergency: Includes attacks like SYN Attacks, Ping of
Death, and Teardrop attacks.
Alert: Multiple user authentication errors and attacks
not classified as emergency.
Critical: Traffic alarms, changes to high availability
status, blocked URLs (Uniform Resource Locators).
Error: Events like admin name and password changes.
Warning: Logon failures, authentication failures, administrators
that have logged on.
Notification: Changes to link status and traffic logs.
Information: Events not included in other categories.
Debugging: Logs associated with debugging.
You suspect you are having encryption problems with
an IKE VPN. Which commands will allow you to see failed
A. get counter screen <zone>
B. get counter flow interface<name>
C. get counter policy<policy number>
D. get counter statistics interface <name>
What three (3) steps should be taken to secure management
access to the NetScreen device?
A. Set ping off
B. Enable SSH/SSL
C. Define Permitted IP
D. Set WebAuth values
E. Change name and password on the root administrator
IP Classification: This option is used with virtual systems
only. If this option is selected, the firewall will
associate all traffic with this zone to a particular
WebUI (layer two zones only): Selecting this option enables
management for the WebUI on this zone.
SNMP (layer two zones only): Select this option to enable
SNMP (Simple Network Management Protocol) services on
Telnet (layer two zones only): Select this option to
enable Telnet management on this zone.
SSL (layer two zones only): Selecting this option enables
SSL WebUI management on this zone.
Secure management.
SSH (layer two zones only): Selecting this option enables
SSH management on this zone. Secure management.
NSM (layer two zones only): Selecting this option enables
NSM management on this zone.
Ping (layer two zones only): Selecting this option enables
ping from the firewall in this zone.
Ident-reset (layer two zones only): Some services such
as SMTP and FTP send an ident, or identification request.
If you have Ident-reset enabled, it will reset this
ident request and allow you access to that service.
WebAuth (layer two zones only): Selecting this option
enables web authentication when passing through the
interface that this zone is bound to.
You want to be able to monitor traffic directed at the
Netscreen device itself. Once you configure this option,
what command will allow you to view the log information?
A. get event
B. get log self
C. get log event
D. get log traffic
NetScreen devices generate SNMP traps when which events
occur? (Select three (3) answers)
A. cold starts
B. traffic alarms
C. warm reboots
D. traffic log events
E. self log events occur
Simple Network Management Protocol allows remote administrators
to view data statistics on a NetScreen device. It also
allows a NetScreen device to send information to a central
server. NetScreen firewalls support SNMPv1 and SNMPv2c.
They also support the MIB II, or Management Information
Base two, standard groups. The SNMP agent supports sending
the following traps:
Cold Start Trap
Trap for SNMP Authentication Failure
Traps for System Alarms
Traps for Traffic Alarms
By default, the SNMP manager has no configuration. This
prevents unauthorized viewing of the system based upon
default parameters. To configure your NetScreen device
for SNMP you must configure community strings, SNMP
host addresses, and permissions. In our configuration
example we will first set up the basic system information,
then we will create a new community. This can be done
from both the WebUI and the CLI. You can create up to
three communities with up to eight IP ranges in each.
An IP range can consist of a single host or a network.
If you configure a network those defined IP addresses
can only poll the device and not
Which three (3) elements are required to build a route-based
a. CREATE ROUTES
b. CREATE POLICIES
c. CREATE TUNNEL INTERFACES
d. CREATE ADDRESS BOOK ENTRIES
e. BIND VPN TO TUNNEL INTERFACES
Route-based VPNs, like policy-based VPNs, can also use
either manual key or autokey IKE, but are configured
and function somewhat differently. Route-based VPNs
do not make reference to a tunnel object, but rather
the destination address of the traffic. When the NetScreen
appliance performs a route lookup to see which interface
it should use to send the traffic, it sees there is
a route through a tunnel interface that is bound to
a VPN tunnel and uses that interface to deliver the
There are some advantages to using a route-based VPN.
Using route-based VPNs is a good way to conserve system
resources. Unlike policy-based VPNs, you can configure
multiple policies that allow or deny specific traffic
to flow through a route-based VPN, and all of these
policies will use a single security association.
Route-based VPNs also offer the ability to exchange
dynamic routing information, such as border gateway
protocol (BGP), on the tunnel interface.
Route-based VPNs allow you to create policies that have
an action of deny, unlike policy-based VPNs.
Route-based VPNs also have different limitations than
policy-based VPNs. With route-based VPNs, you are limited
by one of two things: the number of route entries your
appliance supports, or the number of tunnel interfaces
your appliance supports, whichever of the two is the
Which statement is most correct in explaining weights
and their use in this redundant VPN configuration?
Member 1 weight 3
Member 2 weight 2
Member 3 weight 1
A. Weight is not a valid configuration option for Redundant
B. Weight is a distribution factor, Member 2 will carry
10 times the traffic of Member .
C. Weight is used to determine which VPN in the Group
carries traffic, Member 2 will carry the traffic.
D. Weight is used to determine which VPN in the group
carries traffic, member 1 will carry the traffic.
E. Weight is a distribution value, Member 1 will carry
the most traffic, while member 2 will carry 1/10 that
Your VPN device has a dynamic address, and does not
use an FQDN. Which three (3) do you need to configure
on your device for a successful Phase I connection to
B. Peer id
C. Local id
D. Main mode
E. Aggressive mode
F. Static-ip of remote IKE peer
Situations arise when a remote site does not have a
static IP address (typical for home or small office
sites). As a result, it is not possible to define the
remote gateway's IP address for the purpose of VPN tunnel
establishment. NetScreen firewalls provide a solution
for this through the use of local and peer IDs.
By configuring a local ID on the initiating device with
the dynamic IP address, the device presents this information
to the recipient device when attempting to establish
Phase 1 negotiation. The recipient device is configured
to recognise this through a peer ID, and as a result,
can accept the initiator's current IP address.
! The Phase 1 mode of VPNs with Dynamic Peers must be
set to aggressive.
Which two (2) statements regarding Certificate Revocation
Lists are correct?
A. The CRL is time stamped to identify revoked certificates
B. CRLs are maintained by independent agents to ensure
C. A CRL contains the names and IP addresses of Certificates
that have been revoked by the CA
D. New CRLs are issued on a regular, periodic basis,
which could be hourly, daily, weekly