Dumper: Talbot
Braindumps of JN0-530
Juniper Networks Certified Internet Specialist

Exam Questions, Answers, Braindumps (JN0-530)

Thanks to www.examcheats.net for providing helpful material. Here is my contribution.

QUESTION 1
Which parameter is exchanged during Phase 2 negotiations?
A. Proxy-id
B. Certificates
C. Pre-shared key
D. NAT-Traversal Data
E. Asymmetric Private Keys.
Answer: A
Proxy-IDs
One of the most important yet overlooked aspects of a successful VPN setup is the proxy-ID.
The proxy-ID determines which networks and services are permitted through the VPN. A proxy-ID is made up of the local network, the remote network and the service. Both end points of the VPN exchange their proxy-IDs, and these must match for the Phase 2 negotiation to complete. When a Policy-based VPN is used, the proxy-ID can be extracted from the security policy, because the necessary information (source, destination and service) already resides in the policy. When a Route-based VPN is configured, a policy may not be necessary, and even if one exists it may not contain the correct information with which to build the proxy-ID. As a result, the proxy-ID must always be entered manually when configuring Route-based VPNs.
!! Manually specifying a proxy-ID in a Policy-based VPN scenario will overwrite the proxy-ID automatically obtained from the security policy.
Phase 1
From our previous discussion you already know that phase 1 negotiations consist of exchanging proposals on how to authenticate and secure the communications channel. Phase 1 exchanges can be done in two modes: main mode or aggressive mode.
In main mode, three two-way exchanges, or six total messages, are exchanged. During a main mode conversation, the following is accomplished:
- First exchange: Encryption and authentication algorithms for communications are proposed and accepted.
- Second exchange: A Diffie-Hellman exchange is done. Each party exchanges a randomly generated number, or nonce.
- Third exchange: Identities of each party are exchanged and verified.
NOTE
In the third exchange, identities are not passed in the clear. The identities are protected by the encryption algorithm agreed upon in the exchange of the first two sets of messages.
In aggressive mode, the same principal objectives are accomplished, but in a much shorter conversation. Phase 1 negotiations in aggressive mode require only two exchanges, for a total of three messages. An aggressive mode conversation follows this pattern:
- First message: The initiating party proposes the security association, starts a Diffie-Hellman exchange, and sends its nonce and IKE identity to the intended recipient.
- Second message: The recipient accepts the proposed security association, authenticates the initiating party, and sends its generated nonce, its IKE identity, and its certificate if certificates are being used.
- Third message: The initiator authenticates the recipient, confirms the exchange, and, if certificates are being used, sends its certificate.
In an aggressive mode exchange, the identities of the communicating parties are not protected. This is because the identities are sent in the first two messages, before the tunnel has been secured. It is also important to note that a dialup VPN user must use aggressive mode to establish an IKE tunnel.
Notes from the Underground...
What is Diffie-Hellman?
The Diffie-Hellman (DH) key exchange protocol, invented in 1976 by Whitfield Diffie and Martin Hellman, allows two parties to generate shared secrets and exchange communications over an insecure medium without having any prior shared secrets. The Diffie-Hellman protocol defines five groups, each using a modulus of a different strength. Most VPN gateways support DH Groups 1 and 2. NetScreen appliances, however, support groups 1, 2, and 5. The Diffie-Hellman protocol alone is susceptible to man-in-the-middle attacks, however. Although the risk of an attack is low, it is recommended that you enable Perfect Forward Secrecy (PFS) as added security when defining VPN tunnels on your NetScreen appliance. For more information on the Diffie-Hellman protocol, see www.rsasecurity.com/rsalabs/node.asp?id=2248 and RFC 2631 at ftp://ftp.rfc-editor.org/in-notes/rfc2631.txt
Phase 2
Once phase 1 negotiations have been completed and a secure tunnel has been established, phase 2 negotiations begin. During phase 2, the security associations that govern how the data transmitted across the tunnel is secured are negotiated.
Phase 2 negotiations always involve the exchange of three messages.
Phase 2 proposals include encryption and authentication algorithms, as well as a security protocol. The security protocol can be either ESP or AH. Phase 2 proposals can also specify whether or not to use PFS and which Diffie-Hellman group to employ. PFS is a method used to derive keys that have no relation to any previous keys. Without PFS, phase 2 keys are generally derived from the phase 1 SKEYID_d key. If an attacker were to acquire the SKEYID_d key, all keys derived from this key could be compromised. During phase 2 each side also offers its proxy ID. Proxy IDs are simply the local IP, the remote IP, and the service. Both proxy IDs must match. For example, if 1.1.1.1 and 2.2.2.2 are using the SMTP (Simple Mail Transfer Protocol) service, then the proxy ID for 1.1.1.1 would be 1.1.1.1-2.2.2.2-25 and for 2.2.2.2 it would be 2.2.2.2-1.1.1.1-25.
Damage & Defense...
Key Lifetime - Short vs Long and PFS
When planning your VPN deployment, consideration should be given to the key lifetime and perfect forward secrecy in relation to security. Since enabling PFS requires additional processing time and resources, some administrators choose not to use it, instead opting for a shorter key lifetime. This, however, can be a bad practice. If a successful man-in-the-middle attack were able to discover the SKEYID_d key, all keys derived from this key could be compromised. Enabling PFS, even with a longer key lifetime, is actually a more secure practice than having a short key lifetime with no PFS.
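The Phase 2 passage and the Key Lifetime note above both rest on one fact: without PFS every Phase 2 key is a function of SKEYID_d plus values that travel in the clear. This added example (not from the original material or from Juniper) models the RFC 2409 KEYMAT derivation in simplified form and shows that an attacker holding SKEYID_d reconstructs the non-PFS key exactly, while the PFS key needs the fresh Quick Mode Diffie-Hellman secret that never crosses the wire. The 127-bit group and HMAC-SHA256 prf are constructed stand-ins for the real IKE groups and negotiated prf.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for speed; real IKE uses the MODP
# groups of RFC 2409 (NetScreen supports groups 1, 2 and 5).
P = 2**127 - 1  # Mersenne prime, so every 16-byte value fits
G = 3

def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(priv, peer_pub):
    """Shared secret g^xy mod p as 16 bytes; both parties obtain the same value."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def prf(key, data):
    # IKE uses the negotiated prf; HMAC-SHA256 stands in for it here (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()

def phase2_keymat(skeyid_d, protocol, spi, ni, nr, pfs_secret=b""):
    """Simplified RFC 2409 KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, pfs_secret + protocol + spi + ni + nr)

def simulate(pfs):
    """Run Phase 1 then one Phase 2 SA; return (gateway key, attacker's reconstruction)."""
    # Phase 1: the DH exchange yields SKEYID_d (derivation details simplified).
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    skeyid_d = prf(dh_shared(xi, gr), b"SKEYID_d")
    # Phase 2 values visible on the wire: protocol (3 = ESP), SPI and both nonces.
    protocol, spi = b"\x03", b"\x00\x00\x00\x01"
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    pfs_secret = b""
    if pfs:
        # PFS: a fresh DH exchange inside Quick Mode; only qi and qr cross the wire.
        yi, qi = dh_keypair()
        yr, qr = dh_keypair()
        pfs_secret = dh_shared(yi, qr)
        assert pfs_secret == dh_shared(yr, qi)
    sa_key = phase2_keymat(skeyid_d, protocol, spi, ni, nr, pfs_secret)
    # The attacker from the text: holds SKEYID_d plus everything captured on the
    # wire, but cannot derive g^xy from the public values alone (discrete log).
    attacker_key = phase2_keymat(skeyid_d, protocol, spi, ni, nr)
    return sa_key, attacker_key
```

Shortening the key lifetime only bounds how much traffic one compromised SKEYID_d exposes; enabling PFS makes each Phase 2 key independent of it.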

QUESTION 2
What two (2) statements are correct when the manage-ip and manager-ip settings are configured properly?
A. manage-ip is configured for each zone
B. manager-ip is configured for each zone
C. manage-ip limits who can manage a NetScreen device
D. manager-ip limits who can manage a NetScreen device.
E. manage-ip is never used as a source address for traffic initiated by the NetScreen device
Answer: D,E
QUESTION 3
You suspect that there has been an increase in the number of multiple user authentication failures. What Severity level would you search for in the logs to see this event?
A. Alert
B. Critical
C. Warning
D. Emergency
E. Notifications
Answer: A
Security Levels:
- Emergency: Includes attacks like SYN Attacks, Ping of Death, and Teardrop attacks.
- Alert: Multiple user authentication errors and attacks not classified as emergency.
- Critical: Traffic alarms, changes to high availability status, blocked URLs (Uniform Resource Locators).
- Error: Events like admin name and password changes.
- Warning: Logon failures, authentication failures, administrators that have logged on.
- Notification: Changes to link status and traffic logs.
- Information: Events not included in other categories.
- Debugging: Logs associated with debugging.
(Source: www.syngress.com)
QUESTION 4
You suspect you are having encryption problems with an IKE VPN. Which commands will allow you to see failed encryption attempts?
A. get counter screen <zone>
B. get counter flow interface <name>
C. get counter policy <policy number>
D. get counter statistics interface <name>
Answer: B,D
QUESTION 5
What three(3) steps should be taken to secure management access to the NetScreen device?
A. Set ping off
B. Enable SSH/SSL
C. Define Permitted IP
D. Set WebAuth values
E. Change name and password on the root administrator account.
Answer: A,C,E
- IP Classification: This option is used with virtual systems only. If this option is selected, the firewall will associate all traffic with this zone to a particular virtual system.
- WebUI (layer two zones only): Selecting this option enables management for the WebUI on this zone.
- SNMP (layer two zones only): Select this option to enable SNMP (Simple Network Management Protocol) services on this zone.
- Telnet (layer two zones only): Select this option to enable Telnet management on this zone.
- SSL (layer two zones only): Selecting this option enables SSL WebUI management on this zone. Secure management.
- SSH (layer two zones only): Selecting this option enables SSH management on this zone. Secure management.
- NSM (layer two zones only): Selecting this option enables NSM management on this zone.
- Ping (layer two zones only): Selecting this option enables ping from the firewall in this zone.
- Ident-reset (layer two zones only): Some services such as SMTP and FTP send an ident, or identification request. If you have Ident-reset enabled, it will reset this ident request and allow you access to that service.
- WebAuth (layer two zones only): Selecting this option enables web authentication when passing through the interface that this zone is bound to.
QUESTION 6
You want to be able to monitor traffic directed at the NetScreen device itself. Once you configure this option, what command will allow you to view the log information?
A. get event
B. get log self
C. get log event
D. get log traffic
Answer: B
QUESTION 7
NetScreen devices generate SNMP traps when which events occur? (Select three (3) answers)
A. cold starts
B. traffic alarms
C. warm reboots
D. traffic log events
E. self log events occur
Answer: A,B,C
Simple Network Management Protocol allows remote administrators to view data statistics on a NetScreen device. It also allows a NetScreen device to send information to a central server. NetScreen firewalls support SNMPv1 and SNMPv2c. They also support the MIB II (Management Information Base II) standard groups. The SNMP agent supports sending the following traps:
Cold Start Trap
Trap for SNMP Authentication Failure
Traps for System Alarms
Traps for Traffic Alarms
By default, the SNMP manager has no configuration. This prevents unauthorized viewing of the system based upon default parameters. To configure your NetScreen device for SNMP you must configure community strings, SNMP host addresses, and permissions. In our configuration example we will first set up the basic system information, then we will create a new community. This can be done from both the WebUI and the CLI. You can create up to three communities with up to eight IP ranges in each. An IP range can consist of a single host or a network. If you configure a network those defined IP addresses can only poll the device and not
QUESTION 8
Which three (3) elements are required to build a route-based VPN?
A. Create routes
B. Create policies
C. Create tunnel interfaces
D. Create address book entries
E. Bind VPN to tunnel interfaces
Answer: A,C,E
Route-based VPNs
Route-based VPNs, like policy-based VPNs, can also use either manual key or autokey IKE, but are configured and function somewhat differently. Route-based VPNs do not make reference to a tunnel object, but rather the destination address of the traffic. When the NetScreen appliance performs a route lookup to see which interface it should use to send the traffic, it sees there is a route through a tunnel interface that is bound to a VPN tunnel and uses that interface to deliver the traffic.
There are some advantages to using a route-based VPN. Using route-based VPNs is a good way to conserve system resources. Unlike policy-based VPNs, you can configure multiple policies that allow or deny specific traffic to flow through a route-based VPN, and all of these policies will use a single security association.
Route-based VPNs also offer the ability to exchange dynamic routing information, such as border gateway protocol (BGP), on the tunnel interface.
Route-based VPNs allow you to create policies that have an action of deny, unlike policy-based VPNs.
Route-based VPNs also have different limitations than policy-based VPNs. With route-based VPNs, you are limited by one of two things: the number of route entries your appliance supports, or the number of tunnel interfaces your appliance supports, whichever of the two is the smaller.
QUESTION 9
Which statement is most correct in explaining weights and their use in this redundant VPN configuration?
Member 1 weight 3
Member 2 weight 2
Member 3 weight 1
A. Weight is not a valid configuration option for Redundant VPNs.
B. Weight is a distribution factor, Member 2 will carry 10 times the traffic of Member .
C. Weight is used to determine which VPN in the Group carries traffic, Member 2 will carry the traffic.
D. Weight is used to determine which VPN in the group carries traffic, member 1 will carry the traffic.
E. Weight is a distribution value, Member 1 will carry the most traffic, while member 2 will carry 1/10 that amount.
Answer: D
QUESTION 10
Your VPN device has a dynamic address, and does not use an FQDN. Which three (3) do you need to configure on your device for a successful Phase I connection to your peer?
A. DNS
B. Peer id
C. Local id
D. Main mode
E. Aggressive mode
F. Static-ip of remote IKE peer
Answer: A,C,E
Dynamic Peers
Situations arise when a remote site does not have a static IP address (typical for home or small office sites). As a result, it is not possible to define the remote gateway's IP address for the purpose of VPN tunnel establishment. NetScreen firewalls provide a solution for this through the use of local and peer IDs.
By configuring a local ID on the initiating device with the dynamic IP address, the device presents this information to the recipient device when attempting to establish Phase 1 negotiation. The recipient device is configured to recognise this through a peer ID, and as a result can accept the initiator's current IP address.
! The Phase 1 mode of VPNs with Dynamic Peers must be set to aggressive.
QUESTION 11
Which two (2) statements regarding Certificate Revocation Lists are correct?
A. The CRL is time stamped to identify revoked certificates
B. CRLs are maintained by independent agents to ensure accuracy
C. A CRL contains the names and IP addresses of Certificates that have been revoked by the CA
D. New CRLs are issued on a regular, periodic basis, which could be hourly, daily, weekly
Answer: A,D