Juniper Networks Certified Internet Specialist
Exam Questions, Answers,
Thanx to www.examscheets.com
for providing helpful material.Here is my contribution.
Which parameter is exchanged during Phase 2 negotiations?
C. Pre shared key
D. NAT-Trnsversal Data
E. Asymmetric Private Keys.
One of the most important yet overlooked aspects of
a successful VPN setup is the proxy-ID.
The proxy-ID determines which networks and services
are permitted through the VPN. A proxy-ID is made
up of the local network, remote network and service.
Both end points of the VPN exchange their proxy-ID
which needs to match for the Phase 2 negotiation to
be complete. A proxy-ID can be extracted from a security
policy if a Policy-based VPN is being used as the
necessary proxy-ID information resides in the policy
(source, destination and service). When a Route-based
VPN is configured, a policy may not be necessary,
and if so, may not necessarily contain the correct
information in which to create the proxy-ID. As a
result, the proxy-ID must always be manually entered
when configuring Route-based VPNs.
!! Manually specifying a proxy-ID in a Policy-based
VPN scenario will overwrite
theproxy-ID automatically obtain from the security
From our previous discussion you already know that
phase 1 negotiations consist of exchanging proposals
on how to authenticate and secure the communications
channel. Phase 1 exchanges can be done in two modes:
main mode or aggressive mode.
In main mode, three two-way exchanges, or six total
messages, are exchanged. During a main mode conversation,
the following is accomplished:
_ First exchange Encryption and authentication algorithms
for communications are proposed and accepted.
_ Second exchange A Diffie-Hellman exchange is done.
Each party exchanges a randomly generated number,
_ Third exchange Identities of each party are exchanged
In the third exchange, identities are not passed in
the clear. The identities are protected by the encryption
algorithm agreed upon in the exchange of the first
two sets of messages.
In aggressive mode, the same principle objectives
are completed, but are done so in a much shorter conversation.
Phase 1 negotiations in aggressive mode only require
that two exchanges be made, and that a total of three
messages are exchanged. An aggressive mode conversation
follows the following pattern:
_ First message The initiating party proposes the
security association, starts a Diffie-Hellman exchange,
and sends its nonce and IKE identity to the intended
_ Second message During the second message, the recipient
accepts the proposed security association, authenticates
the initiating party, sends its generated nonce, IKE
identity, and its certificate if certificates are
_ Third message During the third message, the initiator
authenticates the recipient, confirms the exchange,
and if using certificates, sends its certificate.
In an aggressive mode exchange, the identities of
communicating parties are not protected.This is because
the identities are sent during the first two messages
exchanged prior to the tunnel being secured. It is
also important to note that a dialup VPN user must
use aggressive mode to establish an IKE tunnel.
Notes from the Underground...
What is Diffie-Hellman?
The Diffie-Hellman (DH) key exchange protocol, invented
in 1976 by Whitfield Diffie and Martin Hellman, is
a protocol allowing two parties to generate shared
secrets and exchange communications over an insecure
medium without having any prior shared secrets. The
Diffie-Hellman protocol is consists of five groups
of varying strength modulus. Most VPN gateways support
DH Groups 1 and 2. NetScreen appliances, however,
support groups 1, 2, and 5. The Diffie-Hellman protocol
alone is susceptible to man-in-the-middle attacks,
however. Although the risk of an attack is low, it
is recommended that you enable Perfect Forward Secrecy
(PFS) as added security when defining VPN tunnels
on your NetScreen appliance. For more information
on the Diffie-Hellman protocol, see www.rsasecurity.com/rsalabs/node.asp?id=2248
and RFC 2631 at ftp://ftp.rfc-editor.org/in-notes/rfc2631.txt
Once phase 1 negotiations have been completed and
a secure tunnel has been established, phase 2 negotiations
begin. During phase 2, negotiation of security associations
of how to secure the data being transmitted across
the tunnel is completed.
Phase 2 negotiations always involve the exchange of
Phase 2 proposals include encryption and authentication
algorithms, as well as a security protocol.The security
protocol can either be ESP or AH. Phase 2 proposals
can also specify whether or not to use PFS and a Diffie-Hellman
group to employ. PFS is a method used to derive keys
that have no relation to any previous keys.Without
PFS, phase 2 keys are generally derived from the phase
1 SKEYID_d key. If an attacker was to acquire the
SKEYID_d key, all keys derived from this key could
be compromised. During phase 2 each side also offers
its proxy ID. Proxy IDs are simply the local IP, the
remote IP, and the service. Both proxy IDs must match.
For example, if 22.214.171.124 and 126.96.36.199 are using the
SMTP (Simple Mail Transfer Protocol) service, then
the proxy ID for 188.8.131.52 would be 184.108.40.206-220.127.116.11-25
and for 18.104.22.168 it would be 22.214.171.124-126.96.36.199-25.
Damage & Defense...
Key Lifetime - Short vs Long and PFS
When planning your VPN deployment, consideration should
be given to the key lifetime and perfect forward secrecy
in relation to security. Since enabling PFS requires
additional processing time and resources some administrators
choose not to use it, instead opting for a shorter
key lifetime. This, however, can be a bad practice.
If a successful man-in-themiddle attack were able
to discover the SKEYID_d key, all keys derived from
this key could be compromised. Enabling PFS, even
with a longer key life, is actually a more secure
practice than having a short key life with no PFS.
What two(2) statements are correct when manage-ip
and manager-ip seting are configured properly?
A. manage-ip is configured for each zone
B. manager-ip is configured for each zone
C. manage-ip limits who can manage a NetScreen device
D. manager-ip limits who can manage a NetScreen device.
E. manage-ip is never used as a source address for
traffic imitated by the NetScreen device
You suspect that there has been an increase in the
number of multiple user authentication failures. What
Severity level would you search for in the logs to
see this event?
Emergency Includes attacks like SYN Attacks, Ping
of Death, and Teardrop attacks.
Alert Multiple user authentication errors and attacks
not classified as emergency.
Critical Traffic alarms, changes to high availability
status, blocked URLs (Uniform Resource Locators).
Error Events like admin name and password changes.
Warning Logon failures, authentication failures, administrators
that have logged on.
Notification Changes to link status and traffic logs.
Information Events not included in other categories.
Debugging Logs associated with debugging.
You suspect you are having encryption problems with
an IKE VPN. Which commands will allow you to see failed
A. get counter screen <zone>
B. get counter flow interface<name>
C. get counter policy<policy number>
D. get counter statistics interface <name>
What three(3) steps should be taken to secure management
access to the NetScreen device?
A. Set ping off
B. Enable SSH/SSL
C. Define Permitted IP
D. Set WebAuth values
E. Change name and password on the root administrator
IP Classification This option is used with virtual
systems only. If this option is selected, the firewall
will associate all traffic with this zone to a particular
WebUI(layer two zones only) Selecting this option
enables management for the WebUI on this zone.
SNMP (layer two zones only) Select this option to
enable SNMP (Simple Network Management Protocol) services
on this zone.
Telnet (layer two zones only) Select this option to
enable Telnet management on this zone.
SSL (layer two zones only) Selecting this option enables
SSL WebUI management on this zone.
Secure management .
SSH (layer two zones only) Selecting this option enables
SSH management on this zone. Secure management .
NSM (layer two zones only) Selecting this option enables
NSM management on this zone.
Ping (layer two zones only) Selecting this option
enables ping from the firewall in this zone.
Ident-reset (layer two zones only) Some services such
as SMTP and FTP send an ident, or identification request.
If you have Ident-reset enabled, it will reset this
ident request and allow you access to that service.
WebAuth(layer two zones only) Selecting this option
enables web authentication when passing through the
interface that this zone is bound to.
You want to be able to monitor traffic directed at
the Netscreen device itself. Once you configure this
option, what command will allow you to view the log
A. get event
B. get log self
C. get log event
D. get log traffic
NetScreen devices generate SNMP traps when which events
occur? (Select three(3) answer)
A. cold starts
B. traffic alarms
C. warm reboots
D. traffic log events
E. self log events occur
Simple Network Management Protocol allowsremote administrators
to view data statistics on a NetScreen device. It
also allows a NetScreen device to send information
to a central server. NetScreen firewalls support SNMPv1
and SNMPv2c. It also supports the MIB II, or Management
Information Base two standard groups.The SNMP agent
supports sending the following traps:
Cold Start Trap
Trap for SNMP Authentication Failure
Traps for System Alarms
Traps for Traffic Alarms
By default, the SNMP manager has no configuration.This
prevents unauthorized viewing of the system based
upon default parameters.To configure your NetScreen
device for SNMP you must configure community strings,
SNMP host addresses, and permissions. In our configuration
example we will first set up the basic system information,
then we will create a new community.This can be done
from both the WebUI and the CLI.You can create up
to three communities with up to eight IP ranges in
each. An IP range can consist of a single host or
a network. If you configure a network those defined
IP addresses can only poll the device and not
Which three (3) elements are required to build a route-based
a. CREATE ROUTES
b. CREATE POLICIES
c. CREATE TUNNEL INTERFACES
d. CREATE ADDRESS BOOK ENTRIES
e. BIND VPN TO TUNNEL INTERFACES
Route-based VPNs, like policy-based VPNs, can also
use either manual key or autokey IKE, but are configured
and function somewhat differently. Route-based VPNs
do not make reference to a tunnel object, but rather
the destination address of the traffic. When the NetScreen
appliance performs a route lookup to see which interface
it should use to send the traffic, it sees there is
a route through a tunnel interface that is bound to
a VPN tunnel and uses that interface to deliver the
There are some advantages to using a route-based VPN.
Using route-based VPNs is a good way to conserve system
resources. Unlike policy-based VPNs, you can configure
multiple policies that allow or deny specific traffic
to flow through a route-based VPN, and all of these
policies will use a single security association.
Route-based VPNs also offer the ability to exchange
dynamic routing information, such as border gateway
protocol (BGP), on the tunnel interface.
Route-based VPNs allow you to create policies that
have an action of deny, unlike policy-based VPNs.
Route-based VPNs also have different limitations than
policy-based VPNs.With route-based VPNs, you are limited
by one of two things: the number of route entries
your appliance supports, or the number of tunnel interfaces
your appliance supports, whichever of the two is the
Which statement is most correct in explaining weights
and their use in this redundant VPN configuration?
Member 1 weight 3
Member 2 weight 2
Member 3 weight 1
A. Weight is not a valid configuration option for
B. Weight is a distribution factor, Member 2 will
carry 10 times the traffic of Member .
C. Weight is used to determine which VPN in the Group
carries traffic, Member 2 will carry the traffic.
D. Weight is used to determine which VPN in the group
carries traffic, member 1 will carry the traffic.
E. Weight is distribution value,Member 1 will carry
the most traffic, while member 2 will carry 1/10 that
Your VPN device has a dynamic address, and does not
use an FQDN. Which three (3) do you need to configure
on your device for a successful Phase I connection
to your peer?
B. Peer id
C. Local id
D. Main mode
E. Aggressive mode
F. Static-ip of remote IKE peer
Situations arise when a remote site does not have
a static IP address (typical for home or small office
sites). As a result, it is not possible to define
the remote gateway's IP address for the purpose of
VPN tunnel establishment. NetScreen firewalls provide
a solution for this through the use of local and peer
By configuring a local ID on the initiating device
with the dynamic IP address, the device presents this
information to the recipient device when attempting
to establish Phase 1 negotiation. The recipient device
is configured to recognise this through a peer ID,
and as a result, can accept the initiators current
! The Phase 1 mode of VPNs with Dynamic Peers must
be set to aggressive.
Which two (2) statements regarding Certificate Revocation
Lists are correct?
A. The CRL is time stamped to identify revoked certificates
B. CRLs are maintained by independent agents to insure
C. A CRL ontains the names and IP addresses of Certificates
that have been revoked by the CA
D. New CRLs are issued on a regular, periodic basis,
which could be hourtly, daily, weekly