Which IPsec transform set provides the strongest protection?

A. crypto ipsec transform-set 1 esp-3des esp-sha-hmac

B. crypto ipsec transform-set 2 esp-3des esp-md5-hmac

C. crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac

D. crypto ipsec transform-set 4 esp-aes esp-md5-hmac

E. crypto ipsec transform-set 5 esp-des esp-sha-hmac

F. crypto ipsec transform-set 6 esp-des esp-md5-hmac

Explanation:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/vpipsec.html

Table 22-2 IKEv2 Proposal Dialog Box

Name
The name of the policy object. A maximum of 128 characters is allowed.

Description
A description of the policy object. A maximum of 1024 characters is allowed.

Priority
The priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.
Valid values range from 1 to 65535. The lower the number, the higher the priority. If you leave this field blank, Security Manager assigns the lowest unassigned value starting with 1, then 5, then continuing in increments of 5.

Encryption Algorithm
The encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations. Click Select and select all of the algorithms that you want to allow in the VPN:
• AES—Encrypts according to the Advanced Encryption Standard using 128-bit keys.
• AES-192—Encrypts according to the Advanced Encryption Standard using 192-bit keys.
• AES-256—Encrypts according to the Advanced Encryption Standard using 256-bit keys.
• DES—Encrypts according to the Data Encryption Standard using 56-bit keys.
• 3DES—Encrypts three times using 56-bit keys. 3DES is more secure than DES, but requires more processing for encryption and decryption. It is less secure than AES. A 3DES license is required to use this option.
• Null—No encryption algorithm.

Integrity (Hash) Algorithm
The integrity portion of the hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Click Select and select all of the algorithms that you want to allow in the VPN:
• SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.
• MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than SHA.

Prf Algorithm
The pseudo-random function (PRF) portion of the hash algorithm used in the IKE proposal. In IKEv1, the Integrity and PRF algorithms are not separated, but in IKEv2, you can specify different algorithms for these elements. Click Select and select all of the algorithms that you want to allow in the VPN:
• SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.
• MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than SHA.

Modulus Group
The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Click Select and select all of the groups that you want to allow in the VPN:
• 1—Diffie-Hellman Group 1 (768-bit modulus).
• 2—Diffie-Hellman Group 2 (1024-bit modulus). This is the minimum recommended setting.
• 5—Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys). Select this option if you are using AES encryption.

Lifetime
The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes.
You can specify a value from 120 to 2147483647 seconds. The default is 86400.

Category
The category assigned to the object. Categories help you organize and identify rules and objects.
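The ordering the explanation describes (AES above 3DES above DES, SHA above MD5) can be applied mechanically to configuration lines. The following audit helper is an added example, not Cisco code and not part of the original question: it parses the `crypto ipsec transform-set` syntax of the six options above, ranks the sets strongest first, and flags legacy choices. The numeric strength values are assumptions chosen here for ranking only.

```python
import re

# Assumed IOS syntax: crypto ipsec transform-set <name> <esp-cipher> [<aes-bits>] [<esp-auth>]
# Strength values are ranking weights assumed here, roughly effective security bits.
CIPHER_STRENGTH = {"esp-null": 0, "esp-des": 56, "esp-3des": 112, "esp-aes": 128}
HASH_STRENGTH = {None: 0, "esp-md5-hmac": 128, "esp-sha-hmac": 160}
LEGACY_CIPHERS = {"esp-null", "esp-des", "esp-3des"}

_LINE = re.compile(
    r"^\s*crypto ipsec transform-set\s+(\S+)\s+(esp-[a-z0-9]+)"
    r"(?:\s+(\d+))?(?:\s+(esp-[a-z0-9]+-hmac))?\s*$"
)

def parse_transform_set(line):
    """Describe one transform-set line; raise ValueError on syntax it does not recognise."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a transform-set line: {line!r}")
    name, cipher, bits, auth = m.groups()
    if cipher not in CIPHER_STRENGTH:
        raise ValueError(f"unknown ESP cipher {cipher!r}")
    if auth is not None and auth not in HASH_STRENGTH:
        raise ValueError(f"unknown ESP integrity algorithm {auth!r}")
    if bits and cipher != "esp-aes":
        raise ValueError(f"key size only applies to esp-aes, got {cipher} {bits}")
    key_bits = None
    if cipher == "esp-aes":
        key_bits = int(bits) if bits else 128  # IOS uses AES-128 when no size is given
        if key_bits not in (128, 192, 256):
            raise ValueError(f"unsupported AES key size {key_bits}")
    cipher_strength = key_bits if cipher == "esp-aes" else CIPHER_STRENGTH[cipher]
    findings = []
    if cipher in LEGACY_CIPHERS:
        findings.append(f"{cipher}: legacy or null cipher, replace with esp-aes 256")
    if auth is None:
        findings.append("no ESP integrity algorithm: packets are not authenticated")
    elif auth == "esp-md5-hmac":
        findings.append("esp-md5-hmac: MD5 is deprecated, use esp-sha-hmac")
    return {"name": name, "cipher": cipher, "key_bits": key_bits, "auth": auth,
            "strength": (cipher_strength, HASH_STRENGTH[auth]), "findings": findings}

def rank_transform_sets(lines):
    """Strongest first: confidentiality strength, then integrity strength."""
    return sorted((parse_transform_set(l) for l in lines),
                  key=lambda t: t["strength"], reverse=True)

# Constructed input: the six transform sets from the options above.
OPTIONS = [
    "crypto ipsec transform-set 1 esp-3des esp-sha-hmac",
    "crypto ipsec transform-set 2 esp-3des esp-md5-hmac",
    "crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac",
    "crypto ipsec transform-set 4 esp-aes esp-md5-hmac",
    "crypto ipsec transform-set 5 esp-des esp-sha-hmac",
    "crypto ipsec transform-set 6 esp-des esp-md5-hmac",
]
```

Calling `rank_transform_sets(OPTIONS)` returns the sets in order 3, 4, 1, 2, 5, 6, with only set 3 producing no findings; the same function can be run over a device's full running configuration to spot transform sets still using DES, 3DES or MD5.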