Which of the following configurations is MOST appropriate for Jerry?

Jerry is concerned that a denial-of-service (DoS) attack may affect his VPN Communities. He
decides to implement IKE DoS protection. Jerry needs to minimize the performance impact of
implementing this new protection. Which of the following configurations is MOST appropriate for
Jerry?

A.
Set Support IKE DoS protection from identified source to “Puzzles”, and Support IKE DoS
protection from unidentified source to “Stateless”.

B.
Set Support IKE DoS Protection from identified source, and Support IKE DoS protection from
unidentified source to “Puzzles”.

C.
Set Support IKE DoS protection from identified source to “Stateless,” and Support IKE DoS
protection from unidentified source to “Puzzles”.

D.
Set “Support IKE DoS protection” from identified source, and “Support IKE DoS protection”
from unidentified source to “Stateless”.

E.
Set Support IKE DoS protection from identified source to “Stateless”, and Support IKE DoS
protection from unidentified source to “None”.

Explanation:



buck

From the R77_VPN_AdminGuide:
SmartDashboard IKE DoS Attack Protection Settings

To protect against IKE DoS attacks, configure the SmartDashboard IKE Denial of Service Protection settings, in the VPN > Advanced page of the Global Properties. IKE DoS protection is not supported for IPv6 addresses.

Support IKE DoS protection from identified source — The default setting for identified sources is Stateless. If the Security Gateway is under load, this setting requires the peer to respond to an IKE notification in a way that proves that the IP address of the peer is not spoofed. If the peer cannot prove this, the Security Gateway does not begin the IKE negotiation. If the source is identified, protecting using Puzzles is overcautious, and may affect performance. A third possible setting is None, which means no DoS protection.

Support IKE DoS protection from unidentified source — The default setting for unidentified sources is Puzzles. If the Security Gateway is under load, this setting requires the peer to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. For unidentified sources, Stateless protection may not be sufficient because an attacker may well control all the IP addresses from which the IKE requests appear to be sent. A third possible setting is None, which means no DoS protection.

The correct answer is C
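The two mechanisms the quoted guide describes, as an added example that is not part of the comment above and not Check Point's implementation: a generic sketch of a stateless return-routability cookie and a hash-based client puzzle, showing why the puzzle costs far more CPU. All names, the SHA-256 construction, the difficulty value and the sample IP addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed secret for the demo; a real gateway would rotate it periodically.
GATEWAY_SECRET = os.urandom(32)

def stateless_cookie(src_ip, initiator_nonce, secret=GATEWAY_SECRET):
    """Gateway side: derive a cookie it can recompute later, so it stores no per-peer state."""
    return hmac.new(secret, src_ip.encode() + initiator_nonce, hashlib.sha256).digest()

def verify_cookie(src_ip, initiator_nonce, cookie, secret=GATEWAY_SECRET):
    """A peer that echoes the right cookie has shown it receives traffic at src_ip."""
    expected = stateless_cookie(src_ip, initiator_nonce, secret)
    return hmac.compare_digest(expected, cookie)

def leading_zero_bits(digest):
    """Number of zero bits at the start of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve_puzzle(challenge, difficulty):
    """Peer side: brute-force a counter; returns (solution, hashes_tried)."""
    counter = 0
    while True:
        digest = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter, counter + 1
        counter += 1

def check_puzzle(challenge, solution, difficulty):
    """Gateway side: a single hash verifies the answer, whatever the difficulty."""
    digest = hashlib.sha256(challenge + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty

def demo(difficulty=12):
    nonce = os.urandom(16)
    cookie = stateless_cookie("198.51.100.7", nonce)              # constructed address
    genuine = verify_cookie("198.51.100.7", nonce, cookie)        # peer really at that IP
    spoofed = verify_cookie("203.0.113.9", nonce, cookie)         # cookie replayed from another IP
    solution, hashes = solve_puzzle(cookie, difficulty)           # about 2**difficulty hashes on average
    return genuine, spoofed, check_puzzle(cookie, solution, difficulty), hashes

if __name__ == "__main__":
    print(demo())
```

The cookie check costs each side one HMAC, while the puzzle makes the peer perform thousands of hashes per negotiation, which is the performance cost the guide warns about for already identified sources.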

ccsa

Q: Jerry needs to MINIMIZE the performance impact of implementing this new protection.
Puzzles do not minimize…
D – correct for this question, but in the real world – C.