CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi. Below are 3 questions I found interesting. Can you help me solve them?

Q1. In VPN-1 NGX, what happens if a Distinguished Name (DN) is NOT found in LDAP?

A. VPN-1 NGX takes the common-name value from the Certificate subject, and searches the LDAP account unit for a matching user id.
B. The Security Gateway uses the subject of the Certificate as the DN for the initial lookup.
C. If the first request fails or if branches do not match, NGX tries to map the identity to the user id attribute.
D. When users authenticate with valid Certificates, the Security Gateway tries to map the identities with users registered in the external LDAP user database.
E. VPN-1 NGX searches the internal database for the username.

Extract from CP manual:

When a Gateway requires user information for authentication purposes, it searches for this information in three different places:

1. The first place that is queried is the internal users database.
2. If the specified user is not defined in this database, the Gateway queries the SmartDirectory (LDAP) servers defined in the Account Unit one at a time, and according to their priority. If for some reason the query against a specified SmartDirectory (LDAP) server fails, for instance the SmartDirectory (LDAP) connection is lost, the SmartDirectory (LDAP) server with the next highest priority is queried. If there is more than one Account Unit, the Account Units are queried concurrently. The results of the query are either taken from the first Account Unit to meet the conditions, or from all the Account Units which meet the conditions. The choice between taking the result of one Account Unit as opposed to many is a matter of Gateway configuration.
3. If the information still cannot be found, the Gateway uses the external users template to see if there is a match against the generic profile. This generic profile has the default attributes applied to the specified user.

Extract from CP manual, but Nizmo version:

cn: The entry's name. This is also referred to as "Common Name". For users this can be different from the uid attribute, the name used to login to the VPN-1 Pro module. This attribute is also used to build the SmartDirectory (LDAP) entry's distinguished name, that is, it is the RDN of the DN.

uid: The user's login name, that is, the name used to login to the VPN-1 Pro module. This attribute is passed to the external authentication system in all authentication methods except for "Internal Password", and must be defined for all these authentication schemes. The login name is used by VPN-1 Pro to search the SmartDirectory (LDAP) server(s). For this reason, each user entry should have its own unique uid value. It is also possible to login to the VPN-1 Pro module using the full DN. The DN can be used when there is an ambiguity with this attribute or in "Internal Password" when this attribute may be missing. The DN can also be used when the same user (with the same uid) is defined in more than one Account Unit on different SmartDirectory (LDAP) servers.

Copyright Check Point Software Technologies LTD.

Q2. Which encryption scheme provides "In-place" encryption?

A. IKE
B. Manual IPSec
C. DES
D. SKIP
E. AES

My question is: what is the difference between an encryption scheme and an encryption algorithm? Is DES an encryption scheme or an encryption algorithm?

Q3. Pepito's main internal network 10.10.10.0/24 allows all traffic to the Internet using Hide NAT. Pepito also has a small network 10.10.20.0/24 behind the internal router. Pepito wants to configure the kernel to translate the source address only when network 10.10.20.0 tries to access the Internet for HTTP, SMTP, and FTP services. Which of the following configurations will allow this network to access the Internet?

A. Automatic Static NAT on network 10.10.20.0/24
B. Manual Hide NAT rules for HTTP, FTP, and SMTP services for network 10.10.20.0/24.
C. Manual Static NAT rules for network 10.10.20.0/24.
D. Automatic Hide NAT for network 10.10.20.0/24.
E. No change is necessary.

Is it A or B? Or maybe Pepito wants too much? :)

Best Regards,
Phayder

Last edited by Phayder; 2007-05-09 at 13:24.

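A small model of the three-stage lookup order quoted from the manual in the post above, with server failover inside an Account Unit and the "first Account Unit" versus "all Account Units" result setting. This is an added example, not code from the thread or from Check Point; the user names, host names and Account Unit names are constructed.

```python
# Constructed data modelling the three lookup stages quoted from the manual:
# internal users database, then LDAP Account Units (servers tried by priority,
# failing over when a connection is lost), then the external users template.
INTERNAL_DB = {"alice": {"auth": "Internal Password", "source": "internal database"}}

# Servers are listed in priority order; up=False simulates a lost LDAP connection.
ACCOUNT_UNITS = {
    "AU-corp": [
        {"host": "ldap1.corp.example", "up": False, "users": {"bob": {"auth": "RADIUS"}}},
        {"host": "ldap2.corp.example", "up": True,  "users": {"bob": {"auth": "RADIUS"}}},
    ],
    "AU-partners": [
        {"host": "ldap.partners.example", "up": True, "users": {"bob": {"auth": "SecurID"}}},
    ],
}

# Generic profile applied when a user is found nowhere else.
EXTERNAL_TEMPLATE = {"auth": "RADIUS", "source": "external users template"}


def query_account_unit(au_name, uid):
    """Try the Account Unit's servers by priority; a down server triggers failover,
    a reachable server that does not know the uid ends the search for this unit."""
    for server in ACCOUNT_UNITS[au_name]:
        if not server["up"]:
            continue  # connection lost: next highest priority server
        entry = server["users"].get(uid)
        if entry is None:
            return None
        return dict(entry, source=f"{au_name} via {server['host']}")
    return None  # every server in this Account Unit was unreachable


def lookup_user(uid, first_match_only=True):
    """Resolve a login name in the documented order. Account Units are queried
    sequentially here (the gateway does it concurrently); first_match_only models
    the gateway setting that takes one Account Unit's result instead of all."""
    if uid in INTERNAL_DB:
        return [INTERNAL_DB[uid]]
    results = [r for r in (query_account_unit(au, uid) for au in ACCOUNT_UNITS) if r]
    if results:
        return results[:1] if first_match_only else results
    return [dict(EXTERNAL_TEMPLATE)]


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name, "->", lookup_user(name))
```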
Q2. Which encryption scheme provides "In-place" encryption? -> DES

In-Place Encryption: A mechanism that encrypts only the data of an IP packet, while the header is not encrypted. In-place encryption leaves headers exposed, but preserves the packet's length, in contrast to encapsulated encryption. An example of in-place encryption is Check Point FWZ-1.

And an encryption algorithm is part of an encryption scheme.

Q3. I would say B, as it is the only answer which limits the services as stated in the question. With a manual NAT rule one can specify the services for which the NAT rule is used. Furthermore, you need Hide NAT as you want to hide a subnet behind one IP. With Static NAT you would need a lot of public IPs (a /24). :)

The answer to question 3 is B. Answer (a), Static NAT, is wrong, because Static NAT would have been used if the source were on the Internet and the destination inside/DMZ. It's not as if it can't be done, but it shouldn't be, because it's incorrect use of Static NAT.

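A first-match model of the NAT rulebase for Pepito's scenario, contrasting the manual, service-restricted Hide NAT rules (answer B) with a Static NAT alternative (answer C) that maps every host to its own public address. This is an added example, not code from the thread or from Check Point; the public addresses are documentation-range placeholders and the rule format is constructed.

```python
import ipaddress

# Constructed rulebase for the Q3 scenario. 198.51.100.1 and 203.0.113.0/24 are
# documentation-range placeholders for public addresses, not values from the thread.
GATEWAY_PUBLIC_IP = "198.51.100.1"

# Rules are evaluated first match. "services" None means any service; a static
# rule also carries the public network its hosts map to one-to-one.
NAT_RULES = [
    {"src": "10.10.10.0/24", "services": None, "method": "hide"},                    # automatic Hide NAT
    {"src": "10.10.20.0/24", "services": {"http", "smtp", "ftp"}, "method": "hide"},  # manual rules (answer B)
]

STATIC_ALTERNATIVE = [  # answer C: every host needs its own public address
    {"src": "10.10.20.0/24", "services": None, "method": "static", "public": "203.0.113.0/24"},
]


def translate_source(rules, src_ip, service):
    """Return (translated source, matching rule index) for an outbound packet;
    an unmatched packet leaves with its private address and index None."""
    src = ipaddress.ip_address(src_ip)
    for idx, rule in enumerate(rules):
        src_net = ipaddress.ip_network(rule["src"])
        if src not in src_net:
            continue
        if rule["services"] is not None and service not in rule["services"]:
            continue
        if rule["method"] == "hide":
            return GATEWAY_PUBLIC_IP, idx  # whole subnet hidden behind one address
        public_net = ipaddress.ip_network(rule["public"])
        offset = int(src) - int(src_net.network_address)
        return str(public_net.network_address + offset), idx  # one-to-one mapping
    return src_ip, None


def public_addresses_needed(rule):
    """Hide NAT consumes one public address; Static NAT consumes one per host."""
    return 1 if rule["method"] == "hide" else ipaddress.ip_network(rule["src"]).num_addresses


if __name__ == "__main__":
    for ip, svc in (("10.10.10.5", "ssh"), ("10.10.20.7", "http"), ("10.10.20.7", "ssh")):
        print(ip, svc, "->", translate_source(NAT_RULES, ip, svc))
    print("static alternative:", translate_source(STATIC_ALTERNATIVE, "10.10.20.7", "http"),
          "needs", public_addresses_needed(STATIC_ALTERNATIVE[0]), "public addresses")
```

With the manual rules, SSH from 10.10.20.7 leaves untranslated, which is exactly the "only for HTTP, SMTP and FTP" behaviour the question asks for.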
Good one! I was confused about external user profiles; now I found the sequence. It should have been mentioned in the CCSA book. But one question still remains: when creating an External User Profile --> Match by domain name --> Omit Domain Name when authenticating users, I am unable to understand the importance of this. If we don't want the domain name to be forwarded to the authentication server, the following are options:

1) Use the generic profile --> means match all users
2) Use match by domain name and check the option --> Free format --> Any domain name is acceptable

If someone can help me with this I will be grateful. I am studying for CCSA and need the help of people like you, and when I become an expert, in return I would help others and you.