
A question and some thoughts on the exam



Perks
2011-12-15, 16:07
Hey everyone, here is a question from the practice exam which I didn't fully understand.

Phase 2 uses ______ , if not using Perfect Forward Secrecy.

A. Sequential
B. Symmetric
C. Asymmetric
D. Conditional

Now, I don't know about you, but on my CCSA R75 course, I was never taught anything about Perfect Forward Secrecy and I don't even know what it means. And not just this question. MANY of the questions I encountered on the practice exam made me rub my eyes and wonder if I am taking the right practice exam or perhaps I attended the wrong course. What's going on here? CLI commands I never heard of, Blades I didn't study that weren't even on my syllabus, very deep "fine-tuning" down to the letter questions that made me suspect that it is quite impossible for me to pass this exam and attending it would simply mean throwing $200 to the garbage can. Not to mention that I was one of the leading students in my class.

And don't even get me started on the CCSE exam, a course which I have also taken and the practice exam looks nothing like what I took.

It seems like there's a rule of thumb here - Both on the CCSA and CCSE practice exams, questions on materials that I studied, I nailed perfectly and didn't hesitate on. But the rest of the questions were about things I never even heard of.

And the length of my courses was double the time it takes for usual CCSA\CCSE course.

What's going on here?

northlandboy
2011-12-15, 18:29
What's going on here?

Basically, they don't want people to just do a short course and go straight to pass the exam - they like to throw in some real world questions, to see if you've used the products. I don't want to get into a debate about how much of the questions they ask are actually Real World, but that's the general idea of where they're going.

Regarding VPNs, yeah, I would expect a network security engineer to have a bit of an idea about the different algorithms used. The exact level of detail required is debatable, but you should be aware of symmetric vs asymmetric, PFS, various encryption/hashing algorithms, etc. That way, when you go to set up a VPN with a third party, you understand what's going on.

I'm not sure what course you actually went on - it's been many years since I did any formal CP training, but I don't remember students being ranked, so I'm not sure how you'd know you were a "leading student" on the course?

Barry J. Stiefel
2011-12-15, 20:11
Perks wrote:

> Hey everyone, here is a question from the practice exam which I didn't fully understand.
>
> Phase 2 uses ______ , if not using Perfect Forward Secrecy.
>
> A. Sequential
> B. Symmetric
> C. Asymmetric
> D. Conditional
>
> Now, I don't know about you, but on my CCSA R75 course, I was never taught anything about Perfect Forward Secrecy and I don't even know what it means. And not just this question. MANY of the questions I encountered on the practice exam made me rub my eyes and wonder if I am taking the right practice exam or perhaps I attended the wrong course. What's going on here? CLI commands I never heard of, Blades I didn't study that weren't even on my syllabus, very deep "fine-tuning" down to the letter questions that made me suspect that it is quite impossible for me to pass this exam and attending it would simply mean throwing $200 to the garbage can. Not to mention that I was one of the leading students in my class.
>
> And don't even get me started on the CCSE exam, a course which I have also taken and the practice exam looks nothing like what I took.
>
> It seems like there's a rule of thumb here - Both on the CCSA and CCSE practice exams, questions on materials that I studied, I nailed perfectly and didn't hesitate on. But the rest of the questions were about things I never even heard of.
>
> And the length of my courses was double the time it takes for usual CCSA\CCSE course.
>
> What's going on here?

I'm now going on my fifteenth year of asking Check Point to improve the quality of the exam questions and answers. I keep hoping they'll listen to their customers on this issue. Apparently, they don't see the "business case" for doing so.

I've heard from several members lately that even the most current versions of the newest exams have spelling errors, logic errors and missing words.

Despite all my years of experience with Check Point products and despite the fact that I've coached more people through Check Point exams than anyone else, I can't figure out what they're asking in that question. Sorry.

stomp442
2012-04-28, 10:50
Perks:

If I had to guess on that question, I would answer: symmetric.

Why?

In the R71 courseware on page 196, second bullet point, it makes reference to "using the faster private key that was negotiated in the first phase". Then, paging backwards, to 191, the symmetric key description, it says "Symmetric encryption is primarily used for faster encryption Performance." Which kinda made sense. Then I read this (http://www.internet-computer-security.com/VPN-Guide/PFS.html), and was lost.

ShadowPeak.com
2012-04-28, 16:15
stomp442 wrote:

> Perks:
>
> If I had to guess on that question, I would answer: symmetric.

Good guess, you are correct.

> Why?
>
> In the R71 courseware on page 196, second bullet point, it makes reference to "using the faster private key that was negotiated in the first phase". Then, paging backwards, to 191, the symmetric key description, it says "Symmetric encryption is primarily used for faster encryption Performance." Which kinda made sense. Then I read this (http://www.internet-computer-security.com/VPN-Guide/PFS.html), and was lost.


IKE Phase 1 creates an encrypted tunnel (I call this the "control tunnel" which is borrowing terminology from the FTP protocol) that the firewalls use to secure their subsequent Phase 2 negotiations. During IKE Phase 1 the two firewalls perform an asymmetric Diffie-Hellman calculation to derive the secret key that will be used to symmetrically encrypt data flowing through the control tunnel. So in IKE Phase 1 only asymmetric encryption (Diffie-Hellman) is being used since the IKE Phase 1 negotiation itself is in the clear.

The IKE Phase 2 negotiations occur inside the cloak of the created Phase 1 tunnel. Once Phase 2 is complete a second tunnel (IPSEC - I call this the "data" tunnel) is formed to carry the actual information to be protected. If PFS is not enabled the secret encryption key already being utilized by the Phase 1 tunnel is reused for this and all subsequent IPSEC tunnels. If PFS is enabled, Diffie-Hellman is run again during Phase 2 to calculate a unique key for each new IPSEC tunnel.

So to the exam question, the IKE Phase 2 negotiation occurs inside the cloak of the Phase 1 IKE tunnel which itself is symmetrically encrypted. So if PFS is not active Phase 2 only uses symmetric encryption. If PFS is active Phase 2 uses both symmetric and asymmetric (Diffie-Hellman) encryption techniques.