352-001 · Question #488
You are the consultant network designer for a large GET VPN deployment for a large bank with national coverage. Between 1800 and 2000 remote locations connect to the central location through four hubs
The correct answer is B. Increase the cryptographic key size. C. Reduce the SAR clock interval duration.. Tuning GET VPN to resist replay attacks and improve security requires tightening the Time-Based Anti-Replay window by reducing the SAR clock interval and increasing key strength by using larger cryptographic keys.
Question
You are the consultant network designer for a large GET VPN deployment for a large bank with national coverage. Between 1800 and 2000 remote locations connect to the central location through four hubs using an MPLS backbone and using two key servers. The bank is concerned with security and replay attacks. Which two actions should you use to tune GET VPN to meet the bank requirements? (Choose 2)
Options
- AReplace unicast rekey with multicast rekey.
- BIncrease the cryptographic key size.
- CReduce the SAR clock interval duration.
- DReduce the Dead Peer Detection periodic timer.
- EIncrease the TEK and KEK lifetime.
How the community answered
(64 responses)- A11% (7)
- B64% (41)
- D5% (3)
- E20% (13)
Why each option
Tuning GET VPN to resist replay attacks and improve security requires tightening the Time-Based Anti-Replay window by reducing the SAR clock interval and increasing key strength by using larger cryptographic keys.
Switching from unicast to multicast rekey improves rekey scalability and efficiency across many group members but does not strengthen encryption or reduce the replay attack window.
Increasing the cryptographic key size (for example, moving from 1024-bit to 2048-bit RSA or from AES-128 to AES-256) raises the computational cost of a brute-force attack against the GET VPN keys, directly addressing the bank's security concern.
GET VPN uses Time-Based Anti-Replay (TBAR), where the SAR clock interval defines the acceptable time window for packet delivery; reducing this interval shrinks the window within which a replayed packet would be accepted as valid, making replay attacks significantly harder to execute in a large-scale deployment.
Dead Peer Detection (DPD) is an IKE mechanism for detecting unresponsive peers and has no function in anti-replay protection or cryptographic key strength.
Increasing TEK (Traffic Encryption Key) and KEK (Key Encryption Key) lifetimes means the same keys are used for a longer period, which widens the exposure window and weakens overall security rather than improving it.
Concept tested: GET VPN anti-replay tuning and cryptographic hardening
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-16/sec-get-vpn-xe-16-book/sec-get-vpn.html
Topics
Community Discussion
No community discussion yet for this question.