nerdexam
Cisco

352-001 · Question #488

You are the consultant network designer for a large GET VPN deployment for a large bank with national coverage. Between 1800 and 2000 remote locations connect to the central location through four hubs

The correct answer is B. Increase the cryptographic key size. C. Reduce the SAR clock interval duration.. Tuning GET VPN to resist replay attacks and improve security requires tightening the Time-Based Anti-Replay window by reducing the SAR clock interval and increasing key strength by using larger cryptographic keys.

Designing Security

Question

You are the consultant network designer for a large GET VPN deployment for a large bank with national coverage. Between 1800 and 2000 remote locations connect to the central location through four hubs using an MPLS backbone and using two key servers. The bank is concerned with security and replay attacks. Which two actions should you use to tune GET VPN to meet the bank requirements? (Choose 2)

Options

  • AReplace unicast rekey with multicast rekey.
  • BIncrease the cryptographic key size.
  • CReduce the SAR clock interval duration.
  • DReduce the Dead Peer Detection periodic timer.
  • EIncrease the TEK and KEK lifetime.

How the community answered

(64 responses)
  • A
    11% (7)
  • B
    64% (41)
  • D
    5% (3)
  • E
    20% (13)

Why each option

Tuning GET VPN to resist replay attacks and improve security requires tightening the Time-Based Anti-Replay window by reducing the SAR clock interval and increasing key strength by using larger cryptographic keys.

AReplace unicast rekey with multicast rekey.

Switching from unicast to multicast rekey improves rekey scalability and efficiency across many group members but does not strengthen encryption or reduce the replay attack window.

BIncrease the cryptographic key size.Correct

Increasing the cryptographic key size (for example, moving from 1024-bit to 2048-bit RSA or from AES-128 to AES-256) raises the computational cost of a brute-force attack against the GET VPN keys, directly addressing the bank's security concern.

CReduce the SAR clock interval duration.Correct

GET VPN uses Time-Based Anti-Replay (TBAR), where the SAR clock interval defines the acceptable time window for packet delivery; reducing this interval shrinks the window within which a replayed packet would be accepted as valid, making replay attacks significantly harder to execute in a large-scale deployment.

DReduce the Dead Peer Detection periodic timer.

Dead Peer Detection (DPD) is an IKE mechanism for detecting unresponsive peers and has no function in anti-replay protection or cryptographic key strength.

EIncrease the TEK and KEK lifetime.

Increasing TEK (Traffic Encryption Key) and KEK (Key Encryption Key) lifetimes means the same keys are used for a longer period, which widens the exposure window and weakens overall security rather than improving it.

Concept tested: GET VPN anti-replay tuning and cryptographic hardening

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-16/sec-get-vpn-xe-16-book/sec-get-vpn.html

Topics

#GET VPN#replay attack#key size#SAR clock interval

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice