352-001 · Question #50
Your organization is working on a design solution for a new Internet-based remote access virtual private network that has 1000 remote sites. A network administrator recommends GETVPN as the model beca
The correct answer is D. GETVPN key servers would be on public, hacker-reachable space and need higher security.. GETVPN is designed for private WAN environments, and its key servers become a security liability when exposed on the public internet.
Question
Your organization is working on a design solution for a new Internet-based remote access virtual private network that has 1000 remote sites. A network administrator recommends GETVPN as the model because the network of today uses DMVPN, which results in a lot of background NHRP control traffic. What is a potential problem with using GETVPN for this design solution?
Options
- AGETVPN would require a high level of background traffic to maintain its IPsec SAs.
- BGETVPN is not scalable to a large number of remote sites.
- CGETVPN and DMVPN will not interoperate.
- DGETVPN key servers would be on public, hacker-reachable space and need higher security.
How the community answered
(40 responses)- A8% (3)
- B13% (5)
- C5% (2)
- D75% (30)
Why each option
GETVPN is designed for private WAN environments, and its key servers become a security liability when exposed on the public internet.
GETVPN uses efficient group rekey mechanisms that actually reduce background traffic compared to maintaining individual point-to-point IPsec SAs, so high background traffic is not a concern.
GETVPN is highly scalable and supports thousands of group members using shared group keys, making scalability a strength rather than a limitation.
GETVPN and DMVPN are not mutually exclusive and can interoperate within the same network, so incompatibility is not a valid concern.
GETVPN depends on key servers (KS) that all group members must reach to obtain encryption keys and group policies; when deployed over the public internet, these key servers reside in publicly reachable address space and are directly exposed to attackers. This is a fundamental architectural mismatch - GETVPN was designed for trusted private networks such as MPLS, not internet-facing deployments where key servers require hardening against public threats.
Concept tested: GETVPN key server security in public internet deployments
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-16-12/sec-conn-getvpn-xe-16-12-book/sec-get-vpn.html
Topics
Community Discussion
No community discussion yet for this question.