nerdexam
Cisco

352-001 · Question #50

Your organization is working on a design solution for a new Internet-based remote access virtual private network that has 1000 remote sites. A network administrator recommends GETVPN as the model beca

The correct answer is D. GETVPN key servers would be on public, hacker-reachable space and need higher security.. GETVPN is designed for private WAN environments, and its key servers become a security liability when exposed on the public internet.

Designing Security

Question

Your organization is working on a design solution for a new Internet-based remote access virtual private network that has 1000 remote sites. A network administrator recommends GETVPN as the model because the network of today uses DMVPN, which results in a lot of background NHRP control traffic. What is a potential problem with using GETVPN for this design solution?

Options

  • AGETVPN would require a high level of background traffic to maintain its IPsec SAs.
  • BGETVPN is not scalable to a large number of remote sites.
  • CGETVPN and DMVPN will not interoperate.
  • DGETVPN key servers would be on public, hacker-reachable space and need higher security.

How the community answered

(40 responses)
  • A
    8% (3)
  • B
    13% (5)
  • C
    5% (2)
  • D
    75% (30)

Why each option

GETVPN is designed for private WAN environments, and its key servers become a security liability when exposed on the public internet.

AGETVPN would require a high level of background traffic to maintain its IPsec SAs.

GETVPN uses efficient group rekey mechanisms that actually reduce background traffic compared to maintaining individual point-to-point IPsec SAs, so high background traffic is not a concern.

BGETVPN is not scalable to a large number of remote sites.

GETVPN is highly scalable and supports thousands of group members using shared group keys, making scalability a strength rather than a limitation.

CGETVPN and DMVPN will not interoperate.

GETVPN and DMVPN are not mutually exclusive and can interoperate within the same network, so incompatibility is not a valid concern.

DGETVPN key servers would be on public, hacker-reachable space and need higher security.Correct

GETVPN depends on key servers (KS) that all group members must reach to obtain encryption keys and group policies; when deployed over the public internet, these key servers reside in publicly reachable address space and are directly exposed to attackers. This is a fundamental architectural mismatch - GETVPN was designed for trusted private networks such as MPLS, not internet-facing deployments where key servers require hardening against public threats.

Concept tested: GETVPN key server security in public internet deployments

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-16-12/sec-conn-getvpn-xe-16-12-book/sec-get-vpn.html

Topics

#GETVPN#DMVPN#key server security#Internet VPN design

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice