
400-007 · Question #421

400-007 Question #421: Real Exam Question with Answer & Explanation

The correct answer is B: ipsec ah. The requirement is to provide data integrity only, not confidentiality, because confidentiality is handled at the application layer. IPsec AH provides authentication and integrity for IP packets without encrypting the payload, so it ensures data integrity but not confidentiality.

Question

Two companies need to implement an extranet overlay network solution by using a VPN tunnel over the internet to use each other's HTTP REST APIs. The solution must only provide data integrity because data confidentiality will be covered at the application layer. The existing firewall devices will be used as VPN endpoints for the tunnel, but they have limited available resources. Which type of VPN tunnel must be deployed for the extranet service?

Options

  • A. ipsec esp
  • B. ipsec ah
  • C. gre tunnel
  • D. greoIPsec

Explanation

The requirement is to provide data integrity only, not confidentiality, because confidentiality is handled at the application layer. IPsec AH provides authentication and integrity for IP packets without encrypting the payload, so it ensures data integrity but not confidentiality. Because the firewall devices have limited resources, using IPsec AH (integrity and authentication only, no encryption) reduces processing overhead compared to ESP. IPsec AH is therefore the appropriate choice for a VPN tunnel that ensures data integrity without confidentiality on resource-constrained firewall endpoints.
