nerdexam
(ISC)2

CISSP-ISSAP · Question #142

You work as a Chief Security Officer for Tech Perfect Inc. You have configured IPSec and ISAKMP protocol in the company's network in order to establish a secure communication infrastructure. ccording

The correct answer is B. It provides key generation mechanisms. C. It authenticates communicating peers. D. It protects against threats, such as DoS attack, replay attack, etc.. ISAKMP (RFC 2408) directly provides three security services to the network: key generation mechanisms (B) to produce cryptographic keying material, peer authentication (C) to verify the identity of communicating endpoints before any secure channel is established, and threat mitig

Infrastructure Security

Question

You work as a Chief Security Officer for Tech Perfect Inc. You have configured IPSec and ISAKMP protocol in the company's network in order to establish a secure communication infrastructure. ccording to the Internet RFC 2408, which of the following services does the ISAKMP protocol offer to the network? Each correct answer represents a part of the solution. Choose all that apply.

Options

  • AIt relies upon a system of security associations.
  • BIt provides key generation mechanisms.
  • CIt authenticates communicating peers.
  • DIt protects against threats, such as DoS attack, replay attack, etc.

How the community answered

(27 responses)
  • A
    22% (6)
  • B
    78% (21)

Explanation

ISAKMP (RFC 2408) directly provides three security services to the network: key generation mechanisms (B) to produce cryptographic keying material, peer authentication (C) to verify the identity of communicating endpoints before any secure channel is established, and threat mitigation (D), including built-in protections against replay attacks, denial-of-service, and man-in-the-middle attacks through message construction and state machine design.

Option A is the distractor because it inverts the relationship - ISAKMP does not rely upon security associations; rather, it establishes and manages them. Saying ISAKMP "relies on" SAs describes a dependency, not a service it offers to the network.

Memory tip: Think of ISAKMP as the negotiation engine - it Authenticates who you're talking to, Keys the session, and Shields against network-layer attacks (A-K-S). Security Associations are the output of ISAKMP's work, not its input - so "relies upon SAs" should immediately stand out as backward.

Topics

#ISAKMP protocol#IPSec#Key management#Peer authentication

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice