2 Comments on “Which of the following configurations is MOST appropriate for Jerry?”

1. buck says:

   September 23, 2014 at 9:33 pm

   From the R77_VPN_AdminGuide:
   SmartDashboard IKE DoS Attack Protection Settings

   To protect against IKE DoS attacks, configure the SmartDashboard IKE Denial of Service Protection settings, in the VPN >Advanced page of the Global Properties. IKE DoS protection is not supported for IPv6 addresses.

   Support IKE DoS protection from identified source — The default setting for identified sources is Stateless. If the Security Gateway is under load, this setting requires the peer to respond to an IKE notification in a way that proves that the IP address of the peer is not spoofed. If the peer cannot prove this, the Security Gateway does not begin the IKE negotiation. If the source is identified, protecting using Puzzles is over cautious, and may affect performance. A third possible setting is None, which means no DoS protection.

   Support IKE DoS protection from unidentified source — The default setting for unidentified sources is Puzzles. If the Security Gateway is under load, this setting requires the peer to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. For unidentified sources, Stateless protection may not be sufficient because an attacker may well control all the IP addresses from which the IKE requests appear to be sent. A third possible setting is None, which means no DoS protection.

   The correct answer is C

   
   
   
   0

   
   
   
   0
2. ccsa says:

   October 8, 2014 at 12:51 pm

   Q: Jerry needs to MINIMIZE the performance impact of
   implementing this new protection.
   Puzzle no minimize….
   D – correct for this question, but in real world – C.

   
   
   
   0

   
   
   
   0