70-291 Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Online Class

Demo Question 9.

Exhibit, Network Topology You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. All servers on the EliteCertify.com network run Windows Server 2003 and all client computers run Windows XP Professional. EliteCertify.com has its headquarters in Chicago and a branch office in Dallas. The relevant portion of the network is illustrated in the exhibit. You have received instruction from the CIO to configure an L2TP/IPSec VPN tunnel between EliteCertify -SR24 and EliteCertify -SR25 and configure and assign an IPSec policy named CK_IPSec that requires secure communications. A new EliteCertify.com written security policy requires that you ensure that no unsecured traffic from the Internet reaches the internal network through this VPN whilst ensuring access to the VPN servers from their respective internal networks is not disrupted. Which of the configurations will accomplish this?

A. Input and output L2TP/IPSec packet filters must be configured on the internal interfaces on EliteCertify -SR24 and EliteCertify -SR25.
B. Input and output L2TP/IPSec packet filters must be configured on the external interfaces on EliteCertify -SR24 and EliteCertify -SR25.
C. Edit the All IP Traffic IP Filter list to include the IP addresses for only EliteCertify -SR24 and EliteCertify -SR25 in the properties of CK_IPSec.
D. Edit the All ICMP Traffic IP Filter list to include the IP addresses for only EliteCertify -SR24 and EliteCertify -SR25 in the properties of CK_IPSec.


Display Answer

Answer: B

Explanation: Packet filtering is a technology that filters what type of traffic is allowed into and out of the router. One of the most useful features in RRAS is its ability to selectively filter TCP/IP packets in both directions. You can construct filters that allow or deny traffic into or out of your network based on rules that specify source and destination addresses and ports. The basic idea behind packet filtering is simple: You specify filter rules and incoming packets are measured against those rules. You have two choices: Accept all packets except those prohibited by a rule or drop all packets except those permitted by a rule. Filters are normally used to block out undesirable traffic. In general, the idea is to keep out packets that your machines shouldn't see. If you want to ensure that no unsecured traffic from the Internet reaches your internal network through the VPN whilst ensuring access to the VPN servers from their respective internal networks, then you should configure input and output L2TP / IPSec packet filters on the external interfaces on both EliteCertify -SR24 and EliteCertify -SR25. Incorrect answers: A. The filters should be configured on the external interfaces of both EliteCertify -SR24 and EliteCertify -SR25 and not on the internal interfaces. C, D. Editing the All IP Traffic IP Filter to include the EliteCertify -SR24 and EliteCertify -SR25 IP addresses is not going to address the problem that you are trying to avoid. Neither will edit the All ICMP traffic IP Filter list. Reference: James Chellis, Paul Robichaux & Matthew Sheltz, MCSA/MCSE. Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2003, pp. 422, 447