HCSE-Presales-Campus Network Planning and Design V1.0 Questions and Answers
Question 17
Which of the following statements is false about GRE over IPsec?
Options:
A.
IPsec supports encapsulation in both tunnel and transport modes.
B.
Compared with tunnel mode, transport mode adds an additional outer IP header. As a result, the packet is longer and more likely to be fragmented. Therefore, GRE over IPsec in tunnel mode is recommended.
C.
IPsec protects data flows between the GRE tunnel source and GRE tunnel destination.
D.
GRE over IPsec first encapsulates packets using GRE and then protects the GRE packets using IPsec.
Answer:
B
Explanation:
Option B is false because it reverses the encapsulation behavior. In IPsec transport mode, the IPsec security header is inserted after the existing IP header; a new outer IP header is not normally added. In tunnel mode, the complete original IP packet is encapsulated and a new outer IP header is added. Tunnel mode therefore generally introduces greater overhead and produces a longer packet than transport mode, not the reverse.
The remaining statements are correct. IPsec supports both transport and tunnel modes. GRE over IPsec performs GRE encapsulation first, allowing GRE to transport the original payload, and then applies IPsec protection to the resulting GRE packet. The IPsec security association is established between the GRE tunnel endpoints, protecting the GRE-encapsulated traffic as it traverses an untrusted transport network.
Huawei SD-WAN data channels can use either GRE or GRE over IPsec. GRE provides flexible overlay encapsulation, while IPsec adds confidentiality, integrity, origin authentication, and anti-replay protection for site-to-site traffic. Huawei specifically identifies IPsec encryption as the mechanism securing site-to-site SD-WAN services.
==================
Question 18
Which of the following technologies is used for wireless attack detection?
Options:
A.
Mesh
B.
Spectrum analysis
C.
PMF
D.
WIPS
Answer:
D
Explanation:
WIPS is the correct technology because it provides wireless intrusion prevention capabilities, including detecting and containing rogue access points, rogue stations, ad hoc devices, spoofing attempts, flood attacks, and other malicious activity on the radio interface. Huawei’s security-design material groups WIDS and WIPS with wireless attack detection and rogue-device containment. It recommends attack detection in public areas and primary or secondary education environments with high security requirements.
WIDS primarily detects and reports suspicious behavior, while WIPS adds active prevention or containment actions according to the configured policy. The other options serve different purposes. Mesh is a wireless networking architecture used to provide backhaul connectivity or extend coverage between APs; it is not an attack-detection mechanism. Spectrum analysis identifies non-Wi-Fi interference sources and evaluates radio-frequency utilization, but does not provide complete security attack detection and containment. Protected Management Frames protects selected 802.11 management frames against forgery, deauthentication, and disassociation attacks, but it is a protection mechanism rather than the comprehensive detection system requested. Therefore, WIPS is the correct answer.