SCOR 350-701 VPN encryption review question wrong?

sanchezeldorado
Level 1

Hello,

In my certification book, Chapter 8 question 2 says:

You are hired to configure a site-to-site VPN between a Cisco FTD device and a Cisco
IOS-XE router. Which of the following encryption and hashing protocols will you
select for optimal security?

a. AES-192, SHA, Diffie-Hellman Group 21
b. IDEA, SHA, Diffie-Hellman Group 2
c. AES-192, SHA, Diffie-Hellman Group 5
d. AES-256, SHA, Diffie-Hellman Group 21

The book shows the answer as A. It's wrong, isn't it? I can't find any reference for AES-192 being better. I know it wouldn't have the same processing load as AES-256, but I would think the stronger encryption is better.

Accepted Solution

@sanchezeldorado yes, I'd agree answer D would be more secure.

The closest Cisco document regarding preferred ciphers is this link https://gblogs.cisco.com/uki/deep-dive-a-vpn-journey/; albeit it refers to IKEv2 proposals, it states AES-CBC-256 would be preferred over 192.

 

4 Replies

Thank you! Just wanted to make sure I wasn't crazy.

Marvin Rhoads
Hall of Fame

Yes, AES-256 would be preferred over AES-192. Both FTD and IOS-XE support AES-256.

The book is a bit outdated. DH groups 16 or 20 would be preferred over 21.

The hashing algorithm should also specify what type of SHA (SHA-1, SHA-256, SHA-384, SHA-512 etc.).
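For readers who want to see what the recommendations in this thread look like on the IOS-XE side of such a site-to-site tunnel, here is an IKEv2 proposal and IPsec transform set written as an added illustration (not configuration from any reply in this thread). The object names S2S-PROPOSAL, S2S-POLICY and S2S-TS are made up; the FTD side is configured from its manager and is not shown.

```cisco
! IKEv2 (phase 1) proposal: AES-256 instead of AES-192, an explicit SHA-2
! integrity algorithm instead of a bare "SHA", and DH group 20 (384-bit ECP)
! as recommended above instead of group 21.
crypto ikev2 proposal S2S-PROPOSAL
 encryption aes-cbc-256
 integrity sha384
 group 20
!
! The policy that references the proposal; both peers must offer a matching
! combination or the IKE_SA_INIT exchange fails.
crypto ikev2 policy S2S-POLICY
 proposal S2S-PROPOSAL
!
! IPsec (child SA) transform set: AES-256 for ESP encryption with an explicit
! SHA-256 HMAC for integrity, rather than the default SHA-1 variant.
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Verify what the router will actually offer to the peer:
!   show crypto ikev2 proposal
!   show crypto ipsec transform-set
```

The FTD policy must carry the same encryption, integrity and DH group values, otherwise the proposals never intersect and the tunnel does not come up.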

mestasew1
Level 1

Thanks for posting this question and the discussion. I am preparing for 350-701 too and was about to post this question for the community, but found the same question already posted.

I confirmed that answer D, with 256-bit, is more secure. I might send feedback to Cisco Press including other observations, in case they publish a 2nd version of the errata.