Configuring Network-Based Authentication and NGFW for VPN Connections | CompTIA CASP+ Exam Answer

Network-Based Authentication and NGFW Configuration for VPN Connections

Question

A company's security policy states any remote connections must be validated using two forms of network-based authentication.

It also states local administrative accounts should not be used for any remote access.

PKI currently is not configured within the network.

RSA tokens have been provided to all employees, as well as a mobile application that can be used for 2FA.

A new NGFW has been installed within the network to provide security for external connections, and the company has decided to use it for VPN connections as well.

Which of the following should be configured? (Choose two.)

Answers

A. Certificate-based authentication
B. TACACS+
C. 802.1X
D. RADIUS
E. LDAP
F. Local user database

DE.

Explanations

Based on the company's security policy, remote connections require two forms of network-based authentication and local administrative accounts should not be used for remote access. RSA tokens have been provided to all employees, and a new NGFW has been installed for VPN connections.

To ensure compliance with the security policy and provide additional security measures for remote connections, the following two configurations should be implemented:

  1. Certificate-based authentication: Certificate-based authentication uses digital certificates to verify the identity of a user or device. A digital certificate is issued by a trusted third party called a Certificate Authority (CA), and it contains information about the identity of the user or device together with that user's or device's public key. The NGFW should be configured to require a valid client certificate for remote VPN connections. This ensures that only authorized users holding a valid certificate can access the network, and it adds a further layer of security because the certificate is unique to each user and cannot easily be replicated or shared.

  2. RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides centralized authentication, authorization, and accounting (AAA) for remote access. RADIUS servers can enforce network policies, such as requiring two-factor authentication, and they can also track and log user activity. The NGFW should be configured to use RADIUS to validate user credentials for VPN connections. This ensures that only authorized users with valid credentials can access the network, and it adds a further layer of security because user credentials are encrypted and protected during transmission.

Therefore, the correct answers are A. Certificate-based authentication and D. RADIUS.

The other options (B. TACACS+, C. 802.1X, E. LDAP, and F. Local user database) do not provide the level of security required by the company's security policy. TACACS+ is primarily used for device authentication and management, 802.1X is primarily used for wired network access control, LDAP is primarily used for user authentication and authorization, and a local user database provides neither centralized management nor tracking capabilities.