Which of the following failover link configurations can leave an ASA vulnerable to replay attacks? (Select the best answer.)
- connecting the active and standby units directly with a crossover cable
- connecting the active and standby units to a dedicated VLAN on a switch
- sharing a regular data interface with the stateful failover link
- sharing the LAN failover link with the stateful failover link
- using a dedicated Ethernet interface as the stateful failover link
Sharing a regular data interface with the stateful failover link on a Cisco Adaptive Security Appliance (ASA) can leave the ASA vulnerable to replay attacks. A replay attack is a form of man-in-the-middle attack in which the attacker uses a packet sniffer to capture legitimate network data, such as authentication tokens and preshared keys (PSKs), and then replays the data to a target. The attacker might also delay or modify the captured data before directing it to the target. On an ASA, all LAN failover and stateful failover information is transmitted as clear text by default. Therefore, sharing the stateful failover link with a regular data interface unnecessarily exposes virtual private network (VPN) configuration information, such as user names, passwords, and PSKs, to malicious users on the shared network segment. You can mitigate this risk by configuring the same failover key on both the active unit and the standby unit so that failover information is protected in transit. Cisco strongly recommends using a dedicated Ethernet interface for the stateful failover link, or sharing the LAN failover link, rather than sharing a regular data interface.
ASAs can be configured to participate in either a stateless or a stateful failover implementation. In a stateless failover implementation, the active unit and standby unit use a dedicated LAN link, known as a LAN failover link, for failover traffic. The LAN failover link can use any unused, unnamed Ethernet interface and can connect the failover pair directly, with either a straight-through or crossover Ethernet cable, or through a switch, provided no other devices are on the same network segment or virtual LAN (VLAN) as the failover pair. Although all failover traffic is sent as clear text by default, a LAN failover link does not leave an ASA vulnerable to replay attacks because the two units are either directly connected or connected through a dedicated VLAN, so no third host is positioned to capture the traffic.
By contrast, the stateful failover link between two ASAs can use a dedicated Ethernet link, a shared LAN failover link, or a shared regular data interface. If a dedicated Ethernet link is used for stateful failover, it must follow the same connectivity guidelines as a LAN failover link: it must be either a direct connection or a dedicated VLAN on a switch. Like a LAN failover link, a stateful failover link that uses either a dedicated Ethernet link or a shared LAN failover link does not leave an ASA vulnerable to replay attacks because the two units are either directly connected or connected through a dedicated VLAN.
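The following ASA configuration fragments are an added illustration of the answer above and are not part of the original question or of Cisco's documentation. The interface numbers, interface names (folink, statelink, inside), IP addresses and the failover key value are all assumed for the example; the exact syntax of the shared-data-interface form of the failover link command follows the 8.x command reference and should be checked against the reference for the version in use. Both fragments configure the primary unit of an Active/Standby pair; the standby unit needs the same failover lan interface, failover link and failover key commands, with failover lan unit secondary instead of primary.

```text
! --- WEAK: stateful failover link shared with the regular "inside" data interface ---
! State updates (connection table, VPN SA data, including any usernames,
! passwords and PSKs in use) cross the production segment in clear text,
! where any host on that segment can capture and replay them.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover link inside
failover

! --- RECOMMENDED: dedicated state link plus a failover key ---
! GigabitEthernet0/2 and GigabitEthernet0/3 are unnamed, unused interfaces,
! each connected back-to-back or via its own dedicated VLAN with no other hosts.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover link statelink GigabitEthernet0/3
failover interface ip statelink 10.1.2.1 255.255.255.0 standby 10.1.2.2
! The key must be identical on both units; it protects failover messages
! so that a captured message cannot simply be replayed to the peer.
failover key F41l0v3r-Sh4r3d-S3cr3t
failover
!
! Alternative accepted by the question: share the LAN failover link as the
! state link instead of dedicating a third interface:
!   failover link folink GigabitEthernet0/2
```

After enabling failover on both units, show failover on the active unit should report the peer as Standby Ready and list the configured stateful failover link; if the state link still shows a named data interface, the weak configuration is in effect.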