Wireless Security and Vulnerabilities Quiz

Questions and Answers

An attacker intercepts an HTTPS public encryption key and decrypts login credentials. What type of vulnerability is primarily exploited in this scenario?

• Session Hijacking
• Brute Force Attack
• Replay Attack
• Man-in-the-Middle Attack (correct)

What type of WLAN attack is specifically mitigated by using a per-MPDU TKIP sequence counter (TSC)?

• Weak-IV attack
• Forgery attack
• Bit-flipping attack
• Replay attack (correct)

A small business is using consumer-grade wireless routers. Which security measure is the most appropriate to implement to secure the wireless network?

• WPA2-Enterprise
• WPA-Enterprise
• WPA2-Personal (correct)
• 802.1X/EAP-PEAP

Which of the following is a primary criteria for a network to qualify as a Robust Security Network (RSN)?

WEP may not be used for encryption. (D)

After capturing network traffic, you observe authentication and association frames, followed by DHCP and ISAKMP protocol packets. What security solution is likely represented?

Open 802.11 authentication with IPSec (A)

A Windows laptop has a dual-band Wi-Fi adapter. Which wireless frequency band would potentially offer less interference in a crowded area with multiple access points?

5 GHz band (A)

Given the previous scenario, to mitigate common threats, which encryption protocol is best suited if we use WPA2-Personal?

AES-CCMP (D)

In a WPA2-Personal scenario, what kind of key is used for the actual data encryption once the shared secret has been initially established during authentication?

Session Key (B)

Which of the following topics should be included in end-user training for password selection and acceptable network use?

Social engineering recognition and mitigation techniques. (C)

What is the most appropriate way for a wireless security professional to address rogue access points within a large organization's network?

Implementing a WIPS for rogue detection and response. (C)

Before creating a WLAN security policy, what is the most essential prerequisite for ABC Hospital?

Strong management support for the process. (B)

In which deployment scenario is peer-to-peer traffic blocking most beneficial?

Public hot-spots with many users and applications. (C)

Which of these authentication technologies is capable of setting up a TLS tunnel between the client device and the authentication server?

WPA2-Enterprise (C)

What specific action should a wireless professional take to mitigate the biggest risk posed by rogue access points?

Set up a WIPS system. (A)

What initial step is crucial before developing a robust WLAN security policy for ABC Hospital?

Securing sponsorship from senior leadership and management. (A)

In which situation is it most critical to block peer-to-peer traffic on a Wi-Fi network?

Public Wi-Fi hotspots with many clients using assorted applications. (C)

Which of the following security measures BEST addresses the requirement to limit network permissions for a guest hot-spot to only internet access?

Configuring ACLs that restrict data types and destinations on the guest WLAN. (B)

What is the primary purpose of implementing a captive portal with HTTPS login for a guest WLAN?

To ensure all guest users are authenticated before accessing the WLAN. (D)

In the 802.1X/EAP framework, what event directly precedes the opening of the 802.1X controlled port?

The completion of the 4-way handshake. (A)

Why does the 802.1X Uncontrolled Port open while the Controlled Port is still blocked after 802.1X/EAP is successful?

Uncontrolled Ports are always open for network operations. (A)

What was a significant obstacle that hindered early adoption of Opportunistic Key Caching (OKC)?

Lack of standardization and client certification caused delayed support. (B)

Why is it recommended to use different VLANs for corporate and guest WLANs in addition to separate controllers?

To segregate network traffic and enhance security by logically separating networks. (B)

Which security control helps prevent guest users from associating their device to the corporate WLAN?

Implementing a WIPS to deauthenticate guest users (D)

Why is it important for a hot-spot to limit access to network resources as much as possible?

To reduce the risk of unauthorized access to sensitive information and systems. (A)

ABC company is upgrading their WLAN infrastructure to support Voice over Wi-Fi, what is a primary security concern given that most Voice over Wi-Fi phones do not support IPSec?

The lack of IPSec support on Voice over Wi-Fi phones. (D)

What is the most appropriate security solution to implement when upgrading to Voice over Wi-Fi and needing to replace WEP with IPSec?

Migrate to WPA2-Enterprise with fast secure roaming for all devices and segment Voice over Wi-Fi on a separate VLAN. (B)

What is the role of LDAP when used in a WLAN authentication solution?

A data retrieval protocol used by authentication services like RADIUS. (C)

Which of the following security protocols provides mutual authentication without the need for X.509 certificates?

EAP-FAST (B)

An 802.1X/EAP is being used for wireless authentication, with a controller and 7 access points, what is the most common role of Radius in this solution?

The RADIUS server is responsible for authentication and authorization of the clients. (C)

Given an 802.1X/EAP-based wireless security solution, with a WLAN controller and 7 APs, what is the purpose of the EAP protocol?

To provide a framework for authentication within the 802.1X architecture. (A)

What is the primary difference between EAP-FAST, and EAP-TLS?

EAP-FAST uses a Protected Access Credential (PAC), and EAP-TLS uses X.509 certificates. (D)

Why might an organization choose to implement WPA2-Enterprise over WPA-Personal?

WPA2-Enterprise is considered more secure than WPA-Personal, especially for a large number of managed device. (C)

What is a primary difference between EAP-TTLS and EAP-TLS regarding authentication credentials?

EAP-TTLS does not require the use of a certificate for each STA, but EAP-TLS does. (B)

In a WPA2-Enterprise setup, how does the WLAN controller receive group assignments for authenticated users to apply specific security profiles?

The RADIUS server includes a group name attribute in its response to the WLAN controller during each successful authentication. (A)

What is the specific role of the Pairwise Transient Key (PTK) within IEEE 802.11 authentication and key management?

It provides keys to encrypt unicast data frames across the wireless medium. (B)

Which technology would need to be implemented to support a TSN due to legacy wireless equipment that doesn't support AES encryption, when it wouldn't be necessary in an 802.11-2012 compliant network?

WEP (A)

What is the primary difference in the way EAP-TTLS and EAP-TLS handle client authentication?

EAP-TLS requires both server and client certificates for authentication, while EAP-TTLS only requires a server-side certificate and uses a tunneled authentication method for the client. (A)

In the context of WPA2-Enterprise, what is the immediate effect of a RADIUS server returning a group name to the WLAN controller during user authentication?

The WLAN controller assigns a pre-configured security profile to the authenticated user, based on the returned group name. (A)

Why is the Pairwise Transient Key (PTK) specific to unicast data frame encryption, and not used for other traffic?

The PTK is specifically designed to protect sensitive data during unicast transmissions by encrypting and signing packets. (B)

Why might an administrator choose to implement WEP for older wireless equipment given the potential security risks?

Some very old devices do not support the newer encryption standards like CCMP (AES), making WEP necessary to connect to the network. (C)

Joe is unable to connect to ABC Company's 802.11 WLAN. Given that his laptop is authorized and the environment includes WIPS, what is the most likely cause of his connectivity issue?

Joe's laptop is using a personal PC card radio with different drivers, and client utilities, disabling the integrated 802.11 radio. (A)

ABC Company uses an overlay WIPS with dipole antenna sensors to locate rogue devices. Which of the following techniques can the 802.11 based platform use to determine the location of rogue devices?

Time Difference of Arrival (TDoA), Trilateration of RSSI measurements, and RF Fingerprinting (C)

In a Single Channel Architecture (SCA) network, what key characteristic is shared across all Access Points (APs)?

The same channel and BSSID for each AP. (C)

In ABC Company's Single Channel Architecture (SCA) network, which authentication method is exclusively used?

PEAPv0/EAP-MSCHAPv2 (A)

In an SCA environment with a Voice over Wi-Fi client (STA-1) moving throughout the network, what best describes the changes that are happening?

STA-1 associates with a new AP when the RSSI signal of the current connected AP drops below an acceptable level, without requiring further authentication. (C)

What is the primary purpose of ABC Company's WIPS termination policy?

To trigger alerts for rogue stations, rogue APs, DoS attacks, and unauthorized roaming. (B)

What is a key factor that makes a Single Channel Architecture (SCA) beneficial for client roaming?

It allows all APs to use the same channel and BSSID. (A)

Joe’s laptop is attempting to connect to a PEAPv0/EAP-MSCHAPv2 network and failing. What is the most likely reason for the failure, given the company’s WIPS policy?

Joe's laptop uses a different radio card, despite being authorized on the WIPS. (C)

Flashcards

What type of attack involves intercepting a server's public encryption key and decrypting login credentials?

A WLAN attack where an attacker intercepts the HTTPS public encryption key from a web server and decrypts login credentials in real-time.

What WLAN attack is prevented by a per-MPDU TKIP sequence counter (TSC)?

A security measure in TKIP (Temporal Key Integrity Protocol) that uses a unique counter to prevent replay attacks. The counter is incremented for each MPDU (MAC Protocol Data Unit) transmitted, ensuring that each frame is unique.

What security measure can you implement on a consumer-grade wireless router to enhance security?

A security solution that uses a unique pre-shared key (PSK) to encrypt wireless traffic. This is the most basic and common security solution for home and small business networks.

What is a primary criteria for a network to qualify as a Robust Security Network (RSN)?

A set of security standards required for a wireless network to be certified as Robust Security Network (RSN). The primary criteria is not using WEP for encryption.

What security solution is represented by the following protocol messages: auth req, auth rsp, assoc req, assoc rsp, DHCP communication, and ISAKMP packets?

This is a pre-authentication security solution that uses the ISAKMP (Internet Security Association and Key Management Protocol) for key exchange. This is a strong security solution, especially when combined with IPSec, making it a reliable choice for establishing secure communication links between networks.

Which security solution utilizes AES-CCMP encryption for robust data protection?

A secure and widely compatible wireless security solution that utilizes AES-CCMP encryption for data protection. WPA2 is a significant upgrade over WEP and provides robust security features like robust key management and advanced encryption algorithms.

Describe the functionality of 802.1X/EAP-TTLS in a network setting.

A secure method for authenticating devices on a network, involving three components: authentication, authorization, and accounting. EAP-TTLS is a protocol that provides flexible authentication methods, often used for securing network access with certificates or passwords.

Identify the function of 802.1X/PEAPv0/MS-CHAPv2 in securing network access.

EAPv0/MS-CHAPv2 is a widely used authentication protocol for secure network access, often employed with 802.1X to authenticate devices with user credentials. It utilizes a challenge-response mechanism for verification, offering a secure method for network access.

Rogue APs in Security Policy

A security policy document should outline procedures for detecting and mitigating rogue access points. This could involve scanning for unauthorized radio signals, enforcing network segmentation, or utilizing a Wireless Intrusion Prevention System (WIPS) to proactively identify and respond to threats.

WPA2-Enterprise

WPA2-Enterprise provides a strong authentication mechanism with robust security features using 802.1x and EAP protocols. It leverages mutual authentication, ensuring both client and server identities are verified, and offers encryption through AES.

Hiding SSID for Rogue APs

Hiding the SSID (network name) can make it harder for attackers to identify and connect to legitimate access points. However, this alone isn't a foolproof method as attackers can still attempt to discover the SSID using other techniques.

Spectrum Analysis for Rogue APs

Using a spectrum analyzer allows wireless security professionals to actively scan the radio frequency spectrum for rogue AP signals, giving them a clear view of unauthorized transmissions.

WIPS for Rogue Detection

WIPS (Wireless Intrusion Prevention System) is dedicated to detecting and responding to malicious activity on the wireless network. It can identify rogue APs, monitor traffic patterns, and automatically take actions like blocking connections.

Port Security for Rogue APs

Port security on network switches restricts which devices can connect to specific ports. Enabling port security with a limited number of MAC addresses can help prevent unauthorized access by limiting the number of devices that can connect to a single port.

Management Support for WLAN Policy

Before establishing a WLAN security policy, it's crucial to secure management support. This support ensures resources, authority, and commitment from leadership to implement and enforce the policy effectively.

Peer-to-Peer Blocking

Peer-to-peer traffic blocking restricts direct communication between devices on the network. It's particularly useful in public hotspots where you want to prevent unauthorized data sharing or malware propagation.

EAP-FAST

A wireless security protocol that provides mutual authentication without relying on X.509 certificates for identity verification.

WPA-Personal

A security protocol that encrypts wireless communication using a pre-shared key (PSK) and provides basic security for home and small business networks.

802.11

A standard that dictates how wireless access points (APs) and stations communicate and authenticate with each other.

IPSec VPN

A security solution that encrypts data transmitted between devices on a network, providing privacy and confidentiality.

Voice over Wi-Fi

A technology used to extend voice calls over the internet via a wireless network; it is usually employed in enterprise settings for VoIP phone calls.

Fast Secure Roaming

A technology that enables seamless roaming between wireless access points (APs) without interrupting connectivity.

Multi-factor Authentication

A security mechanism that uses multiple authentication factors to improve security and reduce the risk of unauthorized access.

Guest Network Security Requirements

Restricting network access to only the internet, preventing access corporate resources.

Separate Controllers for Guest and Corporate WLANs

Using a separate controller for guest and corporate networks enhances security by isolating traffic and preventing unauthorized access.

Wireless Intrusion Prevention System (WIPS)

Employing a WIPS to disconnect guests attempting to join the corporate network improves security by preventing unauthorized access.

Access Control Lists (ACLs) for Guest WLAN

Restricting access to specific data and destinations using ACLs on the guest network enhances security by limiting what guests can access.

Captive Portal Authentication and VLAN Separation

Implementing captive portal authentication and VLAN separation for guest and corporate networks enhances security by providing user control and isolation.

4-Way Handshake in 802.1X/EAP

The 4-Way Handshake, a part of the WPA2/3 authentication process, must be completed before a device is granted network access.

Opportunistic Key Caching (OKC) Drawbacks

Opportunistic Key Caching (OKC) enables faster network roaming by pre-caching keys, but initial problems made it less widely adopted.

OKC Challenges

Initial problems with OKC included lack of standardization and client support, as well as limited processing power for encryption on older devices.

EAP-TTLS vs EAP-TLS

EAP-TTLS (Tunneled TLS) does not require an authentication server, but EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) does.

How do authenticated users get assigned to groups in a WLAN controller with WPA2-Enterprise security?

The WLAN controller receives a group attribute from the RADIUS server during each successful user authentication. This attribute determines which security profile the user is assigned, based on their group membership.

What is the PTK in IEEE 802.11?

The Pairwise Transient Key (PTK) is used to encrypt unicast data frames that are transmitted over the wireless medium. It is important for ensuring secure communication between the wireless client and the access point.

How are security profiles assigned in a WLAN controller with WPA2-Enterprise security?

The WLAN controller is responsible for assigning security profiles based on user group membership. It receives authentication information from the RADIUS server, including the user's group attribute. Each group is associated with a specific security profile.

What is WPA2-Enterprise security and how does it work?

WPA2-Enterprise security uses a RADIUS server to authenticate users and assign them to specific groups. This allows for fine-grained access control and security based on user roles.

What is the Pairwise Master Key (PMK) in IEEE 802.11?

In IEEE 802.11, the Pairwise Master Key (PMK) is used for establishing secure communication between a client and an access point. It is derived from the user's credentials and the network's security settings.

Which encryption technology would you use to support legacy devices in an 802.11-2012 wireless network?

CCMP, or Counter Mode with CBC-MAC Protocol, is the encryption method used in the 802.11i standard, which is the foundation for WPA2. It is more secure than older methods like WEP and RC4.

What does WIPS stand for?

WIPS (Wireless Intrusion Prevention System) is a security system designed to identify, locate and if possible, prevent wireless security threats within a wireless network. Typical WIPS threats include rogue access points, rogue stations, unauthorized network access, DoS attacks, unauthorized roaming, malicious traffic and more.

What is a WIPS termination policy?

A WIPS termination policy defines the actions taken by a WIPS system when it detects potential threats. This policy can include sending alerts to administrators, blocking suspicious traffic, or isolating devices believed to be malicious.

What is a rogue access point?

Rogue Access Point (RAP) is an unauthorized access point that connects to a wireless network without the knowledge or consent of the network administrator. It can pose a serious security risk by allowing unauthorized access to the network, creating possible unauthorized access for attackers.

What is a rogue station?

Rogue Stations are client devices that connect to a wireless network without proper authorization from the network administrator. They can be used to launch attacks, steal data, and disrupt network traffic. A WIPS system can help to identify and isolate rogue stations.

What is a DoS attack?

In the context of wireless security, a DoS (Denial of Service) attack aims to disrupt the availability of a wireless network by overwhelming it with traffic, making it difficult or impossible for authorized users to connect and access resources.

What is unauthorized roaming?

Unauthorized roaming within a WIPS context refers to a device's attempt to connect to an access point it isn't authorized to use. This can be a security risk because it allows unauthorized access to the network and potentially allows malicious devices to gain access.

What is TDoA (Time Difference of Arrival)?

The Time Difference Of Arrival (TDoA) technique is used to determine the location of a device by measuring the time it takes for a signal to reach multiple sensors. By calculating the time difference, the system can triangulate the location of the device emitting the signal.

What is trilateration?

Trilateration uses the strength of a signal received by multiple sensors to estimate the location of a device. By measuring the Received Signal Strength Indicator (RSSI) and triangulating the measurements, the system can determine the device's location.

Study Notes

CWSP-207 Study Notes

• Course is CWSP-207

• Total questions: 119

• Topic 1: Vulnerabilities, Threats, and Attacks

  • An attack is in progress, but the attacker has not gained access to any files. This describes a denial-of-service (DoS) attack.
  • WLAN attacks exploit specific vulnerabilities such as management interface exploits, zero-day exploits, RF DoS, hijacking attacks, and social engineering attacks. These can be used to gain credentials or disrupt communication.
  • 802.11n access points at airports are susceptible to man-in-the-middle attacks and Wi-Fi phishing attacks.
  • ABC Corporation should be advised against using MS-CHAPv2 for their WLAN security, as it is vulnerable to offline dictionary attacks and not secure for WPA2-Enterprise implementations. LEAP is secure only when used within a TLS-encrypted tunnel.

• Topic 1 (continued) -Wireless attacks such as rogue APs, DoS, and eavesdropping can't be detected by WIPS solutions of any kind.

  • Social engineering is a security attack that cannot be detected by WIPS software solutions. -In a WLAN security penetration exercise, obtaining the WEP key allows an attacker to decrypt other users' traffic. To recreate encryption keys using a protocol analyzer three inputs are required: authenticator nonce, supplicant nonce, and authenticator address (BSSID). -802.11w protects against RF DoS and Layer 2 disassociation attacks.
  • When using a wireless aggregator utility to combine multiple packet captures the utility is likely being used for troubleshooting wireless adapter failures and performing a interference source location test.

• Topic 1 (continued)

  • WPA2 Personal uses Open System authentication followed by a 4-Way Handshake resulting in easily performed hijacking attacks.

• Topic 2: Security Policy

  • A security policy that requires VPN software for connectivity to the corporate network will help mitigate peer-to-peer attacks when laptops are used on public access networks.
  • Password complexity and regular changes to static passwords in a security policy help to mitigate vulnerabilities.
  • Strong authentication, encryption, and robust security methods should be addressed by a WLAN security policy to provide a secure network for users to access sensitive information such as corporate data, file shares, intranet web servers, or internet network access.

• Topic 3: WLAN Security Design and Architecture

  • EAP-MD5, EAP-TLS, PEAPv0/MSCHAPv2 technologies are used, establishing a TLS tunnel between the supplicant and the authentication server.
  • When CCMP is used for protection of data frames, 16 bytes of overhead are added to Layer 2 frames. Eight of these bytes make up the MIC (message integrity code) Layer of validation to ensure that the wireless receiver does not incorrectly process corrupted signals, The MIC a hash computation against the MAC Header to detect replay attacks.
  • WPA2-Personal authentication and AES-CCMP encryption protect the MSDU contents of the 802.11 frames from eavesdroppers.

• Topic 3 (continued)

  • EAP-TLS will not protect the client's username and password within an encrypted tunnel used as a security solution. This is a disadvantage when comparing PEAPv0 EAP/MSCHAPv2.
  • 802.1x/EAP-TTLS and PEAPv0/MSCHAPv2 authentication protocols are used for securing corporate WLAN data. Each group's security settings are configured in the WLAN controller for their respective VLANs. When authenticated users are assigned to groups their access to data is controlled according to the security policies.
  • A common issue is security issues and user conflicts caused by having corporate and guest accounts on the same WLAN. Using a different controller for guest networks is a good solution.
  • Offline dictionary attacks can be used to gain wireless network access, but will not decrypt data traffic from other users.

• Additional Topics (as applicable)

  • Wireless security attacks,
  • Wireless security solutions,
  • Wireless security policies

Description

Test your knowledge on wireless security vulnerabilities and solutions. This quiz covers common attacks, network security criteria, and encryption protocols suitable for a secure wireless network. Ideal for those aiming to enhance their understanding of WLAN security measures.