Chapter 17 - 802.11 Network Security Architecture
How are IPsec VPNs used to provide security in combination with 802.11 WLANs? A. Client-based security on public access WLANs B. Point-to-point wireless bridge links C. Connectivity across WAN links D. All of the above
D. VPNs are most often used for client-based security when connected to public access WLANs and hotspots that do not provide security. Because most hotspots do not provide layer 2 security, it is imperative that end users provide their own security. Another common use of VPN technology is to provide site-to-site connectivity between a remote office and a corporate office across a WAN link. When WLAN bridges are deployed for wireless backhaul communications, VPN technology can be used to provide the necessary level of data privacy.
128-bit WEP encryption uses a user-provided static key of what size? A. 104 bytes B. 64 bits C. 124 bits D. 128 bits E. 104 bits
E. 128-bit WEP encryption uses a secret 104-bit static key, which is provided by the user (26 hex characters) and combined with a 24-bit initialization vector (IV) for an effective key strength of 128 bits.
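The arithmetic in this answer (26 hex characters = 104 bits, plus a 24-bit IV = a 128-bit per-frame seed) is shown below as an added example; it is not code from the study guide. It parses a user-entered hex key, builds the ARC4 seed by prepending the IV, and runs the ARC4 keystream over a frame body with its CRC-32 ICV. It also accepts the 10-hex-character form used by 64-bit WEP, which the question does not ask about. The key and IV values are constructed for illustration.

```python
"""Added example (not from the study guide): how a 128-bit WEP seed is
assembled from the user's 104-bit static key and a 24-bit IV, and how that
seed drives the ARC4 keystream that protects the frame body.
Key and IV values are constructed sample values."""
import os
import zlib

# Hex characters as typed by the user -> static key bits.
# "64-bit" WEP uses a 40-bit key, "128-bit" WEP uses a 104-bit key.
WEP_KEY_HEX_LENGTHS = {10: 40, 26: 104}
IV_BITS = 24


def parse_wep_key(hex_key: str) -> bytes:
    """Turn the user-supplied hex string into the static key bytes."""
    hex_key = hex_key.strip()
    if len(hex_key) not in WEP_KEY_HEX_LENGTHS:
        raise ValueError("WEP key must be 10 or 26 hex characters")
    return bytes.fromhex(hex_key)


def wep_seed(static_key: bytes, iv: bytes) -> bytes:
    """Per-frame ARC4 seed: the 24-bit IV prepended to the static key.
    For a 104-bit key this is 3 + 13 = 16 bytes, the '128' in '128-bit WEP'."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("IV must be 3 bytes")
    return iv + static_key


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain ARC4: key-scheduling algorithm, then pseudo-random generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame-body protection as WEP does it: append a 4-byte CRC-32 ICV,
    XOR plaintext+ICV with the keystream, and send the IV in the clear so
    the receiver can rebuild the same seed."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(wep_seed(static_key, iv), len(plaintext) + 4)
    body = bytes(a ^ b for a, b in zip(plaintext + icv, ks))
    return iv + body


def wep_decrypt(static_key: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt; the IV comes from the frame itself."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(wep_seed(static_key, iv), len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV check failed")
    return plaintext


if __name__ == "__main__":
    key = parse_wep_key("0123456789ABCDEF0123456789")  # constructed 26-hex-char key
    iv = os.urandom(3)
    frame = wep_encrypt(key, iv, b"hello")
    print(len(key) * 8, "bit key +", IV_BITS, "bit IV ->", len(wep_seed(key, iv)) * 8, "bit seed")
    print("round trip ok:", wep_decrypt(key, frame) == b"hello")
```

The seed is the only input to ARC4, so the 24-bit IV is the sole per-frame variation on top of the static key; that is what "effective key strength of 128 bits" refers to.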
When 802.1X/EAP security is deployed, RADIUS attributes can also be leveraged for role-based assignment of which type of user access permissions? (Choose all that apply.) A. Stateful firewall rules B. Time C. VLANs D. ACLs E. Bandwidth
A, B, C, D, E. The three main components of an RBAC approach are users, roles, and permissions. Separate roles can be created, such as the sales role or the marketing role. User traffic permissions can be defined as layer 2 permissions (MAC filters), VLANs, layer 3 permissions (access control lists), layer 4-7 permissions (stateful firewall rules), and bandwidth permissions. All these permissions can also be time based. The user traffic permissions are mapped to the roles. Some WLAN vendors use the term "roles," whereas other vendors use the term "user profiles."
Which of the following encryption methods use symmetric ciphers? (Choose all that apply.) A. WEP B. TKIP C. Public-key cryptography D. CCMP
A, B, D. WEP, TKIP, and CCMP use symmetric ciphers. WEP and TKIP use the ARC4 cipher, and CCMP uses the AES cipher. Public-key cryptography uses asymmetric ciphers, with a public/private key pair rather than a single shared key.
The IEEE 802.11-2016 standard states which of the following regarding 802.11ac data rates and encryption? (Choose all that apply.) A. WEP and TKIP must not be used. B. CCMP and GCMP can be used. C. WEP cannot be used; however, TKIP can be used if also using 802.1X. D. Any encryption method defined by the standard can be used.
A, B. The migration from TKIP to CCMP can be seen in the IEEE 802.11n amendment, the IEEE 802.11ac amendment, and the IEEE 802.11-2016 standard, which all state that high throughput (HT) or very high throughput (VHT) data rates are not allowed to be used if WEP or TKIP is enabled. This exclusion was decided in 2012 by both the IEEE and the Wi-Fi Alliance. CCMP is the designated encryption method for 802.11n/ac data rates. The 802.11ad-2012 amendment standardized the use of Galois/Counter Mode Protocol (GCMP), which uses AES cryptography. The extremely high data rates defined by 802.11ad need GCMP because it is more efficient than CCMP. GCMP is also considered an optional encryption method for 802.11ac radios.
Which three main components constitute an 802.1X authorization framework? (Choose all that apply.) A. Supplicant B. Authorizer C. Authentication server D. Intentional radiator E. Authenticator
A, C, E. The 802.1X authorization framework consists of three main components, each with a specific role. The components work together to ensure that only properly validated users and devices are authorized to access network resources. The supplicant requests access to network resources; the authentication server authenticates the identity of the supplicant; and the authenticator allows or denies access to network resources via virtual ports. A layer 2 authentication protocol called Extensible Authentication Protocol (EAP) is used within the 802.1X framework to validate users at layer 2.
What does 802.1X/EAP provide when implemented for WLAN security? (Choose all that apply.) A. Access to network resources B. Verification of access point credentials C. Dynamic authentication D. Dynamic encryption-key generation E. Verification of user credentials
A, D, E. The purpose of 802.1X/EAP is authentication of user credentials and authorization to access network resources. Although the 802.1X framework does not require encryption, it strongly recommends the use of encryption. A by-product of 802.1X/EAP is the generation and distribution of dynamic encryption keys. While the encryption process is actually a by-product of the authentication process, the goals of authentication and encryption are very different. Authentication provides mechanisms for validating user identity, whereas encryption provides mechanisms for data privacy or confidentiality.
For an 802.1X/EAP solution to work properly, which two components must both support the same type of EAP? (Choose all that apply.) A. Supplicant B. Authorizer C. Authenticator D. Authentication server
A, D. An 802.1X/EAP solution requires that both the supplicant and the authentication server support the same type of EAP. The authenticator must be configured for 802.1X/EAP authentication but does not care which EAP type passes through. The authenticator and the supplicant must support the same type of encryption.
Identify the security solutions that are defined by WPA2. (Choose all that apply.) A. 802.1X/EAP authentication B. Dynamic WEP encryption C. Optional CCMP/AES encryption D. PSK authentication E. DES encryption
A, D. The WPA2 certification requires the use of an 802.1X/EAP authentication method in the enterprise and the use of a PSK authentication in a SOHO environment. The WPA2 certification also requires the use of stronger dynamic encryption-key generation methods. CCMP/AES encryption is the mandatory encryption method, and TKIP/ARC4 is the optional encryption method.
Which of the following methods of authentication must occur along with the 4-Way Handshake in order to generate dynamic TKIP/ARC4 or CCMP/AES encryption keys? (Choose all that apply.) A. Shared Key authentication and 4-Way Handshake B. 802.1X/EAP authentication and 4-Way Handshake C. Static WEP and 4-Way Handshake D. PSK authentication and 4-Way Handshake
B, D. Shared Key authentication is a legacy authentication method that does not provide seeding material to generate dynamic encryption keys. Static WEP uses static keys. A robust security network association requires a four-frame EAP exchange, known as the 4-Way Handshake, which is used to generate dynamic TKIP or CCMP keys. The handshake may occur either after an 802.1X/EAP exchange or as a result of PSK authentication.
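The key hierarchy this answer describes is worked through below as an added example, not code from the study guide. It follows the IEEE 802.11i derivation: a PSK passphrase and the SSID give a static pairwise master key (PMK) via PBKDF2-HMAC-SHA1, and the 4-Way Handshake turns that PMK, the two MAC addresses and the two nonces into a fresh pairwise transient key (PTK) via the SHA-1 based PRF. The 128-bit temporal key (TK) carved out of the PTK is the CCMP/AES key. With 802.1X/EAP the PMK would instead come from the EAP exchange; the rest is identical. MAC addresses and nonces are constructed sample values.

```python
"""Added example (not from the study guide): the 802.11i key hierarchy behind
the 4-Way Handshake. psk_to_pmk() gives the static PMK shared by every device
configured with the same passphrase and SSID; derive_ptk() gives the per-session
PTK that the handshake nonces make unique. Sample MACs/nonces are constructed."""
import hashlib
import hmac
import os

# PTK length depends on the pairwise cipher: CCMP needs KCK+KEK+TK (3 x 128 bits),
# TKIP needs a 256-bit TK on top of KCK+KEK.
PTK_BYTES = {"CCMP": 48, "TKIP": 64}


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to the requested length."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> dict:
    """PTK = PRF(PMK, "Pairwise key expansion",
                 min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    AA = authenticator MAC, SPA = supplicant MAC. Returned split:
    KCK (EAPOL MIC key), KEK (GTK wrap key), TK (the data-frame cipher key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_BYTES[cipher])
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


if __name__ == "__main__":
    ssid = "ACME-Scanners"                        # constructed SSID
    pmk = psk_to_pmk("correct horse battery", ssid)
    aa = bytes.fromhex("001122334455")             # constructed AP MAC
    spa = bytes.fromhex("66778899aabb")            # constructed client MAC
    # Two associations of the same client: same PMK, different nonces.
    first = derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))
    second = derive_ptk(pmk, aa, spa, os.urandom(32), os.urandom(32))
    print("PMK (static, shared by all devices):", pmk.hex())
    print("TK session 1:", first["tk"].hex(), "(%d bits)" % (len(first["tk"]) * 8))
    print("TK session 2:", second["tk"].hex())
    print("TK differs per session:", first["tk"] != second["tk"])
```

Two things the output makes concrete: the PMK depends only on the passphrase and SSID, so every device sharing a PSK holds the same PMK (the administrative problem with fired employees in the later PSK questions), while the TK changes on every association because the nonces do.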
Which wireless security standards and certifications call for the use of CCMP/AES encryption? (Choose all that apply.) A. WPA B. 802.11-2016 C. 802.1X D. WPA2 E. 802.11 legacy
B, D. The 802.11-2016 standard defines CCMP/AES encryption as the default encryption method; TKIP/RC4 is the optional encryption method. This was originally defined by the 802.11i amendment, which is now part of the 802.11-2016 standard. The Wi-Fi Alliance created the WPA2 security certification, which mirrors the robust security defined by the IEEE. WPA2 supports both CCMP/AES and TKIP/RC4 dynamic encryption key management.
Which WLAN security mechanism requires that each WLAN user have unique authentication credentials? A. WPA-Personal B. 802.1X/EAP C. Open System D. WPA2-Personal E. WPA-PSK
B. As required by an 802.1X security solution, the supplicant is a WLAN client requesting authentication and access to network resources. Each supplicant has unique authentication credentials that are verified by the authentication server.
When enabled, WLAN encryption provides data privacy for which portion of an 802.11 data frame? A. MPDU B. MSDU C. PPDU D. PSDU
B. Encapsulated inside the frame body of an 802.11 data frame is an upper-layer payload called the MAC service data unit (MSDU). The MSDU contains data from the Logical Link Control (LLC) and layers 3-7. The MSDU is the data payload that contains an IP packet plus some LLC data. When encryption is enabled, the MSDU payload within an 802.11 data frame is encrypted.
Which of these security methods is a replacement for PSK authentication as defined by WPA3? A. Per-user/per-device PSK B. Wi-Fi Protected Setup (WPS) C. Simultaneous Authentication of Equals (SAE) D. EAP-PSK E. WPA2 Personal
C. The Wi-Fi Alliance views Simultaneous Authentication of Equals (SAE) as a more secure replacement for PSK authentication. The ultimate goal of SAE is to prevent dictionary attacks altogether. SAE will be part of the WPA3 security certification.
Which layer 2 protocol is used for authentication in an 802.1X framework? A. RSN B. SAE C. EAP D. PAP E. CHAP
C. The supplicant, authenticator, and authentication server work together to provide the framework for 802.1X port-based access control, and an authentication protocol is needed to assist in the authentication process. The Extensible Authentication Protocol (EAP) is used to provide user or device authentication.
When you are using an 802.11 wireless controller solution, which device would usually function as the authenticator? A. Access point B. LDAP server C. WLAN controller D. RADIUS server
C. WLAN controllers normally centralize the data plane, and all the EAP traffic is tunneled between the APs and the WLAN controller. The WLAN controller is the authenticator. When an 802.1X/EAP solution is deployed in a wireless controller environment, the virtual controlled and uncontrolled ports exist on the WLAN controller.
CCMP encryption uses which AES key size? A. 192 bits B. 64 bits C. 256 bits D. 128 bits
D. The AES algorithm encrypts data in fixed data blocks with choices in encryption-key strength of 128, 192, or 256 bits. CCMP/AES uses a 128-bit encryption-key size and encrypts in 128-bit fixed-length blocks.
The ACME Company is using WPA2-Personal to secure handheld barcode scanners that are not capable of 802.1X/EAP authentication. Because an employee was recently fired, all the barcode scanners and APs had to be reconfigured with a new static 64-bit PSK. What type of WLAN security solution may have avoided this administrative headache? A. MAC filter B. Hidden SSID C. Changing the default settings D. Proprietary PSK
D. The biggest problem with using PSK authentication in the enterprise is social engineering. The PSK is the same on all WLAN devices. If the end user accidentally gives the PSK to a hacker, WLAN security is compromised. If an employee leaves the company, all the devices have to be reconfigured with a new 64-bit PSK, creating a lot of work for an administrator. Several WLAN vendors offer proprietary PSK solutions in which each individual client device will have its own unique PSK. These proprietary PSK solutions prevent social engineering attacks. They also virtually eliminate the burden on an administrator of having to reconfigure each and every WLAN end-user device.
Which of these use cases for a per-user/per-device implementation of PSK authentication is not recommended? A. Unique credentials for BYOD devices B. Unique credentials for IoT devices C. Unique credentials for guest WLAN access D. Unique credentials for legacy enterprise devices without 802.1X/EAP support E. Unique credentials for enterprise devices with 802.1X/EAP support
E. Multiple use cases for per-user and per-device PSK credentials have gained popularity in the enterprise. However, proprietary implementations of PSK authentication are not meant to be a replacement for 802.1X/EAP.
Which encryption method does the IEEE 802.11-2016 standard mandate for robust security network associations, and which method is optional? A. WEP, AES B. IPsec, AES C. MPPE, TKIP D. TKIP, WEP E. CCMP, TKIP
E. The 802.11-2016 standard defines what is known as a robust security network (RSN) and robust security network associations (RSNAs). CCMP/AES encryption is the mandated encryption method, and TKIP/RC4 is an optional encryption method. TKIP, CCMP, and GCMP are considered to be robust security network (RSN) encryption protocols. However, TKIP is being deprecated and GCMP has not yet been used in the enterprise WLAN marketplace.