8.3.10 Wireless Defenses Section Quiz
You need to configure a wireless network using WPA2-Enterprise. Which of the following components should be part of your design? (Select two.)
802.1x
AES encryption
To configure WPA2-Enterprise, you need a RADIUS server to support 802.1x authentication. WPA2 uses AES for encryption. WPA2-PSK, also called WPA2-Personal, uses pre-shared keys for authentication. WPA uses TKIP for encryption.
You've just finished installing a wireless access point for a client. What should you do to prevent unauthorized users from using the access point (AP) configuration utility?
Change the administrative password on the AP.
You should change the administrative password used by the AP. Many AP manufacturers use a default administrative username and password that are well known. If you don't change these parameters, anyone connecting to the AP can easily guess the password required to access the AP's configuration utility.
You want to connect a laptop computer running Windows to a wireless network. The wireless network uses multiple access points and WPA2-Personal. You want to use the strongest authentication and encryption possible. SSID broadcast has been disabled. What should you do?
Configure the connection with a pre-shared key and AES encryption.
To connect to a wireless network using WPA2-Personal, you need to use a pre-shared key for authentication. Advanced Encryption Standard (AES) encryption is supported by WPA2 and is the strongest encryption method. WPA and WPA2 designations that include Personal or PSK use a pre-shared key for authentication. Methods that include Enterprise use a RADIUS server for authentication and 802.1x authentication with usernames and passwords.
Which EAP implementation is MOST secure?
EAP-TLS
EAP-TLS uses Transport Layer Security (TLS) and is considered one of the most secure EAP standards available. A compromised password is not enough to break into EAP-TLS-enabled systems because the attacker must also have the client's private key. EAP-MD5 offers minimal security and is susceptible to dictionary attacks and man-in-the-middle attacks. Lightweight Extensible Authentication Protocol (LEAP) does a poor job of protecting user authentication credentials and is also susceptible to dictionary attacks. EAP-FAST is a replacement for LEAP that uses a protected access credential (PAC) to establish a TLS tunnel in which client authentication credentials are transmitted. While more secure than EAP-MD5 and LEAP, EAP-FAST can still be compromised if the attacker intercepts the PAC.
Which of the following do switches and wireless access points use to control access through a device?
MAC address filtering
Both switches and wireless access points are Layer 2 devices, meaning they use the MAC address to make forwarding decisions. Both devices typically include some form of security that restricts access based on the MAC address. Routers and firewalls operate at Layer 3 and can use the IP address or port number for filtering decisions. A circuit-level gateway is a firewall that can make forwarding decisions based on the session information.
You want to implement 802.1x authentication on your wireless network. Where would you configure passwords that are used for authentication?
On a RADIUS server
802.1x authentication uses usernames and passwords, certificates, or devices such as smart cards to authenticate wireless clients. Authentication requests received by the wireless access point are passed to a RADIUS server, which validates the login credentials (such as the username and password). If you are using pre-shared keys for authentication, configure the same key on the wireless access point and on each wireless device. A CA is required to issue a certificate to the RADIUS server. The certificate proves the identity of the RADIUS server and can also be used to issue certificates to individual clients.
You have physically added a wireless access point to your network and installed a wireless networking card in two laptops that run Windows. Neither laptop can find the network. You have come to the conclusion that you must manually configure the access point (AP). Which of the following values uniquely identifies the network AP?
SSID
The SSID (service set identifier) identifies the wireless network. All PCs and access points in a LAN share the same SSID. WEP (Wired Equivalent Privacy) is used to add a layer of security to the transmission, while the channel identifies the frequency that the card and AP communicate on.
You need to add security for your wireless network, and you would like to use the most secure method. Which method should you implement?
WPA2
Wi-Fi Protected Access 2 (WPA2) is currently the most secure wireless security specification. WPA2 includes specifications for both encryption and authentication. WPA was an earlier implementation of security specified by the 802.11i committee. WEP was the original security method for wireless networks. WPA is more secure than WEP but less secure than WPA2. Kerberos is an authentication method, not a wireless security method.
You are replacing a wired business network with an 802.11g wireless network. You currently use Active Directory on the company network as your directory service. The new wireless network has multiple wireless access points, and you want to use WPA2 on the network. What should you do to configure the wireless network? (Select two.)
Configure devices to run in infrastructure mode
Install a RADIUS server and use 802.1x authentication
When using wireless access points, configure an infrastructure network. Because you have multiple access points and an existing directory service, you can centralize authentication by installing a RADIUS server and using 802.1x authentication. Use ad hoc mode when you need to configure a wireless connection between two hosts. Use open authentication with WEP or when you do not want to control access to the wireless network. Use shared secret authentication with WPA or WPA2 when you can't use 802.1x.
The owner of a hotel has contracted with you to implement a wireless network to provide internet access for guests. The owner has asked that you implement security controls so that only paying guests are allowed to use the wireless network. She wants guests to be presented with a login page when they initially connect to the wireless network. After entering a code provided by the concierge at check-in, guests should then be allowed full access to the internet. If a user does not provide the correct code, he or she should not be allowed to access the internet. What should you do?
Implement a captive portal
A captive portal would be the best choice in this scenario. A captive portal requires wireless network users to abide by certain conditions before they are allowed access to the wireless network. For example, the captive portal could require them to:
- Agree to an acceptable use policy
- Provide a PIN or password
- Pay for access to the wireless network
- View information or advertisements about the organization providing the wireless network (such as an airport or hotel)
When a wireless device initially connects to the wireless network, all traffic to or from that device is blocked until the user opens a browser and accesses the captive portal webpage. After the user provides the appropriate code, traffic is unblocked, and the host can access the network normally. MAC address filtering and 802.1x authentication would work from a technical standpoint, but these would be completely unmanageable in a hotel scenario where guests come and go every day. Using a pre-shared key would require a degree of technical expertise on the part of the hotel guests. It could also become problematic if the key were to be leaked, allowing non-guests to use the wireless network.