Certified Wireless Technology Administrator - Chapter 9 - Wireless LAN Security Basics
Point-to-Point Tunneling Protocol or PPTP
A Layer 3 VPN solution that uses the Microsoft 128-bit Point-to-Point Encryption or MPPE protocol and provides both tunneling and encryption capabilities.
MAC
A ________________ filter is used to allow or deny wireless barcode scanners access to an 802.11b/g network. A. WEP B. IPSec C. SSID D. RF E. MAC
Remote Authentication Dial-In User Service or RADIUS
A centralized server used in computer networking to provide authentication services, authorization, and accounting for devices that connect and use computer network resources. Also known as an authentication, authorization, and accounting or AAA server.
Temporal Key Integrity Protocol or TKIP
A firmware upgrade designed to enhance security issues with Wired Equivalent Privacy; TKIP is an enhancement to WEP.
Role-based access control or RBAC
A mechanism that relies on restricting access to only authorized users or groups. This access is from authentication based on specific roles rather than user identities. It was designed to ease the task of security administration on large networks.
Automatically monitor the network for potential attacks
A newly configured wireless intrusion prevention system will _______________. A. Require a network administrator to monitor for intrusions B. Automatically monitor the network for potential attacks C. Require an administrator to manually shut down a rogue access point D. Automatically notify a network administrator regarding a firmware upgrade
Integrated WIPS sensors
A part of a wireless access point's functionality. It may have a dedicated radio for full-time WIPS monitoring, or it may share a radio with the access point for part-time WIPS monitoring.
Authentication, Authorization, and Accounting or AAA
A protocol that provides a framework to allow secure access and authorization as well as keep track of the user's activities on a computer network, including wireless networks. Commonly part of a RADIUS server's functionality.
Payment Card Industry or PCI Compliance
A regulation requiring companies to adhere to security standards created to protect credit and debit card information pertaining to financial transactions.
Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol or CCMP
A security protocol that is a mandatory part of the IEEE 801.11i amendment to the standard and part of Wi-Fi Protected Access 2.0 or WPA2 certification from the Wi-Fi Alliance, providing strong security.
wireless intrusion prevention system or WIPS
A software and/or hardware solution designed to monitor wireless networking RF signals using sensors or access points and to record events to a centralized database. It has the capability to react and prevent intrusion.
wireless network management system or WNMS
A software-based, hardware-based, or cloud-based solution that allows for centralized management and control of a wireless network and may allow work with wired networks.
Media access control or MAC address filtering
A technique that allows or denies access to a wireless client device based on its Layer 2 MAC unique hardware address. A weak security feature, because it can be easily compromised by MAC address spoofing.
Physical Layer Monitoring
A type of monitoring that allows the wireless network engineer to see what is happening in the air as it relates to radio frequency. This is usually accomplished with the use of a spectrum analyzer, which allows an engineer to "see" the radio frequency and thus detect potential interference issues and also security issues.
Data Link Layer Monitoring
A type of monitoring that means looking at the Layer 2 information; it allows a network engineer to view the wireless LAN frames that traverse the air and provides the opportunity to view both potential performance and security issues. Protocol analysis tools allow the engineer to view both frame exchanges and frame decoding by expanding on the captured wireless frames.
MAC Address Spoofing
A way of changing through software the assigned Layer 2 MAC address to something other than what it was intended to be. This may allow you to gain access to restricted systems.
authentication
A way to validate or confirm the identity or credentials of a user, client, or device. Can be user based or hardware based.
Spoof an address.
A weakness with MAC address filtering is that it allows an intruder to ______________________. A. Crack the encryption. B. Spoof an address. C. Cause an RF DoS attack. D. Steal user authentication.
probe request frame
All access points are required to respond to a "null" or broadcast probe request. This will not specify an SSID value and will rely on the access points to provide the SSID in the probe response frame.
WEP Cloaking
Allows organizations to operate WEP-encrypted networks securely and preserve their existing investment in mobile devices. This technology will make popular freeware cracking tools useless and allow the company to maintain their current devices.
IEEE 802.1X
Also called user-based security, an IEEE standard for port-based access control; it provides an authentication process. Originally intended for use with IEEE 802.3 Ethernet networks but used with IEEE 802.11 wireless networks.
open system authentication
Also known as a null authentication, this type of authentication is an automatic authentication process defined by the IEEE 802.11 standard to give wireless LAN client devices the capability to connect to an access point. It consists of two wireless frames.
wildcard SSID
An SSID with a value of 0. Also referred to as a null SSID.
beacon frame
An advertisement of the wireless network. It by default is set to broadcast at about 10 times a second and will advertise the SSID of the wireless network during this interval.
shared-key authentication
An authentication method defined by the IEEE 802.11 standard, used in legacy devices. It is a four-step process that requires the use of Wired Equivalent Privacy or WEP for IEEE 802.11 authentication and data encryption. This authentication method is flawed because it has several known vulnerabilities.
Advanced Encryption Standard or AES
An encryption cipher providing up to 256 bits of encryption. It is a block cipher, uses the Rijndael method, and is required in IEEE 802.11i/WPA 2.0 wireless networking.
Wired Equivalent Privacy (WEP)
An optional authentication and/or encryption mechanism defined in the IEEE 802.11 standard designed to prevent casual eavesdropping. A weak and compromised legacy form of wireless security. It sucks.
Layer 3
At what layer of the OSI model do VPNs commonly operate?
captive portal
Authentication web page for a wireless hotspot or other type of wireless LAN application. The web page is a redirection and might ask users to enter authentication information, input payment information, or to agree to terms and conditions of use of the wireless network.
WPA2 Personal and WEP
Both ______________ and ________________ are wireless LAN security methods that support shared key security. Choose two. A. WPA2 Personal B. WPA2 Enterprise C. 802.1X/EAP D. WEP E. WPA Enterprise
Overlay WIPS sensors
Dedicated wireless devices that have physical characteristics similar to those of wireless access points but are only used for scanning the air and sending data to a WIPS server.
Service set identifier or SSID hiding
Disabling the broadcast of the service set identifier or SSID in wireless LAN beacon frames. It is a weak and compromised method used by some as a form of wireless security.
Scrambling information so that only the sender and the intended recipient know the algorithm and are able to decipher the information.
Encryption is the process of what?
Know the SSID and enter it manually
Hiding the service set identifier of a wireless LAN will require a user to _________ in order to gain access to the wireless network. A. Enter a username and password when prompted B. Call the help desk and ask for a new password C. Enable the SSID broadcast on the client device D. Know the SSID and enter it manually
Creates private communications over a public network infrastructure such as the Internet.
How does a VPN operate?
Two
How many wireless LAN frames are exchanged during the IEEE 802.11 open system authentication process?
As a firmware upgrade for access points and clients.
How was TKIP designed to be implemented?
passphrase-based security
In IEEE 802.11 wireless LANs, a this is a series of characters or words, 8 to 63 ASCII or 64 hexadecimal characters in length, used to create a 256-bit preshared key. It is designed to verify an identity and allow access to wireless network resources.
authentication server
In IEEE 802.1x, this is the RADIUS or AAA server that will authenticate the wireless supplicant. It receives all information from the authenticator.
authenticator
In IEEE 802.1x, this is the wireless access point that the wireless client device is requesting access from. It acts as a middleman between the wireless supplicant and the authentication server. When the supplicant requests to join the wireless network, it passes the authentication information between the two devices.
supplicant
In IEEE 802.1x, this is the wireless client device requesting authorization from authenticator in an attempt to connect to the wireless network.
The server that will authenticate the supplicant, usually RADIUS.
In IEEE the 802.1X standard, the authentication server is another name for what?
Health Insurance Portability and Accountability Act or HIPAA, Title II Compliance
It establishes mandatory regulations that require extensive changes to the way that healthcare providers conduct business by securing computer information and data. The goal of it is to provide standardized mechanisms for electronic data exchange, security, and confidentiality of all healthcare-related computer information and data.
IPSec
Layer 2 Tunneling Protocol commonly uses which encryption method? A. IPSec B. PPTP C. AES D. WEP E. MPPE
Enter a username and password that will be centrally administered.
Remote Authentication Dial-In User Service RADIUS requires users on a wireless network to perform what function? A. Access the corporate network using only the PSTN and a modem. B. Call in to the help desk service and request a username and password. C. Enter a username and password that will be centrally administered. D. Request remote assistance to help solve a software problem on a computer.
deauthentication storm
Sending many consecutive deauthentication frames.
Virtual private networking or VPN
Technology that allows for private communications over a public network infrastructure such as the Internet. It creates a secure tunnel for the user and the connected endpoint. Typically operates at Layer 3 of the OSI model.
Access point
The IEEE 802.1X standard identifies the authenticator as another term for the ________________ in wireless networking. A. Client device B. Access point C. RADIUS server D. EAP server
Extensible Authentication Protocol or EAP
The authentication process used with IEEE 802.1X. Available in various types which allow a user to authenticate to a wireless network in several ways, including credentials such as username/password or certificate-based authentication.
Layer 2 Tunneling Protocol or L2TP
The combination of two different tunneling protocols: Cisco's Layer 2 Forwarding or L2F and Microsoft's Point-to-Point Tunneling Protocol PPTP. It defines the tunneling process, which requires some level of encryption in order to function. A popular choice of encryption is Internet Protocol Security or IPSec
64-bit, 128-bit
The length of a WEP key is typically ________________ or _____________________. A. 5-bit, 10-bit B. 13-bit, 26-bit C. 64-bit, 128-bit D. 128-bit, 256-bit E. 192-bit, 256-bit
CCMP
The security amendment to the IEEE 802.11 standard requires _____________________. A. WEP B. CCMP C. TKIP D. PPTP E. VPN
The wireless access point.
The term authenticator in IEEE 802.1X terminology is another name for what?
Push-button security or push-button configuration (PBC)
This allows users to configure wireless LAN security with "the push of a button," making setting up wireless security a one-step process. It creates a connection between the devices, configures the network's SSID, and turns on security.
Wi-Fi Protected Setup or WPS
This provides strong out-of-the-box setup adequate for many SOHO implementations. It requires support for two types of authentication that enable users to automatically configure network names and strong WPA2 data encryption and authentication: • Push-button configuration or PBC • PIN-based configuration, based on a personal identification number Support for both configurations are required for access points; client devices at a minimum must support PIN. A third, optional method, near field communication or NFC tokens, is also supported.
PIN-Based Security
This requires a unique PIN to be entered on all devices that will be part of the same secure wireless network. A PIN will come as either a fixed label or sticker on a device, or it can be dynamically generated in the setup utility and shown on the computer screen.
Robust Secure Network or RSN
This was introduced as a part of the IEEE 802.11i amendment to the standard which provided much improvement in the ways wireless LANs can be secured. In order for wireless LAN equipment to be compliant, it will optionally support Temporal Key Integrity Protocol or TKIP and it must also support Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol or CCMP.
• 24/7/365 Monitoring • Detection and Mitigation • Notification of Threats • Integrated Spectrum Analysis • Elaborate Reporting Systems • Regulatory Policy Compliance • Retains Data for Forensics
What are the primary advantages of using a wireless intrusion prevention system or WIPS?
• Build and maintain a secure network. • Protect cardholder data. • Maintain a vulnerability management program. • Implement strong access control measures. • Regularly monitor and test networks. • Maintain an information security policy.
What are the six requirements in order to be a PCI-compliant a company?
• Client side endpoint • Network infrastructure which can be public or private • Server side endpoint
What are the three components of a VPN solution?
Point-to-Point Tunneling Protocol or PPTP and Layer 2 Tunneling Protocol or L2TP.
What are the two most common types of VPN technology?
Open system authentication and shared-key authentication.
What are the two types of authentication addressed by the original IEEE 802.11 standard?
Wi-Fi Protected Setup or WPS certification
What interoperability certification was designed as a simple way to secure SOHO devices?
A networking service that provides centralized authentication and administration of users.
What is Remote Authentication Dial-In User Service or RADIUS?
A software/hardware solution that monitors the radio waves passing through the air and reports captured information to software to be recorded in a server database via a wireless sensor.
What is a wireless intrusion prevention system or WIPS in regard to wireless networking?
A way of restricting access to only authorized users or groups based on the permission levels they are assigned.
What is role-based access control (RBAC)?
SSID hiding
What is the common term used to describe the action of preventing the SSID from being broadcast in a beacon frame?
Captive portal
What is the name of a common feature of wireless LAN controller that will intercept a user's attempt to access the network by redirecting them to an authorization web page?
MAC filtering
What legacy security method will allow or disallow a wireless LAN client device to connect to an access point based on its unique physical address?
SOHO brands that support WPS
What type of wireless network device is PIN-based security most commonly used with? A. SOHO brands that support WPA 2.0 B. Enterprise brands that support WPA 2.0 C. SOHO brands that support WPS D. Enterprise brands that support WPS
WEP
Which data encryption/authentication method is identified in the original IEEE 802.11 standard? A. TKIP B. AES C. CCMP D. WEP E. EAP
CCMP or Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol
Which encryption is a mandatory part of the IEEE 801.11i amendment?
TKIP
Which encryption method is an optional part of the IEEE 801.11i amendment?
Restricts access to authorized users or groups
Which function does RBAC provide? A. Restricts access to authorized users or groups B. Provides access to only network administrators C. Streamlines hardware installation D. Allows users to install software
Secure Layer 3 transmissions over a public network infrastructure
Which process is a VPN solution intended to provide for users connecting to a network? A. Secure Layer 3 transmissions over a public network infrastructure B. Secure Layer 2 transmissions over a public network infrastructure C. Secure Layer 3 transmissions over a corporate network infrastructure D. Secure Layer 2 transmissions over a corporate network infrastructure
Passphrase
Which security feature provides the strongest security for a home-based wireless network? A. SSID hiding B. Passphrase C. MAC filters D. 128-bit WEP
WPA Enterprise, WEP, and MAC filters.
Which security methods do IEEE 802.11n access points support? Choose three. A. WPA Enterprise B. WEP C. PPTP D. RBAC E. MAC filters F. IPSec
PIN
Which security solution is mandatory for client devices in order to be considered Wi-Fi Protected Setup certified? A. WEP B. PIN C. WPA D. PBC E. TKIP
Shared key
Wired Equivalent Privacy or WEP is required for what type of IEEE 802.11 authentication?
Carefully plan a strategy using WEP and VLANs.
You are a network administrator and are asked for a security recommendation regarding older wireless 802.11-compliant VoIP handsets. The company does not have the budget to upgrade the equipment at this time. Which would be the best recommendation you could provide? A. Don't worry about securing the handsets because voice transmissions cannot be deciphered. B. Carefully plan a strategy using WEP and VLANs. C. Use a VPN solution with L2TP/IPSec. D. Use a CCMP/AES Layer 2 solution.
Interference from a neighboring access point and RF denial-of-service (DoS) attack
You are a wireless network administrator monitoring the reports for a recently installed wireless intrusion prevention system. You receive an alert notifying you of high levels of RF activity detected from an access point operating as a sensor and currently set to channel 6. Which problem could be causing the alert? Choose two. A. Interference from a neighboring access point B. RF deauthentication storm C. RF denial-of-service (DoS) attack D. Misconfigured client workstation E. RF encryption attack
A VPN to the corporate network
You need to attend a business meeting out of town that requires air travel. You are at the airport and have some extra time. While waiting to board your plane you decide to check your office email using an IEEE 802.11g wireless hotspot access point at the airport. In order to provide a secure connection, you would enable your notebook computer to use _____________. A. Passphrase security B. WEP C. A VPN to the corporate network D. IEEE 802.1X/EAP to the corporate network
