Certified Wireless Technology Administrator - Chapter 9 - Wireless LAN Security Basics


Point-to-Point Tunneling Protocol or PPTP

A Layer 3 VPN solution that uses the Microsoft 128-bit Point-to-Point Encryption or MPPE protocol and provides both tunneling and encryption capabilities.

MAC

A ________________ filter is used to allow or deny wireless barcode scanners access to an 802.11b/g network. A. WEP B. IPSec C. SSID D. RF E. MAC

Remote Authentication Dial-In User Service or RADIUS

A centralized server used in computer networking to provide authentication services, authorization, and accounting for devices that connect and use computer network resources. Also known as an authentication, authorization, and accounting or AAA server.

Temporal Key Integrity Protocol or TKIP

A firmware upgrade designed to address security issues with Wired Equivalent Privacy; TKIP is an enhancement to WEP.

Role-based access control or RBAC

A mechanism that relies on restricting access to only authorized users or groups. Access is granted through authentication based on specific roles rather than user identities. It was designed to ease the task of security administration on large networks.

Automatically monitor the network for potential attacks

A newly configured wireless intrusion prevention system will _______________. A. Require a network administrator to monitor for intrusions B. Automatically monitor the network for potential attacks C. Require an administrator to manually shut down a rogue access point D. Automatically notify a network administrator regarding a firmware upgrade

Integrated WIPS sensors

A part of a wireless access point's functionality. It may have a dedicated radio for full-time WIPS monitoring, or it may share a radio with the access point for part-time WIPS monitoring.

Authentication, Authorization, and Accounting or AAA

A protocol that provides a framework to allow secure access and authorization as well as keep track of the user's activities on a computer network, including wireless networks. Commonly part of a RADIUS server's functionality.

Payment Card Industry or PCI Compliance

A regulation requiring companies to adhere to security standards created to protect credit and debit card information pertaining to financial transactions.

Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol or CCMP

A security protocol that is a mandatory part of the IEEE 802.11i amendment to the standard and part of Wi-Fi Protected Access 2.0 or WPA2 certification from the Wi-Fi Alliance, providing strong security.

wireless intrusion prevention system or WIPS

A software and/or hardware solution designed to monitor wireless networking RF signals using sensors or access points and to record events to a centralized database. It has the capability to react and prevent intrusion.

wireless network management system or WNMS

A software-based, hardware-based, or cloud-based solution that allows for centralized management and control of a wireless network and may also work with wired networks.

Media access control or MAC address filtering

A technique that allows or denies access to a wireless client device based on its Layer 2 MAC unique hardware address. A weak security feature, because it can be easily compromised by MAC address spoofing.

Physical Layer Monitoring

A type of monitoring that allows the wireless network engineer to see what is happening in the air as it relates to radio frequency. This is usually accomplished with the use of a spectrum analyzer, which allows an engineer to "see" the radio frequency and thus detect potential interference issues and also security issues.

Data Link Layer Monitoring

A type of monitoring that means looking at the Layer 2 information; it allows a network engineer to view the wireless LAN frames that traverse the air and provides the opportunity to view both potential performance and security issues. Protocol analysis tools allow the engineer to view both frame exchanges and frame decoding by expanding on the captured wireless frames.

MAC Address Spoofing

A way of changing through software the assigned Layer 2 MAC address to something other than what it was intended to be. This may allow you to gain access to restricted systems.

authentication

A way to validate or confirm the identity or credentials of a user, client, or device. Can be user based or hardware based.

Spoof an address.

A weakness with MAC address filtering is that it allows an intruder to ______________________. A. Crack the encryption. B. Spoof an address. C. Cause an RF DoS attack. D. Steal user authentication.

probe request frame

All access points are required to respond to a "null" or broadcast probe request. This will not specify an SSID value and will rely on the access points to provide the SSID in the probe response frame.

WEP Cloaking

Allows organizations to operate WEP-encrypted networks securely and preserve their existing investment in mobile devices. This technology will make popular freeware cracking tools useless and allow the company to maintain their current devices.

IEEE 802.1X

Also called user-based security, an IEEE standard for port-based access control; it provides an authentication process. Originally intended for use with IEEE 802.3 Ethernet networks but used with IEEE 802.11 wireless networks.

open system authentication

Also known as a null authentication, this type of authentication is an automatic authentication process defined by the IEEE 802.11 standard to give wireless LAN client devices the capability to connect to an access point. It consists of two wireless frames.

wildcard SSID

An SSID with a value of 0. Also referred to as a null SSID.

beacon frame

An advertisement of the wireless network. By default it is set to broadcast about 10 times a second and will advertise the SSID of the wireless network during this interval.

shared-key authentication

An authentication method defined by the IEEE 802.11 standard, used in legacy devices. It is a four-step process that requires the use of Wired Equivalent Privacy or WEP for IEEE 802.11 authentication and data encryption. This authentication method is flawed because it has several known vulnerabilities.

Advanced Encryption Standard or AES

An encryption cipher providing up to 256 bits of encryption. It is a block cipher, uses the Rijndael method, and is required in IEEE 802.11i/WPA 2.0 wireless networking.

Wired Equivalent Privacy (WEP)

An optional authentication and/or encryption mechanism defined in the IEEE 802.11 standard designed to prevent casual eavesdropping. A weak and compromised legacy form of wireless security. It sucks.

Layer 3

At what layer of the OSI model do VPNs commonly operate?

captive portal

Authentication web page for a wireless hotspot or other type of wireless LAN application. The web page is a redirection and might ask users to enter authentication information, input payment information, or to agree to terms and conditions of use of the wireless network.

WPA2 Personal and WEP

Both ______________ and ________________ are wireless LAN security methods that support shared key security. Choose two. A. WPA2 Personal B. WPA2 Enterprise C. 802.1X/EAP D. WEP E. WPA Enterprise

Overlay WIPS sensors

Dedicated wireless devices that have physical characteristics similar to those of wireless access points but are only used for scanning the air and sending data to a WIPS server.

Service set identifier or SSID hiding

Disabling the broadcast of the service set identifier or SSID in wireless LAN beacon frames. It is a weak and compromised method used by some as a form of wireless security.

Scrambling information so that only the sender and the intended recipient know the algorithm and are able to decipher the information.

Encryption is the process of what?

Know the SSID and enter it manually

Hiding the service set identifier of a wireless LAN will require a user to _________ in order to gain access to the wireless network. A. Enter a username and password when prompted B. Call the help desk and ask for a new password C. Enable the SSID broadcast on the client device D. Know the SSID and enter it manually

Creates private communications over a public network infrastructure such as the Internet.

How does a VPN operate?

Two

How many wireless LAN frames are exchanged during the IEEE 802.11 open system authentication process?

As a firmware upgrade for access points and clients.

How was TKIP designed to be implemented?

passphrase-based security

In IEEE 802.11 wireless LANs, this is a series of characters or words, 8 to 63 ASCII or 64 hexadecimal characters in length, used to create a 256-bit preshared key. It is designed to verify an identity and allow access to wireless network resources.

authentication server

In IEEE 802.1x, this is the RADIUS or AAA server that will authenticate the wireless supplicant. It receives all information from the authenticator.

authenticator

In IEEE 802.1x, this is the wireless access point that the wireless client device is requesting access from. It acts as a middleman between the wireless supplicant and the authentication server. When the supplicant requests to join the wireless network, it passes the authentication information between the two devices.

supplicant

In IEEE 802.1x, this is the wireless client device requesting authorization from the authenticator in an attempt to connect to the wireless network.

The server that will authenticate the supplicant, usually RADIUS.

In the IEEE 802.1X standard, the authentication server is another name for what?

Health Insurance Portability and Accountability Act or HIPAA, Title II Compliance

It establishes mandatory regulations that require extensive changes to the way that healthcare providers conduct business by securing computer information and data. The goal of it is to provide standardized mechanisms for electronic data exchange, security, and confidentiality of all healthcare-related computer information and data.

IPSec

Layer 2 Tunneling Protocol commonly uses which encryption method? A. IPSec B. PPTP C. AES D. WEP E. MPPE

Enter a username and password that will be centrally administered.

Remote Authentication Dial-In User Service or RADIUS requires users on a wireless network to perform what function? A. Access the corporate network using only the PSTN and a modem. B. Call in to the help desk service and request a username and password. C. Enter a username and password that will be centrally administered. D. Request remote assistance to help solve a software problem on a computer.

deauthentication storm

Sending many consecutive deauthentication frames.

Virtual private networking or VPN

Technology that allows for private communications over a public network infrastructure such as the Internet. It creates a secure tunnel for the user and the connected endpoint. Typically operates at Layer 3 of the OSI model.

Access point

The IEEE 802.1X standard identifies the authenticator as another term for the ________________ in wireless networking. A. Client device B. Access point C. RADIUS server D. EAP server

Extensible Authentication Protocol or EAP

The authentication process used with IEEE 802.1X. Available in various types which allow a user to authenticate to a wireless network in several ways, including credentials such as username/password or certificate-based authentication.

Layer 2 Tunneling Protocol or L2TP

The combination of two different tunneling protocols: Cisco's Layer 2 Forwarding or L2F and Microsoft's Point-to-Point Tunneling Protocol or PPTP. It defines the tunneling process, which requires some level of encryption in order to function. A popular choice of encryption is Internet Protocol Security or IPSec.

64-bit, 128-bit

The length of a WEP key is typically ________________ or _____________________. A. 5-bit, 10-bit B. 13-bit, 26-bit C. 64-bit, 128-bit D. 128-bit, 256-bit E. 192-bit, 256-bit

CCMP

The security amendment to the IEEE 802.11 standard requires _____________________. A. WEP B. CCMP C. TKIP D. PPTP E. VPN

The wireless access point.

The term authenticator in IEEE 802.1X terminology is another name for what?

Push-button security or push-button configuration (PBC)

This allows users to configure wireless LAN security with "the push of a button," making setting up wireless security a one-step process. It creates a connection between the devices, configures the network's SSID, and turns on security.

Wi-Fi Protected Setup or WPS

This provides strong out-of-the-box setup adequate for many SOHO implementations. It requires support for two types of authentication that enable users to automatically configure network names and strong WPA2 data encryption and authentication:
• Push-button configuration or PBC
• PIN-based configuration, based on a personal identification number
Support for both configurations is required for access points; client devices at a minimum must support PIN. A third, optional method, near field communication or NFC tokens, is also supported.

PIN-Based Security

This requires a unique PIN to be entered on all devices that will be part of the same secure wireless network. A PIN will come as either a fixed label or sticker on a device, or it can be dynamically generated in the setup utility and shown on the computer screen.

Robust Secure Network or RSN

This was introduced as a part of the IEEE 802.11i amendment to the standard which provided much improvement in the ways wireless LANs can be secured. In order for wireless LAN equipment to be compliant, it will optionally support Temporal Key Integrity Protocol or TKIP and it must also support Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol or CCMP.

• 24/7/365 Monitoring
• Detection and Mitigation
• Notification of Threats
• Integrated Spectrum Analysis
• Elaborate Reporting Systems
• Regulatory Policy Compliance
• Retains Data for Forensics

What are the primary advantages of using a wireless intrusion prevention system or WIPS?

• Build and maintain a secure network.
• Protect cardholder data.
• Maintain a vulnerability management program.
• Implement strong access control measures.
• Regularly monitor and test networks.
• Maintain an information security policy.

What are the six requirements in order to be a PCI-compliant company?

• Client side endpoint
• Network infrastructure which can be public or private
• Server side endpoint

What are the three components of a VPN solution?

Point-to-Point Tunneling Protocol or PPTP and Layer 2 Tunneling Protocol or L2TP.

What are the two most common types of VPN technology?

Open system authentication and shared-key authentication.

What are the two types of authentication addressed by the original IEEE 802.11 standard?

Wi-Fi Protected Setup or WPS certification

What interoperability certification was designed as a simple way to secure SOHO devices?

A networking service that provides centralized authentication and administration of users.

What is Remote Authentication Dial-In User Service or RADIUS?

A software/hardware solution that monitors the radio waves passing through the air and reports captured information to software to be recorded in a server database via a wireless sensor.

What is a wireless intrusion prevention system or WIPS in regard to wireless networking?

A way of restricting access to only authorized users or groups based on the permission levels they are assigned.

What is role-based access control (RBAC)?

SSID hiding

What is the common term used to describe the action of preventing the SSID from being broadcast in a beacon frame?

Captive portal

What is the name of a common feature of a wireless LAN controller that will intercept a user's attempt to access the network by redirecting them to an authorization web page?

MAC filtering

What legacy security method will allow or disallow a wireless LAN client device to connect to an access point based on its unique physical address?

SOHO brands that support WPS

What type of wireless network device is PIN-based security most commonly used with? A. SOHO brands that support WPA 2.0 B. Enterprise brands that support WPA 2.0 C. SOHO brands that support WPS D. Enterprise brands that support WPS

WEP

Which data encryption/authentication method is identified in the original IEEE 802.11 standard? A. TKIP B. AES C. CCMP D. WEP E. EAP

CCMP or Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol

Which encryption is a mandatory part of the IEEE 802.11i amendment?

TKIP

Which encryption method is an optional part of the IEEE 802.11i amendment?

Restricts access to authorized users or groups

Which function does RBAC provide? A. Restricts access to authorized users or groups B. Provides access to only network administrators C. Streamlines hardware installation D. Allows users to install software

Secure Layer 3 transmissions over a public network infrastructure

Which process is a VPN solution intended to provide for users connecting to a network? A. Secure Layer 3 transmissions over a public network infrastructure B. Secure Layer 2 transmissions over a public network infrastructure C. Secure Layer 3 transmissions over a corporate network infrastructure D. Secure Layer 2 transmissions over a corporate network infrastructure

Passphrase

Which security feature provides the strongest security for a home-based wireless network? A. SSID hiding B. Passphrase C. MAC filters D. 128-bit WEP

WPA Enterprise, WEP, and MAC filters.

Which security methods do IEEE 802.11n access points support? Choose three. A. WPA Enterprise B. WEP C. PPTP D. RBAC E. MAC filters F. IPSec

PIN

Which security solution is mandatory for client devices in order to be considered Wi-Fi Protected Setup certified? A. WEP B. PIN C. WPA D. PBC E. TKIP

Shared key

Wired Equivalent Privacy or WEP is required for what type of IEEE 802.11 authentication?

Carefully plan a strategy using WEP and VLANs.

You are a network administrator and are asked for a security recommendation regarding older wireless 802.11-compliant VoIP handsets. The company does not have the budget to upgrade the equipment at this time. Which would be the best recommendation you could provide? A. Don't worry about securing the handsets because voice transmissions cannot be deciphered. B. Carefully plan a strategy using WEP and VLANs. C. Use a VPN solution with L2TP/IPSec. D. Use a CCMP/AES Layer 2 solution.

Interference from a neighboring access point and RF denial-of-service (DoS) attack

You are a wireless network administrator monitoring the reports for a recently installed wireless intrusion prevention system. You receive an alert notifying you of high levels of RF activity detected from an access point operating as a sensor and currently set to channel 6. Which problem could be causing the alert? Choose two. A. Interference from a neighboring access point B. RF deauthentication storm C. RF denial-of-service (DoS) attack D. Misconfigured client workstation E. RF encryption attack

A VPN to the corporate network

You need to attend a business meeting out of town that requires air travel. You are at the airport and have some extra time. While waiting to board your plane you decide to check your office email using an IEEE 802.11g wireless hotspot access point at the airport. In order to provide a secure connection, you would enable your notebook computer to use _____________. A. Passphrase security B. WEP C. A VPN to the corporate network D. IEEE 802.1X/EAP to the corporate network

