Chapter 28: Securing Wireless Networks

Enterprise mode

802.1x EAP-based authentication requirement for WPA, WPA2, and WPA3.

EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)

A Cisco authentication method that is based on EAP and uses a PAC as a credential for outer authentication and a TLS tunnel for inner authentication

8. A pre-shared key is used in which of the following wireless security configurations? (Choose all that apply.) a. WPA2 personal mode b. WPA2 enterprise mode c. WPA3 personal mode d. WPA3 enterprise mode

A and C. The personal mode for WPA, WPA2, and WPA3 is used to require a preshared key authentication. Enterprise mode uses 802.1x instead.

7. The Wi-Fi Alliance offers which of the following certifications for wireless devices that correctly implement security standards? (Choose all that apply.) a. WEP b. WPA2 c. 802.11 d. AES

B. The Wi-Fi Alliance offers the WPA, WPA2, and WPA3 certifications for wireless security. WEP, AES, and 802.11 are not certifications designed and awarded by the Wi-Fi Alliance.

Counter/CBC-MAC Protocol (CCMP)

A wireless security scheme based on 802.11i that uses AES counter mode for encryption and CBC-MAC for data integrity

Protected access credential (PAC)

Special-purpose data that is used as an authentication credential in EAP-FAST.

Message integrity check (MIC)

A cryptographic value computed from the contents of a data frame and used to detect tampering.

Lightweight EAP (LEAP)

A legacy Cisco proprietary wireless security method.

Extensible Authentication Protocol (EAP)

A standardized authentication framework that is used by a variety of authentication methods

Wired Equivalent Privacy (WEP)

An 802.11 authentication and encryption method that requires clients and APs to use a common WEP key.

Open authentication

An 802.11 authentication method that requires clients to associate with an AP without providing any credentials at all.

Authentication server (AS)

An 802.1x entity that authenticates users or clients based on their credentials, as matched against a user database. In a wireless network, a RADIUS server is an AS.

Supplicant

An 802.1x entity that exists as software on a client device and serves to request network access.

802.1x

An IEEE standard that defines port-based access control for wired and wireless networks.

RADIUS server

An authentication server used with 802.1x to authenticate wireless clients.

Forward secrecy

A key exchange method used in WPA3 that prevents attackers from being able to use a discovered pre-shared key to unencrypt data that has already been transmitted over the air

Protected Management Frame (PMF)

A service provided by WPA3 that protects a set of 802.11 robust management and action frames, to prevent spoofing of AP functions.

Simultaneous Authentication of Equals (SAE)

A strong authentication method used in WPA3 to authenticate wireless clients and APs and to prevent dictionary attacks for discover- ing pre-shared keys.

Galois/Counter Mode Protocol (GCMP)

A strong encryption method used in the WPA3 wireless security model.

Certificate authority (CA)

A trusted entity that generates and signs digital certificates.

Temporal Key Integrity Protocol (TKIP)

A wireless security scheme developed before 802.11i that provides a MIC for data integrity, a dynamic method for per-frame WEP encryp- tion keys, and a 48-bit initialization vector. The MIC also includes a time stamp and the sender's MAC address

5. Suppose you would like to select a method to protect the privacy and integrity of wireless data. Which one of the following methods should you avoid because it has been deprecated ? a. TKIP b. CCMP c. GCMP d. EAP

A. The TKIP method was deprecated when the 802.11 standard was updated in 2012. CCMP and GCMP are still valid methods. EAP is an authentication framework and is not related to data encryption and integrity.

Protected EAP (PEAP)

An authentication method that uses a certificate on the AS for outer authentication and a TLS tunnel for inner authentication. Clients can provide their credentials through either MS-CHAPv2 or GTC.

EAP Transport Layer Security (EAP-TLS)

An authentication method that uses digital certificates on both the server and the supplicant for mutual authentication. A TLS tunnel is used during client authentication and key exchanges.

Public Key Infrastructure (PKI)

An enterprisewide system that generates and revokes digital certificates for client authentication.

2. Which one of the following is used to protect the integrity of data in a wireless frame? a. WIPS b. WEP c. MIC d. EAP

C. A message integrity check (MIC) is an effective way to protect against data tampering. WIPS is not correct because it provides intrusion protection functions. WEP is not correct because it does not provide data integrity along with its weak encryption. EAP is not correct because it defines the framework for authentication.

4. Which one of the following is used as the authentication framework when 802.1x is used on a WLAN? a. Open authentication b. WEP c. EAP d. WPA

C. EAP works with 802.1x to authenticate a client and enable access for it. Open authentication and WEP cannot be correct because both define a specific authentication method. WPA is not correct because it defines a suite of security methods in addition to authentication.

6. Which one of the following is the data encryption and integrity method used by WPA2? a. WEP b. TKIP c. CCMP d. WPA

C. WPA2 uses CCMP only. WEP has been deprecated and is not used in any of the WPA versions. TKIP has been deprecated but can be used in WPA only. WPA is not a correct answer because it is an earlier version of WPA2.

1. Which of the following are necessary components of a secure wireless connection? (Choose all that apply.) a. Encryption b. MIC c. Authentication d. All of these answers are correct.

D. For effective security, you should leverage authentication, MIC, and encryption.

3. Which one of the following is a wireless encryption method that has been found to be vulnerable and is not recommended for use? a. AES b. WPA c. EAP d. WEP

D. WEP is known to have a number of weaknesses and has been compromised. Therefore, it has been officially deprecated and should not be used in a wireless network. AES is not a correct answer because it is the current recommended encryption method. WPA is not correct because it defines a suite of security methods. EAP is not correct because it defines a framework for authentication.

Personal mode

Pre-shared key authentication as applied to WPA, WPA2, and WPA3.

Wi-Fi Protected Access (WPA)

The first version of a Wi-Fi Alliance standard that requires pre-shared key or 802.1x authentication, TKIP, and dynamic key management; based on parts of the 802.11i amendment before it was ratified.

WPA Version 2 (WPA2)

The second version of a Wi-Fi Alliance standard that requires pre-shared key or 802.1x authentication, TKIP or CCMP, and dynamic encryption key management; based on the complete 802.11i amendment after its ratification.

WPA Version 3 (WPA3)

The third version of a Wi-Fi Alliance standard introduced in 2018 that requires pre-shared key or 802.1x authentication, GCMP, SAE, and forward secrecy.