CNA 270 chapter 9 - WLAN Security Basics
authenticator
Acts as a middleman between the wireless client and the authentication server.
EAP-TLS, TTLS (EAP-MSCHAPv2), PEAP (EAP-MSCHAPv2, EAP-FAST
Some popular EAP types include:
Media access control
MAC
64 bit 128 bit
The WEP key can be either _____ or_____.
PPTP
Using _____on a wireless network should be avoided.
authentication
a way of confirming an identity
10, 26
128-bit WEP keys have _____ ASCII characters and ___ hex characters.
5 , 13,
64-bit WEP keys have _____ ASCII characters and ___ hex characters.
6-63, 64, 256, longer, more random
A Passphrase consists or ___ ASCII (case sensitive) or ___ hexadecimal characters and creates a ___-bit preshared key. The ___ and ____ the passphrase, the more secure it will be.
Client side (endpoint), Network Infrastructure (public or private, Server Side (endpoint)
A VPN solution consists of three components:
overly, integrated
A WIPS requires hardware sensors for monitoring and sending data to the WIPS server. These can be either dedicated devices known as _____, or can share functionality with the wireless access points, known as ______.
dictionary attack
A ______ is performed by software that challenges the encrypted password against common words or phrases in a text file.
Wireless network management system (WNMS), software, hardware, cloud-based
A centralized solution to manage a large number of infrastructure devices available in ____, ____, or _____ form.
shared-key authentication
A four-step process for authentication from original 802.11 which requires WEP in order to function correctly.
passphrase, IEEE 802.11i, 256-bit
After the ____ is entered into the device, with the help of an electronic algorithm from the _____ amendment, it will create a ______ preshared key.
counter mode with cipher-block chaining message authentication code protocol
CCMP
Advanced Encryption Standard (AES)
CCMP uses the _______algorithm block cipher.
Wi-Fi protected setup (WPS)
Certification from Wi-Fi Alliance for push-button and pin-based security.
MAC, registry, configuration file, burned in address
Changing the ____address in the ____ or in a ______ changes only the software reference that the operating system sees and uses. It does not change the ______.
eavesdropping, Radio frequency DoS, MAC address spoofing, Hijacking, Man-in-the-middle attack, peer-to-peer attacks, encryption cracking
Concerns and threats for wireless LANs
WIPS monitoring only parttime
Downside to integrated WIPS sensors
credentials, certificate-based
EAP types allow a user to authenticate to a wireless network in several ways including ____ and ____ authentication
SSID hiding, MAC filtering, WEP
Legacy wireless LAN security technologies
Health Insurance Portability and Accountability Act of 1996
HIPPA
reduce unnecessary tech support calls
Hiding the SSID is sometimes used to....
probe, matching SSID, wildcard SSID (0), null SSID
IEEE 802.11 standard requires access points to respond to all _____requests that have a _______, or what is known as a _______, also known as a _______.
Physical and Data Link
IEEE 802.11 wireless LAN device technology operates a these two layers of the OSI model.
Robust Secure Network (RSN), TKIP, CCMP
IEEE 802.11i introduced ________ which means the network will optionally support ________ and it must also support _________.
device segmentation, virtual local area network (VLAN)
If you have to use WEP, it is important for the network administrator to use appropriate _____ for the WEP-enabled devices in order to not compromise the entire network infrastructure. One way to do this is to consider the use of a _______.
second IP frame
In a very basic sense, VPNs use encapsulation methods where one IP frame is encapsulated within a _____.
WEP, TKIP, CCMP
In the IEEE 802.11 standard, three different encryption mechanisms can be used on a wireless network to protect data traffic:
wireless intrusion prevention system (WIPS)
In wireless networking, ______ is a software/hardware solution that monitors the radios waves and, using a wireless hardware sensor, can report captured information to software to be recorded in a server database.
RADIUS client, RADIUS server
In wireless networking, the wireless access point can act as a ______, which means it will have the capability to accept requests from wireless client devices and forward them to the _______ for authentication.
firmware upgrades, loss of power
It may be necessary to upgrade the device firmware in order to get either TKIP or CCMP capability. Improper _____ or _____ during the upgrade process may render the device unusable or require the device to be sent back to the manufacturer for repair.
MAC address filtering, MAC address
Its purpose is to either all or disallow access to the wireless network by restricting which ______ can IEEE authenticate and associate to a wireless network.
use of air (shared unbound medium)
Key vulnerability in wireless networking
Pin-based, push-button
Many manufacturers of SOHO-grade wireless LAN equipment have adopted either ____ or _____ wireless security.
disabling the SSID broadcast, SSID hiding, closed network
Most manufacturers of SOHO and enterprise access points provide the option not to broadcast the SSID in beacon frames. This is commonly known as ______,______, or _____.
24- bit
NO matter which you use, 64-bit WEP or 128-bit WEP, you are still only using a ___ initialization vector (IV).
802.11i
Newer security methods based on which IEEE amendment?
static keys, same key, manually entered
One disadvantage to WEP is that it uses ______, which means all wireless devices - access points, bridges, and client stations - must have the _____ and the key must be _______.
WEP Cloaking
One solution to the vulnerability of WEP is ________ which allows organizations to operate WEP-encrypted networks securely and preserve their ecisting investment in mobile devices such as barcode scanners.
open system , shared-key
Original IEEE 802.11 standard addresses these two types of authentication:
Microsoft Point-to-Point Encryption (MPPE-128) Protocol, tunneling, encryption
PPTP uses _________for encryption. This process provides both _____ and _______ capabilities for the user's data.
legislative compliance
Plans for complying with regulations on how data is handled for businesses such as healthcare, retail, financial, and others.
limiting throughput, enforcing time restrictions, controlling access to specific resources
Role-based access control can be used for various activities users may perform while connected to a wireless LAN, including.....
Service set Identifier
SSID
WIPS
Some advantages to using a ____ include: captures info by 24/7 monitoring, detects threats such as DoS attacks and rogue access points, notifies you about threats, supports integrated spectrum analysis, ensures compliance with corporate security policy and legislative compliance, retains data for forensic investigation, and uses hardware sensors for monitoring.
PIN, PBC, PIN, near field communication (NFC)
Support for both ___ and ___ configurations is required for access points; client devices at a minimum must support ____. A third, optional method, _____ tokens is also supported.
Temporal Key Integrity Protocol
TKIP
temporal key integrity protocol
TKIP
environment, specifications, cost, complexity
The EAP type chosen will depend on the ______ in which the wireless LAN is used. EAP types vary in ____, ___, and ______.
SecureEasySetup (SES)
The Linksys version of push-button security is called___.
discovery phase, passive, active
The SSID will allow wireless devices such as notebook computers to identify and connect to a wireless LAN using the ________, which includes the _____ and _____ scanning processes.
WPA, WPA 2.0, WPS
The WiFi alliance has released several certifications that pertain to wireless networking: ___ and ____ for SOHO and enterprise deployments, and ____ for the home user.
access point, registrar, PIN, PIN
The _____ will detect when a new wireless device device that supports WPS is in radio range. When this device tries to join the network, the _______ will prompt the user to enter the unique ____. Once the ____ is entered, the process authenticates the device and encrypts the network data sent to and from the device.
beacon frame, 10
The ________ is an advertisement of the wireless network. By default this is set to broadcast at about ___ times a second.
IEEE 802.1X/EAP, TKIP/RC4
The authentication method used by WPA - enterprise is _____ and the encryption/cipher method is ______.
passphrase, TKIP/RC4
The authentication method used by WPA - personal is _____ and the encryption/cipher method is ______.
IEEE 802.1X/EAP, CCMP/AES or TKIP/RC4
The authentication method used by WPA2 - enterprise is _____ and the encryption/cipher method is ______.
passphrase, CCMP/AES or TKIP/RC4
The authentication method used by WPA2 - personal is _____ and the encryption/cipher method is ______.
Extensible Authentication Protocol (EAP)
The authentication process used with IEEE 802.1X is....
6, 2
The media access control (MAC) address is a unique hardware identifier of a computer network device. This __-byte address is the Layer _ address that allows frames to be sent to and received from a device.
authentication , data privacy
The original IEEE 802.11 standard addressed which two areas of security?
access point
The registrar device in the case of a wireless LAN is the ______.
authentication, authorization, accounting
The three components that work together in the AAA protocol are:
IEEE 802.1X, user-based security
This advanced enterprise-level solution operates at Layer 2 and is an IEEE standard. It is also called _____.
MAC address spoofing
This involves tricking the wireless device into thinking its unique MAC address is something other than what is encoded in the actual network card.
MAC address
This is easily visible and cannot be encrypted
open system
This type of authentication is a two-step process, a two-frame exchange, and is one of the simplest ways to provide an authentication process.
passphrase-based security, the same 256-bit
This was designed with the SOHO or home-based user in mind. This type of security requires all wireless devices that are part of the same wireless network to have ____ pre-shared key (PSK) in order to securely communicate.
Point-to-Point Tunneling Protocol (PTP), Layer 2 Tunneling Protocol (L2TP)
Two common types of VPN protocols are:
tunneling, encryption
VPNs consist of two parts, _____ and _____.
layer 3
VPNs typically operate at _____.
Wired equivalent privacy
WEP
open system or shared-key
WEP can be used in one of two ways:
wireless intrusion prevention system
WIPS
intrusion signature database
WIPS countermeasures are based on identifying the intrusion by comparing the captured information to an _____ within the WIPS server.
802.1X, supplicant, authenticator, authentication server
Wireless devices that use ____ technology are identified using different terminology than that used in the IEEE 802.11 standards-based wireless networking: ______ (wireless client device), _____ (wireless access point), ______ (RADIUS or AAA authentication server)
Internet Protocol Security (IPSec)
With L2TP, a popular choice of encryption is _____, which provides authentication and encryption for each IP packet in a data stream.
IEEE 802.11 open system authentication
With _____ all information is broadcast through the air in plain text.
Remote Authentication Dial-In User Service (RADIUS)
___ is a networking service that provides centralized authentication and administration of users.
TKIP, encryption, integrity, 48, replay attacks, message integrity check, forgery attacks, RC4
___ was designed as a firmware upgrade to WEP. Enhancements include , pre-packet key mixing of the IV to separate IVs from the weak keys, A dynamic rekeying mechanism to change ______ and _____keys, __-bit IV and IV sequence counter to prevent _____, ____(MIC) to prevent ______, and the use of the ___ stream cipher, thereby allowing backward compatibility with WEP.
IEEE 802.1X/EAP
____ consists of two different components used together to form an enterprise computer network security solution.
Layer 2 Tunneling Protocol (L2TP)
____ is a combination of two different tunneling protocols: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol.
Role-based access control (RBAC)
____ is a way of restricting access to only authorized users based on roles rather than user identities.
CCMP
____ is mandatory for robust security network (RSN) compliance.
Passive
____ scanning occurs when the wireless client device listens for beacons frames.
PPTP
____ was developed by a vendor consortium, was very popular because of its configuration, and was included in all Microsoft Windows operating systems starting with Windows 95.
physical layer monitoring
_____ allows the wireless network engineer to see what is happening in the air as it relates to radio frequency, usually accomplished with the use of a spectrum analyzer.
CCMP, 2012, WPA2
_____ is a mandatory part of the IEEE 801.11i amendment, now in the IEEE 802.11-___ standard and part of ______certification from the Wi-Fi Alliance.
IEEE 802.1X
_____ is a port-based access control method and was designed to work with IEEE 802.3 Ethernet wired networks.
Virtual Private Networking (VPN)
_____ is the capability to create private communications over a public network infrastructure such as the internet.
user-based security, centralized database
______ allows an administrator to restrict access to a wireless network and its resources by creating users in a ______.
PIN functionality
_______ is required in order for a wireless device to be Wi-Fi Protected Setup (WPS) certified.
Data link layer monitoring, frame exchanges, frame decoding
_______ means looking at the layer 2 information; it allows a network engineer to view both ______ and _____ by expanding on the captured wireless frames.
captive portal
a process that redirects a user to an authentication source of some type before they will be allowed wireless network access.
payment card industry (PCI)
a regulation requiring companies to adhere to security standards created to protect card information pertaining to financial transactions
hijack attack
deauthentication frames force wireless device to reauthenticate...
data privacy
ensuring that information or data is understandable only by the individuals or groups it is intended for.
authentication
gives the capability to control access to a system
SSID
logical name for the wireless network and was designed to be used for wireless device segmentation.
supplicant
the software security component of the wireless client device.
dec 2011
when security flaw was reported with WPS
