CWSP-207 Certified Wireless Security Professional Question and Answers

Awareness of the exact vendor devices being installed

Management support for the process

End-user training manuals for the policies to be created

Security policy generation software

Enabling encryption to prevent MAC addresses from being sent in clear text

How to prevent non-IT employees from learning about and reading the user security policy

End-user training for password selection and acceptable network use

The exact passwords to be used for administration interfaces on infrastructure devices

Social engineering recognition and mitigation techniques

Use a WPA2-Enterprise compliant security solution with strong mutual authentication and encryption for network access of corporate devices.

Hide the SSID of all legitimate APs on the network so that intruders cannot copy this parameter on rogue APs.

Conduct thorough manual facility scans with spectrum analyzers to detect rogue AP RF signatures.

A trained employee should install and configure a WIPS for rogue detection and response measures.

Enable port security on Ethernet switch ports with a maximum of only 3 MAC addresses on each port.

Require Port Address Translation (PAT) on each laptop.

Require secure applications such as POP, HTTP, and SSH.

Require VPN software for connectivity to the corporate network.

Require WPA2-Enterprise as the minimal WLAN security solution.

MSCHAPv2 passwords used with EAP/PEAPv0 should be stronger than typical WPA2-PSK passphrases.

Password complexity should be maximized so that weak WEP IV attacks are prevented.

Static passwords should be changed on a regular basis to minimize the vulnerabilities of a PSK-based authentication.

Certificates should always be recommended instead of passwords for 802.11 client authentication.

EAP-TLS must be implemented in such scenarios.

Rogue APs

DoS

Eavesdropping

Social engineering

Token cards must be used for authentication.

Dynamic WEP-104 encryption must be enabled.

WEP may not be used for encryption.

WPA-Personal must be supported for authentication and encryption.

WLAN controllers and APs must not support SSHv1.

802.1X/EAP-TTLS

Open 802.11 authentication with IPSec

802.1X/PEAPv0/MS-CHAPv2

WPA2-Personal with AES-CCMP

EAP-MD5

Encryption cracking

Offline dictionary attacks

Layer 3 peer-to-peer

Application eavesdropping

Session hijacking

Layer 1 DoS

Transmitting a deauthentication frame to disconnect a user from the AP.

Auditing the configuration and functionality of a WIPS by simulating common attack sequences

Probing the RADIUS server and authenticator to expose the RADIUS shared secret

Cracking the authentication or encryption processes implemented poorly in some WLANs

Intruders may obtain the passphrase with an offline dictionary attack and gain network access, but will be unable to decrypt the data traffic of other users.

A successful attack against all unicast traffic on the network would require a weak passphrase dictionary attack and the capture of the latest 4-Way Handshake for each client.

An unauthorized wireless client device cannot associate, but can eavesdrop on some data because WPA2-Personal does not encrypt multicast or broadcast traffic.

An unauthorized WLAN user with a protocol analyzer can decode data frames of authorized users if he captures the BSSID, client MAC address, and a user’s 4-Way Handshake.

Because WPA2-Personal uses Open System authentication followed by a 4-Way Handshake, hijacking attacks are easily performed.

Offline dictionary attacks

MAC Spoofing

ASLEAP

DoS

RF jamming device and a wireless radio card

A low-gain patch antenna and terminal emulation software

A wireless workgroup bridge and a protocol analyzer

DHCP server software and access point software

MAC spoofing software and MAC DoS software

MS-CHAPv2 is compliant with WPA-Personal, but not WPA2-Enterprise.

MS-CHAPv2 is subject to offline dictionary attacks.

LEAP’s use of MS-CHAPv2 is only secure when combined with WEP.

MS-CHAPv2 is only appropriate for WLAN security when used inside a TLS-encrypted tunnel.

MS-CHAPv2 uses AES authentication, and is therefore secure.

When implemented with AES-CCMP encryption, MS-CHAPv2 is very secure.

An autonomous AP system with MAC filters

WPA2-Personal with support for LDAP queries

A VPN server with multiple DHCP scopes

A WLAN controller with RBAC features

A WLAN router with wireless VLAN support

Fast/secure roaming in an 802.11 RSN is significantly longer when EAP-TLS is in use.

EAP-TLS does not protect the client's username and password inside an encrypted tunnel.

EAP-TLS cannot establish a secure tunnel for internal EAP authentication.

EAP-TLS is supported only by Cisco wireless infrastructure and client devices.

EAP-TLS requires extensive PKI use to create X.509 certificates for both the server and all clients, which increases administrative overhead.

The RADIUS server can communicate with the DHCP server to issue the appropriate IP address and VLAN assignment to users.

The RADIUS server can support vendor-specific attributes in the ACCESS-ACCEPT response, which can be used for user policy assignment.

RADIUS can reassign a client’s 802.11 association to a new SSID by referencing a username-to-SSID mapping table in the LDAP user database.

RADIUS can send a DO-NOT-AUTHORIZE demand to the authenticator to prevent the STA from gaining access to specific files, but may only employ this in relation to Linux servers.

RADIUS attributes can be used to assign permission levels, such as read-only permission, to users of a particular network resource.

Intruders can send spam to the Internet through the guest VLAN.

Peer-to-peer attacks can still be conducted between guest users unless application-layer monitoring and filtering are implemented.

Unauthorized users can perform Internet-based network attacks through the WLAN.

Guest users can reconfigure AP radios servicing the guest VLAN unless unsecure network management protocols (e.g. Telnet, HTTP) are blocked.

Once guest users are associated to the WLAN, they can capture 802.11 frames from the corporate VLANs.

Multi-factor authentication

4-Way Handshake

PLCP Cyclic Redundancy Check (CRC)

Encrypted Passphrase Protocol (EPP)

Integrity Check Value (ICV)

Group Temporal Keys

Robust broadcast management

Robust unicast management

Control

Data

ACK

QoS Data

802.11w frame protection protects against some Layer 2 denial-of-service (DoS) attacks, but it cannot prevent all types of Layer 2 DoS attacks.

When frame protection is in use, the PHY preamble and header as well as the MAC header are encrypted with 256- or 512-bit AES.

Authentication, association, and acknowledgment frames are protected if management frame protection is enabled, but deauthentication and disassociation frames are not.

Management frame protection protects disassociation and deauthentication frames.

Fragmentation threshold

Administrative password

Output power

Cell radius

The MIC is used as a first layer of validation to ensure that the wireless receiver does not incorrectly process corrupted signals.

The MIC provides for a cryptographic integrity check against the data payload to ensure that it matches the original transmitted data.

The MIC is a hash computation performed by the receiver against the MAC header to detect replay attacks prior to processing the encrypted payload.

The MIC is a random value generated during the 4-way handshake and is used for key mixing to enhance the strength of the derived PTK.

WIPS sensor software installed on a laptop computer

Spectrum analyzer software installed on a laptop computer

An autonomous AP mounted on a mobile cart and configured to operate in monitor mode

Laptop-based protocol analyzer with multiple 802.11n adapters