
1. Which wireless security protocol cannot use digital certificates for both the supplicant and authentication server?
A. EAP-TLS
B. IPSec VPN
C. PEAPv0/EAP-TLS
D. EAP-TTLS
E. LEAP (yes)

2. Which of the following would cause a radio frequency signal to attenuate? (Choose 2)
A. Lowering the gain on a wireless receiver
B. Removing the antenna from a wireless receiver
C. A reflected signal received 130 degrees out of phase of the main signal (yes)
D. A signal traveling through open air (yes)
E. A fade margin increased by 5%

3. What is an example of a valid 802.11n draft PPDU format?
A. 40 MHz HT (yes)
B. 20 GHz HT
C. DSSS-OFDM
D. OFDM
E. CSMA/CA

4. To what type of attack is a wireless LAN switch always vulnerable?
A. Dictionary and brute force attacks
B. Attacks against the lightweight access points (yes)
C. Man-in-the-middle
D. Forgery
E. Weak key attacks

5. How does implementing the TKIP cipher suite improve upon the security of wireless networks currently using WEP? (Choose 3)
A. Offers per-user, per-frame encryption keying (yes)
B. Mitigates replay attacks using a per-frame sequence counter (yes)
C. Increases the Initialization Vector to 64 bits
D. Includes a new integrity checking process (yes)
E. Requires mutual authentication
F. Replaces the RC4 stream cipher with a stronger block cipher

6. XYZ University is installing a security camera system, and they want to use mesh routers to connect all of the security cameras back to a central Ethernet switch. Each camera has an Ethernet port and is located near an AC outlet. Each mesh router uses ERP-OFDM, AES-CCMP encryption, and has three Ethernet ports for connecting multiple cameras. Each mesh router will connect to at least two other mesh routers by design. All cameras are housed in locked enclosures, are pointed at a specific location, and cannot be rotated. A student that is participating in the installation is going to attempt to circumvent this security solution. What plausible approach might the student use to circumvent this security solution?
A. Use an 802.11 frame generator to send spoofed deauthentication frames to the mesh router with a source address of another mesh router.
B. Use an RF jamming device to interrupt the wireless mesh link near a mesh router. (yes)
C. Plug an additional camera into a lower-numbered (higher priority) Ethernet port on a mesh router. This would cause the mesh router to send video from the unauthorized camera, which is pointing in a different direction.
D. Enable an HR-DSSS client adapter near the mesh router, forcing it to enable protection mechanisms. This will result in an average bandwidth too low for full-motion video and will cause substantial blurring.

7. Given: Block Ack mechanisms are used to provide data aggregation for improving performance of wireless networks. What are two different types of Block Acks? (Choose 2)
A. Immediate (yes)
B. Delayed (yes)
C. Short
D. Enhanced
E. Deferred

8. While troubleshooting the performance of several wireless stations, you suspect that their power management features are not optimally set. Which of the following things could you check?
A. Verify all desktop computers are set to Active Mode and all laptops are set to Power Save Mode so that access points only buffer unicast and broadcast traffic from the laptops.
B. Set all desktop and laptop computers to Power Save Mode to ensure all workstations have an equal chance to send packets across the wireless network.
C. Make sure the desktop computers' WLAN cards are set to Active Mode, so that they can receive frames from other stations at any time. (yes)
D. Verify the laptop computers' WLAN cards are set to Power Save Mode to guarantee the highest throughput and lowest latency possible while roaming.

9. Based upon the included protocol analyzer capture, what can you definitively conclude about the wireless network? (Choose 2)
A. WEP cannot be used for encryption (yes)
B. WPA2-Enterprise has been implemented
C. 802.1X/EAP-TLS is used for authentication
D. All unicast traffic is encrypted using AES (yes)
E. A passphrase was used to generate the Master PMK

10. As a wireless security professional, you are tasked by a company to quickly attempt to bypass static WEP security on their 802.11a WLAN. WEP is configured as mandatory on all devices in the network. Which approaches do you take? (Choose 2)
A. Enable a wireless protocol analyzer and wait for it to gather a given amount of data traffic from multiple wireless LAN end users. You use AirCrack to look for weak IVs in the packet trace. (yes)
B. Associate with an access point using Open System authentication and log in with the default username and password. You reconfigure the access point for a new WEP key.
C. Record their SSID, phone number, address, and other data related to their organization and try to fit numbers and letters into patterns of 5, 10, 13, or 26 characters for use as a test WEP key. (yes)
D. Transmit a high volume of association frames to an access point to force it to fail into an Open System state. You use a WLAN client to associate and bypass WEP security.
E. Configure Windows Zero Configuration (WZC) to have the key provided automatically to your client device. Enable a WLAN protocol analyzer to capture the WEP key.

11. Which method of authenticating a wireless client to a network uses digital certificates or protected access credentials?
A. Open authentication
B. Shared key authentication
C. Passphrases
D. Kerberos
E. EAP (yes)
F. 802.11X

12. Which statement is true regarding deployment of an overlay WIPS?
A. Handheld WLAN protocol analyzers are used as agents in an overlay WIPS.
B. The WIPS server appliance has 802.11a/g radios for 802.11-to-802.3 MAC frame conversion.
C. The software control panel (dashboard) of a WIPS is a summary of all WLAN events as seen by all sensors. (yes)
D. The WIPS analysis engine reports all events to a WNMS for correlation.

13. What is mandatory for a power device (PD) to be considered 802.3-2005 Clause 33 compliant?
A. Reply with a detection signature (yes)
B. Must perform classification using a classification signature
C. Must include support for Class 5 signatures
D. Use of 15.4 Watts of power per PSE port

14. ABC Corporation has spent thousands of dollars implementing a very secure WLAN solution that uses WPA2-compliant 802.1X/EAP-TTLS. ABC Corp still has concerns about potential security holes. ABC Corp has hired you to perform a penetration test of their network, and you are unable to penetrate their authentication or encryption scheme. Which penetration test could you perform next?
A. Install a Homeplug (Powerline) Ethernet bridge in an unused office. Connect a Homeplug access point into an outdoor electrical outlet on the building and access ABC's network from your car. (yes)
B. Install an access point and DHCP server software on your laptop. Use an RF jamming device to hijack EAP users onto your laptop and perform peer attacks against their operating system.
C. Use an RF jamming device to disrupt channel 1 on ABC's wireless network in order to convince them they need to redo the site survey. Have one of your associates call ABC's IT manager and sell him site surveying services. During the site survey, tell users that you need their passwords to make the wireless LAN work for them.
D. Install RADIUS software that supports 802.1X/EAP-TTLS on your laptop. Call the helpdesk and convince them to give you the RADIUS shared secret. Then install a rogue access point in ABC Corp's lobby.

15. ABC Corporation has recently decided to purchase and install an 802.11a/g wireless LAN. The network administrator decides to purchase a WLAN switch because of its wide range of EAP support. ABC Corporation has no Public Key Infrastructure (PKI), but likes the EAP-TLS model of wireless security. As a hired consultant, you mention an EAP type that closely resembles the functionality of EAP-TLS, without using digital certificates. What EAP type did you mention?
A. EAP-TTLS
B. EAP-MD5
C. PEAPv0/EAP-MSCHAPv2
D. EAP-FAST (yes)
E. PEAPv1/EAP-GTC

16. What are the two best ways to counter a dictionary attack? (Choose 2)
A. Require strong passwords
B. Use dynamic keying (yes)
C. Only allow digital certificates (yes)
D. Ensure RADIUS is used for authentication
E. Accept only 256-bit encryption or greater

17. What statements are true regarding Pairwise Master Keys (PMK) and Group Master Keys (GMK) that are used in IEEE 802.11 RSNAs? (Choose 2)
A. The Group Master Key (GMK) is derived from the Pairwise Master Key (PMK)
B. The Pairwise Master Key (PMK) is derived from the Group Master Key (GMK)
C. The PMK is used to derive the PTK, which is used to protect unicast traffic (yes)
D. The PMK may be directly mapped from a Preshared Key (PSK) (yes)
E. The GMK is used to encrypt multicast traffic

18. ABC Company recently implemented wireless networks at many of their branch offices. To determine RF coverage areas and access point placement, they measured the signal strength as reported in their laptop's wireless network card. What limitations does this site survey method include? (Choose 2)
A. Does not identify interference sources (yes)
B. Different vendors report identical RF signals at different signal strengths (yes)
C. Only indicates a signal's viability
D. A laptop WLAN card does not accurately identify signal strength
E. Does not consider impact of security overhead

19. You are considering upgrading your wireless security solution from WEP to WPA-Personal. What weakness would not be addressed in your security solution? (Choose 2)
A. Forgery attacks
B. Jamming attacks (yes)
C. Replay attacks
D. Dictionary attacks (yes)
E. Collision attacks
F. Weak Key Attacks

20. You work as a consultant for an IT professional services firm. One of your clients is a construction company who builds high rise office developments in your metropolitan area. Each construction site:
a) is several miles from the downtown corporate data center
b) has an on-site temporary office area equipped with phone lines
c) has no line-of-sight back to the corporate data center building
Since the internal data and power cabling is not installed in the building under construction until the last stage of construction, providing wired Internet access to on-site engineers for the purpose of accessing the corporate Intranet via VPN has always been impossible until the last stages of the construction project. You have been asked to design a secure, short-term, low-cost, high-speed wireless solution that will give on-site engineers Internet access. What solution do you choose?
A. Purchase an individual HR-DSSS WISP account for each engineer and issue them client adapters.
B. Rent temporary wireless access from a tenant of a building adjacent to the construction site.
C. Implement xDSL and an HR-DSSS access point with a sector antenna at each temporary office. (yes)
D. Install HR-DSSS mesh routers on the top of each building under construction and the corporate data center.
E. Install a T1 in the temporary office and HR-DSSS mesh routers throughout the construction site.

21. Given: A Robust Security Network (RSN) is a security network that allows only the creation of robust security network associations (RSNAs). To be considered an RSN, which statement is true?
A. An RSN must support the CCMP cipher suite, may optionally allow use of the TKIP cipher suite, and may not allow the use of WEP. (yes)
B. An RSN must support the CCMP cipher suite, and may optionally allow use of the TKIP cipher suite or WEP.
C. An RSN must support the CCMP cipher suite and the TKIP cipher suite, and may not allow the use of WEP.
D. An RSN must support the CCMP cipher suite and the TKIP cipher suite, and may optionally allow the use of WEP.
E. An RSN must support the CCMP cipher suite, and may not allow use of the TKIP cipher suite or WEP.

22. As part of its corporate security policy, your organization requires all wireless LANs to be separated from the wired network core using a device capable of authentication, data encryption, and throughput limiting. Which device will accomplish this policy requirement?
A. Wireless workgroup bridge
B. Transparent tunneling bridge
C. Wireless LAN controller (yes)
D. Personal firewall software

23. On an HR-DSSS wireless LAN, which statements are true regarding all stations accessing the same access point within a BSS? (Choose 2)
A. All stations must use the same authentication mechanism
B. All stations are always in a single layer 3 broadcast domain
C. All stations have full-duplex communication with each other through the access point
D. All stations operate in the same shared medium (yes)
E. All stations know the access point's beacon interval (yes)

24. The IEEE 802.11 standard (as amended) describes Ad Hoc wireless LANs as having what characteristics?
A. Support for client polling
B. Support for RADIUS authentication services
C. Support for time-bounded services
D. Support for seamless roaming of clients between networks
E. Shared Key authentication services (yes)

25. To prevent theft of an access point, which deterrent is used?
A. Install an SNMP management utility to periodically poll all wireless infrastructure devices.
B. Mark the owner's name and contact information on the outside of the access point.
C. Record the MAC addresses and serial number of the access point.
D. Mount the access point out of view and out of reach. (yes)
E. Mount the access point only in a locked equipment room.

26. The 802.1X-2004 standard defines which two port access entities (PAEs)? (Choose 2)
A. Supplicant (yes)
B. Supplication Server
C. Encryptor
D. KDC
E. Authenticator (yes)
F. Authentication Server

27. ABC Company has recently installed a WLAN switch/controller and configured it to support WPA2-Enterprise and termination of PPTP/MS-CHAPv2/MPPE-128 VPN tunnels. ABC's client devices are configured to use 802.1X/EAP with CCMP and PPTP. How will simultaneous use of these two security mechanisms affect client roaming across the enterprise?
A. Roaming will be equally as fast as having only the WPA2-Enterprise solution in place. (yes)
B. Roaming will be very slow because the PPTP VPN tunnel must be rebuilt for each thin AP.
C. Client devices will be able to roam between access points while maintaining the WPA2 connection, but the PPTP VPN connection will only be available through the original thin access point.
D. Client devices must be configured to support two simultaneous associations: one for WPA2, and one for PPTP.

28. What has occurred if an RF signal strikes an uneven surface, causing the signal to be reflected in many directions simultaneously so that the resultant signals are less significant than the original signal?
A. Return loss
B. Interference
C. Phase shift keying
D. Diffraction
E. Scattering (yes)
F. Refraction

29. Which EAP type supports only password authentication (without support for certificates), but supports mutual authentication of the supplicant and authentication server?
A. EAP-TLS
B. EAP-MD5
C. LEAP (yes)
D. PEAPv1/EAP-GTC
E. PEAPv0/EAP-MSCHAPv2
F. EAP-FAST

30. What is the term used to define the area surrounding a transmitted RF beam, whose size is based on distance and frequency?
A. Inductance Sphere
B. Fresnel Zone (yes)
C. Interference Band
D. Diffraction Domain
E. Cone of Silence

31. While auditing ABC Company's wireless security solution, you discover ABC Company has a 'closed' system that does not broadcast the network name in its beacons. What benefits and weaknesses can you provide to ABC Company regarding its use of hidden SSIDs? (Choose 2)
A. Prevents intruders from actively discovering the wireless network
B. Stops WLAN discovery tools such as Netstumbler from locating the wireless network
C. Disables wireless protocol analyzers from finding the wireless network using passive scanning (yes)
D. Eliminates intruders from learning the SSID in order to join the wireless network
E. Keeps users from accidentally attempting to connect to the wrong wireless network (yes)

32. While performing a security audit for XYZ company, you notice in a trace capture that a client can successfully roam without completing a 4-way handshake. You check and see that the wireless client station is using WPA for authentication. What is the best explanation for what you are seeing?
A. The client is using PMK Caching for fast roaming
B. The client is using Opportunistic PMK Caching for fast roaming
C. The client is using a proprietary vendor solution for fast roaming (yes)
D. Preauthentication is configured on the WLAN controller and wireless client
E. WPA does not require additional 4-way handshakes when roaming to another AP managed by the same WLAN controller

33. ABC Company's lightweight access points periodically go 'off channel' for a short period of time to scan all 802.11a/g Wi-Fi channels to detect and locate rogue access points. When a rogue access point is found, the active security policy requires at least one access point to perform a deauthentication attack against the rogue. What type of WIPS does ABC Company have?
A. Hot-standby
B. Integrated (yes)
C. Overlay
D. Autonomous
E. AP-reliant

34. What are common characteristics of a single-channel architecture solution? (Choose 2)
A. There is no need for channel planning.
B. Handoffs between access points are removed.
C. All access points share the same channel, SSID, and MAC address. (yes)
D. Co-channel interference is eliminated.
E. A WLAN controller is required for centralized management. (yes)

35. What conditions have to be met for a Wi-Fi client to take advantage of WMM Power Save? (Choose 2)
A. The client AND access point must meet Wi-Fi CERTIFIED for WMM Power Save specifications (yes)
B. Latency-sensitive applications must support WMM Power Save (yes)
C. All other clients within range must be Wi-Fi CERTIFIED for WMM Power Save
D. RTS/CTS must be enabled when using WMM Power Save
E. The client operating system must support an 802.11e supplicant
F. The client must support long and short preambles

36. Given: An HR-DSSS access point is classified as a Class 2 PD (Powered Device), and uses 5 Watts of power. When connecting this access point to an 802.3-2005 Clause 33 compliant Power Sourcing Equipment (PSE) device, how much power is wasted from the PSE's power budget?
A. 2 Watts (yes)
B. 10.4 Watts
C. 0 Watts
D. 7 Watts
E. 15.4 Watts

37. Which protocol is NOT supported on an HR-DSSS wireless LAN?
A. IPX/SPX
B. TCP/IP
C. ISDN (yes)
D. Netbeui
E. DECnet

38. In an ERP-OFDM wireless LAN, what can cause attenuation of an 802.11 RF signal? (Choose 2)
A. Adding an RF extension cable (yes)
B. Open air space between transmitter and receiver (yes)
C. Nearby Bluetooth 2.0 wireless systems
D. Adding an RF amplifier in series with the main RF signal path
E. Bright sunlight between the transmitting and receiving antennas

39. An intruder wants to perform a WLAN hijacking attack against a wireless laptop on its layer 2 and layer 3 connections. This will be followed by a peer attack against open file shares on the wireless laptop. What items must the intruder possess to conduct this attack?
A. The SSID and channel of the authorized network, a narrowband RF jamming device, access point software, and subnet information of the existing network or DHCP server software (yes)
B. The SSID and channel of the authorized network, a spectrum analyzer, protocol analyzer software, wireless frame generator software, and DHCP server software
C. The SSID of the authorized network, Internet Connection Sharing software, a high power FHSS jamming device, and DHCP server software
D. The channel of the authorized network, a mobile microwave oven, access point software, a spectrum analyzer, and wireless protocol analysis software

40. As a consultant, you have been hired to design a wireless LAN security solution. Of primary concern is a wireless man-in-the-middle (MITM) attack. Which security solution will prevent this type of attack?
A. 802.1X/PEAP (yes)
B. MAC filters
C. RADIUS
D. LDAP
E. L2TP VPN

41. Which common security solutions used on 802.11 wireless LANs support data encryption? (Choose 3)
A. IPSec/ESP with certificates (yes)
B. IP unnumbered
C. WPA2-Personal (yes)
D. Shared Key authentication
E. 802.1X/EAP-MD5
F. Secure Shell (yes)

42. Senior management of XYZ Company is complaining that implementations of their client's wireless networks take too long to complete. They want to know if a complete RF site survey is necessary. As their senior wireless systems analyst, what do you tell them? (Choose 2)
A. Self-managing wireless networks minimize the need for an onsite site survey (yes)
B. Must know RF behavior and interference sources to determine access point placement (yes)
C. Virtual site surveys are just as accurate and eliminate the need for expensive manual site surveys
D. A wireless network will not work if a site survey is not first completed
E. Performing a site survey will ensure wireless networks will not experience co-channel interference

43. Which of the following would cause a radio frequency signal to attenuate? (Choose 2)
A. Lowering the gain on a wireless receiver
B. Removing the antenna from a wireless receiver
C. A reflected signal received 130 degrees out of phase of the main signal (yes)
D. A signal traveling through open air (yes)
E. A fade margin increased by 5%

44. A user complains that they cannot connect to the Internet through the wireless network, even though their client utility shows they are connected with a strong signal. You check their system and see they have been successfully assigned an IP address of 169.254.138.16. Other stations can access the Internet without issue. What might be the problem? (Choose 3)
A. Their wireless card's MAC address is not filtered correctly on the access point (yes)
B. They have a mis-configured WEP key (yes)
C. They are not authenticated to the wireless access point
D. They are not associated to the wireless access point
E. The access point failed layer 2 mutual authentication
F. The RADIUS server denied access to the supplicant (yes)

45. ABC Company is looking to implement a new enterprise WLAN and is deciding upon either a single- or multi-channel architecture solution. They have hired you as a consultant to help educate them on the advantages and weaknesses of each solution. What information can you provide them to help make their decision?
A. Roaming is improved with single-channel architecture because the client does not have to make any roaming decisions. (yes)
B. Because single-channel architecture effectively eliminates the need for channel planning, wireless site surveys are no longer necessary.
C. Multi-channel architecture solutions take more planning to avoid channel overlap compared to single-channel architecture solutions.
D. All access points in a single-channel architecture use the same BSSID (MAC address), helping to prevent a client from distinguishing one access point from another. (yes)
E. Within the same physical space, multi-channel architecture systems can provide greater throughput capacity than single-channel architecture systems. (yes)

Explanation: Multi-channel architecture networks deploy access points using a different RF channel or frequency for each transmitter. To provide areas of continuous coverage, access points are placed at intervals, with each providing coverage in its area, or cell, on a given RF channel. The use of different RF channels prevents co-channel interference in areas where cells overlap. This overlapping condition is avoided in the adaptive model by moving access points on the same channel physically as far apart as possible. Wireless network designers use transmit power to influence the size of each cell, and as much as possible identify the best RF channel reuse pattern across the network to avoid areas where same-channel cells overlap.

In the multi-channel architecture model, client stations choose to associate to a particular access point by selecting the appropriate RF channel and tuning out other access points transmitting on other RF channels. Roaming is accomplished by the client switching its radio to work on the new access point's RF channel. The handoff between access points is initiated by the client. The client must decide it is time to hand over, then select the target access point and switch to the new RF channel, and then re-authenticate at that access point. Each of these phases of handover is difficult to accomplish quickly, accurately and consistently.

Single-channel architecture networks use access points that are all tuned to the same RF channel or frequency. The simplest view of this model shows a number of access points with overlapping coverage forming a continuous region. Most implementations use access points that also share the same SSID and MAC address, and are designed so that the clients cannot distinguish between the access points providing coverage. Instead, the network decides which access point should transmit and receive data for a particular client. In other words, the client is not involved in any handoff decision. As clients move through a building, the network directs traffic to them via the nearest access point with available capacity. A WLAN controller is necessary to centrally manage the handoff decisions. Because all access points are set to a common RF channel, the only decision to be made is to choose the best channel for the entire network.

Co-channel interference is a phenomenon where transmissions from one cell spread to a nearby cell on the same RF channel, causing errors or dropped transmissions due to interference when they coincide with transmissions to or from devices in that cell. To mitigate co-channel interference, spatial separation is effective because the greater the distance between the devices causing and suffering interference, the lower the level of the unwanted received signal. Eventually the interfering signal is reduced to such a low level that it is no longer powerful enough to disrupt the wanted transmissions. Because all access points share the same channel, single-channel architecture cannot use spatial separation, and must attempt to solve co-channel interference using stronger proprietary temporal coordination mechanisms outside of the 802.11 standards. Detailed access point placement based upon a highly accurate site survey must be used to minimize the effects of co-channel interference from channel overlap.

By co-locating multiple access points in the same physical area using non-overlapping channels, multi-channel architecture systems can provide greater overall throughput than a single-channel architecture system.

46. Given: Beacons are transmitted periodically to allow mobile stations to locate and identify a BSS, as well as keep each wireless station in sync with the access point to allow for those stations to use sleep mode. What part of the beacon is used to keep each wireless station's timer synchronized?
A. Beacon Interval
B. Timestamp (yes)
C. Traffic Indication Map (TIM)
D. DTIM
E. Sync Field

47. What is a significant difference between an 802.3-2005 Clause 33 compliant Endpoint PSE device and a Midspan PSE device?
A. Endpoint PSE devices can support Gigabit Ethernet but Midspan PSE devices only support 10BASE-T or 100BASE-TX. (yes)
B. Midspan PSE devices regenerate an Ethernet signal similar to a repeater.
C. Ethernet signals and electrical power may both travel on the same two wire pairs when using an endpoint PSE device. (yes)
D. Endpoint PSE devices will continuously monitor for powered device connectivity.
E. Endpoint PSE devices withhold power until PoE compliance is determined.

Explanation: The two types of Power Sourcing Equipment (PSE) are endpoint and midspan devices. Alternative A Ethernet cabling uses the data lines (orange and green pairs), while alternative B Ethernet cabling uses the unused conductors (blue and brown pairs). An endpoint PSE is housed with a switch and has the ability to use either alternative A or alternative B power sourcing. Midspan PSE devices reside between a non-PSE switch and an end station (powered device or PD) and can only send power over the non-data lines. This difference allows endpoint PSE devices to support 10BASE-T, 100BASE-TX, and 1000BASE-T connectivity, while midspan devices only support 10BASE-T and 100BASE-TX, as 1000BASE-T requires use of all eight Ethernet conductors.

48. Which two types of attacks can be defeated by using a strong password? (Choose 2)
A. Dictionary (yes)
B. Brute Force (yes)
C. Spoofing
D. Jamming
E. Injection
F. Hijacking

49. ABC Company has purchased a WLAN switch and lightweight access points. Each access point has an ERP-OFDM radio, and ABC Company has estimated it will take approximately 30 access points to cover the entire facility and to provide the proper throughput capacity. Considering the ERP channel separation requirements, how many non-overlapping channels may be used in this installation?
A. 2
B. 3 (yes)
C. 4
D. 8

50. Given: As a wireless security expert, you have been hired by ABC Company to create a wireless network security policy that dictates all wireless network traffic must be segmented from the network backbone. What device could be implemented to segment the wireless traffic from the network backbone? (Choose 3)
A. Layer 2 unmanaged switch
B. WLAN Controller (yes)
C. PoE Injector
D. VPN Concentrator (yes)
E. Enterprise Encryption Gateway (yes)
F. RBAC Supplicant

51. What WLAN attack can be performed with the illustrated software utility?
A. Fake AP
B. 802.11 deauthentication
C. Bit flipping
D. MAC address spoofing (yes)
E. 802.1X EAP Start flood

52. Which statement most accurately describes the Passive Scanning process in an Independent Basic Service Set?
A. Access points broadcast beacons on all channels on each radio within the regulatory domain, and nearby stations record information found in the beacons for use in the association process.
B. Access points broadcast beacons on a single channel on each radio for which they are programmed, and nearby stations record information found in the beacons for use in the association process.
C. Stations broadcast probe request frames on all channels within the regulatory domain, and nearby access points respond with probe response frames. Stations record information found in the probe response frames for use in the association process.
D. Stations broadcast probe request frames on the single channel for which they are programmed. Nearby access points respond on that channel with probe response frames. Stations record information found in the probe response frames for use in the association process.
E. Stations broadcast beacons on all channels within the regulatory domain, and nearby stations record information found in the beacons for use in the association process.
F. Stations broadcast beacons on a single channel, and nearby stations record information found in the beacons for use in the association process. (yes)

53. Which security solution is the best way to defeat an offline dictionary attack against a wireless network?
A. Implement WPA2-Personal
B. Implement EAP-LEAP
C. Implement EAP-MD5
D. Implement WPA-Enterprise (yes)

54. Given: You are transmitting data using an ERP-OFDM access point connected to an 18 dBi omnidirectional antenna through a cable producing 3 dB loss. If you wanted to transmit at the maximum allowed EIRP, what would be the dBm rating at the Intentional Radiator?
A. 18 (yes)
B. 36
C. 30
D. 15
E. 21

Explanation: Omnidirectional antennas are always treated as point-to-multipoint (PtMP) connections. Regulatory bodies such as the FCC and others mandate that PtMP connections in the 2.4 GHz band (in which HR-DSSS/ERP-OFDM (802.11b/g) operates) may not exceed 36 dBm (4 Watts). Additionally, PtMP links must follow the '1:1 Rule', which mandates that the maximum 2.4 GHz PtMP power from the Intentional Radiator (an RF device specifically designed to generate and radiate RF signals, including all cabling and connectors except the antenna) is 1000 mW (1 Watt) if using an antenna capable of 6 dBi gain (1 Watt + 6 dBi = 4 Watts). For each 3 dBi the antenna gain is increased, IR power must be reduced by 3 dB (keeping the total dBm at or below the 36 dBm limit). An intentional radiator is defined by the FCC and other regulatory bodies as an RF device specifically designed to generate and radiate RF signals, and includes the RF device and all cabling and connectors up to, but not including, the antenna. If the maximum is 36 dBm and the system uses an 18 dBi antenna (+18 dBi), then 36 - 18 = 18 dBm of maximum EIRP.

55. What knowledge of radio frequency technology will assist you in troubleshooting or implementing an ERP-OFDM wireless network?
A. Using transmitting and receiving antennas with differing polarization creates antenna diversity, which compensates for problems with multipath.
B. Solid metal objects directly between a transmitter and receiver should be removed to avoid refraction of the RF signal.
C. Adding amplifiers or attenuators into a wireless LAN system allows an administrator to adjust the system's Voltage Standing Wave Ratio (VSWR).
D. Regulatory bodies such as the FCC, ETSI, IC, or ARIB regulate every part of an 'intentional radiator,' including the RF transmitter, all cabling and connectors connected to its output, and the gain of the antenna.
E. Per the IEEE 802.11 standard (as amended), two different vendor cards can receive the exact same RF signal but report a different RSSI (Received Signal Strength Indicator) value. (yes)
F. The gain of a real antenna relative to a half-wave dipole antenna is calculated using the dBd unit of measure. (yes)

Explanation: The IEEE 802.11 standard (as amended) requires only that a WLAN card report signal strength using a simple metric called Received Signal Strength Indicator (RSSI). Per section 14.2.3.2 of the IEEE 802.11 standard (as amended), RSSI is intended to be used in a relative manner; absolute accuracy of the RSSI reading is not specified. This vagueness has resulted in different implementations between vendors, creating inconsistent signal strength reporting.

dBd measures the gain of a real antenna relative to a half-wave dipole antenna. The reference antenna used for dBd measurement is a half-wave dipole with a gain of 2.14 dBi, so dBd can be converted to dBi by adding 2.14.

Wireless systems and their components, such as intentional radiators, must fall within the regulatory guidelines of the countries in which the wireless systems will be used. Regulatory bodies include the Federal Communications Commission (FCC) for the United States, the European Telecommunications Standards Institute (ETSI) for Europe, Industry Canada (IC) for Canada, and the Association of Radio Industries and Businesses (ARIB) for Japan. An intentional radiator is any device which is designed to produce radio waves on purpose. In a wireless system, an intentional radiator includes the RF device and all cabling and connectors up to, but not including, the antenna.

VSWR occurs when there is mismatched impedance (resistance to current flow) between devices in an RF system. VSWR causes a loss of forward energy through a system due to some of the power being reflected back toward the transmitter. This loss of forward energy caused by reflected power is known as return loss. Amplifiers and attenuators change the power of an RF signal, but do not change the impedance of any devices in the system.

Refraction describes the bending of a radio wave as it passes through a medium of different density.
An RF signal could not refract through a solid metal object, but instead would be reflected and/or absorbed. Radio waves exhibit the property of polarization, which is the plane of their electrical fields. Polarization is typically referred to as being horizontal or vertical, but the actual polarization can be at any angle. Circular polarization is also possible. Receiving a horizontally polarized signal with a vertically polarized antenna (or vice versa) will reduce the amount of signal received. Antenna diversity means using multiple antennas, inputs, and receivers within the same receiver in order to compensate for the conditions that cause multipath. 56 What role does LDAP play in a wireless security solution? A B C D E 57 Provides a login authentication service Provides AAA services similar to RADIUS Acts as a network access server Used to query a database by an 802.1X authentication server (yes) Provides layer 3 encryption by creating a VPN tunnel

You are a wireless network administrator for ABC Corporation. Currently ABC Corp has a VPN concentrator that uses a PPTP/MS-CHAPv2/MPPE-128 VPN security solution for its 100 WLAN users. Since the WLAN was installed, there have been multiple successful attacks against ABC Corp's access points, since they are using Open System authentication. ABC Corp wants to update their WLAN security solution. Which security solution would improve the security of ABC Corp's access points while increasing encryption strength and network scalability?
A L2TP/IPSec with AES-192
B WPA2-Enterprise with EAP-TTLS (yes)
C SSH2 with 3DES
D WEP with Shared Key authentication

58

When attempting to join a wireless network, what will a wireless client station do?
A Send out beacons looking for an access point with the same SSID
B Answer with a probe response if it shares the same SSID as an access point
C Authenticate the access point automatically when using Open System Authentication
D Fail authentication if configured with the wrong WEP key when using Shared Key Authentication (yes)

59

Which configurations are considered optional for Wi-Fi Protected Setup Certification?
A Near Field Communication (NFC) (yes)
B Personal Identification Number (PIN)
C Universal Serial Bus (USB) (yes)
D Push Button Configuration (PBC)
E Pre-shared Key (PSK)

Explanation: The Wi-Fi Protected Setup specification mandates that all Wi-Fi CERTIFIED products that support Wi-Fi Protected Setup are tested and certified to include both PIN and PBC configurations in APs, and at a minimum, PIN in client devices. A Registrar, which can be located in a variety of devices, including an AP or a client, issues the credentials necessary to enroll new clients on the network. In order to enable users to add devices from multiple locations, the specification also supports having multiple Registrars on a single network. Registrar capability is mandatory in an AP. The optional NFC and USB methods, like PBC, join devices to a network without requiring the manual entry of a PIN. In NFC configuration, Wi-Fi Protected Setup is activated simply by touching the new device to the AP or another device with Registrar capability. The USB method transfers credentials via a USB flash drive (UFD). Both provide strong protection against adding an unintended device to the network. However, Wi-Fi certification for USB and NFC is not currently available.

60
You have been tasked to secure your company's wireless network. Which protocols would be considered viable options?
A ICMP
B CCMP (yes)
C TKIP (yes)
D 802.11x
E SSH2 (yes)
F PPPoE

61

ABC Company has chosen VPN technology to secure their 802.11g WLAN because employees roam both around the company's building and externally at hot spots around the country. ABC Company's WLAN security policy requires an encryption algorithm stronger than RC4. The network manager is considering L2TP as a VPN solution and asks you, a WLAN security consultant, what types of encryption algorithms L2TP uses. What can you tell the network manager about L2TP?
A AES-256 encryption is supported on every VPN platform that supports L2TP.
B L2TP does not support encryption by itself, so it must be paired with a protocol that supports encryption in order to meet security policy requirements. (yes)
C L2TP itself is an encryption algorithm stronger than RC4. Additionally, a connectivity solution must be chosen to complement L2TP.
D L2TP can use RC5 encryption when used with 802.1X.

62

Several types of radio frequency information can be used when performing a manual site survey. What information does SNR provide?
A Viability of an RF signal (yes)
B Channel use and noise level
C Amount of co-channel interference
D Link speed of transmitted RF wave

63

What statements are true for 802.11 FHSS?
A FHSS is affected by narrowband RF interference to a lesser degree than DSSS (yes)
B FHSS uses all 100 MHz of the 2.4 GHz ISM band
C FHSS uses frequency diversity to retransmit lost frames on different frequencies (yes)
D FHSS is highly susceptible to interference from class 2 Bluetooth systems at a distance of up to 1 mile (1.6 km)
E OFDM technology, found in the IEEE ERP-OFDM standard, is based on 802.11 FHSS technology

64

What are characteristics of frequency ranges?
A Generally, higher bandwidth ranges travel farther through open space than lower bandwidth ranges
B The 2.4 GHz ISM range extends from 2.4000 GHz to 2.4725 GHz
C The 2.4 GHz ISM range extends from 2.4000 GHz to 2.5 GHz
D The difference between the upper and lower bounds of a frequency range is its Bandwidth (yes)
E A wireless device operating in the 2.4 GHz frequency range can not communicate wirelessly with a device that operates in the 5 GHz frequency range. (yes)

65

As a wireless security professional, you are tasked by a company to quickly attempt to bypass static WEP security on their 802.11a WLAN. WEP is configured as mandatory on all devices in the network. Which approaches do you take?
A Enable a wireless protocol analyzer and wait for it to gather a given amount of data traffic from multiple wireless LAN end users. You use AirCrack to look for weak IVs in the packet trace. (yes)
B Associate with an access point using Open System authentication and log in with the default username and password. You reconfigure the access point for a new WEP key.
C Record their SSID, phone number, address, and other data related to their organization and try to fit numbers and letters into patterns of 5, 10, 13, or 26 characters for use as a test WEP key (yes)
D Transmit a high volume of association frames to an access point to force it to fail into an Open System state. You use a WLAN client to associate and bypass WEP security.
E Configure Windows Zero Configuration (WZC) to have the key provided automatically to your client device. Enable a WLAN protocol analyzer to capture the WEP key.

66

As a wireless security professional, you are trying to hijack the Layer 2 and Layer 3 connectivity of your manager's wireless laptop in order to prove to the Chief Technology Officer at your company that such an attack can be easily performed. In addition to a WLAN PC card, what tools are necessary to complete this hijacking attack?
A Ping of Death software utility, narrowband RF jamming device, port scanner
B Software access point, narrowband RF jamming device, DHCP server software (yes)
C Hardware access point, WLAN protocol analyzer, ping sweep utility
D Wideband RF jamming device, MAC spoofing software, RADIUS software

Explanation: For Layer 2 hijacking, you need access point software running on a mobile computer (laptop or similar) operating on a different channel than the access point to which the target machine is associated. Once the authorized user's channel is jammed using the narrowband RF jamming device, the user's WLAN card will roam to your software access point. Once associated at Layer 2 to the software access point, the target machine will need to renew its IP address, which is why the DHCP software is needed on the same intruder laptop.

67
What are examples of pre-RSNA (robust secure network association) options for providing confidentiality and authentication services?
A WEP (yes)
B Shared Key authentication (yes)
C TKIP/RC4
D CCMP/AES
E 4-Way Handshake

68

What is an advantage of using IEEE 802.3-2005, Clause 33 Power over Ethernet (PoE) in an 802.11 WLAN environment?
A Reduced number of switched Ethernet ports and Category 5 cable runs necessary to support the WLAN
B Time and cost savings when positioning access points across an indoor enterprise environment. (yes)
C When used over multi-mode fiber, the solution can also be used as protection from a direct lightning strike.
D Allows data cables to transmit data over distances of up to 150 meters over Category 5 cabling.

69

What are common applications of 802.11 Ad Hoc mode?
A Testing alarm features of wireless intrusion detection systems
B WLAN bridging between two nearby buildings
C Internet access for small wireless workgroups (yes)
D Throughput testing of Infrastructure Basic Service Sets
E File sharing among personnel in a small office (yes)
F Wireless hotspots in conference rooms or hotel lobbies

70

What is the maximum amount of Watts a PD device can draw from a PSE if the PD does not provide a recognized classification signature?
A 0 Watts
B 15.4 Watts
C 5 Watts
D 12.95 Watts (yes)

Explanation: A Powered Device (PD) can draw only a maximum of 12.95 Watts. The difference between the Power Sourcing Equipment (PSE) maximum output and the PD maximum draw is due to power drops over the Ethernet cable. Per the IEEE 802.3-2005 Clause 33 standard, section 33.3.4 (PD classifications): A PD may be classified by the PSE based on the classification information provided by the PD. The intent of PD classification is to provide information about the maximum power required by the PD during operation. Class 0 is the default for PDs. However, to improve power management at the PSE, the PD may opt to provide a signature for Class 1 to 3. The PD is classified based on power. The classification of the PD is the maximum power that the PD will draw across all input voltages and operational modes. A PD shall return Class 0 to 3 in accordance with the maximum power draw as specified by Table 33-10.

Class   Usage         Range of maximum power used by the PD
0       Default       0.44 W to 12.95 W
1       Optional      0.44 W to 3.84 W
2       Optional      3.84 W to 6.49 W
3       Optional      6.49 W to 12.95 W
4       Not allowed   Reserved for future use

NOTE: Class 4 is defined but is reserved for future use. A Class 4 signature cannot be provided by a compliant PD.

71
Which statement is true regarding networks protected with port-based access control compliant with the 802.1X-2004 standard?
A The 802.1X standard addresses access control, authentication framework, and data privacy. Encryption is mandatory.
B The 802.1X standard addresses only access control and authentication framework, not data privacy (yes)
C The 802.1X standard addresses authentication framework and data privacy. Encryption is optional based on the EAP type used.
D The 802.1X standard addresses authentication framework, access control, and data privacy. EAP is optional. Encryption is mandatory.

72

What information is considered necessary to provide a professional site survey?
A RSSI (yes)
B Non-802.11 interference (yes)
C Security settings
D Noise floor (yes)
E Access point configuration

73

ABC Corporation has hired you to review their wireless network security design. Part of the design allows for clients to establish a secure wireless VPN connection with the corporate network from local Wi-Fi hotspots. ABC Corporation is considering L2TP as the tunneling protocol. Why will L2TP alone NOT fit this particular security configuration?
A L2TP does not natively implement encryption. Tunneled traffic is still susceptible to eavesdropping. (yes)
B L2TP will not work over 802.11 networks because of address translation requirements.
C L2TP builds a non-IP tunnel between source and destination. Non-IP tunnels cannot be routed over the Internet.
D L2TP implements native encryption using the RC4 stream cipher. RC4's strength is not adequate to secure traffic traversing the Internet.

74

Given: Recently, one of your user's wireless systems was compromised by a Man-in-the-Middle attack. What steps can you take that would be most effective in preventing this from happening again?
A Implement an intrusion prevention system (IPS) (yes)
B Provide end-user training on proper wireless security procedures (yes)
C Use only Robust Secure Network (RSN) wireless connections
D Disallow rogue access points in your wireless security policy
E Periodically perform a spectrum analysis against potential attackers
F Require all clients to use only mutual authentication (yes)

Explanation: Through the use of an 802.11 analyzer, a person can monitor 802.11 frames sent over the wireless LAN and easily fool the network through various 'man-in-the-middle' attacks. You can view the frames sent back and forth between a user's radio NIC and access point during the association process. As a result, you'll learn information about the radio card and access point, such as the IP address of both devices, the association ID for the radio NIC, and the SSID of the network. With this information, someone can set up a rogue access point (on a different radio channel) closer to a particular user to force the user's radio NIC to reassociate with the rogue access point. Because 802.11 doesn't provide access point authentication, the radio NIC will reassociate with the rogue access point. Once reassociation occurs, the rogue access point will capture traffic from unsuspecting users attempting to log in to their services. Of course this exposes sensitive user names and passwords to a hacker who has an interface with the rogue access point. Someone can also use man-in-the-middle techniques using a rogue radio NIC. After gleaning information about a particular wireless LAN by monitoring frame transmissions, a hacker can program a rogue radio NIC to mimic a valid one. This enables the hacker to deceive the access point by disassociating the valid radio NIC and reassociating again as a rogue radio NIC with the same parameters as the valid radio NIC. As a result, the hacker can use the rogue radio NIC to steal the session and continue with a particular network-based service, one that the valid user had logged into. Mutual authentication refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the other's identity. Requiring the access point to authenticate eliminates the threat of a man-in-the-middle attack. Educating users on the importance of properly using VPN connections, personal firewalls, etc. helps users protect themselves from numerous types of attacks, especially those that can be easily defeated by following proper security measures. IPS systems can easily identify man-in-the-middle attacks.

75

You have an access point capable of 'hiding' the network name to create a 'closed' system. What is the effect of configuring the access point with this feature?
A Attackers will not be able to find your wireless network
B Beacons are no longer transmitted
C Passive scanning can not be used to join a network (yes)
D Probe responses are encrypted on the access point
E The access point configuration is no longer fully IEEE 802.11 compliant (yes)

Explanation: 'Hiding' the wireless network or creating a 'closed' system are terms used for removing the SSID (network name) from the broadcast Beacon frame, which is a violation of the IEEE 802.11 standard but has been added to most wireless infrastructure devices. Passive scanning is the process of listening for beacons on each channel for a specific period of time, for the purpose of hearing a beacon containing the SSID of a network to which the client has been configured to associate. Hiding a wireless network eliminates the ability of passive scanning to identify wireless networks, increasing the difficulty of use for a wireless end user. Beacons continue to be transmitted after hiding a wireless network, and attackers will still be able to find the SSID of a hidden wireless network, because it still gets transmitted in probe requests and responses, and in association and reassociation requests.

76
In an HR-DSSS system, which channel pairs are considered non-overlapping?
A channel 7 and channel 11
B channel 5 and channel 10 (yes)
C channel 8 and channel 11
D channel 3 and channel 6
E channel 2 and channel 7 (yes)
F channel 2 and channel 4

77

ABC Company is reviewing an overlay Wireless Intrusion Protection System (WIPS) and has hired you as a consultant to help them understand the advantages and disadvantages of that solution. What are examples of how you could use this technology? (Choose 4)
A Real-time location tracking (yes)
B Defining and monitoring wireless network policies (yes)
C Real-time rate limiting of throughput on a per-user or per-role basis
D Rogue access point or client device detection and mitigation (yes)
E Support of fast/secure roaming between access points
F Security and performance report generation (yes)

78
After implementing a wireless network, XYZ Company decided to update their security policy to include a wireless acceptable use policy. What are two purposes of this type of policy?
A Help protect the company from the introduction of malicious software (yes)
B Reduce the likelihood of online dictionary or brute force attacks
C Eliminate the chance of a denial-of-service (DoS) attack
D Reduce the number of false-positives reported in a wireless audit
E Avoid default or misconfigured infrastructure devices
F Avoid unnecessary performance problems on the wireless medium (yes)

Explanation: An acceptable use policy (AUP) is a set of rules which restrict the ways in which the network may be used. Enforcement of AUPs varies with the network. AUPs are also used by schools, corporations, etc., delimiting what is and is not permitted in the use of the computers. The intent is to help protect the network from the introduction of malicious software, and to avoid unnecessary performance problems.

79
During the 802.11i authentication process, what is the first secret key derived between the supplicant and the authentication server?
A Pairwise Master Key
B Group Temporal Key
C Master Session Key (yes)
D Pairwise Transient Key
E Group Session Key

Explanation: The complete process of an 802.11i authentication consists of handshakes between the supplicant and the authenticator, between the authenticator and the authentication server, and between the supplicant and the authentication server. After these handshakes, the supplicant and the authentication server have authenticated each other and generate a common secret called the Master Session Key (MSK). The supplicant uses the MSK to derive a Pairwise Master Key (PMK).

80
Which statement indicates a key principle of RF propagation and communication?
A The range of RF transmissions increases as the frequency in use increases.
B Even if low RF signal strength is indicated, signal quality may be high enough for good communication (yes)
C Low signal quality, when coupled with high signal strength, always yields good communication.
D Solar flares may affect WLAN communication if the discharge is of sufficient amplitude
E Frequencies above 1 GHz are always considered non-LoS.

Explanation: Signal strength and signal quality do not always go hand-in-hand. A signal may have high amplitude (strength) and yet be very noisy (due to a bad transmitter) or may have an interfering signal in the area. You cannot accurately say that if a signal's strength is high, then the quality is also high. In fact, you can have a low-power signal that produces a high-quality link because both devices are close together with no interfering factors in the environment. The lower the frequency, the greater the range of that signal at the same amount of power. Solar flares affect communication between 3 - 30 MHz, but not WLAN frequencies. Line-of-Sight (LoS) and non-LoS transmitters vary greatly in frequency and are not all in a linear range starting at 1 GHz.

81
Given: ERP-OFDM wireless networks use Orthogonal Frequency Division Multiplexing to achieve data rates of up to 54 Mbps. What is true of OFDM technology? (Choose 2)
A Used to communicate with HR-DSSS devices when configured for 'mixed' mode
B Uses four 'pilot' channels for channel monitoring (yes)
C Sub-divides the 2.4 GHz channels into 52 discrete sub-carriers (yes)
D Sub-carriers are approximately 100 kHz wide
E Uses Complementary Code Keying for greater reliability

82

One year ago, ABC Company installed four access points and configured them for 802.1X/LEAP using the integrated RADIUS services in each access point. ABC has outgrown the four access points and the maximum size of the integrated RADIUS database. ABC wishes to grow their wireless solution without changing their authentication scheme. Which solution will work for ABC Company?
A Upgrade the existing access points to support TACACS+, which will allow for a larger integrated database size.
B Use an EAP-enabled external RADIUS server for user authentication. (yes)
C Upgrade all access points to WPA2-Personal, and give every user their own individual passphrase.
D Double the number of access points to 8 and add more usernames to the integrated RADIUS database on each access point.

Explanation: The most scalable security solution is a centralized EAP-enabled RADIUS server. TACACS+ does not inherently allow for a larger database than RADIUS, and TACACS+ is rarely EAP-enabled. WPA2-Personal is no more scalable than WEP, and is a less secure and less scalable solution than WPA2-Enterprise, which uses RADIUS. WPA2-Personal uses a single passphrase for all users to authenticate and is designed primarily for SOHO rather than an enterprise environment. Adding additional access points will not increase the maximum size of the integrated RADIUS server database.

83
What option best describes a Network Layer device designed to provide secure Internet or network connectivity to a small number of wireless client stations?
A Wireless Residential Gateway (yes)
B Wireless Bridge
C Access Point
D Wireless Mesh Router
E Enterprise Encryption Gateway

Explanation: Wireless Residential Gateways are devices that are used in SOHO (Small Office / Home Office) and SMB (Small/Medium Business) environments for wireless, wired, and Internet connectivity as well as any of the following features:
a. Firewalling
b. VPN endpoint or passthrough
c. NAT/NAPT
d. Virtual Servers / Port Redirection
e. PPPoE / DHCP / Static IP addressing
f. WPA/WPA2 Wireless Security

There are many other features that may be included in Wireless Residential Gateways. These units came into existence by adding an access point into a Residential Router/Gateway. The wireless features of these units continue to evolve as the WLAN market evolves. The EEG is a layer 2 (Data-Link) device; the wireless bridge is designed for point-to-point (PtP) or point-to-multipoint (PtMP) connectivity with other wireless bridges to connect multiple subnets, and does not provide connectivity to client stations. Access points and wireless mesh routers cannot, by themselves, provide Internet connectivity for any users - they require a router function.

84
What type of attack includes spoofing management frames from the access point that a client is connected to, and then de-authenticating or disassociating WLAN clients connected to that access point?
A Jamming
B Phishing
C DoS (yes)
D Bit-flipping
E Hijacking

85

As part of XYZ Company's security policy, protocols that submit information in cleartext are not allowed. Which authentication protocol should be excluded from use on XYZ Company's network?
A PAP (yes)
B MSCHAP v1 and PAP
C WEP and PAP
D Shared Key authentication
E PPTP and MSCHAP v1

Explanation: Password Authentication Protocol (PAP) is a legacy authentication protocol that transmits a username and password over a network to be compared to a table of name-password pairs. The main weakness of PAP is that both the username and password are transmitted in clear text (unencrypted), which can be captured by a protocol analyzer.

86
ABC Corporation implemented a PPTP/MS-CHAPv2/MPPE-128 VPN to secure its 802.11g WLAN one year ago. ABC Corp's VPN concentrator has been using local authentication, and they have steadily grown to match the VPN server's maximum local authentication capacity. As a consultant, you advise the network manager to consider what steps in order to scale this WLAN security solution and to strengthen its security? (Choose 2)
A ABC Corp's users should implement personal firewall software to prevent peer-to-peer attacks. (yes)
B Implement WPA2-Personal at layer 2 while leaving the PPTP VPN in place to increase scalability.
C PPTP/RC4 should be changed to PPTP/AES to strengthen the VPN's encryption.
D Once the VPN server's local database capacity is exceeded, ABC Corp should migrate to IPSec VPN technology for greater scalability.
E ABC Corp should use RADIUS for authentication instead of local authentication on the VPN server. (yes)

Explanation: Most networks are attacked from inside the organization. Implementing personal firewall software will prevent, or at least notify the user when, attacks or requests are being made on their computer. The user will normally be able to accept or deny those actions accordingly. Personal firewalls are also included in Host Intrusion Prevention Systems (HIPS). Enterprise-capable RADIUS servers scale to large user deployments, whereas local authentication solutions will not. Local authentication solutions also utilize the same processor that the other shared application is using, thus making both operate slower when lots of traffic or authentications occur. This will reduce user throughput at a time when it is needed most. Also, RADIUS servers offer the ability to integrate into other centralized user databases like LDAP or Microsoft's Active Directory.

87
Which statements are true regarding deployment of lightweight access points? (Choose 4)
A Lightweight access points support 802.3af and may connect directly to the WLAN controller or to an Ethernet switch.
B Lightweight access points may connect to the WLAN controller with either a Layer-2 or a Layer-3 protocol.
C Lightweight access points may be controlled over either Layer-2 or Layer-3.
D Lightweight access points may use DNS to locate their assigned WLAN controller.
E Lightweight access points cannot be deployed over the Internet due to Network Address Translation.
F Lightweight access points may be configured for 802.11a or 802.11g, but not both simultaneously.

88

You work as a consultant for an IT professional services firm. One of your clients is a construction company that builds high rise office developments in your metropolitan area. Each construction site:
a) is several miles from the downtown corporate data center
b) has an on-site temporary office area equipped with phone lines
c) has no line-of-sight back to the corporate data center building
Since the internal data and power cabling is not installed in the building under construction until the last stage of construction, providing wired Internet access to on-site engineers for the purpose of accessing the corporate Intranet via VPN has always been impossible until the last stages of the construction project. You have been asked to design a secure, short-term, low-cost, high-speed wireless solution that will give on-site engineers Internet access. What solution do you choose?
A Purchase an individual HR-DSSS WISP account for each engineer and issue them client adapters.
B Rent temporary wireless access from a tenant of a building adjacent to the construction site.
C Implement xDSL and an HR-DSSS access point with a sector antenna at each temporary office. (yes)
D Install HR-DSSS mesh routers on the top of each building under construction and the corporate data center.
E Install a T1 in the temporary office and HR-DSSS mesh routers throughout the construction site.

Explanation: The best implementation in this scenario is to implement a low-cost, high-speed, quickly-implemented Internet link such as ADSL. The ADSL Internet link will provide a means to access the corporate network securely via VPN. Buildings can be quite large, and using a sector antenna with an HR-DSSS (802.11b) access point provides a wide coverage area with a single antenna. The sector antenna would be mounted on the temporary offices and pointed at the building under construction.

89
ABC Corporation has hired you to review their wireless network security design. Part of the design allows for clients to establish a secure wireless VPN connection with the corporate network from local Wi-Fi hotspots. ABC Corporation is considering L2TP as the tunneling protocol. Why will L2TP alone NOT fit this particular security configuration?
A L2TP does not natively implement encryption. Tunneled traffic is still susceptible to eavesdropping. (yes)
B L2TP will not work over 802.11 networks because of address translation requirements.
C L2TP builds a non-IP tunnel between source and destination. Non-IP tunnels cannot be routed over the Internet.
D L2TP implements native encryption using the RC4 stream cipher. RC4's strength is not adequate to secure traffic traversing the Internet.

Explanation: L2TP needs IPSec to protect the tunnel, as stated in the standard (section 9.2, Packet Level Security): "Securing L2TP requires that the underlying transport make available encryption, integrity, and authentication services for all L2TP traffic." 802.11 at layer 2 has nothing to do with address translation at layer 3. L2TP uses IP and does not support encryption by itself.

90
What is the most significant security risk of not changing the configuration of an access point from its default settings?
A Information on vendor default settings is easily obtained, making it simpler for an attacker to know how to compromise the device (yes)
B Changing the default settings can prevent an attacker from discovering the access point, making the device secure
C Access points are commonly shipped from the factory with security holes that allow an attacker to easily connect to and compromise the device
D To make them easier to configure, all access points ship without any security enabled by default, leaving them wide-open for attackers to compromise

91

You are designing a wireless system for the ABC Company. Which of the following modulation and encoding characteristics should you consider?

A Using DQPSK will give you twice the data rate at the same signaling rate compared to DBPSK. (yes)
B Encoding refers to how an RF signal is manipulated to represent data, while modulation refers to how changes in an RF signal are translated into ones and zeros.
C PSK and CCK are types of modulation used in the HR-DSSS standard.
D CCK is used to achieve data rates of 1, 2, 5.5 and 11 Mbps.

Explanation: Modulation refers to how an RF signal is manipulated to represent data, while encoding refers to how changes in an RF signal are translated into ones and zeros. Differential Binary Phase Shift Keying (DBPSK) and Differential Quaternary Phase Shift Keying (DQPSK) represent information by manipulating the phase of an RF signal. DBPSK is used in 1 Mbps transmissions, while DQPSK has twice the data rate of DBPSK at the same signaling rate and so is used for 2 Mbps transmissions. CCK is an encoding technique used to achieve data rates of 5.5 and 11 Mbps, while Barker coding is used for data rates of 1 and 2 Mbps.

92

Before a client station can participate in a wireless LAN using a security solution based on the WPA2-Enterprise framework, what must occur? choose two

A The client station must be Open System authenticated and associated. (yes)
B The client station must be issued an IP address by a DHCP server.
C The client station must negotiate an authentication protocol to use with the Access Point.
D The client station must be associated and EAP authenticated. (yes)
E The client station must configure and enable its IPSec policy.
F The client station must derive the PMK from the PSK.

Explanation: WPA2-Enterprise is synonymous with use of 802.1X/EAP with AES-CCMP and 802.11i compliance. The Wi-Fi Alliance released a white paper in March 2005 detailing WPA and WPA2 terminology, differences, and operational procedures: http://www.wi-fi.org/membersonly/getfile.asp?f=WFA_02_27_05_WPA_WPA2_White_Paper.pdf

Per section 5.9 of the 802.11i-2004 amendment (see attached figure), a client station using 802.1X/EAP must first Open System authenticate and associate. Following Open System authentication, the 802.1X port-based access control mechanism can be used to facilitate EAP authentication over the uncontrolled port (see attached figure). Following successful EAP authentication, a 4-Way Handshake must take place between the supplicant (client) and the authenticator (AP) to derive and exchange encryption keys before the 802.1X controlled port is unblocked and secured data traffic can be transmitted over the RF medium. The 4-Way Handshake was not listed in the answer options, but it is useful information.

Encryption algorithms are not negotiated. The client devices support whatever they support, and the APs support whatever they support. The AP announces the supported authentication/encryption information in Beacons in a Robust Security Network (RSN). IPSec is a Layer 3 VPN solution and is unrelated to WPA2-Enterprise. WPA2-Enterprise uses 802.1X/EAP, not passphrases and Preshared Keys. When using WPA-Personal or WPA2-Personal, the passphrase is mapped to a Preshared Key, which is then considered to be the Pairwise Master Key (PMK). IP addresses are always issued to 802.11i-compliant WLAN client devices AFTER the device has 1) Open System authenticated and associated, 2) EAP authenticated and associated, and 3) successfully completed the 4-Way Handshake.

93

'An entity at one end of a point-to-point LAN segment that seeks to be authenticated by an Authenticator attached to the other end of that link' describes what role in the 802.1X-2004 standard?

A Authentication Server
B EAPoL Peer
C Ethernet Switch
D Supplicant PAE (yes)
E Port Access Control PDU

Explanation: The 802.1X-2004 standard calls for three specific network roles: the supplicant (client) port access entity (PAE), the authenticator (switch or access point) PAE, and the authentication server (RADIUS or other).

94

ABC Company has recently installed an ERP-OFDM wireless LAN and is in the process of performing a baseline throughput analysis. The network administrator thinks that the ERP-OFDM network's performance is much closer to expected HR-DSSS values and wishes to discover what is causing the performance degradation. What troubleshooting tools could the network administrator use for this task? choose 3

A An 802.11 frame generator application
B Distributed spectrum analysis system (yes)
C Wireless Intrusion Prevention System (WIPS) (yes)
D Laptop protocol analyzer (yes)
E A PC Card manufacturer's client utilities

Explanation: An RF spectrum analyzer (whether handheld, laptop-based, or distributed) would help you locate narrowband or wideband RF interference which could be causing 802.11 frame retransmission. Retransmissions cause severe throughput degradation. WIPS and laptop protocol analyzers are both capable of finding security and performance problems such as:
1. Rogue access points that are interfering with authorized systems
2. Use of protection mechanisms in a BSS due to HR-DSSS (802.11b) systems present in/around an ERP-OFDM (802.11g) system
The difference between laptop protocol analyzers and WIPS is where their WLAN radios are located. WIPS use distributed sensors around the premises, but laptop protocol analyzers use a single, integrated PCMCIA or MiniPCI radio card.

95

Wireless Intrusion Prevention Systems (WIPS) started as Wireless Intrusion Detection Systems (WIDS). WIPS can both detect and prevent some network attacks, whereas WIDS can only detect and report network intrusions. Which wireless network attacks can WIPS prevent?

A Narrowband RF jamming of a spread spectrum channel
B EAP-Start flooding against an access point
C Association of authorized clients to rogue access points (yes)
D Deauthentication attacks against access points by intruders

Explanation: The physical layer for WLANs is the 'air' and, as such, is a shared medium. Some types of attack, particularly wireless denial of service attacks, take advantage of the difficulty in securing Layer 1 in WLANs. Further, some attacks may take only one frame to cause a disruption, which means that by the time the 'bad' frame is detected, it is already too late to stop. Some of the strengths and weaknesses of WIPS include:
1. Narrowband RF jamming cannot be directly mitigated by a WIPS, since the physical medium is being flooded with what amounts to noise. The WIPS can be used to help identify and triangulate the location of the source device so that another control (i.e. a security guard) can address the RF jammer.
2. EAP-Start flooding can be detected, but again, not directly prevented by a WIPS. Since this attack is intended to waste AP resources by beginning a large number of wireless 'conversations', there is no connection or association for the WIPS to block. This attack is somewhat analogous to the old SYN-Flood attacks that were intended to create a large number of embryonic connections on servers and thus use up available resources.
3. Deauthentication attacks pose a similar problem to WIPS as the EAP-Start flooding mode. These attacks use a short, fire-and-forget method to cause problems in the WLAN. The WIPS can identify the attacker, and then other means can be used to take it down.
4. Since association takes a number of exchanges and has the intent of establishing connectivity with the rogue AP, the WIPS can step into the middle of the exchange and shut it down. By monitoring the RF environment for new APs (and new beacons), the WIPS can remain aware of changes and new potential sources of attack. Once an AP has been designated as hostile, clients can be effectively blocked from successfully associating until the rogue device can be tracked down and removed.

96

ABC Company has implemented WPA2-Enterprise with PEAP on their WLAN. They use POP3/SSL for email retrieval. At what OSI layers is encryption applied using these security protocols?

A Layer-1
B Layer-2 (yes)
C Layer-3
D Layer-4
E Layer-7 (yes)

Explanation: All EAP types are Layer 2 protocols. POP3 is an email retrieval protocol at Layer 7. Other examples of secure application (Layer 7) protocols include FTP/SSL, FTP/SSH, SNMP/SSL, HTTPS, and SNMPv3.

97

What must occur before a client can send and receive data on a wireless network?

A Know the SSID used by the access point
B Complete the 2-way association handshake (yes)
C Must disassociate with a previous access point
D Authenticate after establishing association
E Must use a MAC address included in the access point's MAC filter

98

The IEEE 802.11 standard (as amended) describes Ad Hoc wireless LANs as having what characteristics?

A Support for client polling
B Support for RADIUS authentication services
C Support for time-bounded services
D Support for seamless roaming of clients between networks
E Shared Key authentication services (yes)

99

Given: ABC Corporation is designing a security solution for their new wireless network. Some client device applications use Layer 3 protocols other than IP. A consultant has recommended VPN technology as part of the wireless solution, but ABC does not know which VPN protocol should be used. What VPN protocol is appropriate?

A EAP-TTLS
B Kerberos
C PPTP (yes)
D SSH2
E WPA

Explanation: PPTP is a new networking protocol that supports multiprotocol virtual private networks (VPNs), enabling remote users to access corporate networks securely across the Internet by dialing into an Internet Service Provider (ISP) or by connecting directly to the Internet. PPTP offers the following advantages:
* Lower Transmission Costs: PPTP uses the Internet as a connection instead of a long-distance telephone number or 800 service. This can greatly reduce transmission costs.
* Lower Hardware Costs: PPTP enables modems and ISDN cards to be separated from the RAS server. Instead, they can be located at a modem pool or at a communications server (resulting in less hardware for an administrator to purchase and manage).
* Lower Administrative Overhead: With PPTP, network administrators centrally manage and secure their remote access networks at the RAS server. They need to manage only user accounts instead of supporting complex hardware configurations.
* Enhanced Security: Above all, the PPTP connection over the Internet is encrypted and secure, and it works with any protocol (including IP, IPX, and NetBEUI).
PPTP provides a way to route PPP packets over an IP network. Since PPTP allows multiprotocol encapsulation, you can send any type of packet over the network. For example, you can send IPX packets over the Internet. PPTP treats your existing corporate network as a PSTN, ISDN, or X.25 network. This virtual WAN is supported through public carriers, such as the Internet. None of the other options are VPN protocols.

100

Which of these wireless LAN devices can cause the amplitude of the RF signal to increase beyond what was emitted by the transmitter?

A RF amplifier (yes)
B RF sectorized antenna array (yes)
C RF power splitter
D RF power meter
E RF attenuator

Explanation: An antenna can introduce passive gain (focusing of the RF signal), which can increase the amplitude of the RF signal (as perceived by a receiving antenna directly in front of the transmitting antenna) beyond what was emitted by the transmitter. For example, a wireless bridge may emit a 100 mW signal into a 9 dBi gain antenna. The EIRP at the antenna element would be 800 mW (more than was emitted by the wireless bridge). An RF amplifier boosts the RF signal while it is still in the wired medium. RF amplifiers are active gain devices, meaning that their amplification circuits require a power source to operate. Once the amplification circuits are enabled, the RF signal passing through the amplifier increases. Taking the previous example, the wireless bridge emits a 100 mW signal into an RF amplifier. The RF amplifier then boosts the signal to 400 mW (+6 dB gain). The 400 mW signal is then fed into the antenna input.

101

What information is considered necessary to provide a professional site survey?

A RSSI (yes)
B Non-802.11 interference (yes)
C Security settings
D Noise floor (yes)
E Access point configuration

Explanation: RF site surveys are the single most important part of a successful wireless implementation. If a thorough site survey is not performed, the wireless LAN might never work properly, and the site could spend significant amounts of money on hardware that doesn't perform the intended tasks. Site surveys answer how many access points should be used and where they should be placed. To properly answer those two questions, a professional site survey should identify RSSI values and both wireless and non-wireless interference sources. RSSI values vary by vendor and may include signal strength, bit error rate (BER), signal-to-noise ratio (SNR), and load balancing requirements.

102

In a wireless environment experiencing the effects of multipath, what is the result of using a technology with a longer guard interval?

A Robustness of the system improves. (yes)
B The system is capable of greater capacity.
C Symbol transmission time is increased.
D Signal-to-noise ratio is reduced.

Explanation: Wireless systems must address issues with self-interference known as intersymbol interference (ISI) and fading due to multipath. Preventing multipath errors is achieved by transmitting a short block of data (a symbol) and then waiting until the additional multipath signals fade before sending another symbol. This waiting time is known as the guard interval. When multipath is present, a longer guard interval leads to a more robust system. However, during the guard interval the system cannot use the available spectrum, lowering the effective channel capacity. Therefore, the guard interval should be minimized.

103

802.1X/EAP-TLS supports what client authentication credential type?

A Passwords
B x.509 Certificates (yes)
C Digital Security Token
D MD5 Hash Exchange
E Biometric

Explanation: EAP-TLS supports only digital certificates on the server and client. EAP-TLS is most often used for WLAN security when a Public Key Infrastructure (PKI) is already in place, due to the certificate requirements. Certificates can be expensive and burdensome to implement, but provide extremely strong authentication when compared to passwords.

104

The distance an RF signal will be propagated depends in part on what factors? choose 3

A Output power of the Intentional Radiator (yes)
B Spread Spectrum technology in use
C Transmission frequency (yes)
D Receiving antenna size and gain
E The medium through which the propagated RF signal travels (yes)
F The sensitivity of the receiving radio

Explanation: Output power of the Intentional Radiator, the transmission frequency, and the transmission medium all affect the distance an RF signal will travel. While the size and gain of the receiving antenna and the sensitivity of the receiving radio will both affect the distance at which an RF signal can be heard, they will not affect the distance the RF signal will travel. OFDM, FHSS, DSSS, HR-DSSS, and ERP-OFDM modulations do not affect the distance an RF signal will travel. Given the same output power at the intentional radiator, antenna gain, and transmission medium, all modulated signals would travel the same distance.

105

Given: You have configured two WLANs and mapped them to separate VLANs. What device can be used to allow the two WLANs to connect?

A Router (yes)
B Layer 3 switch (yes)
C Layer 2 switch
D Bridge
E VPN Concentrator

106

What types of transmissions are protected using a group key hierarchy in an RSN network? choose 2

A Broadcast (yes)
B Multicast (yes)
C Unicast
D Ad-hoc
E Plaintext

Explanation: A robust secure network (RSN) has two different key hierarchies used to protect traffic. The pairwise key hierarchy is used to protect unicast traffic, while broadcast and multicast traffic is protected by the group key hierarchy.

107

As a wireless security professional, you are tasked by a company to quickly attempt to bypass static WEP security on their 802.11a WLAN. WEP is configured as mandatory on all devices in the network. Which approaches do you take? choose 2

A Enable a wireless protocol analyzer and wait for it to gather a given amount of data traffic from multiple wireless LAN end users. You use AirCrack to look for weak IVs in the packet trace. (yes)
B Associate with an access point using Open System authentication and log in with the default username and password. You reconfigure the access point for a new WEP key.
C Record their SSID, phone number, address, and other data related to their organization and try to fit numbers and letters into patterns of 5, 10, 13, or 26 characters for use as a test WEP key (yes)
D Transmit a high volume of association frames to an access point to force it to fail into an Open System state. You use a WLAN client to associate and bypass WEP security.
E Configure Windows Zero Configuration (WZC) to have the key provided automatically to your client device. Enable a WLAN protocol analyzer to capture the WEP key.

Explanation: Tools are now available to crack static WEP keys in mere minutes. While guessing a company's WEP key is rarely possible, it is still possible if extremely weak WEP keys are used. Additionally, there are tools such as AirCrack now available to break WEP security in a very short period of time. Higher data rates (802.11a/g = 54 Mbps) and higher throughput for the average user mean more traffic can be captured faster. Cracking tools such as AirCrack require a large amount of captured data to work effectively, but gathering large amounts on fast, heavily laden networks has become reasonable.

108

Given: A functional security policy describes technology-related procedures that must be followed to maintain a secure network. Which elements belong in a functional security policy? choose 3

A Password policies (yes)
B Training requirements (yes)
C Risk assessment
D Asset management (yes)
E Impact analysis
F Violation Reporting Procedures

Explanation: A functional security policy describes technology-related procedures that must be followed to keep the network secure, and provides specific methods of mitigating threats described in the general security policy. A functional policy should contain password policies, training requirements, acceptable usage, security configuration for devices, and asset management. Risk assessment, impact analysis, and violation reporting procedures and enforcement belong in the general security policy.

109

The 802.11i-2004 amendment specifies which two authentication mechanisms?

A MAC filters
B VPN services
C Kerberos services
D Preshared key (yes)
E 802.1X port-based access control (yes)
F Authenticated DHCP

Explanation: The 802.11i amendment specifies use of 802.1X/EAP and Preshared keys. 802.1X is a port-based access control mechanism specified by the 802.1X-2004 standard. It is used, along with EAP, to provide flexible and secure WLAN authentication. There are many types of EAP, and the 802.11i amendment only specifies a generic 802.1X/EAP framework by which to authenticate clients. Each EAP type has its own RFC. When 802.1X/EAP is used, the RFC for the EAP type in use specifies how the AAA key will be exported. The AAA key is used to make the Pairwise Master Key (PMK), which is then used, during the 4-Way Handshake, to derive the Pairwise Transient Key (PTK). With Preshared keys, a passphrase is entered into the authenticator and supplicant. Both the authenticator and the supplicant perform a passphrase-to-preshared key (PSK) mapping algorithm. The PSK is equal to the PMK, and the PTK is derived during a 4-Way Handshake the same way with Preshared key authentication as it is with 802.1X/EAP.

110

What are mechanisms defined by the IEEE 802.11-1999 (R2003) standard for providing access control and privacy on a wireless LAN?

A RADIUS authentication services
B Wired Equivalent Privacy (WEP) (yes)
C Temporal Key Integrity Protocol (TKIP)
D Shared Key authentication (yes)
E 802.1X/EAP authentication
F IPSec Virtual Private Networking (VPN)

Explanation: The 802.11-1999 (R2003) standard defines Shared Key Authentication and Wired Equivalent Privacy (WEP) as methods of providing access control and privacy per sections 8.1.2 and 8.2.1, as shown below:

8.1.2 Shared Key authentication
Shared Key authentication supports authentication of STAs as either a member of those who know a shared secret key or a member of those who do not. IEEE 802.11 Shared Key authentication accomplishes this without the need to transmit the secret key in the clear; however, it does require the use of the WEP privacy mechanism. Therefore, this authentication scheme is only available if the WEP option is implemented. Additionally, the Shared Key authentication algorithm shall be implemented as one of the dot11AuthenticationAlgorithms at any STA where WEP is implemented. The required secret, shared key is presumed to have been delivered to participating STAs via a secure channel that is independent of IEEE 802.11.

8.2 The Wired Equivalent Privacy (WEP) algorithm
8.2.1 Introduction
Eavesdropping is a familiar problem to users of other types of wireless technology. IEEE 802.11 specifies a wired LAN equivalent data confidentiality algorithm. Wired equivalent privacy is defined as protecting authorized users of a wireless LAN from casual eavesdropping. This service is intended to provide functionality for the wireless LAN equivalent to that provided by the physical security attributes inherent to a wired medium. Data confidentiality depends on an external key management service to distribute data enciphering/deciphering keys. The IEEE 802.11 standards committee specifically recommends against running an IEEE 802.11 LAN with privacy but without authentication. While this combination is possible, it leaves the system open to significant security threats.

111

ABC Company is looking to implement a new enterprise WLAN and is deciding upon either a single- or multi-channel architecture solution. They have hired you as a consultant to help educate them on the advantages and weaknesses of each solution. What information can you provide them to help make their decision? choose 3

A Roaming is improved with single-channel architecture because the client does not have to make any roaming decisions. (yes)
B Because single-channel architecture effectively eliminates the need for channel planning, wireless site surveys are no longer necessary.
C Multi-channel architecture solutions take more planning to avoid channel overlap compared to single-channel architecture solutions.
D All access points in a single-channel architecture use the same BSSID (MAC address), helping to prevent a client from distinguishing one access point from another. (yes)
E Within the same physical space, multi-channel architecture systems can provide greater throughput capacity than single-channel architecture systems. (yes)

Explanation: Multi-channel architecture networks deploy access points using a different RF channel or frequency for each transmitter. To provide areas of continuous coverage, access points are placed at intervals, with each providing coverage in its area, or cell, on a given RF channel. The use of different RF channels prevents co-channel interference in areas where cells overlap. This overlapping condition is avoided in the adaptive model by moving access points on the same channel physically as far apart as possible. Wireless network designers use transmit power to influence the size of each cell, and as much as possible identify the best RF channel reuse pattern across the network to avoid areas where same-channel cells overlap. In the multi-channel architecture model, client stations choose to associate to a particular access point by selecting the appropriate RF channel and tuning out other access points transmitting on other RF channels. Roaming is accomplished by the client switching its radio to work on the new access point's RF channel. The handoff between access points is initiated by the client. The client must decide it is time to hand over, then select the target access point and switch to the new RF channel, and then re-authenticate at that access point. Each of these phases of handover is difficult to accomplish quickly, accurately and consistently.

Single-channel architecture networks use access points that are all tuned to the same RF channel or frequency. The simplest view of this model shows a number of access points with overlapping coverage forming a continuous region. Most implementations use access points that also share the same SSID and MAC address, and are designed so that the clients cannot distinguish between the access points providing coverage. Instead, the network decides which access point should transmit and receive data for a particular client. In other words, the client is not involved in any handoff decision. As clients move through a building, the network directs traffic to them via the nearest access point with available capacity. A WLAN controller is necessary to centrally manage the handoff decisions. Because all access points are set to a common RF channel, the only decision to be made is to choose the best channel for the entire network.

Co-channel interference is a phenomenon where transmissions from one cell spread to a nearby cell on the same RF channel, causing errors or dropped transmissions due to interference when they coincide with transmissions to or from devices in that cell. To mitigate co-channel interference, spatial separation is effective because the greater the distance between the devices causing and suffering interference, the lower the level of the unwanted received signal. Eventually the interfering signal is reduced to such a low level that it is no longer powerful enough to disrupt the wanted transmissions. Because all access points share the same channel, single-channel architecture cannot use spatial separation, and must attempt to solve co-channel interference using stronger proprietary temporal coordination mechanisms outside of the 802.11 standards. Detailed access point placement based upon a highly accurate site survey must be used to minimize the effects of co-channel interference from channel overlap. By co-locating multiple access points in the same physical area using non-overlapping channels, multi-channel architecture systems can provide greater overall throughput than a single-channel architecture system. For more information, read the whitepaper 'WLAN RF Architecture Primer: Single-Channel and Adaptive Multi-Channel Models' by Peter Thornycroft.

112

You are the administrator for XYZ Hospital, and you are preparing for a manual indoor site survey of your 5-floor facility. You are gathering necessary hardware, software, and other tools for the survey. Which items might assist you in performing this survey? choose 3

A An adjustable ladder (yes)
B Facility blueprint (yes)
C An inclinometer
D Lightning arrestor
E GPS device
F Wireless LAN client utilities (yes)

Explanation: Ladders are often used to temporarily mount access points and antennas in a variety of facilities. Facility blueprints or floor plans are used to locate wiring closets, hallways, stairwells, elevators, and other RF obstacles. Blueprints may also be used to estimate and document the location of access points and antennas. Wireless LAN client utilities may be used in performing a manual indoor site survey. WLAN client utilities may show RSSI, SNR, signal strength, and noise level information that is important to document for the site survey report.

113

What is the difference between an active and passive site survey? choose 2

A Passive site surveys create virtual models to predict RF behavior
B Passive site surveys manually capture information for RF transmissions in the coverage area (yes)
C Active site surveys manually capture information for all RF transmissions at the client
D Active site surveys associate to a single access point to capture detailed connectivity information (yes)
E Active site surveys are based on actual radio signal tests performed at the client site

Explanation: Two types of manual site surveys are passive and active site surveys. In a passive site survey, samples of RF traffic in different sections of an area are captured and compared, typically identifying RSSI and SNR values. Active site surveys include associating to a single access point for detailed connectivity testing, and are the best representative of the true quality of a connection in that location. Both require manually walking the site, sampling actual signal strength, etc. using some sort of assessment utility, and both are based on actual radio signal tests performed at the WLAN client location.

114

As part of its corporate security policy, your organization requires all wireless LANs to be separated from the wired network core using a device capable of authentication, data encryption, and throughput limiting. Which device will accomplish this policy requirement?

A Wireless workgroup bridge
B Transparent tunneling bridge
C Wireless LAN controller (yes)
D Personal firewall software

Explanation: A Wireless LAN controller is the only segmentation device in the listed answers that is capable of performing all three functions. Examples of such devices are EWGs and WLAN switches. A Wireless workgroup bridge is incorrect because a workgroup bridge is a device that allows you to connect multiple wired devices through, essentially, a shared radio. A Transparent tunneling bridge does not exist. Personal firewall software is incorrect because it only filters packets and does not provide for authentication, data encryption, or throughput limiting. 115 What statements are true for 802.11 FHSS? choose 2 A B C D E FHSS is affected by narrowband RF interference to a lesser degree than DSSS (yes) FHSS uses all 100 MHz of the 2.4 GHz ISM band FHSS uses frequency diversity to retransmit lost frames on different frequencies (yes) FHSS is highly susceptible to interference from class 2 Bluetooth systems at a distance of up to 1 mile (1.6 km) OFDM technology, found in the IEEE ERP-OFDM standard, is based on 802.11 FHSS technology

Explanation: Frequency Hopping Spread Spectrum (FHSS) systems use frequency diversity (changing frequencies). When transmitted frames are not acknowledged when sent on one frequency, the transmitting system continues retransmitting until it is time to hop to the next frequency in its pseudorandom hop sequence. It then begins retransmission of the previous data frames on the new frequency. Frequency diversity is very effective at coping with narrowband RF interference. Since 802.11 FHSS systems must use a minimum of 75 center frequencies (1 MHz wide each) in a hop sequence, RF interference on any center frequency will pose a problem for only 1/75th of the system's entire bandwidth. DSSS systems use a single center frequency with a bandwidth of 22 MHz. Any 1 MHz-wide RF interfering signal will pose a problem for 1/22nd of the system's entire bandwidth. This one facet of FHSS/DSSS comparison shows that 802.11 FHSS systems are more than three times better at dealing with narrowband RF interference than 802.11 DSSS systems. 116 What are characteristics of frequency ranges? choose 2 A B C D E communicate (yes) Generally, higher bandwidth ranges travel farther through open space than lower bandwidth ranges The 2.4GHz ISM range extends from 2.4000 GHz to 2.4725 GHz The 2.4 GHz ISM range extends from 2.4000 GHz to 2.5 GHz The difference between the upper and lower bounds of a frequency range is its Bandwidth (yes) A wireless device operating in the 2.4 GHz frequency range can not wirelessly with a device that operates in the 5 GHz frequency range.

Explanation: The bandwidth of a frequency range is the difference between its upper and lower bounds. Two stations that want to talk to each other must transmit and receive on the same frequency; therefore a device operating in the 2.4 GHz range cannot communicate with a device operating in the 5 GHz range. The FCC specifies that the 2.4 GHz ISM band runs from 2.4000 GHz to 2.4835 GHz. Lower frequencies have longer wavelengths, which travel farther: OFDM (802.11a), which operates in the 5 GHz U-NII bands, does not travel as far as HR-DSSS (802.11b) or ERP-OFDM (802.11g), which both operate in the 2.4 GHz ISM band.

117. Within RSNA security associations, how many STAKey security associations can exist at a time between a device and a given peer?
A. One (yes)
B. Two
C. Three
D. Unlimited

Explanation: A STAKeySA is the result of a STAKey handshake, and only one can exist at a time between the device and a given peer.

118. Given: ABC Corporation is designing a security solution for its new wireless network. Some client device applications use Layer 3 protocols other than IP. A consultant has recommended VPN technology as part of the wireless solution, but ABC does not know which VPN protocol should be used. What VPN protocol is appropriate?
A. EAP-TTLS
B. Kerberos
C. PPTP (yes)
D. SSH2
E. WPA

Explanation: PPTP (Point-to-Point Tunneling Protocol) is a tunneling protocol that supports multiprotocol virtual private networks (VPNs), enabling remote users to reach corporate networks across the Internet by dialing into an Internet Service Provider (ISP) or by connecting directly to the Internet. PPTP offers the following advantages:
* Lower transmission costs: PPTP uses the Internet as the connection instead of a long-distance telephone number or 800 service, which can greatly reduce transmission costs.
* Lower hardware costs: PPTP allows modems and ISDN cards to be separated from the RAS server and located at a modem pool or a communications server, resulting in less hardware for an administrator to purchase and manage.
* Lower administrative overhead: with PPTP, network administrators centrally manage and secure their remote access networks at the RAS server and need to manage only user accounts instead of complex hardware configurations.
* Enhanced security: the PPTP connection over the Internet is encrypted, and it works with any protocol (including IP, IPX and NetBEUI).
PPTP provides a way to route PPP packets over an IP network. Since PPTP allows multiprotocol encapsulation, you can send any type of packet over the network; for example, IPX packets over the Internet. PPTP treats your existing corporate network as a PSTN, ISDN or X.25 network; this virtual WAN is supported through public carriers such as the Internet.
Caveat: PPTP is the correct answer here only because the question requires a VPN that carries non-IP protocols. Its usual MS-CHAPv2 authentication and RC4-based MPPE encryption are considered weak today, so a new design should prefer L2TP/IPSec, which also tunnels PPP (and therefore IPX or NetBEUI) but protects it with IPSec.

None of the other options are VPN protocols.

119. Given: An inherent weakness of the original IEEE 802.11 standard is the lack of AAA (Authentication, Authorization and Accounting) services. What technology is used as part of a network to provide AAA services to enhance wireless security?
A. IEEE 802.1X
B. EAP
C. WEP
D. RADIUS (yes)
E. L2TP/IPSec
F. PPTP

Explanation: The Remote Authentication Dial In User Service (RADIUS) protocol is widely implemented to manage access to network services. It defines a standard for information exchange between a Network Access Server (NAS) and an authentication, authorization and accounting (AAA) server. A RADIUS AAA server can manage user profiles for authentication (verifying user name and password), configuration information that specifies the type of service to deliver, and policies that restrict user access.

120. Data rates of up to _____ Mbps are allowed within the IEEE OFDM amendment.
A. 36
B. 54 (yes)
C. 72
D. 100
E. 108

Explanation: The OFDM (802.11a) and ERP-OFDM (802.11g) amendments specify data rates of up to 54 Mbps, with the 6, 12 and 24 Mbps rates mandatory. The 54 Mbps rate uses 64-QAM/OFDM modulation. Systems on the market that support data rates of up to 108 Mbps, usually through channel bonding, are not OFDM (802.11a) or ERP-OFDM (802.11g) compliant.

121. Two HR-DSSS access points are located in close proximity to each other. The first access point is configured to use channel 6. The second access point should be configured to use which channel in order to introduce the least amount of adjacent channel interference?
A. Channel 1 (yes)
B. Channel 4
C. Channel 8
D. Channel 9

Explanation: The HR-DSSS (802.11b) amendment states in section 18.4.6.2: 'In a multiple cell network topology, overlapping and/or adjacent cells using different channels can operate simultaneously without interference if the distance between the center frequencies is at least 25 MHz.' With 5 MHz channel spacing, 25 MHz between center frequencies means five channel numbers between 'non-overlapping' channels. Channels 1 and 6 are therefore non-overlapping, and of the listed channels, channel 1 is the one furthest from channel 6, so it introduces the least adjacent channel interference.

122. What statements are true regarding access point firmware updates? (Choose 2)
A. A WNMS distributes firmware to autonomous access points. (yes)
B. A WIPS distributes firmware to multiple vendors' autonomous access points.
C. A WLAN controller distributes firmware to lightweight access points. (yes)
D. Client devices notify the WNMS when an access point's firmware is out of date.
E. Autonomous access points automatically update firmware on their neighboring access points.

Explanation: Both architectures (autonomous access points managed by a WNMS, or WLAN controllers with lightweight APs) provide a centralized many-to-one update model; the value lies in obtaining some 'economy of scale' for larger deployments, whether based on autonomous (fat) or lightweight (thin) access points. A WNMS is a centralized software device manager that simplifies the management of distributed and disparate equipment; it can perform a number of functions, from templating device configurations to updating the firmware on autonomous access points. WLAN controllers are the 'brains' behind the lightweight access point architecture: the controller is the centralized component that communicates with multiple APs, manages traffic flows and updates AP firmware when needed.

123. Given: The IEEE 802.11-1999 (R2003) standard specifies a 3-byte (24-bit) initialization vector (IV) and a 4-byte integrity check value (ICV) as part of the WEP frame body expansion. The 802.11i-2004 amendment specifies an additional 8-byte message integrity check (MIC) called 'Michael' and a 4-byte extended IV (raising the TKIP sequence counter to 48 bits), bringing the total frame body expansion overhead to 20 bytes for TKIP. The 802.11i-2004 amendment introduced a CCMP header of _________ and a MIC of _________ to replace both TKIP and WEP. Select the answer option needed to fill in both blanks.
A. 8 bytes, 8 bytes (yes)
B. 8 bytes, 12 bytes
C. 8 bytes, 20 bytes
D. 12 bytes, 8 bytes
E. 12 bytes, 20 bytes

Explanation: The 802.11i amendment states (8.3.3.2, CCMP MPDU format): CCMP processing expands the original MPDU size by 16 octets, 8 octets for the CCMP Header field and 8 octets for the MIC field. The CCMP Header field is constructed from the PN, ExtIV and Key ID subfields. PN is a 48-bit packet number represented as an array of 6 octets; PN5 is the most significant octet and PN0 the least significant. Note that CCMP does not use the WEP ICV. The ExtIV subfield (bit 5) of the Key ID octet signals that the CCMP Header field extends the MPDU header by a total of 8 octets, compared to the 4 octets added to the MPDU header when WEP is used. The ExtIV bit is always set to 1 for CCMP.

124. Using a wireless protocol analyzer, you capture a Beacon frame. A portion of the Beacon is shown in the graphic. From the information given in the graphic, what can you confirm about this wireless network?
A. A wireless client is attempting to join a BSS using AES encryption.
B. Only one wireless client is associated with the BSS.
C. WEP encryption is not allowed in this BSS. (yes)
D. Client-side digital certificates are being used by 802.1X supplicants.
E. Mutual authentication is being used by 802.1X supplicants and authentication servers.

Explanation: Two related concepts in the 802.11 standard are the robust security network (RSN) and the robust security network association (RSNA). An RSN permits only RSNAs, that is, associations that complete the 4-Way Handshake and establish a pairwise master key (PMK). An AP advertises what it permits in the RSN information element of its beacons: the group cipher suite, the pairwise cipher suites and the authentication and key management (AKM) suites. If no WEP suite is listed, WEP is not allowed in the BSS, which is the only one of the listed statements a beacon can confirm. A beacon does not show how many clients are associated, whether a particular client is joining, or which EAP method (certificates, mutual authentication) supplicants use; those are negotiated in the 802.1X exchange after association.

125. How does implementing the TKIP cipher suite improve upon the security of wireless networks currently using WEP? (Choose 3)
A. Offers per-user, per-frame encryption keying (yes)
B. Mitigates replay attacks using a per-frame sequence counter (yes)
C. Increases the Initialization Vector to 64 bits
D. Includes a new integrity checking process (yes)
E. Requires mutual authentication
F. Replaces the RC4 stream cipher with a stronger block cipher

Explanation: TKIP (used in the WPA specification) is a stopgap replacement for WEP on hardware that cannot support the AES-CCMP encryption required by WPA2. It improves on WEP by offering per-user, per-frame encryption keying and a per-frame sequence counter that defeats replay, and by adding an improved integrity check algorithm called Michael; the previous ICV (CRC-32) was extremely weak. TKIP still uses the RC4 stream cipher used in WEP and does not require mutual authentication.

126. While troubleshooting the performance of several wireless stations, you suspect that their power management features are not optimally set. Which of the following could you check?
A. Verify all desktop computers are set to Active Mode and all laptops are set to Power Save Mode so that access points only buffer unicast and broadcast traffic from the laptops.
B. Set all desktop and laptop computers to Power Save Mode to ensure all workstations have an equal chance to send packets across the wireless network.
C. Make sure the desktop computers' WLAN cards are set to Active Mode, so that they can receive frames from other stations at any time. (yes)
D. Verify the laptop computers' WLAN cards are set to Power Save Mode to guarantee the highest throughput and lowest latency possible while roaming.

Explanation: The IEEE specifies two power management modes, Active Mode and Power Save Mode; marketing terms for them are continuous aware mode (CAM) and power save polling (PSP) mode. In Active Mode a station stays at full power and can receive frames from other stations at any time; the drawback is that there is no power conservation. Since desktops are plugged into AC outlets they have no need for power conservation, so desktops should always be configured for Active Mode. Laptops in Power Save Mode periodically power down parts of the 802.11 card (called dozing) and cannot transmit or receive frames during that time, so Power Save Mode typically has lower throughput and higher latency than Active Mode. If any station in the BSS is in Power Save Mode, the access point must buffer all broadcasts and multicasts.

127. You have been hired as a consultant by a client that has an HR-DSSS wireless network with one access point and several laptops using HR-DSSS WLAN cards. The client is concerned with throughput, and they want to know what they can do to increase it. Which of the following would you suggest?
A. Replace the access point with an OFDM capable access point to provide 54 Mbps.
B. Add another HR-DSSS access point in the same physical area and configure it to avoid co-channel interference. (yes)
C. Replace the access point with an ERP-OFDM access point and configure it for mixed mode.
D. Configure the client adapters to use Power Save Mode instead of Active Mode.

Explanation: Co-locating multiple access points in the same physical space on non-overlapping channels is a common way to increase throughput. For HR-DSSS (802.11b) access points, channels 1, 6 and 11 are considered non-overlapping and will not interfere with each other. OFDM (802.11a) access points have higher potential throughput than HR-DSSS (802.11b) access points, but because all the client WLAN cards use HR-DSSS (802.11b), an OFDM (802.11a) access point would not be a solution. Clients using HR-DSSS (802.11b) WLAN cards would not connect with greater throughput to an ERP-OFDM (802.11g) access point than to an HR-DSSS (802.11b) access point. Placing a client WLAN card in Power Save Mode causes it to periodically power down parts of the card, resulting in lower throughput and higher latency.

128. ABC Company's end-user laptops are used on the corporate network using WPA2-Enterprise. The end users use secure applications (POP3/SSL and FTP/SSH). These end users also use their computers offsite, using a hotspot to access corporate network resources. What security advantage do these end users have by utilizing this layered security approach when they are accessing corporate servers from public hotspots?
A. Since no layer 2 security protocols are present on the hotspot network, application layer security still protects sensitive data from eavesdroppers. (yes)
B. WPA2-Enterprise is capable of remote VPN connectivity to corporate network resources.
C. Secure applications such as POP3/SSL and FTP/SSH are not usable over a wireless hotspot connection; however, WPA2-Enterprise security still protects sensitive data.
D. The use of WPA2-Enterprise is required to enable encrypted VPN connectivity to remote corporate network resources.

Explanation: WLAN hotspot networks are by nature a non-secure network infrastructure. WPA2, personal or enterprise, is a layer 2 authentication and key management specification used in private networks; it is not a VPN technology and protects only the local wireless link. Secure applications such as POP3/SSL and FTP/SSH can be used on a secure or unsecured network, wired or wireless, to protect sensitive user data end to end.

129. Given: An access point is designed to bridge frames between its wired and wireless interfaces; when using an AP, both sides (wired and wireless) share the same IP subnet. A wireless router is an AP that routes packets between the wireless and wired interfaces instead of bridging frames. You are configuring an access point that supports different modes. Which of the following statements would be true? (Choose 2)
A. In order to create a bridge link between two different manufacturers' access points, each access point must meet the IEEE bridge mode standards.
B. An access point would use bridge mode to make point-to-point connections to other access points, not point-to-multipoint connections.
C. An access point in repeater mode can act as an access point to clients while at the same time acting as a client to an access point. (yes)
D. An access point acting in root mode can have bridged access points as its clients or have client devices as its clients, but not both simultaneously.
E. Configuring an access point for repeater mode is not recommended due to the low throughput and high latencies users will likely experience. (yes)

Explanation: The advantage of repeater mode is that the access point can serve clients while simultaneously acting as a client of the 'root' access point. The disadvantage is that users will likely experience low throughput and high latency, because the repeater must talk to its clients and to the upstream access point on the same channel. An access point in root mode can have repeater-mode access points as 'bridged' clients while simultaneously serving client devices. The IEEE does not define any access point modes. An access point in bridge mode can connect to multiple access points also in bridge mode, forming a point-to-multipoint connection.

130. Given: The Wi-Fi Alliance implemented TKIP as an upgrade to WEP as part of WPA certification. What features were included in TKIP to enhance the security of WEP? (Choose 2)
A. FCS
B. ICV
C. MIC (yes)
D. Extended IV (yes)
E. Encrypted PDU

Explanation: TKIP uses a MIC called Michael, which lets devices confirm that their packets were not altered in transit and so prevents 'bit-flip' attacks on encrypted packets. In a bit-flip attack an intruder intercepts an encrypted message, alters it slightly and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC adds a few bytes to each packet; like a cyclic redundancy check (CRC) it detects modification, but unlike a CRC it is keyed, so an attacker cannot simply recompute it after changing the packet. WEP uses the IV together with the WEP key as input to the RC4 pseudo-random number generator (PRNG), which produces the key stream used to encrypt the 802.11 frame payload. With a 24-bit WEP IV it is easy to capture multiple frames with the same IV value, which makes real-time decryption easier. In TKIP the IV (the TKIP sequence counter) has been doubled in size to 48 bits.

131. The IEEE 802.11-1999 (R2003) standard specifies what default privacy state for a wireless station?
A. TKIP encrypted
B. Shared Key authenticated
C. WEP encrypted
D. 802.1X/EAP encrypted
E. No privacy (yes)
F. Certificate authenticated

Explanation: Sections 8.1 and 8.1.1 of the 802.11-1999 (R2003) standard specify the authentication types and, specifically, Open System authentication:

8.1 Authentication services
IEEE 802.11 defines two subtypes of authentication service: Open System and Shared Key. The subtype invoked is indicated in the body of authentication management frames. Thus authentication frames are self-identifying with respect to authentication algorithm. All management frames of subtype Authentication shall be unicast frames as authentication is performed between pairs of stations (i.e., multicast authentication is not allowed). Management frames of subtype Deauthentication are advisory, and may therefore be sent as group-addressed frames. A mutual authentication relationship shall exist between two stations following a successful authentication exchange as described below. Authentication shall be used between stations and the AP in an infrastructure BSS. Authentication may be used between two STAs in an IBSS.

8.1.1 Open System authentication
Open System authentication is the simplest of the available authentication algorithms. Essentially it is a null authentication algorithm. Any STA that requests authentication with this algorithm may become authenticated if dot11AuthenticationType at the recipient station is set to Open System authentication. Open System authentication is not required to be successful as a STA may decline to authenticate with any particular other STA. Open System authentication is the default authentication algorithm. Open System authentication involves a two-step authentication transaction sequence. The first step in the sequence is the identity assertion and request for authentication. The second step in the sequence is the authentication result. If the result is 'successful,' the STAs shall be mutually authenticated.

The default state is therefore Open System authentication with no privacy; WEP must be explicitly enabled.

132. Which authentication and key management suites are specified in the RSN information element? (Choose 2)
A. 802.1X authentication and key management (yes)
B. No authentication; 802.1X key management (yes)
C. Shared authentication; 802.1X key management
D. RADIUS authentication and key management
E. Passphrase authentication and dynamic key management

Explanation: RSN begins to establish a secure communication channel by broadcasting an RSN information element that lists all enabled authentication suites, all enabled unicast cipher suites and a multicast cipher suite. The RSN information element specifies the following authentication and key management suites:

Code        Meaning
00:00:00:1  802.1X authentication and key management
00:00:00:2  No authentication; 802.1X key management

The 00:00:00 OUI shown here dates from the 802.11i drafts; the ratified 802.11i-2004 amendment assigns the same selectors the OUI 00-0F-AC. Suite type 2 is the pre-shared key (PSK) method: no 802.1X/EAP authentication takes place, but the 802.1X (EAPOL-Key) 4-Way Handshake still performs key management.

133. OFDM/ERP-OFDM wireless LAN client utilities may include what components?
A. Channel selection tool for ad hoc networking (yes)
B. Scan tool for locating and displaying access points (yes)
C. TKIP parameter modification tool
D. Association table viewer utility
E. Security protection mechanism configuration tool (yes)
F. Wireless-on / wireless-off configuration utility (yes)
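The following Python is an added example by the editor and is not part of the original question bank. It parses an RSN information element the way a protocol analyzer does for the beacon in question 124 and decodes the suite selectors from the table in the explanation of question 132. The three sample IEs are constructed for the example, not captured frames, and the parser accepts both the ratified 00-0F-AC OUI and the draft-era 00:00:00 OUI:

```python
import struct

RSN_ELEMENT_ID = 48                      # RSN information element ID (0x30)
SUITE_OUI = bytes.fromhex("000fac")      # OUI of the ratified 802.11i-2004 suite selectors
DRAFT_OUI = bytes.fromhex("000000")      # OUI used by draft-era RSN IEs (as in the table above)

CIPHER_SUITES = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}     # type 2: no 802.1X authentication, 802.1X key management

# Constructed sample IEs (hex), not captured frames:
#   WPA2-Enterprise: group CCMP, pairwise CCMP, AKM 802.1X
IE_WPA2_ENTERPRISE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")
#   WPA2-Personal mixed mode: group TKIP, pairwise CCMP and TKIP, AKM PSK
IE_WPA2_MIXED_PSK = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")
#   Transition security network: WEP-104 group cipher still permitted for legacy clients
IE_TSN_WEP_GROUP = bytes.fromhex("3014" "0100" "000fac05" "0100" "000fac02" "0100" "000fac01" "0000")


def _u16(body: bytes, off: int) -> int:
    """Little-endian 16-bit field with a bounds check, so a short IE fails cleanly."""
    if off + 2 > len(body):
        raise ValueError("RSN IE truncated")
    return struct.unpack_from("<H", body, off)[0]


def _suite(body: bytes, off: int, table: dict) -> str:
    """Decode one 4-octet suite selector: 3-octet OUI followed by a 1-octet suite type."""
    if off + 4 > len(body):
        raise ValueError("RSN IE truncated inside a suite selector")
    oui, suite_type = body[off:off + 3], body[off + 3]
    if oui not in (SUITE_OUI, DRAFT_OUI):
        return f"vendor-{oui.hex()}-{suite_type}"
    return table.get(suite_type, f"reserved-{suite_type}")


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN IE: element ID, length, version, group cipher, pairwise list, AKM list, capabilities."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("RSN IE length field does not match the data present")
    if _u16(body, 0) != 1:
        raise ValueError("unsupported RSN version")
    off = 2
    group = _suite(body, off, CIPHER_SUITES)
    off += 4
    count = _u16(body, off)
    off += 2
    pairwise = []
    for _ in range(count):
        pairwise.append(_suite(body, off, CIPHER_SUITES))
        off += 4
    count = _u16(body, off)
    off += 2
    akm = []
    for _ in range(count):
        akm.append(_suite(body, off, AKM_SUITES))
        off += 4
    capabilities = _u16(body, off) if off + 2 <= len(body) else None   # optional field
    return {"group_cipher": group, "pairwise_ciphers": pairwise,
            "akm_suites": akm, "capabilities": capabilities}


def wep_allowed(info: dict) -> bool:
    """WEP is permitted in the BSS only if a WEP suite is advertised as group or pairwise cipher."""
    return any(s.startswith("WEP") for s in [info["group_cipher"], *info["pairwise_ciphers"]])


def beacon_facts(ie: bytes) -> dict:
    """What a beacon's RSN IE can and cannot confirm (question 124)."""
    info = parse_rsn_ie(ie)
    return {
        "wep_allowed": wep_allowed(info),
        "uses_8021x_akm": "802.1X" in info["akm_suites"],
        # Client count, EAP method, client certificates and mutual authentication are
        # settled in the 802.1X exchange after association; a beacon cannot show them.
        "eap_method_visible": False,
    }
```

Only the presence or absence of WEP suites is something the beacon itself confirms; `beacon_facts` deliberately reports the EAP method as not visible because certificates and mutual authentication are negotiated after association, which is why options D and E of question 124 cannot be confirmed from a beacon.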

134. After the initial WIPS installation, what task should be performed before relying on the WIPS in a production environment?
A. Sensors should be calibrated to assure accurate identification of 802.11 frame formats.
B. A single client device should be carried around the perimeter of the installation to verify that it can be heard by a sensor everywhere it roams.
C. Measure sensors' category 5 cable runs to verify they do not exceed 100 meters.
D. A baseline analysis should be performed to aid in locating and categorizing authorized and external access points. (yes)

Explanation: Wi-Fi access points are everywhere, and WIPS sensors have good antennas that hear every access point within a significant range. The WIPS must therefore be taught the difference between an authorized access point (one connected to your network) and an external one (not connected to your network). Authorized access points should adhere to the security policy, while external access points should be monitored so that authorized client devices do not accidentally connect to them. Categorizing authorized and external access points during the initial installation makes rogue access points (unauthorized devices attached to your network) easy to identify afterwards.

135. What is the most accurate method of WIPS indoor location tracking?
A. GPS
B. Triangulation
C. RF Fingerprinting (yes)
D. Nearest Sensor detection
E. TDOA

Explanation: RF fingerprinting is a sophisticated category of location tracking used in 802.11-based WLANs. It uses intelligent algorithms to improve location-tracking precision by accounting for environmental effects (objects, people, mirrors, windows, attenuation and multipath) on the wireless signal. A 'fingerprint' of the wireless environment is calculated by a physical walk-around using a handheld spectrum analysis device; these measurements are later compared with deviations in the real-time environment to locate the client device.

Nearest sensor is the simplest method and, by itself, the least precise. This capability, supported by most wireless network vendors in their management systems, determines the 802.11 access point (AP) or cellular base station to which a client device is associated, assumes that this sensor is the closest to the device, and then computes how far the signal radiates. The nearest-sensor measurement can be combined with others to pinpoint location more precisely.

'Triangulation' measures the angles between three or more nearby sensors (or other reference points); where they intersect is calculated as the client location. Precision within 50 metres is generally accepted for triangulation, according to Diana Kelley, senior analyst at Burton Group. Trilateration measures the distance between sensors or other reference points rather than the angles between them.

GPS systems combine triangulation with a measurement called time difference of arrival (TDOA) over a network of satellites. TDOA measures the relative time delay of signals arriving at different sensors and can be used with triangulation in 802.11 networks too: because propagation time is proportional to the distance travelled, the distance to each sensor within range can be estimated and, consequently, the location of the client. In addition to TDOA measurements, received signal strength indication (RSSI) can be used to measure the RF power loss between transmitter and receiver to estimate distance. GPS requires line of sight to the satellites, so it is not appropriate for indoor use.

136. What are two common software wireless LAN discovery utilities used for locating SSIDs, signal strength, channel use and security? (Choose 2)
A. L0phtCrack (LC5)
B. NetStumbler (yes)
C. WinSniffer
D. Kismet (yes)
E. ShareEnum

Explanation: NetStumbler and Kismet are tools used to locate and interrogate wireless LANs. L0phtCrack (LC5) and WinSniffer are password auditing and recovery tools. ShareEnum is a tool for discovering network shares and the permissions applied to them.

137. When an 802.11n draft 2.0 wireless device is transmitting in the 2.4 GHz band at the highest throughput possible, how wide is the channel being used?
A. 20 MHz
B. 22 MHz
C. 40 MHz (yes)
D. 60 MHz

Explanation: The 802.11n draft defines 20 MHz and 40 MHz wide channels, along with 'primary' and 'secondary' channels, each 20 MHz wide and using OFDM modulation. A secondary channel is a 20 MHz channel associated with a primary channel, used by HT stations to create a 40 MHz channel. Also known as channel bonding, 40 MHz operation uses two adjacent 20 MHz channels to transmit data simultaneously, which directly doubles the PHY data rate available from a single 20 MHz channel.

138. The 802.11i Group Master Key (GMK) is generated and may be reinitialized by which 802.1X Port Access Entity (PAE)?
A. Supplicant
B. Authenticator (yes)
C. Authentication Server
D. Uncontrolled Port

Explanation: Sections 8.5.1.3 and 5.9.2.1 of the 802.11i-2004 amendment state that the Authenticator is responsible for generating and reinitializing the GMK. The Authenticator derives the GTK from the GMK and delivers it to the Supplicant in message 3 of the 4-Way Handshake, encrypted under the KEK portion of the PTK.

139. What is the most significant security risk of not changing the configuration of an access point from its default settings?
A. Information on vendor default settings is easily obtained, making it simpler for an attacker to know how to compromise the device. (yes)
B. Changing the default settings can prevent an attacker from discovering the access point, making the device secure.
C. Access points are commonly shipped from the factory with security holes that allow an attacker to easily connect to and compromise the device.
D. To make them easier to configure, all access points ship without any security enabled by default, leaving them wide open for attackers to compromise.

Explanation: Default settings are readily available in product manuals and online. Once an attacker discovers that an access point is using default settings, he can take full control of the device or use it to take control of other devices in the enterprise. Including staging and installation procedures for WLAN infrastructure equipment in your wireless security policy helps ensure devices are not left with default or misconfigured settings.

140. The IEEE OFDM amendment specifies what number of non-overlapping channels in the upper U-NII (U-NII-3) band?
A. 3
B. 4 (yes)
C. 6
D. 8

Explanation: Bands available for use with OFDM (802.11a) systems are as follows:

Band (GHz)             Channels  Channel numbers
5.150-5.250 (U-NII-1)  4         36, 40, 44, 48
5.250-5.350 (U-NII-2)  4         52, 56, 60, 64
5.470-5.725            11        100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
5.725-5.825 (U-NII-3)  4         149, 153, 157, 161
5.825-5.850 (ISM)      1         165

141. 'An entity at one end of a point-to-point LAN segment that seeks to be authenticated by an Authenticator attached to the other end of that link' describes what role in the 802.1X-2004 standard?
A. Authentication Server
B. EAPoL Peer
C. Ethernet Switch
D. Supplicant PAE (yes)
E. Port Access Control PDU

Explanation: The 802.1X-2004 standard defines three network roles: the supplicant (client) port access entity (PAE), the authenticator (switch or access point) PAE, and the authentication server (RADIUS or other).

142. As a network administrator, you understand the mentality of most war drivers and have implemented a very strong WLAN security solution. From your office window, you spot a war driver in your parking lot using a Yagi antenna and a laptop in his car. You correctly assume that the war driver is attempting to penetrate your WLAN. What should you do next?
A. Ignore the war driver. You have implemented a secure WLAN solution they cannot penetrate.
B. Call the police and have the war driver apprehended. Press charges for violations of regulatory domain laws.
C. Monitor the WIPS alerts and inform your organization's security personnel to ask the war driver to vacate the premises. (yes)
D. Implement a high-powered RF jamming device on all DSSS channels.
E. Approach the war driver and explain how his actions are illegal and unethical.

Explanation: If a break-in does occur, you will need proof that it was the war driver who did it; system logs and the analysis performed by the WIPS supply that evidence. Because this is a security-related event, your security personnel should be alerted, as they will best know how to deal legally and safely with the potential intruder.

143. In an 802.11i-compliant 802.1X/EAP system, where are AAA keys generated?
A. On the 802.1X Authentication Server only
B. Manually by the network administrator
C. Jointly negotiated between the 802.1X Supplicant and the 802.1X Authentication Server (yes)
D. On the 802.1X Authenticator only
E. In the pass-phrase-to-PSK mapping algorithm
F. On the 802.1X Supplicant only

Explanation: The 802.11i-2004 amendment states (3.64): authentication, authorization, and accounting (AAA) key: Key information that is jointly negotiated between the Supplicant and the Authentication Server (AS). This key information is transported via a secure channel from the AS to the Authenticator. The pairwise master key (PMK) may be derived from the AAA key.
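The derivation below is an added example written for this edit; it is not text from the standard or code from any vendor. It shows how the AAA key from question 143 becomes the PMK, how the Authenticator and Supplicant each compute the same PTK from the PMK, their addresses and the 4-Way Handshake nonces, and how the Authenticator derives the GTK from its own GMK (question 138). The PRF follows 802.11i-2004 8.5.1.1; the MAC addresses, nonces and MSK in the demonstration constants are constructed values:

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """PRF-n from 802.11i-2004 8.5.1.1: HMAC-SHA1(K, A || 0x00 || B || i) for i = 0, 1, ...
    concatenated and truncated to n bits."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbits // 8]


def pmk_from_msk(msk: bytes) -> bytes:
    """With 802.1X/EAP the PMK is the first 256 bits of the AAA key (MSK) that the Supplicant
    and Authentication Server negotiated and the AS handed to the Authenticator over RADIUS."""
    if len(msk) < 32:
        raise ValueError("AAA key must be at least 256 bits")
    return msk[:32]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               tk_bits: int = 128) -> dict:
    """8.5.1.2: PTK = PRF-X(PMK, "Pairwise key expansion",
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    X is 384 for CCMP (128-bit TK) and 512 for TKIP (256-bit TK). Ordering by Min/Max lets
    both ends compute the same key without agreeing on who goes first."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("PMK must be 32 bytes, addresses 6 bytes, nonces 32 bytes")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 256 + tk_bits)
    return {
        "kck": ptk[:16],                   # EAPOL-Key confirmation key: MICs the handshake messages
        "kek": ptk[16:32],                 # EAPOL-Key encryption key: wraps the GTK in message 3
        "tk": ptk[32:32 + tk_bits // 8],   # temporal key: CCMP/TKIP data encryption
    }


def generate_gmk() -> bytes:
    """The Authenticator creates the GMK (and may later reinitialize it); it never leaves the AP."""
    return os.urandom(32)


def derive_gtk(gmk: bytes, aa: bytes, gnonce: bytes, bits: int = 128) -> bytes:
    """8.5.1.3: GTK = PRF-X(GMK, "Group key expansion", AA || GNonce)."""
    return prf(gmk, b"Group key expansion", aa + gnonce, bits)


def eapol_key_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2 (CCMP): HMAC-SHA1 over the EAPOL frame with
    its MIC field zeroed, truncated to 128 bits. Version 1 (TKIP) uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


# Constructed demonstration values (not real keys or addresses):
DEMO_MSK = bytes(range(64))
DEMO_AA = bytes.fromhex("001122334455")     # Authenticator (AP) address
DEMO_SPA = bytes.fromhex("66778899aabb")    # Supplicant address
DEMO_ANONCE = bytes([0x11] * 32)
DEMO_SNONCE = bytes([0x22] * 32)

if __name__ == "__main__":
    keys = derive_ptk(pmk_from_msk(DEMO_MSK), DEMO_AA, DEMO_SPA, DEMO_ANONCE, DEMO_SNONCE)
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```

The GTK reaches the Supplicant in message 3 of the handshake encrypted under the KEK with AES key wrap (RFC 3394), which this block omits; it stops at deriving the keys and at the EAPOL-Key MIC that the KCK protects. Note that swapping the roles of the two addresses or the two nonces yields the same PTK, which is exactly why the standard orders them with Min and Max.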

144. Given: As part of your wireless security policy, all access points must be placed in lockable enclosures, and all WLANs must be hidden and support only 802.1X/EAP-TLS connections using mutual authentication. Based upon the information provided, to what types of attack may your wireless network still be vulnerable? (Choose 2)
A. An attacker can perform layer 1 DoS attacks. (yes)
B. An attacker may capture sensitive data through eavesdropping.
C. An attacker may discover the SSID. (yes)
D. An attacker may perform a man-in-the-middle attack.
E. An attacker may discover weak passwords using a dictionary attack.

Explanation: 802.1X/EAP-TLS uses mutual authentication with both server-side and client-side digital certificates, which protects against dictionary and man-in-the-middle attacks, and the keys it produces encrypt traffic to protect sensitive data from eavesdropping. In a hidden network the SSID is removed from beacons, but it still appears in other frame types (probe requests and responses, association requests) that an attacker can capture; for this reason hiding the SSID is not considered a security measure. All wireless networks remain vulnerable to layer 1 (physical) jamming attacks.

145. Given: ERP-OFDM wireless networks use Orthogonal Frequency Division Multiplexing to achieve data rates of up to 54 Mbps. What is true of OFDM technology? (Choose 2)
A. Used to communicate with HR-DSSS devices when configured for 'mixed' mode
B. Uses four 'pilot' channels for channel monitoring (yes)
C. Sub-divides the 2.4 GHz channels into 52 discrete sub-carriers (yes)
D. Sub-carriers are approximately 100 kHz wide
E. Uses Complementary Code Keying for greater reliability

Explanation: Orthogonal Frequency Division Multiplexing (OFDM) is used by OFDM (802.11a) and ERP-OFDM (802.11g) networks to achieve data rates of up to 54 Mbps, subdividing channels into 52 discrete sub-carriers (300 kHz each in ERP-OFDM (802.11g)). Four sub-carriers are used as 'pilot' channels for monitoring the channel and are not available for data transmissions, while 48 are used to transmit data. ERP-OFDM (802.11g) supports both OFDM and Direct Sequence Spread Spectrum (DSSS), and must use DSSS when communicating with HR-DSSS (802.11b) devices in 'mixed' mode. DSSS uses Complementary Code Keying (CCK) to achieve data rates of 5.5 and 11 Mbps. OFDM is often implemented with convolutional coding, as in OFDM (802.11a) and ERP-OFDM (802.11g).

146

A user complains that they cannot connect to the Internet through the wireless network, even though their client utility shows they are connected with a strong signal. You check their system and see they have been successfully assigned an IP address of 169.254.138.16. Other stations can access the Internet without issue. What might be the problem? (Choose 3)

A. Their wireless card's MAC address is not filtered correctly on the access point (yes)
B. They have a mis-configured WEP key (yes)
C. They are not authenticated to the wireless access point
D. They are not associated to the wireless access point
E. The access point failed layer 2 mutual authentication
F. The RADIUS server denied access to the supplicant (yes)

Explanation: An IP address of 169.254.x.x is assigned through Automatic Private IP Addressing (APIPA) when a DHCP client is unable to obtain an address from a DHCP server. Typically the DHCP client cannot obtain an IP address because of a network issue between the two devices (although in some cases the DHCP server may simply be down). IP addresses are negotiated at the network layer (layer 3). In this scenario the wireless client appears to be connecting successfully to the access point, because the client's WLAN utility shows a strong signal. Most likely the client is connecting to the access point, but the access point is not allowing it past onto the wired network. Generally, wireless networks use Open System authentication, which guarantees that any authentication request is approved, admitting the client onto the wireless network. Reasons why a client may not be allowed past the access point include not being in the access point's MAC address filter list, an incorrect WEP key, or failing 802.1X/EAP authentication (typically against a RADIUS server).

147

Using IEEE compliant HR-DSSS wireless LAN systems, what is the maximum cumulative data transmission rate that can be achieved in any given physical area?

A. 11 Mbps
B. 22 Mbps
C. 33 Mbps (yes)
D. 54 Mbps

Explanation: The HR-DSSS (802.11b) amendment states in section 18.4.6.2: 'In a multiple cell network topology, overlapping and/or adjacent cells using different channels can operate simultaneously without interference if the distance between the center frequencies is at least 25 MHz.' Regardless of the regulatory domain, there is a maximum of only 3 non-overlapping channels available. Each channel can support a data rate of 11 Mbps, and when three non-overlapping channels operate in the same physical space, an aggregate data transmission rate of 33 Mbps is possible.

148

Within IPSec's ESP tunnel mode, which parts of the frame are encrypted? (Choose 3)

A. ESP Header
B. Original IP Header (yes)
C. IP Payload (yes)
D. ESP Trailer (yes)
E. ESP Authentication Trailer

Explanation: ESP tunnel mode encapsulates an IP packet with both an ESP header and a new IP header, and appends an ESP authentication trailer. The original IP header is placed after the ESP header. The entire packet is appended with an ESP trailer before encryption occurs. Everything that follows the ESP header, except for the ESP authentication trailer, is encrypted. This includes the original header, which is now considered to be part of the data portion of the packet.

149

As part of its corporate security policy, your organization requires all wireless LANs to be separated from the wired network core using a device capable of authentication, data encryption, and throughput limiting. Which device will accomplish this policy requirement?

A. Wireless workgroup bridge
B. Transparent tunneling bridge
C. Wireless LAN controller (yes)
D. Personal firewall software
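The field boundaries behind question 148, shown as an added example that is not code from the question bank. It builds an ESP tunnel-mode packet around a constructed inner IPv4 packet and records which byte ranges the encryption and the ICV cover. The cipher is a constructed HMAC-SHA256 counter-mode keystream and the ICV a truncated HMAC-SHA256, standing in for the transforms IKE would negotiate; the keys, addresses and SPI are sample values.

```python
"""Added example (not from the question bank): lays out an ESP tunnel-mode packet
and records which bytes the encryption and the integrity check cover. The cipher is
a constructed keystream (HMAC-SHA256 in counter mode) and the ICV a truncated
HMAC-SHA256; real IPsec uses negotiated transforms such as AES-CBC with HMAC-SHA1-96
or AES-GCM, but the field boundaries are what the example is about."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_IPIP = 4   # ESP Next Header value for an encapsulated IPv4 packet (tunnel mode)
PROTO_ESP = 50   # protocol number the outer IP header carries
ICV_LEN = 12     # 96-bit truncated MAC, the length HMAC-SHA1-96 uses
ENC_KEY = b"constructed-encryption-key"      # in practice both keys come from IKE
AUTH_KEY = b"constructed-authentication-key"


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum (constructed helper)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", (~total) & 0xFFFF) + hdr[12:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream standing in for the negotiated cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_tunnel_encapsulate(inner: bytes, spi: int, seq: int, outer_src: str, outer_dst: str):
    """Wrap a complete inner IP packet in ESP tunnel mode.

    Returns the outer packet plus a map of byte ranges: the encrypted scope starts
    right after the 8-byte ESP header and therefore covers the original IP header,
    the original payload and the ESP trailer; the ICV covers the ESP header and the
    ciphertext but is itself sent in the clear."""
    esp_header = struct.pack("!II", spi, seq)
    pad_len = (-(len(inner) + 2)) % 4               # align pad length + next header to 4 bytes
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding pattern 1, 2, 3, ...
    esp_trailer = padding + bytes([pad_len, PROTO_IPIP])
    plaintext = inner + esp_trailer
    ciphertext = xor(plaintext, keystream(ENC_KEY, esp_header, len(plaintext)))
    icv = hmac.new(AUTH_KEY, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp_payload = esp_header + ciphertext + icv
    outer = ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp_payload)) + esp_payload
    start = 20                                      # ESP begins after the outer IP header
    layout = {
        "outer_ip_header": (0, start),
        "esp_header": (start, start + 8),
        "encrypted": (start + 8, start + 8 + len(ciphertext)),
        "icv": (start + 8 + len(ciphertext), len(outer)),
        "authenticated": (start, start + 8 + len(ciphertext)),
    }
    return outer, layout


def esp_tunnel_decapsulate(outer: bytes) -> bytes:
    """Receiver side: verify the ICV first, then decrypt and strip the trailer."""
    esp = outer[20:]
    esp_header, ciphertext, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")    # drop; never decrypt unauthenticated data
    plaintext = xor(ciphertext, keystream(ENC_KEY, esp_header, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != PROTO_IPIP:
        raise ValueError("not a tunnel-mode packet")
    return plaintext[:-(pad_len + 2)]


if __name__ == "__main__":
    # constructed inner packet: a 20-byte IPv4 header (protocol 6) plus a short payload
    inner_packet = ipv4_header("10.1.1.5", "10.2.2.7", 6, 5) + b"hello"
    outer_packet, ranges = esp_tunnel_encapsulate(inner_packet, 0x1000, 1, "198.51.100.1", "203.0.113.9")
    for name, (lo, hi) in ranges.items():
        print(f"{name:>16}: bytes {lo}-{hi}")
    print("original header visible in the clear?", inner_packet[:20] in outer_packet)
```

The layout map is the answer to the question in executable form: the range tagged `encrypted` begins where the original IP header begins, and the ESP header and ICV fall outside it. The receiver checks the ICV before decrypting, which is the order a real ESP implementation must use as well.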

Explanation: A Wireless LAN controller is the only segmentation device among the listed answers that is capable of performing all three functions. Examples of such devices are EWGs and WLAN switches. A Wireless workgroup bridge is incorrect because a workgroup bridge is a device that allows you to connect multiple wired devices through, essentially, a shared radio. A Transparent tunneling bridge does not exist. Personal firewall software is incorrect because it only filters packets and does not provide authentication, data encryption, or throughput limiting.

150

As an RF signal passes through a cement block wall, the wall primarily _______ the RF signal.

A. Absorbs (yes)
B. Refracts
C. Scatters
D. Attenuates (yes)
E. Diffracts
F. Reflects

Explanation: Absorption occurs when the RF signal strikes an object and is absorbed into the material in such a manner that it does not pass through, reflect off, or bend around the object. A single concrete or cinderblock wall often blocks the signal entirely, causing complete attenuation. Some reflection, etc. may occur as well. Reflection occurs when a wave strikes an object that has very large dimensions in comparison to the wavelength of the propagating wave, such as smooth surfaces like lakes, metal roofs, metal blinds, and metal doors, likely causing multipath. Refraction is the bending of a radio wave as it passes through a medium of different density. Diffraction is the bending of a radio wave around an obstacle. Scattered waves are produced by rough surfaces, small objects, or other irregularities in the signal path, and can be thought of as lots of little reflections.

151

A university's WLAN administrator is seeking an efficient and effective method of detecting and eliminating rogue access points and wireless Ad Hoc networks across the entire campus. The administrator's friend suggests that he use a WLAN protocol analyzer to perform a weekly survey of the campus to discover rogue devices. The administrator considers this option and then asks you to offer advice on the subject. What is your advice to the administrator?

A. In a campus environment, manual scanning for rogues requires too much time and resources to effectively and consistently locate all rogue devices. A system is needed that can inspect the entire campus in real time. (yes)
B. WLAN protocol analyzers will not detect rogue devices that do not use the 802.11 protocol frame format. (yes)
C. Because WLAN protocol analyzers can see all frames on the wireless medium, they are the most comprehensive solution for detecting rogue wireless devices of any kind.
D. By assigning one IT worker to do weekly scans using a WLAN protocol analyzer, Wi-Fi, Bluetooth, and Infrared rogue access points and Ad Hoc networks can be effectively located and removed.
E. WLAN protocol analyzers are not a comprehensive rogue detection solution because they cannot detect access points that are configured to hide the SSID in beacons.

Explanation: In large IT environments (enterprises and campuses), doing consistent 'walk about' scans is impractical and ineffective. Wireless Intrusion Prevention Systems should be used to inspect the entire campus environment in real time using distributed sensors and a central engine/console. Additionally, WIPS can enforce policy adherence across the WLAN environment.

152

When configuring a Wi-Fi Protected Setup (WPS) network, what guidelines are recommended for PIN values by the Wi-Fi Alliance?

A. The recommended length for a manually entered device password is a 15-digit numeric PIN
B. A device with multiple PINs must have values cryptographically separate from each other (yes)
C. PIN values should be randomly generated (yes)
D. PIN values must only be stored on integrated NFC Contactless Tokens
E. All stored PIN values should be encrypted using SHA1

Explanation: The recommended length for a manually entered device password is an eight-digit numeric PIN. This length does not provide a large amount of entropy for strong mutual authentication, but the design of the Registration Protocol protects against dictionary attacks on PINs if a fresh PIN or a rekeying key is used each time the Registration Protocol is run. PIN values should be randomly generated, and they MUST NOT be derivable from any information that can be obtained by an eavesdropper or active attacker. The device's serial number and MAC address, for example, are easily eavesdropped by an attacker on the in-band channel. Furthermore, if a device includes multiple PIN values, these values MUST be cryptographically separate from each other. If, for example, a device includes both a label-based PIN and a Device Password on an integrated NFC Contactless Token, the two Device Passwords MUST be different and uncorrelated. A Registrar may be preconfigured with a set of Enrollee PIN and UUID-E pairs as part of a packaged solution, or a Registrar may choose to store PIN values. PINs stored on the Registrar may remain valid for an indeterminate amount of time, but Registrars should invalidate a PIN if a registration attempt results in a failed PIN authentication. PINs that are stored on the Registrar should be cryptographically protected and should not be read-accessible via an interface on the Registrar. For more information, see the whitepaper 'Wi-Fi CERTIFIED for Wi-Fi Protected Setup: Easing the User Experience for Home and Small Office Wi-Fi Networks', http://www.wi-fi.org/knowledge_center_overview.php?docid=4506

153

XYZ Corporation has installed ERP-OFDM WLAN bridges in three buildings on their corporate campus. They have an omnidirectional antenna at building-1 (the IT building) and patch antennas at building-2 and building-3. Each of the ERP-OFDM bridges is configured for the manufacturer's default settings, the alignment tools show that the bridges have proper alignment, and still the administrator cannot get data traffic to flow over the bridge links. What could be the problem?

A. Each bridge has the same default IP address, so at least two of the three bridges must have their IP addresses changed before data traffic will flow across them.
B. One bridge is using PoE, and the other two are using AC line power. Each bridge must have the same type of power source in order to have proper connectivity between all bridges.
C. By default, ERP-OFDM bridges perform NAT routing. This functionality must be disabled on all three bridges before connectivity will be successful.
D. Each of the ERP-OFDM bridges is set to root mode, and there can only be one root bridge in a network. (yes)
E. The bridge at building-1 should have a diversity patch antenna in order to have proper connectivity to the patch antennas at building-2 and building-3.
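The PIN rules from question 152's explanation, as an added example that is not code from the question bank or the Wi-Fi Alliance: an eight-digit PIN generated from the OS random source with the checksum digit the WPS specification defines, a validator for received PINs, and a constructed Registrar model that keeps PINs under a keyed hash and invalidates a PIN after one failed PIN authentication. The `Registrar` class, its storage key and the UUID-E labels are this example's own.

```python
"""Added example, not code from the question bank: generating and validating WPS
device PINs along the lines question 152's explanation recommends, plus a constructed
Registrar model that stores PINs under a keyed hash and invalidates a PIN after a
failed PIN authentication. The checksum digit is the one the WPS specification
defines for 8-digit PINs; the Registrar class and its storage key are this example's own."""
import hashlib
import hmac
import secrets


def wps_pin_checksum(seven_digits: int) -> int:
    """Checksum over the first seven digits: alternating weights 3 and 1 starting from
    the least significant digit; the check digit brings the total to a multiple of 10."""
    accum = 0
    while seven_digits:
        accum += 3 * (seven_digits % 10)
        seven_digits //= 10
        accum += seven_digits % 10
        seven_digits //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """Eight decimal digits whose last digit matches the checksum of the first seven."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def generate_wps_pin() -> str:
    """Seven digits from the OS CSPRNG plus the checksum digit. Nothing about the
    device (serial number, MAC address) feeds the value, so an eavesdropper who has
    seen those on the air learns nothing about the PIN."""
    body = secrets.randbelow(10_000_000)
    return f"{body:07d}{wps_pin_checksum(body)}"


class Registrar:
    """Constructed model of the storage rules in the explanation: PINs are held under a
    keyed hash rather than in the clear, and one failed PIN authentication invalidates
    the PIN so that a fresh one must be issued."""

    def __init__(self, storage_key: bytes):
        self._key = storage_key
        self._pins = {}                      # enrollee UUID-E -> keyed hash of its PIN

    def _protect(self, pin: str) -> bytes:
        return hmac.new(self._key, pin.encode(), hashlib.sha256).digest()

    def enroll(self, uuid_e: str, pin: str) -> None:
        if not wps_pin_is_valid(pin):
            raise ValueError("malformed WPS PIN")
        self._pins[uuid_e] = self._protect(pin)

    def authenticate(self, uuid_e: str, pin_attempt: str) -> bool:
        stored = self._pins.get(uuid_e)
        if stored is None:
            return False
        if hmac.compare_digest(stored, self._protect(pin_attempt)):
            return True
        del self._pins[uuid_e]               # failed PIN auth: invalidate, no retries on this PIN
        return False

    def has_pin(self, uuid_e: str) -> bool:
        return uuid_e in self._pins


if __name__ == "__main__":
    pin = generate_wps_pin()
    print("generated PIN", pin, "valid:", wps_pin_is_valid(pin))
    reg = Registrar(b"constructed-storage-key")
    reg.enroll("uuid-e-example", pin)
    print("correct PIN accepted:", reg.authenticate("uuid-e-example", pin))
```

Invalidating on the first failure is what stops an eight-digit PIN, which has little entropy, from being guessed through repeated registration attempts; the keyed hash means a management interface that can read the Registrar's store still cannot recover the PINs.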

Explanation: There must be only one 'Root' mode bridge in a network. All other bridges must be configured for 'Non-Root' mode. If all bridges had the same default IP address configured, managing the bridges using HTTP or Telnet might not work correctly, but the bridges would still pass layer 2 frames. Wireless bridges do not route (a layer 3 function), and the bridge power source type is irrelevant to the passing of data traffic. It is common to use an omni antenna at the central 'hub' location and semi-directional antennas (patch, panel, yagi, etc.) at 'spoke' locations in a point-to-multipoint WLAN bridged network.

154

You are a WLAN administrator for a large hospital, and quick elimination of rogue wireless devices is critical according to your new security policy. Due to the size of the facility, locating a rogue access point or client device quickly and accurately has been a problem in the past. What step can you take to meet this new security policy requirement?

A. Use a WLAN protocol analyzer with a Yagi antenna
B. Use a GPS-enabled 802.11a/b/g PC card with an Omni antenna
C. Use the rogue triangulation feature in a WIPS with an integrated floor plan (yes)
D. Enable 802.11i-compliant rogue tracking in your access points
E. Use a laptop spectrum analyzer capable of 2.4 GHz and 5 GHz frequency ranges

Explanation: WIDS/WIPS can use either triangulation or fingerprinting technologies to pinpoint, within 10-20 feet, where a rogue AP or rogue client might exist. A graphic of the building's floor plan can be imported into the WIDS/WIPS software to assist in locating the rogue devices. For either of these technologies to work accurately, an adequate number of hardware sensors will be needed.

155

What is the benefit of 'Opportunistic PMK Caching' compared to the standard 'PMK Caching'?

A. The same PMK identifier is cached at each AP instead of a centralized controller to reduce the time required to authenticate
B. After the initial '4-way handshake' is completed, it can be bypassed when connecting to another access point connected to the same WLAN controller
C. The 802.1X authentication can be bypassed on an access point to which the client has already authenticated
D. The wireless client station only needs to pass 802.1X authentication once while roaming to other access points managed by the same WLAN controller (yes)

Explanation: With Opportunistic PMK Caching, the PMKSA (Pairwise Master Key Security Association) is pulled from the access point to which the STA originally associated and pushed to other access points (as determined by the WLAN controller). A new PMKID is given to the same PMK based on the new access point's MAC (BSSID) address. Next, the 4-Way Handshake ensues after the new access point receives an association request with the new (and correct) PMKID included within the RSN information element. This allows a client device that has already passed 802.1X authentication to skip the 802.1X authentication at other access points managed by the same WLAN controller. Only the 4-way handshake is needed, because the PMKID is cached at the WLAN controller.

156

As a WLAN intrusion expert, you are evaluating the security of ABC Company's 802.11a network. Using a WLAN protocol analyzer, you see 10 unsecured access points, each made by the same manufacturer. You attempt to log into each access point using the manufacturer's default management login parameters. You find that one access point has not had its default login changed by ABC Company's administrator yet. Once you are logged into this access point, what is the most network damage you could cause?

A. Configure the unsecured access point with WPA-Personal, disable SNMP and Telnet services, and change the login information (yes)
B. Disable configuration support on all interfaces including the console port and reboot the access point
C. Disable the PoE feature so that the access point cannot be powered up except with AC line power
D. Change the AAA password in this access point so that authorized users will not be able to authenticate against the RADIUS server using 802.1X/PEAP

Explanation: If all security configuration parameters are changed, authorized users and the administrator will be locked out of the access point. Neither end-user operation nor administration of the access point would then be possible unless the administrator connected to the console port locally on each device to reset it to factory defaults.

157

An attacker captures a wireless frame, modifies it, recalculates its ICV, and retransmits the modified frame to the intended destination. What type of attack is this, and what is the mitigating solution?

A. Man-in-the-middle attack - 802.11i per-frame authentication
B. En-route attack - CRC-32 checksum
C. Authentication attack - Replace passwords with x.509 certificates
D. Bit-flipping attack - Strong Message Integrity Check (MIC) (yes)
E. Hijacking attack - Mutual authentication

Explanation: A bit-flipping attack is an attack in which the hacker captures a data frame, modifies it, recalculates the Integrity Check Value (ICV) of the modified frame, and retransmits the modified frame to its intended destination. When the communicating nodes use a strong Integrity Check Value (ICV), also called a 'Message Integrity Check (MIC)' or 'Message Authentication Code (MAC)', modification becomes much more difficult. For example, TKIP is stronger than WEP because an additional 8-byte MIC was added to WEP's weak CRC-32 (4-byte) ICV.

158

What 802.11 authentication is supported by the 802.1X framework?

A. Open System (yes)
B. Shared Key
C. Mutual
D. Username and password
E. Digital Certificate
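The receiver-side difference behind question 157, as an added example that is not code from the question bank: a frame protected by an unkeyed CRC-32 ICV still verifies after its payload is altered and the checksum recomputed, while a keyed MIC over the same payload rejects the altered frame because the tag cannot be recomputed without the key. The frames are constructed byte strings, the key is a sample value, and the MIC is HMAC-SHA256 truncated to 8 bytes rather than TKIP's Michael.

```python
"""Added example, not code from the question bank: the receiver-side checks behind
question 157. A CRC-32 ICV is unkeyed, so a frame whose payload was altered and
whose ICV was recomputed passes the check; a keyed MIC cannot be recomputed
without the key, so the same alteration is detected. The frames are constructed
byte strings and the MIC is HMAC-SHA256 truncated to 8 bytes, not TKIP's Michael."""
import hashlib
import hmac
import struct
import zlib

MIC_KEY = b"constructed-mic-key"   # shared by the two stations, unknown to the forger


def frame_with_crc(payload: bytes) -> bytes:
    """WEP-style integrity: payload || CRC-32 ICV. No secret is involved."""
    return payload + struct.pack("<I", zlib.crc32(payload))


def crc_check(frame: bytes) -> bool:
    payload, icv = frame[:-4], frame[-4:]
    return struct.unpack("<I", icv)[0] == zlib.crc32(payload)


def frame_with_mic(payload: bytes) -> bytes:
    """TKIP-style integrity: payload || keyed MIC over the payload."""
    return payload + hmac.new(MIC_KEY, payload, hashlib.sha256).digest()[:8]


def mic_check(frame: bytes) -> bool:
    payload, mic = frame[:-8], frame[-8:]
    expected = hmac.new(MIC_KEY, payload, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(mic, expected)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def altered_crc_frame(frame: bytes, bit_index: int) -> bytes:
    """The situation in the question against a CRC ICV: the payload is altered and the
    checksum recomputed, which anyone can do; the receiver's crc_check still returns True."""
    return frame_with_crc(flip_bit(frame[:-4], bit_index))


def altered_mic_frame(frame: bytes, bit_index: int) -> bytes:
    """The same alteration against a keyed MIC: without MIC_KEY the old tag is all that
    can be sent, and the receiver's mic_check returns False."""
    return flip_bit(frame[:-8], bit_index) + frame[-8:]


def receiver_verdicts(payload: bytes, bit_index: int) -> dict:
    """Run one altered frame of each kind through its receiver-side check."""
    return {
        "crc_accepts_altered_frame": crc_check(altered_crc_frame(frame_with_crc(payload), bit_index)),
        "mic_accepts_altered_frame": mic_check(altered_mic_frame(frame_with_mic(payload), bit_index)),
    }


if __name__ == "__main__":
    print(receiver_verdicts(b"constructed frame body: amount=100", 13))
```

The point the verdicts make is that a checksum only detects accidental corruption; integrity against a deliberate change needs a tag that depends on a secret the sender and receiver share, which is what TKIP's MIC and CCMP's CBC-MAC add.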

Explanation: The IEEE 802.1X standard defines port-based network access control, which is used to provide authenticated network access for users wanting access to Ethernet and IEEE 802.11 wireless networks. With port-based network access control, a wireless station cannot send any frames on the network until access has been granted by the authenticator (typically a wireless access point or controller). Before the 802.1X authentication process can begin, the WLAN client must first have access to the 802.1X authenticator, meaning it must first perform wireless authentication to the access point or controller. The only supported method for this type of authentication when combined with 802.1X authentication is Open System authentication, which is transparent to the user because it always succeeds.

159

Before a client station can participate in a wireless LAN using a security solution based on the WPA2-Enterprise framework, what must occur?

A. The client station must be Open System authenticated and associated. (yes)
B. The client station must be issued an IP address by a DHCP server.
C. The client station must negotiate an authentication protocol to use with the Access Point.
D. The client station must be associated and EAP authenticated. (yes)
E. The client station must configure and enable its IPSec policy.
F. The client station must derive the PMK from the PSK.

Explanation: WPA2-Enterprise is synonymous with use of 802.1X/EAP with AES-CCMP and 802.11i compliance. The Wi-Fi Alliance released a white paper in March 2005 detailing WPA and WPA2 terminology, differences, and operational procedures: http://www.wi-fi.org/membersonly/getfile.asp?f=WFA_02_27_05_WPA_WPA2_White_Paper.pdf Per section 5.9 of the 802.11i-2004 amendment (see attached figure), a client station using 802.1X/EAP must first Open System authenticate and associate. Following Open System authentication, the 802.1X port-based access control mechanism can be used to facilitate EAP authentication over the uncontr olled port (see attached figure). Following successful EAP authentication, a 4-Way Handshake must take place between the supplicant (client) and the authenticator (AP) to derive and exchange encryption keys before the 802.1X controlled port is unblocked and secured data traffic can be transmitted over the RF medium. The 4-Way Handshake was not listed in the answer options, but it is useful information. Encryption algorithms are not negotiated: the client devices support whatever they support, and the APs support whatever they support. The AP announces supported authentication/encryption information in Beacons in a Robust Security Network (RSN). IPSec is a Layer-3 VPN solution and is unrelated to WPA2-Enterprise. WPA2-Enterprise uses 802.1X/EAP, not Passphrases and Preshared Keys. When using WPA-Personal or WPA2-Personal, the Passphrase is mapped to a Preshared Key, which is then considered to be the Pairwise Master Key (PMK). IP addresses are always issued to 802.11i-compliant WLAN client devices AFTER the client 1) is Open System authenticated and associated, 2) is EAP authenticated and associated, and 3) has successfully completed the 4-Way Handshake.

160

What are common applications of 802.11 Ad Hoc mode?

A. Testing alarm features of wireless intrusion detection systems
B. WLAN bridging between two nearby buildings
C. Internet access for small wireless workgroups (yes)
D. Throughput testing of Infrastructure Basic Service Sets
E. File sharing among personnel in a small office (yes)
F. Wireless hotspots in conference rooms or hotel lobbies
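The ordering described for questions 158 and 159 (Open System authentication, association, EAP over the uncontrolled port, the 4-Way Handshake, and only then DHCP and data over the controlled port), as an added example that is not code from the question bank: a small authenticator-side state model. The `Station` class, its state names and the frame kinds `eapol` and `dhcp` are this example's own; the decisions it makes are the ones 802.1X port-based access control makes.

```python
"""Added example, not code from the question bank: an access-point-side model of the
WPA2-Enterprise join sequence from questions 158 and 159. The class, state names and
frame kinds are this example's own; the ordering they enforce (Open System
authentication, association, EAP over the uncontrolled port, 4-Way Handshake,
then data such as DHCP over the controlled port) is the one 802.11i describes."""
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    OPEN_AUTHENTICATED = auto()   # 802.11 Open System authentication succeeded
    ASSOCIATED = auto()           # associated: uncontrolled port accepts EAPOL only
    EAP_AUTHENTICATED = auto()    # EAP success from the RADIUS server; PMK in place
    KEYED = auto()                # 4-Way Handshake done: controlled port unblocked


class Station:
    """State the authenticator keeps for one client MAC address."""

    def __init__(self, mac: str):
        self.mac = mac
        self.state = State.IDLE

    def auth_request(self, algorithm: str) -> bool:
        """802.11 authentication frame. Only Open System is accepted under 802.1X;
        the real credential check happens later in EAP, so Shared Key is refused."""
        if algorithm != "open_system":
            return False
        self.state = State.OPEN_AUTHENTICATED
        return True

    def associate(self) -> bool:
        if self.state is not State.OPEN_AUTHENTICATED:
            return False
        self.state = State.ASSOCIATED
        return True

    def eap_result(self, success: bool) -> bool:
        """Outcome of the EAP exchange that ran over the uncontrolled port.
        Failure deauthenticates the station, so it must start over."""
        if self.state is not State.ASSOCIATED:
            return False
        self.state = State.EAP_AUTHENTICATED if success else State.IDLE
        return success

    def four_way_handshake(self, mic_ok: bool) -> bool:
        """PTK derivation; a bad MIC on the handshake messages leaves the port blocked."""
        if self.state is not State.EAP_AUTHENTICATED or not mic_ok:
            return False
        self.state = State.KEYED
        return True

    def forward(self, frame_kind: str) -> bool:
        """Port-based access control for one frame from this station:
        'eapol' uses the uncontrolled port and is allowed once associated;
        anything else ('dhcp', 'ip') uses the controlled port and needs KEYED."""
        if frame_kind == "eapol":
            return self.state in (State.ASSOCIATED, State.EAP_AUTHENTICATED, State.KEYED)
        return self.state is State.KEYED


def wpa2_enterprise_join(sta: Station) -> list:
    """Walk one station through the sequence, recording the AP's forwarding decision
    for a DHCP request at each stage (only the last one is allowed through)."""
    trace = [("dhcp before authentication", sta.forward("dhcp"))]
    sta.auth_request("open_system")
    sta.associate()
    trace.append(("eapol after association", sta.forward("eapol")))
    trace.append(("dhcp after association", sta.forward("dhcp")))
    sta.eap_result(True)
    trace.append(("dhcp after EAP success", sta.forward("dhcp")))
    sta.four_way_handshake(mic_ok=True)
    trace.append(("dhcp after 4-Way Handshake", sta.forward("dhcp")))
    return trace


if __name__ == "__main__":
    for step, allowed in wpa2_enterprise_join(Station("00:11:22:33:44:55")):
        print(f"{step:<30} forwarded={allowed}")
```

The trace makes the exam point concrete: a DHCP request is dropped even after a successful EAP exchange, because the controlled port stays blocked until the 4-Way Handshake has proven both sides hold the PMK and installed the PTK.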

Explanation: While Ad Hoc (IBSS) WLANs were designed with no available distribution system (DS), we often see small peer-to-peer workgroups using Ad Hoc WLANs with one computer providing distribution services (routing, for example) to the Internet or other WAN services. Local area connectivity, such as file/printer sharing, is what Ad Hoc WLANs were designed to do.

161

What statements are true regarding access point firmware updates?

A. A WNMS distributes firmware to autonomous access points. (yes)
B. A WIPS distributes firmware to multiple vendors' autonomous access points.
C. A WLAN controller distributes firmware to lightweight access points. (yes)
D. Client devices notify the WNMS when an access point's firmware is out-of-date.
E. Autonomous access points automatically update firmware on their neighboring access points.

Explanation: Both solution architectures (autonomous access points with a WNMS, or WLAN controllers with lightweight APs) provide a centralized many-to-one update model. The value lies in obtaining some 'economy of scale' for larger architectures, whether based upon autonomous (i.e. fat) or lightweight (i.e. thin) access points. The WNMS requires a centralized software device manager that simplifies the management of distributed and disparate technologies. A WNMS can perform a number of functions, from 'templatizing' device configurations to updating the firmware on autonomous access points. WLAN controllers are the 'brains' behind the lightweight access point architecture. The controller device represents the centralized component used for communicating with multiple APs, managing traffic flows, and updating AP firmware when needed.

162

What conditions have to be met for a Wi-Fi client to take advantage of WMM Power Save?

A. The client AND access point must meet Wi-Fi CERTIFIED for WMM Power Save specifications (yes)
B. Latency-sensitive applications must support WMM Power Save (yes)
C. All other clients within range must be Wi-Fi CERTIFIED for WMM Power Save
D. RTS/CTS must be enabled when using WMM Power Save
E. The client operating system must support an 802.11e supplicant
F. The client must support long and short preambles

Explanation: The Wi-Fi Alliance has announced a new certification program for WMM Power Save, driven by the market demand for converged Wi-Fi mobile devices that support voice applications. WMM (Wi-Fi Multimedia) Power Save extends the battery life of Wi-Fi devices by increasing the efficiency and flexibility of data transmission. WMM Power Save certification indicates interoperability across vendors. Furthermore, Wi-Fi CERTIFIED for WMM Power Save devices will be able to operate in any Wi-Fi network and coexist with 802.11 legacy power-save mechanisms. Per the Wi-Fi Alliance whitepaper 'WMM Power Save for Mobile and Portable Wi-Fi CERTIFIED Devices', three conditions have to be met for a Wi-Fi client to take advantage of WMM Power Save:

1. The client is Wi-Fi CERTIFIED for WMM Power Save
2. The access point is Wi-Fi CERTIFIED for WMM Power Save
3. Latency-sensitive applications support WMM Power Save.

163

What feature allows a wireless client station to skip 802.1X authentication on an access point to which it has already authenticated?

A. Predictive roaming
B. PMK Caching (yes)
C. Fast authentication
D. Opportunistic PSK Caching

Explanation: As a wireless client roams from one wireless AP to another, it must perform a full 802.1X authentication with each wireless AP. WPA2 allows the wireless client and the wireless AP to cache the results of a full 802.1X authentication, so that if a client roams back to a wireless AP with which it has previously authenticated, the wireless client needs to perform only the 4-way handshake and determine new pairwise transient keys. In the Association Request frame, the wireless client includes a PMK identifier that was determined during the initial authentication and stored with both the wireless client's and the wireless AP's PMK cache entries. PMK cache entries are stored for a finite amount of time, as configured on the wireless client and the wireless AP.

164

You have been hired as a consultant by a client that has an HR-DSSS wireless network with one access point and several laptops using HR-DSSS WLAN cards. The client is concerned with throughput, and they want to know what they can do to increase it. Which of the following would you suggest?

A. Replace the access point with an OFDM capable access point to provide 54 Mbps.
B. Add another HR-DSSS access point in the same physical area and configure it to avoid co-channel interference. (yes)
C. Replace the access point with an ERP-OFDM access point and configure it for mixed mode.
D. Configure the client adapters to use Power Save Mode instead of Active Mode.
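The PMK identifier that questions 155 and 163 turn on, as an added example that is not code from the question bank: the PMKID is computed as 802.11i-2004 clause 8.5.1.2 defines it, HMAC-SHA1-128 over "PMK Name", the authenticator address and the supplicant address, and two small cache models show why standard PMK caching only helps on a return to the same AP while opportunistic caching at a controller lets the client skip 802.1X at every AP the controller manages. The cache classes, the PMK value and the MAC addresses are constructed for the example.

```python
"""Added example, not code from the question bank: the PMKID a station places in its
(re)association request, computed as 802.11i-2004 clause 8.5.1.2 defines it, plus two
small cache models for questions 155 and 163. The cache classes, the PMK value and the
MAC addresses are this example's own constructions."""
import hashlib
import hmac


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, aa: str, spa: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): AA is the authenticator
    (BSSID) address and SPA the supplicant address, so the same PMK yields a different
    PMKID at every AP, which is what opportunistic caching relies on."""
    data = b"PMK Name" + _mac_bytes(aa) + _mac_bytes(spa)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def rsn_pmkid_list(pmk: bytes, sta_mac: str, target_bssid: str) -> list:
    """What the client puts in the RSN information element when it (re)associates."""
    return [pmkid(pmk, target_bssid, sta_mac)]


class ApLocalPmkCache:
    """Standard PMK caching (question 163): an AP keeps only the PMKSAs it negotiated
    itself, so 802.1X is skipped only when the client returns to this same AP."""

    def __init__(self, bssid: str):
        self.bssid = bssid
        self.sa = {}                        # PMKID -> (client MAC, PMK)

    def on_eap_success(self, client_mac: str, pmk: bytes) -> None:
        self.sa[pmkid(pmk, self.bssid, client_mac)] = (client_mac, pmk)

    def reassociation(self, client_mac: str, pmkid_list: list):
        """PMK for the 4-Way Handshake, or None when a full 802.1X exchange is required.
        Matching the PMKID only selects the SA; the handshake still proves PMK possession."""
        for candidate in pmkid_list:
            entry = self.sa.get(candidate)
            if entry and entry[0] == client_mac:
                return entry[1]
        return None


class ControllerPmkCache:
    """Opportunistic PMK caching (question 155): the controller holds the PMKSA and
    pre-computes the PMKID for every AP it manages, so a client that roams to a new
    BSSID is matched by PMKID and goes straight to the 4-Way Handshake."""

    def __init__(self, managed_bssids):
        self.managed_bssids = list(managed_bssids)
        self.sa = {}                        # (BSSID, PMKID) -> (client MAC, PMK)

    def on_eap_success(self, client_mac: str, pmk: bytes) -> None:
        for bssid in self.managed_bssids:
            self.sa[(bssid, pmkid(pmk, bssid, client_mac))] = (client_mac, pmk)

    def reassociation(self, bssid: str, client_mac: str, pmkid_list: list):
        for candidate in pmkid_list:
            entry = self.sa.get((bssid, candidate))
            if entry and entry[0] == client_mac:   # PMKID must belong to this client's own SA
                return entry[1]
        return None


if __name__ == "__main__":
    pmk = bytes(range(32))                                  # constructed 256-bit PMK
    sta, ap1, ap2 = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"
    print("PMKID at ap1:", pmkid(pmk, ap1, sta).hex())
    print("PMKID at ap2:", pmkid(pmk, ap2, sta).hex())
    ctrl = ControllerPmkCache([ap1, ap2])
    ctrl.on_eap_success(sta, pmk)
    print("roam to ap2 skips 802.1X:", ctrl.reassociation(ap2, sta, rsn_pmkid_list(pmk, sta, ap2)) == pmk)
```

Because the PMKID is a keyed hash of the two addresses, the controller cannot be tricked into handing a PMK to a station that merely replays another client's PMKID from the air: the lookup checks the client address against the SA, and the 4-Way Handshake that follows fails without the PMK itself.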

Explanation: Co-locating multiple access points in the same physical space while using non-overlapping channels is a common way to increase throughput. For HR-DSSS (802.11b) access points, channels 1, 6 and 11 are considered non-overlapping and will not create channel interference. OFDM (802.11a) access points have higher potential throughput than HR-DSSS (802.11b) access points; however, because the client WLAN cards all use HR-DSSS (802.11b), an OFDM (802.11a) access point would not be a solution. Clients using HR-DSSS (802.11b) WLAN cards would not connect with greater throughput to an ERP-OFDM (802.11g) access point than to an HR-DSSS (802.11b) access point. Placing a client WLAN card that is in Active Mode into Power Save Mode would cause the client to periodically power down some parts of the card, resulting in lower throughput and higher latency.

165

Which item acts as an interface between an unsecured wireless network segment and a secure wired network segment?

A. Web site using HTTPS (SSLv3)
B. Translational Bridge performing bit reordering
C. Default Wireless Access Gateway
D. Enterprise Encryption Gateway (yes)
E. RADIUS workgroup server

Explanation: Enterprise Encryption Gateways are segmentation devices that implement layer 2 VPN technology with authentication and encryption. They do not perform routing, but instead simply have encryption on the controlled (unsecured) side and plain text on the protected side.

166

As a consultant, you have been hired to design a wireless LAN security solution. Of primary concern is a wireless man-in-the-middle (MITM) attack. Which security solution will prevent this type of attack?

A. 802.1X/PEAP (yes)
B. MAC filters
C. RADIUS
D. LDAP
E. L2TP VPN

Explanation: PEAP stands for Protected Extensible Authentication Protocol. This protocol was developed to transmit authentication data, including passwords, over 802.11 wireless networks. PEAP uses server-side digital certificates to authenticate wireless clients by creating an encrypted SSL tunnel between the client and the authentication server, which then protects the exchange of data over the wireless network. These encrypted tunnels prevent intrusion by unwanted persons and help prevent MITM attacks as well. Most wireless access points contain some type of MAC ID filtering that allows the administrator to permit access only to computers whose wireless adapters have certain MAC IDs. This can be helpful; however, IT personnel must remember that MAC IDs on a network can be spoofed (faked). There are many software utilities that allow MAC addresses to be changed easily. RADIUS is an authentication protocol, and by itself has no means to prevent MITM attacks. LDAP is a database type and protocol. In a wireless LAN, RADIUS may proxy authentication to an LDAP server to verify the identity of an authenticating user. L2TP VPNs do not, by themselves, provide encryption. Encryption is the key component to preventing MITM attacks.

167

One year ago, ABC Company installed four access points and configured them for 802.1X/LEAP using the integrated RADIUS services in each access point. ABC has outgrown the four access points and the maximum size of the integrated RADIUS database. ABC wishes to grow their wireless solution without changing their authentication scheme. Which solution will work for ABC Company?

A. Upgrade the existing access points to support TACACS+, which will allow for a larger integrated database size.
B. Use an EAP-enabled external RADIUS server for user authentication. (yes)
C. Upgrade all access points to WPA2-Personal, and give every user their own individual passphrase.
D. Double the number of access points to 8 and add more usernames to the integrated RADIUS database on each access point.

Explanation: The most scalable security solution is a centralized EAP-enabled RADIUS server. TACACS+ does not inherently allow for a larger database than RADIUS, and TACACS+ is rarely EAP-enabled. WPA2-Personal is no more scalable than WEP, and is a less secure and less scalable solution than WPA2-Enterprise, which uses RADIUS. WPA2-Personal uses a single passphrase for all users to authenticate and is designed primarily for SOHO rather than enterprise environments. Adding additional access points will not increase the maximum size of the integrated RADIUS server database.

168

You are considering upgrading your wireless security solution from WEP to WPA-Personal. What weakness would not be addressed in your security solution?

A. Forgery attacks
B. Jamming attacks (yes)
C. Replay attacks
D. Dictionary attacks (yes)
E. Collision attacks
F. Weak Key Attacks

Explanation: WPA-Personal (sometimes called WPA-PSK (pre-shared key)) addresses weaknesses found in WEP, including forgery, weak-key attacks, collision attacks, and replay attacks. Forgery attacks are performed by capturing encrypted packets, changing some of the data within them, and then resending the packets. WPA-Personal supports TKIP encryption, which uses an improved message integrity check (MIC) called Michael to thwart attempts to tamper with packets en route. WEP constructs a per-packet RC4 key by concatenating an RC4 base key and the packet Initialization Vector (IV). Weak key attacks look at a series of packets with different IVs to determine the RC4 base key. TKIP uses key mixing to derive short-lived encryption keys. Collision attacks occur when a key is repeated using the same IV, allowing the data to be recovered. TKIP expands the number of bits used for the IV (from 24 to 48). Replay attacks occur when an attacker eavesdrops, records transmitted data, and then retransmits the data. TKIP uses a sequence number for generated packets. WPA-Personal's implementation of TKIP has already been found to be vulnerable to dictionary attacks through an application called coWPAtty. All wireless security solutions are vulnerable to Jamming attacks.

169

Which type of wireless attack is virtually undetectable?

A. Eavesdropping (yes)
B. Man-in-the-Middle
C. Denial of Service
D. Hijacking
E. Jamming

Explanation: A network-connected device operating in promiscuous mode captures all frames on a network, not just frames that are addressed directly to it. A network analyzer operates in this mode to capture network traffic for evaluation and to measure traffic for statistical analysis. A hacker may also use a promiscuous mode device to capture network traffic for unscrupulous activities. Devices operating in promiscuous mode only 'listen' to the conversation and do not participate, making them nearly impossible to detect. The best defense against eavesdropping is to encrypt any valuable information.

170

What may be used for the purpose of segmenting (enabling a control point) a WLAN from the network core in the enterprise?

A. Ethernet Switch
B. Dual-band Access Points
C. WLAN Switch/Controller (yes)
D. Wireless Intrusion Prevention System
E. Authentication Server

Explanation: A WLAN Switch/Controller supports VLAN frame tagging, ACLs, packet-filtering firewall functions, user authentication, and role-based access control (RBAC), which allow the WLAN users to be segmented from the network core. While most Ethernet switches support VLANs, they are unable to segment and filter 802.11 client devices and users. Dual-band access points, Wireless Intrusion Prevention Systems (WIPS) and an Authentication Server do not inherently support segmentation features.

171

Which configurations are considered optional for Wi-Fi Protected Setup Certification?

A. Near Field Communication (NFC) (yes)
B. Personal Identification Number (PIN)
C. Universal Serial Bus (USB) (yes)
D. Push Button Configuration (PBC)
E. Pre-shared Key (PSK)

Explanation: The Wi-Fi Protected Setup specification mandates that all Wi-Fi CERTIFIED products that support Wi-Fi Protected Setup are tested and certified to include both PIN and PBC configurations in APs, and at a minimum, PIN in client devices. A Registrar, which can be located in a variety of devices, including an AP or a client, issues the credentials necessary to enroll new clients on the network. In order to enable users to add devices from multiple locations, the specification also supports having multiple Registrars on a single network. Registrar capability is mandatory in an AP. The optional NFC and USB methods, like PBC, join devices to a network without requiring the manual entry of a PIN. In NFC configuration, Wi-Fi Protected Setup is activated simply by touching the new device to the AP or another device with Registrar capability. The USB method transfers credentials via a USB flash drive (UFD). Both provide strong protection against adding an unintended device to the network. However, Wi-Fi certification for USB and NFC is not currently available.

172

What is a common reason the location-based identification service found in a typical wireless intrusion prevention system might fail to correctly estimate the location of a transmitter?

A Transmitter is operating in promiscuous mode
B Transmitter is changing channels dynamically
C Transmitter is using a MAC spoofing attack (yes)
D Transmitter is using a physical-layer flood attack
E Transmitter is performing a layer 2 DoS attack

Explanation: Most WIPS offer some sort of location-based identification service, commonly implemented by examining the RSSI of frames based on the source MAC address and triangulating the information with data from other sensors to estimate the location of the transmitter. This works well to identify rogue access points, but is not reliable when an attacker uses MAC spoofing. In a MAC spoofing attack, the attacker will transmit malformed frames into the network by impersonating a valid station or access point. This is problematic for location reporting algorithms, since the algorithm is unable to differentiate legitimate and illegitimate RSSI values for the same source MAC address.

173

ABC University is deploying a WLAN across 30 campus buildings to provide ubiquitous wireless network and internet access to 7,500 college students. ABC's security policy mandates physical security of infrastructure network devices. What measures could ABC take toward securing the wireless infrastructure for each of their 30 campus buildings?

A Install access points in lockable ceiling-mount enclosures. (yes)
B Enable password security on the console port of all access points. (yes)
C Always mount APs in redundant pairs as a precaution against tampering
D Use only access points with non-removable antennas to prevent antenna theft.
E Use only PoE powered access points to prevent unauthorized use in case of theft.

Explanation: Many non-metal lockable enclosures are available from the manufacturers and other vendors. Many lockable enclosures include antenna mounts for better signal reception. Most console ports can be password protected and should use a strong password in case physically securing the AP fails to prevent its theft. Having access to a console port of a WLAN infrastructure device gives an intruder almost unlimited access to the network infrastructure.

174

Given: Two standard approaches for communicating in MIMO systems are spatial multiplexing and antenna diversity. How do these approaches differ?

A Antenna diversity uses multiple antennas to improve throughput.
B Spatial multiplexing requires each spatial stream to be sent using a separate transmitter. (yes)
C Antenna diversity sends the same spatial stream across each antenna. (yes)
D Spatial multiplexing combines multiple channels to achieve greater throughput.
E Antenna diversity requires both the transmitter and receiver to support spatial streaming.

Explanation: When a signal travels over different paths to a single receiver, the time that the signal arrives at the receiver depends on the length of the path it traveled. The signal traveling the shortest path will arrive first, followed by copies or echoes of the signal slightly delayed by each of the longer paths that the copies traveled. When traveling at the speed of light, as radio signals do, the delays between the first signal to arrive and its copies are very small, only nanoseconds. (A rule of thumb for the distance covered at the speed of light is roughly one foot per nanosecond.) This delay is enough to cause significant degradation of the signal at a single antenna because all the copies interfere with the first signal to arrive. A MIMO radio sends multiple radio signals at the same time and takes advantage of multipath. Because there is some space between each of these antennae, each signal follows a slightly different path to the receiver. With spatial diversity (aka antenna diversity) the same spatial stream is sent across each antenna, using multipath to increase the chance of correctly decoding the received signal, which lowers the bit error rate. With spatial multiplexing, each spatial stream is sent from its own antenna using a separate transmitter. Each radio can also send a different data stream from the other radios. The receiver has multiple antennas as well, each with its own radio. Each of the receive radios independently decodes the arriving signals. Then, each radio's received signal is combined with the signals from the other receive radios, resulting in a much better receive signal than can be achieved with either a single antenna or even with transmit beamforming.

175

Given: A functional security policy describes technology-related procedures that must be followed to maintain a secure network. Which elements belong in a functional security policy?

A Password policies (yes)
B Training requirements (yes)
C Risk assessment
D Asset management (yes)
E Impact analysis
F Violation Reporting Procedures

Explanation: A functional security policy describes technology-related procedures that must be followed to keep the network secure, and provides specific methods of mitigating threats described in the general security policy. A functional policy should contain password policies, training requirements, acceptable usage, security configuration for devices, and asset management.

176

Examining a typical WLAN card's utilities, you would expect to see options for WEP keys with how many bits?

A 24
B 60
C 40 (yes)
D 104 (yes)
E 168
F 256

Explanation: The WEP seed is created by concatenating a hardware-generated 24-bit Initialization Vector (IV) with the actual secret key. WEP keys are typically 40 or 104 bits long, making the final WEP seed length 64 bits (24-bit IV + 40-bit secret) or 128 bits (24-bit IV + 104-bit secret). Some vendors choose to include the 24-bit IV in their utilities (allowing you to select 64- or 128-bit WEP) while others choose not to (offering 40- or 104-bit options). 40-bit and 64-bit WEP keys are the same thing, and 104-bit and 128-bit WEP keys are the same thing.

177

Your organization is using WPA2 compliant 802.1X/PEAPv0/EAP-TLS with x.509 certificates for WLAN security. What type of attacks can an intruder effectively mount if no WIPS is in place?

A WLAN hijacking attack
B Man-in-the-middle attack
C RF DoS attack (yes)
D Rogue access point attack (yes)
E MAC spoofing attack
F Eavesdropping attack

Explanation: 802.1X/PEAPv0/EAP-TLS uses x.509 (SSL) certificates to securely authenticate both the client and the authentication server. PEAP's mutual authentication prevents man-in-the-middle and WLAN hijacking attacks. RF DoS attacks cannot be prevented other than with physical security. Since this network is using user-based authentication, MAC spoofing would yield nothing. WPA2 networks use CCMP/AES to encrypt data, so eavesdropping attacks are thwarted. Rogue access points can be placed and used by an attacker, though they could not be used by an authorized user because their computer would try to start an 802.1X/EAP authentication and perform mutual authentication with the authentication server.

178

Given: An inherent weakness of the original IEEE 802.11 standard is the lack of AAA (Authentication, Authorization, and Accounting) services. What technology is used as part of a network to provide AAA services to enhance wireless security?

A IEEE 802.1X
B EAP
C WEP
D RADIUS (yes)
E L2TP/IPSec
F PPTP

Explanation: The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a Network Access Server (NAS) and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations. A RADIUS AAA server can manage user profiles for authentication (verifying user name and password), configuration information that specifies the type of service to deliver, and policies to enforce that may restrict user access.
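The NAS-to-AAA-server exchange described in the explanation above, as a worked example added to this study guide (it is not reference code from RFC 2865 or from any vendor): the NAS builds an Access-Request, hides the User-Password under the shared secret, and the server answers with a Response Authenticator that the NAS can verify. The user database, shared secret and MAC-free packet layout are constructed for the demonstration; a real deployment would also carry NAS-IP-Address, NAS-Port and similar attributes.

```python
"""Added example: RFC 2865 Access-Request / Access-Accept protection with the
shared secret. User, secret and Request Authenticator values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

USERS = {b"alice": b"correct horse"}  # constructed AAA user database


def _attr(attr_type, value):
    """RADIUS attribute TLV: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with
    MD5(secret || c[i-1]), where c[0] is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, performed by the AAA server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """NAS side. The Request Authenticator must be unpredictable; it is a
    parameter here only so the example is reproducible."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_attributes(attrs):
    """Walk the attribute TLVs, rejecting malformed lengths."""
    result, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        result[attr_type] = attrs[pos + 2:pos + length]
        pos += length
    return result


def aaa_server_handle(packet, secret):
    """AAA server side: recover the password, check it, and reply with a
    Response Authenticator bound to this request and the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:HEADER_LEN]
    attrs = parse_attributes(packet[HEADER_LEN:length])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    user = attrs.get(ATTR_USER_NAME, b"")
    ok = user in USERS and hmac.compare_digest(USERS[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, identifier, HEADER_LEN)
    return header + response_authenticator(reply_code, identifier, b"", request_auth, secret)


def verify_response(packet, request_auth, secret):
    """NAS side: a reply whose authenticator does not match was not produced by
    a server holding the secret for this exact request (no forged Accepts)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        return False
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def demo(password=b"correct horse", server_secret=None):
    """One exchange; returns (reply code, NAS accepts the reply as authentic)."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # fixed for reproducibility only
    request = build_access_request(7, b"alice", password, secret, request_auth)
    reply = aaa_server_handle(request, server_secret or secret)
    return reply[0], verify_response(reply, request_auth, secret)
```

demo() returns (2, True) for a correct password, (3, True) for a wrong one (an authentic Access-Reject), and (3, False) when the server holds a different secret, which is the case a NAS must treat as no answer at all. Note that this RFC 2865 scheme only hides the password and authenticates the reply; it is why RADIUS between NAS and server still needs a transport such as IPsec on untrusted segments.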

179

ABC Hospital has spent a very large budget on a small 802.11g WLAN implementation to assure its security. There are layer 2, layer 3, and layer 7 security solutions in place, and no matter how many networking tools and approaches you try, you cannot circumvent their security solution. As an intruder, what is your next move in circumventing ABC's network security?

A Theft of a wireless LAN enabled laptop that contains authorized user credentials (yes)
B Use a wideband RF jamming device to interfere with the 2.4 GHz ISM spectrum, and then capture user credentials during reauthentication
C Connect your own access point to an RJ-45 wall jack in an unsecured patient room (yes)
D A call to ABC's help desk impersonating an authorized user in an attempt to gain network user credentials (yes)
E Attempt to circumvent WEP on the hospital administrator's home WLAN
F Theft of a lightweight (thin) access point to obtain cached user credentials

Explanation: Social Engineering is an out-of-band approach to circumvent security measures, and wireless LANs are no exception. No amount of security solutions can replace an effective security policy. Security policy will dictate training of help desk personnel to mitigate social engineering attacks such as this. Physical security of devices such as laptop computers that may hold digital certificates or username/password credentials is also imperative and should be addressed in the corporate security policy. Placing a rogue access point onto the wired network will allow the intruder to bypass all security measures in most cases. For this reason, good physical security and a quality wireless intrusion prevention system are key elements in a solid security solution.

180

Which 802.1X/EAP WLAN security solutions will interoperate with a One Time Password (OTP) server?

A LEAP
B PEAPv0/PAP-OTP
C EAP-FAST (yes)
D EAP-SSLv3
E PEAPv1/EAP-GTC (yes)
F EAP-TLS

Explanation: A basic authentication scheme is for a server to request a password from the client. The client types the password and sends it over the network medium to the server. This technique is vulnerable to eavesdroppers who may be monitoring the line with protocol analyzers. Captured information can be used by a hacker in a 'replay attack' to illegally log on to a system. Even an encrypted password can be used in this manner. A challenge/response is a security mechanism for verifying the identity of a user or system without the need to send the actual password across the network medium. The server sends a challenge, which is a string of alpha or numeric characters, to a client. This client then combines the string with its password and, from this, a new password is generated. The new password is sent to the server. If the server can generate the same password from the challenge it sent the client and the client's password, then the client must be authentic. An OTP (one-time password) system generates a series of passwords that are used to log on to a specific system. Once one of the passwords is used, it cannot be used again. The logon system will always expect a new one-time password at the next logon. This is done by decrementing a sequence number. Therefore, the possibility of replay attacks is eliminated. The series of passwords is created by the client, which combines a seed value with a secret password that only the client knows. This combination is then run through either the MD4 or MD5 hash functions repeatedly to generate the sequence of passwords. Smart cards and token-based authentication methods use one time passwords. The IETF has developed an OTP that is based on the earlier Bellcore S/KEY one-time password system. A number of Internet RFCs discuss one-time passwords. These include RFC 1760 (The S/KEY One-Time Password System, February 1995), RFC 2243 (OTP Extended Responses, November 1997), RFC 2289 (A One-Time Password System, February 1998), and RFC 2444 (The One-Time-Password SASL Mechanism, October 1998). Also see RFC 1511 (Common Authentication Technology Overview, September 1993), RFC 1704 (On Internet Authentication, October 1994), and RFC 2401 (Security Architecture for the Internet Protocol, November 1998).

181

You are trying to explain to a junior-level technician the properties of a Wi-Fi RF signal. Which of the following statements could you correctly make?

A Amplitude is the most basic quality of an RF signal, and a signal's frequency, wavelength, phase, and polarity are all qualities based upon it.
B Stations that want to directly communicate must transmit and receive on the same frequency. (yes)
C Antennas are most receptive to signals that have a wavelength equal to 1/2 the length of the antenna's element.
D Two signals that are 180 degrees out of phase will cancel each other out, resulting in a null. (yes)
E Transmit and receive antennas should be polarized in the same way for the most effective communication. (yes)
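The one-time-password chain described in the explanation to question 180 above, as a worked example added to this study guide (it is not the S/KEY or RFC 2289 reference implementation). It shows the client-side hash chain and the server-side check that decrements the sequence number, so a captured password is useless on the next logon. Assumptions: SHA-256 stands in for the MD4/MD5 named in the text, and RFC 2289's 64-bit folding and six-word encoding are left out; the seed and passphrase values are constructed.

```python
"""Added example: an S/KEY-style one-time-password chain with replay-safe
server verification. Hash choice and sample values are assumptions."""
import hashlib
import hmac


def otp_chain(seed, passphrase, count):
    """Client side: chain[0] = H(seed || passphrase), chain[i] = H(chain[i-1]).
    chain[count] is registered with the server once; the client then spends
    the chain from chain[count-1] downwards, one link per logon."""
    value = hashlib.sha256(seed + passphrase).digest()
    chain = [value]
    for _ in range(count):
        value = hashlib.sha256(value).digest()
        chain.append(value)
    return chain


class OtpServer:
    """Stores only the last accepted value and the remaining sequence number,
    never the passphrase: neither an eavesdropped password nor the server's
    own database yields the next password, because H is one-way."""

    def __init__(self, seed, count, registered_value):
        self.seed = seed                 # sent to the client in the challenge
        self.sequence = count            # links still unused
        self.last = registered_value

    def challenge(self):
        """(sequence number, seed) the client needs to compute its next password."""
        return self.sequence - 1, self.seed

    def login(self, presented):
        if self.sequence == 0:
            return False                 # chain exhausted: re-initialise first
        if not hmac.compare_digest(hashlib.sha256(presented).digest(), self.last):
            return False                 # wrong link, or a replay of an older one
        self.sequence -= 1               # decrement: the next logon needs a new link
        self.last = presented
        return True


def demo():
    """Outcomes of: first logon, replay of that password, the next two links,
    and a logon attempt after the chain is used up."""
    seed, passphrase = b"ex01", b"correct horse battery"
    chain = otp_chain(seed, passphrase, 3)
    server = OtpServer(seed, 3, chain[3])
    return (
        server.login(chain[2]),   # fresh password: accepted
        server.login(chain[2]),   # eavesdropper replays it: rejected
        server.login(chain[1]),
        server.login(chain[0]),
        server.login(chain[0]),   # nothing left in the chain
    )
```

demo() returns (True, False, True, True, False). The replay fails because the server now expects a value that hashes to the password it just accepted, and the attacker cannot invert the hash to find it; when the sequence reaches zero the client must register a new chain.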

Explanation: An RF signal's polarity is independent of its amplitude. Stations must use the same frequency to communicate. For example, OFDM (802.11a) (5 GHz) and HR-DSSS (802.11b) devices (2.4 GHz) operate at different frequencies, and cannot communicate with each other. A wireless station on channel 6 cannot communicate directly with another station on channel 11. Antennas are most receptive to signals that have a wavelength equal to the length of the antenna's element. Antenna elements of 1/2 and 1/4 wavelength are the next best options. Signals in phase will result in a stronger signal, while those 180 degrees out of phase will cancel each other out. The most effective communication will occur when both antennas are either in horizontal polarization or vertical polarization. However, even if two antennas are not in polarization with each other, they will still likely receive a signal's reflection.

182

You are hired by ABC Company to erect an antenna tower on top of a multi-tenant building for a 5 GHz wireless LAN bridge link. Which questions should you ask ABC Company's facility manager as part of the site survey?

A Is the roof adequate to support the weight of the tower? (yes)
B Are there cordless phones in use in the building?
C Are there strong wind gusts on the roof? (yes)
D Are there any cellular towers near this building?
E How tall is this building? (yes)
F Has this land lot been zoned for commercial or industrial use?

Explanation: The roof of a building may not be adequate to support the weight of a large radio tower. Often, a structural engineer must be called in to evaluate the feasibility of adding the tower. High wind velocity on the roof of the building may dictate the need to use grid antennas instead of dish antennas. Grid antennas allow the wind to pass through them, whereas dish antennas would catch the wind. Dish antennas could be moved temporarily or permanently by high wind, degrading the WLAN bridge link. The U.S. Code of Federal Regulations, Part 47, Section 17 requires notification of the FAA of any towers over 200 feet. Additional regulations may apply to antenna height as shown below.

TITLE 47--TELECOMMUNICATION
CHAPTER I--FEDERAL COMMUNICATIONS COMMISSION
PART 17--CONSTRUCTION, MARKING, AND LIGHTING OF ANTENNA STRUCTURES--Table of Contents
Subpart B--Federal Aviation Administration Notification Criteria
Sec. 17.7 Antenna structures requiring notification to the FAA.

A notification to the Federal Aviation Administration is required, except as set forth in Sec. 17.14, for any of the following construction or alteration:
(a) Any construction or alteration of more than 60.96 meters (200 feet) in height above ground level at its site.
(b) Any construction or alteration of greater height than an imaginary surface extending outward and upward at one of the following slopes:
(1) 100 to 1 for a horizontal distance of 6.10 kilometers (20,000 feet) from the nearest point of the nearest runway of each airport specified in paragraph (d) of this section with at least one runway more than 0.98 kilometers (3,200 feet) in actual length, excluding heliports.
(2) 50 to 1 for a horizontal distance of 3.05 kilometers (10,000 feet) from the nearest point of the nearest runway of each airport specified in paragraph (d) of this section with its longest runway no more than 0.98 kilometers (3,200 feet) in actual length, excluding heliports.
(3) 25 to 1 for a horizontal distance of 1.52 kilometers (5,000 feet) from the nearest point of the nearest landing and takeoff area of each heliport specified in paragraph (d) of this section.
(c) When requested by the FAA, any construction or alteration that would be in an instrument approach area (defined in the FAA standards governing instrument approach procedures) and available information indicates it might exceed an obstruction standard of the FAA.
(d) Any construction or alteration on any of the following airports (including heliports):
(1) An airport that is available for public use and is listed in the Airport Directory of the current Airman's Information Manual or in either the Alaska or Pacific Airman's Guide and Chart Supplement.
(2) An airport under construction, that is the subject of a notice or proposal on file with the Federal Aviation Administration, and except for military airports, it is clearly indicated that the airport will be available for public use.
(3) An airport that is operated by an armed force of the United States.

183

What feature in a WPA-Enterprise network mitigates wireless replay attacks?

A MIC-MAC key hashing
B RADIUS replay mitigation
C Frame sequence numbers (yes)
D Anti-bitflip hashed code keying
E Frame extension bit ordering
F EAP authentication

Explanation: By numbering frames, TKIP (used as the security protocol in WPA networks) can see when a frame is inserted into the data stream out of sequence or when a series of frames are replayed on the medium. TKIP designates out-of-sequence or replayed frames as invalid.

184

What security policies and procedures should be in place for helpdesk personnel to prevent a social engineering attack?

A Positively identify the person calling for help (yes)
B Use established, secure channels for passing security information (yes)
C Report suspicious activity (yes)
D Do not throw away documents containing security information
E Require password verification before providing assistance
F Never provide support using e-mail

Explanation: Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. Support centers and help desks are designed to provide help, which makes them susceptible to social engineering. To help prevent social engineering, helpdesk personnel should be well trained and should follow policies and procedures including:
- Positively identify the person calling or requesting help
- Use established, secure channels for passing security information (e.g. encrypted e-mail)
- Report suspicious activity
- Establish procedures that eliminate password exchanges. Personnel should never ask for or have access to users' passwords
- Shred company documents before disposing of them

185

Which data rates MUST be supported in order to comply with IEEE OFDM specifications?

A 6, 12, 18 Mbps
B 12, 18, 24 Mbps
C 18, 24, 36 Mbps
D 6, 12, 24 Mbps (yes)
E 6, 24, 54 Mbps

Explanation: Section 17.1 of the OFDM (802.11a) amendment states: 'This clause specifies the PHY entity for an orthogonal frequency division multiplexing (OFDM) system and the additions that have to be made to the base standard to accommodate the OFDM PHY. The radio frequency LAN system is initially aimed for the 5.15-5.25, 5.25-5.35 and 5.725-5.825 GHz unlicensed national information infrastructure (U-NII) bands, as regulated in the United States by the Code of Federal Regulations, Title 47, Section 15.407. The OFDM system provides a wireless LAN with data payload communication capabilities of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. The support of transmitting and receiving at data rates of 6, 12, and 24 Mbps is mandatory. The system uses 52 subcarriers that are modulated using binary or quadrature phase shift keying (BPSK/QPSK), 16-quadrature amplitude modulation (QAM), or 64-QAM. Forward error correction coding (convolutional coding) is used with a coding rate of 1/2, 2/3, or 3/4.'

186

In what situation would use of 802.11 frame fragmentation increase WLAN throughput by decreasing frame retransmission?

A When using PCF mode with CF-pollable and non-pollable stations in the BSS
B When operating in IBSS mode and using the default MTU settings
C When a source of RF interference is near the ERP-OFDM transmitter or receiver (yes)
D When HR-DSSS clients are operating in an ERP-OFDM BSS

187

What security mechanism does the 802.1X protocol address?

A Wireless authentication
B Port-based access control (yes)
C Layer 2 encryption
D Power over Ethernet
E Not a real protocol - should be 802.11X

Explanation: The IEEE 802.11i Task Group adopted the 802.1X port-based access control protocol used in wired switches. The 802.1X protocol does not itself define an authentication method, but uses EAP for authentication. Per www.whatis.com: The 802.1X standard is designed to enhance the security of wireless local area networks (WLANs) that follow the IEEE 802.11 standard. 802.1X provides an authentication framework for wireless LANs, allowing a user to be authenticated by a central authority. The actual algorithm that is used to determine whether a user is authentic is left open and multiple algorithms are possible. 802.1X uses an existing protocol, the Extensible Authentication Protocol (EAP, RFC 2284), that works on Ethernet, Token Ring, or wireless LANs, for message exchange during the authentication process. In a wireless LAN with 802.1X, a user (known as the supplicant) requests access to an access point (known as the authenticator). The access point forces the user (actually, the user's client software) into an unauthorized state that allows the client to send only an EAP start message. The access point returns an EAP message requesting the user's identity. The client returns the identity, which is then forwarded by the access point to the authentication server, which uses an algorithm to authenticate the user and then returns an accept or reject message back to the access point. Assuming an accept was received, the access point changes the client's state to authorized and normal traffic can now take place. The authentication server may use the Remote Authentication Dial-In User Service (RADIUS), although 802.1X does not specify it.

188

When using a protocol analyzer to troubleshoot an ERP-OFDM network, you occasionally see CF-Poll and CF-ACK frames. Knowing that these frames are used in a PCF mode network, what could be a logical explanation for seeing these frames?

A These frames are corrupted, and the protocol analyzer is misinterpreting the remaining frame fragments. (yes)
B If there are no PCF-mode client stations, the AP will periodically poll itself.
C You are using a PCF-mode protocol analyzer instead of a DCF-mode protocol analyzer.
D CF-Poll and CF-ACK frames are used by the AP to poll stations operating in Power-Save mode.
E When an HR-DSSS client station associates with the BSS, the AP switches to PCF mode immediately.

Explanation: WLANs regularly experience collisions which corrupt the 802.11 frames. Analyzers typically show when 802.11 frames are corrupted by 'flagging' them. Some analyzers do not display corrupted frames at all. Analyzers always try to interpret what frame is being received, even when it's only a frame fragment (due to a collision or other problems on the RF medium). These frame fragments are often misinterpreted as frames only allowable in PCF mode such as CF-Poll.

189

Given: An 802.11i-compliant wireless client station wants to seamlessly roam between 802.11i-compliant access points. The client station and all access points are part of a Robust Security Network (RSN). The client station is running a VoIP application that is latency sensitive. In order for the client station to seamlessly and quickly roam between access points, what value must be passed from the client station to the new access point in a Reassociation Request frame?

A IP subnet information
B MSDU fragmentation threshold values
C Client station's configuration profile name
D Pairwise Master Key Identifier (yes)
E Wireless VLAN tag parameters

Explanation: The 802.11i amendment states:

7.3.2.25.4 PMKID
The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP. The PMKID Count specifies the number of PMKIDs in the PMKID List field. The PMKID list contains 0 or more PMKIDs that the STA believes to be valid for the destination AP. The PMKID can refer to
a) A cached PMKSA that has been obtained through preauthentication with the target AP
b) A cached PMKSA from an EAP authentication
c) A PMKSA derived from a PSK for the target AP

8.4.1.2.1 Security association in an ESS
A STA roaming within an ESS establishes a new PMKSA by one of three schemes:
- In the case of (re)association followed by IEEE 802.1X or PSK authentication, the STA repeats the same actions as for an initial contact association, but its Supplicant also deletes the PTKSA when it roams from the old AP. The STA's Supplicant also deletes the PTKSA when it disassociates/deauthenticates from all basic service set identifiers (BSSIDs) in the ESS.
- A STA (AP) can retain PMKs for APs (STAs) in the ESS to which it has previously performed a full IEEE 802.1X authentication. If a STA wishes to roam to an AP for which it has cached one or more PMKSAs, it can include one or more PMKIDs in the RSN information element of its (Re)Association Request frame. An AP whose Authenticator has retained the PMK for one or more of the PMKIDs can skip the 802.1X authentication and proceed with the 4-Way Handshake. The AP shall include the PMKID of the selected PMK in Message 1 of the 4-Way Handshake. If none of the PMKIDs of the cached PMKSAs matches any of the supplied PMKIDs, then the Authenticator shall perform another IEEE 802.1X authentication. Similarly, if the STA fails to send a PMKID, the STA and AP must perform a full IEEE 802.1X authentication.
- A STA already associated with the ESS can request its IEEE 802.1X Supplicant to authenticate with a new AP before associating to that new AP. The normal operation of the DS via the old AP provides the communication between the STA and the new AP. The STA's IEEE 802.11 management entity delays reassociation with the new AP until IEEE 802.1X authentication completes via the DS. If IEEE 802.1X authentication completes successfully, then PMKSAs shared between the new AP and the STA will be cached, thereby enabling the possible usage of reassociation without requiring a subsequent full IEEE 802.1X authentication procedure.

190

Given: A functional security policy describes technology-related procedures that must be followed to maintain a secure network. Which elements belong in a functional security policy?

A Password policies (yes)
B Training requirements (yes)
C Risk assessment
D Asset management (yes)
E Impact analysis
F Violation Reporting Procedures
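The PMKID caching logic quoted in the explanation to question 189 above, as a worked example added to this study guide (it is not the 802.11i text or any vendor's implementation). It computes the PMKID exactly as the amendment defines it, HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), and shows the authenticator deciding between a fast reassociation (straight to the 4-Way Handshake) and a full 802.1X authentication. Assumptions: full_8021x_auth is a stand-in for the real EAP exchange and derives a constructed PMK; the MAC addresses are constructed.

```python
"""Added example: 802.11i PMKID derivation and the authenticator's PMKSA cache
lookup on a Reassociation Request. EAP stand-in and addresses are constructed."""
import hashlib
import hmac


def pmkid(pmk, aa, spa):
    """802.11i 8.5.1.2: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA);
    AA is the authenticator (AP) address, SPA the supplicant (STA) address."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Authenticator:
    """AP side. The PMKSA cache is keyed by PMKID and remembers the SPA."""

    def __init__(self, aa):
        self.aa = aa
        self.cache = {}            # PMKID -> (PMK, SPA)
        self.full_auth_count = 0

    def full_8021x_auth(self, spa):
        """Stand-in for a full 802.1X/EAP exchange (assumption): yields a PMK
        and caches the resulting PMKSA for later fast roaming."""
        self.full_auth_count += 1
        material = b"constructed pmk" + self.aa + spa + bytes([self.full_auth_count])
        pmk = hashlib.sha256(material).digest()
        self.cache[pmkid(pmk, self.aa, spa)] = (pmk, spa)
        return pmk

    def reassociation_request(self, spa, pmkid_list):
        """Returns (PMK, "fast" | "full"). A PMKID is honoured only if it is
        cached AND recomputes for this SPA, so one station cannot reuse another
        station's PMKSA merely by presenting its 16-byte PMKID."""
        for candidate in pmkid_list:
            entry = self.cache.get(candidate)
            if entry and hmac.compare_digest(pmkid(entry[0], self.aa, spa), candidate):
                return entry[0], "fast"        # skip 802.1X, go to the 4-Way Handshake
        return self.full_8021x_auth(spa), "full"


class Supplicant:
    """STA side: keeps the PMK per AP it has fully authenticated with."""

    def __init__(self, spa):
        self.spa = spa
        self.pmks = {}             # AA -> PMK

    def pmkids_for(self, aa):
        """PMKID list to place in the RSN IE of the (Re)Association Request."""
        return [pmkid(self.pmks[aa], aa, self.spa)] if aa in self.pmks else []


def demo():
    """Initial contact, roam to a second AP, roam back, and a foreign station
    presenting the first station's PMKID."""
    sta = Supplicant(bytes.fromhex("020000000001"))
    ap1 = Authenticator(bytes.fromhex("02000000000a"))
    ap2 = Authenticator(bytes.fromhex("02000000000b"))
    pmk1, first = ap1.reassociation_request(sta.spa, sta.pmkids_for(ap1.aa))  # nothing cached
    sta.pmks[ap1.aa] = pmk1
    pmk2, roam = ap2.reassociation_request(sta.spa, sta.pmkids_for(ap2.aa))   # new AP
    sta.pmks[ap2.aa] = pmk2
    pmk3, back = ap1.reassociation_request(sta.spa, sta.pmkids_for(ap1.aa))   # cached PMKSA
    other = bytes.fromhex("020000000002")
    _, spoof = ap1.reassociation_request(other, sta.pmkids_for(ap1.aa))       # not its PMKSA
    return first, roam, back, spoof, pmk3 == pmk1
```

demo() returns ("full", "full", "fast", "full", True): only the roam back to AP1 skips 802.1X, because only there does the station hold a PMK that the AP has cached, and the recomputation with the requesting SPA is what keeps a cached PMKID from being borrowed. The roam to AP2 is where preauthentication (the third scheme in the quoted text) would have seeded AP2's cache ahead of time.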

Explanation: A functional security policy describes technology-related procedures that must be followed to keep the network secure, and provides specific methods of mitigating threats described in the general security policy. A functional policy should contain password policies, training requirements, acceptable usage, security configuration for devices, and asset management. Risk assessment, impact analysis, and violation reporting procedures and enforcement belong in the general security policy.

191

When an 802.11n draft 2.0 standard wireless device is transmitting in the 2.4 GHz band at the highest throughput possible, how wide is the channel being used?

A 20 MHz
B 22 MHz
C 40 MHz (yes)
D 60 MHz

Explanation: The 802.11n draft defines 20 and 40 MHz wide channels. 'Primary' and 'secondary' channels, each 20 MHz wide using OFDM modulation, are also defined. A Secondary Channel is defined as a 20 MHz channel associated with a primary channel used by HT stations for the purpose of creating a 40 MHz channel. Also known as Channel Bonding, 40 MHz channels can simultaneously use two separate nonoverlapping channels to transmit data. Channel bonding increases the amount of data that can be transmitted. 40 MHz mode of operation uses 2 adjacent 20 MHz bands. This allows direct doubling of the PHY data rate from a single 20 MHz channel.

192

Recently, a rogue wireless access point was discovered on your company's network, bypassing the security solutions currently in place. After removing the rogue access point, your company decides it must add a wireless security policy, including a policy on rogue equipment, to its general security policy. What steps should be included in this policy to eliminate rogue wireless equipment from the company's network?

A Training network administrators and end users (yes)
B Implementing a wireless intrusion prevention system (yes)
C Creating an audit policy (yes)
D Creating an acceptable use policy
E Developing a change management policy
F Implementing a hardware inventory control (asset management) solution

Explanation: A rogue access point is any access point that has been attached to a network without the network administrator's knowledge or permission. Rogue access points present a significant security threat, because they create backdoors around network security, making the network vulnerable to attackers. Rogue access points can be installed by well-intentioned and legitimate users, or by hackers looking to exploit the network. Either way, they create a potential threat to the network and policies should be implemented to address rogue access points. The rogue access policy should include scheduled auditing for rogue access points and education and awareness training for all users. Training users about wireless security makes them more apt to take actions to limit activities that put the network at risk. Wireless intrusion prevention systems (WIPS) can automatically detect rogue access points and block them (or any users connected through them) from accessing the network.

193

When implementing a large WLAN switch/controller with 500 lightweight access points, where will the WLAN switch/controller be placed in the network?

A Connected between a Layer-3 distribution Ethernet switch and a Layer-2 access switch with Gigabit Ethernet links.
B Connected between the AAA server and the Layer-3 core Ethernet switch with Gigabit Ethernet links.
C Connected between the Layer-2 core Ethernet switch and the Layer-3 distribution Ethernet switch with Gigabit Ethernet links.
D Connected to the Layer-3 core Ethernet switch with redundant Gigabit Ethernet links. (yes)

Explanation: In a high user density environment, the amount of WLAN traffic can be measured in gigabits. In a WLAN switch/controller environment, all WLAN data must traverse the WLAN switch/controller. The optimum connection point in a network for high throughput and moderate filtering capabilities is found in the Layer 3 core Ethernet switch.

194

ABC Hospital has spent a very large budget on a small 802.11g WLAN implementation to assure its security. There are layer 2, layer 3, and layer 7 security solutions in place, and no matter how many networking tools and approaches you try, you cannot circumvent their security solution. As an intruder, what is your next move in circumventing ABC's network security?

A Theft of a wireless LAN enabled laptop that contains authorized user credentials (yes)
B Use a wideband RF jamming device to interfere with the 2.4 GHz ISM spectrum, and then capture user credentials during reauthentication
C Connect your own access point to an RJ-45 wall jack in an unsecured patient room (yes)
D A call to ABC's help desk impersonating an authorized user in an attempt to gain network user credentials (yes)
E Attempt to circumvent WEP on the hospital administrator's home WLAN
F Theft of a lightweight (thin) access point to obtain cached user credentials

Explanation: Social engineering is an out-of-band approach to circumventing security measures, and wireless LANs are no exception. No amount of security solutions can replace an effective security policy. The security policy will dictate training of help desk personnel to mitigate social engineering attacks such as this. Physical security of devices such as laptop computers that may hold digital certificates or username/password credentials is also imperative and should be addressed in the corporate security policy. Placing a rogue access point onto the wired network will allow the intruder to bypass all security measures in most cases. For this reason, good physical security and a quality wireless intrusion prevention system are key elements in a solid security solution.

195

You have been hired by ABC Corporation to perform a WLAN security audit. ABC's network manager has attended a one-day manufacturer's seminar on WLAN security and, in your opinion, knows only enough to ask good questions of a WLAN security professional. The network manager asks you about the specific advantages of TKIP over WEP. You explain that TKIP has the following advantages over WEP:

A Inclusion of SHA-HMAC authentication to prevent man-in-the-middle attacks
B Inclusion of a strong MIC to prevent in-transit frame tampering and replay attacks (yes)
C Replacement of IVs with LIVs to prevent attacks against weak passwords
D Replacement of CRC-32 with ICV-32 to prevent brute-force attacks against RC4
E Per-packet keying to prevent weak initialization vectors from being used to derive the WEP key (yes)

Explanation: TKIP is included as an optional security protocol in the 802.11i amendment. WPA-Personal and WPA-Enterprise implement TKIP. TKIP includes an 8-byte MIC to prevent frame tampering and replay attacks, in addition to the CRC-32 already included with WEP. TKIP supports per-packet keying and an extended initialization vector (IV) length (from 24 bits to 48 bits) for prevention of attacks aimed at weak IVs.

196

What term indicates an increase in the amplitude of an RF signal caused by an external source?

A Attenuation
B Diffraction
C Gain (yes)
D VSWR

Explanation: Gain is experienced when the amplitude of the RF signal increases. There are two types of gain in a wireless LAN: passive and active. Passive gain is accomplished by an antenna focusing the output signal in a specific direction rather than the signal propagating in all directions like an isotropic radiator. Active gain is the act of adding power to the RF signal while it is being transmitted across the wired medium. Active gain is accomplished by use of an RF amplifier. Voltage Standing Wave Ratio (VSWR) is a measure of forward power to reflected power. Power is reflected due to an impedance (resistance) mismatch between cables, connectors, antennas, transmitters, or any other WLAN device or accessory. Diffraction is a term used to describe the bending of the RF wavefront around an obstacle. Attenuation is a term used to describe the decrease in signal amplitude due to factors such as an inline resistor dissipating electricity as heat or free space path loss.

197

What spectrum analyzer feature removes the need for being able to identify wireless interference patterns through experience and knowledge of RF spectrum analysis?

A Classification signatures (yes)
B Signal-to-Noise ratio calculators
C Automatic Rate Shifting
D Dynamic frequency adapter
E RF Fingerprinting

Explanation: Many solutions rely on expertise and knowledge of wireless communication signatures to identify interference sources among Wi-Fi signals, including non-Wi-Fi signals such as Bluetooth, cordless phones, baby monitors, microwave ovens, etc. Classification signatures provide pattern recognition and classification that automatically identify the interference type, making it easier for less experienced analysts to correctly solve RF interference issues.

198

What is one purpose of implementing Role-Based Access Control (RBAC) in a WLAN switch/controller?

A Apply protocol filtering to user groups (yes)
B Allow 802.1X/EAP authentication
C Enable SNMP polling from a WNMS
D Facilitate rogue access point detection and location

Explanation: RBAC is used to apply filtering at many layers of the OSI model to user groups or individual users based on their job functions within an organization. Examples of such filters might include limiting data rates for Internet access, limiting access to specific servers within the enterprise, and assigning specific security protocols (e.g., VPN) to specific user groups.

199

You have an access point capable of 'hiding' the network name to create a 'closed' system. What is the effect of configuring the access point with this feature?

A Attackers will not be able to find your wireless network
B Beacons are no longer transmitted
C Passive scanning cannot be used to join a network (yes)
D Probe responses are encrypted on the access point
E The access point configuration is no longer fully IEEE 802.11 compliant (yes)

Explanation: 'Hiding' the wireless network or creating a 'closed' system are terms used for removing the SSID (network name) from the broadcast Beacon frame, which is a violation of the IEEE 802.11 standard but has been added to most wireless infrastructure devices. Passive scanning is the process of listening for beacons on each channel for a specific period of time, for the purpose of hearing a beacon containing the SSID of a network to which the station has been configured to associate. Hiding a wireless network eliminates the ability of passive scanning to identify wireless networks, increasing the difficulty of use for a wireless end user. Beacons continue to be transmitted after hiding a wireless network, and attackers will still be able to find the SSID of a hidden wireless network, because it still gets transmitted in probe requests and responses, and in association and reassociation requests.

200

The IEEE 802.11e specification adds Quality of Service functionality to contention-free wireless communications using what function?

A Enhanced Distributed Channel Access Function
B Hybrid Coordination Function (yes)
C Transmit Power Control Function
D Point Coordination Function
E Distributed Coordination Function

Explanation: 802.11e defines the Hybrid Coordination Function (HCF), which must be supported by all QoS stations (QSTAs). HCF allows controlled access through polling during both the contention and contention-free periods.

201

XYZ University is installing a security camera system, and they want to use mesh routers to connect all of the security cameras back to a central Ethernet switch. Each camera has an Ethernet port and is located near an AC outlet. Each mesh router uses ERP-OFDM, AES-CCMP encryption, and has three Ethernet ports for connecting multiple cameras. Each mesh router will connect to at least two other mesh routers by design. All cameras are housed in locked enclosures, are pointed at a specific location, and cannot be rotated. A student that is participating in the installation is going to attempt to circumvent this security solution. What plausible approach might the student use to circumvent this security solution?

A Use an 802.11 frame generator to send spoofed deauthentication frames to the mesh router with a source address of another mesh router.
B Use an RF jamming device to interrupt the wireless mesh link near a mesh router. (yes)
C Plug an additional camera into a lower-numbered (higher priority) Ethernet port on a mesh router. This would cause the mesh router to send video from the unauthorized camera which is pointing in a different direction.
D Enable an HR-DSSS client adapter near the mesh router, forcing it to enable protection mechanisms. This will result in an average bandwidth too low for full-motion video and will cause substantial blurring.

Explanation: By interrupting the wireless mesh link near a camera, the video stream from the camera will not be sent across the mesh to the Ethernet switch. The video stream will be lost until the RF jamming device is disabled. Deauthenticating one mesh router from another will not work in this case because each mesh router is connected to two other mesh routers by design. The data stream would simply fail over to the second mesh router link (if it was not already being sent on that link). ERP-OFDM mesh router networks should be designed to accommodate the expected data traffic, even when they must use CCK modulation instead of OFDM.

202

You are trying to explain to a junior-level technician the properties of a Wi-Fi RF signal. Which of the following statements could you correctly make?

A Amplitude is the most basic quality of an RF signal, and a signal's frequency, wavelength, phase, and polarity are all qualities based upon it.
B Stations that want to directly communicate must transmit and receive on the same frequency. (yes)
C Antennas are most receptive to signals that have a wavelength equal to 1/2 the length of the antenna's element.
D Two signals that are 180 degrees out of phase will cancel each other out, resulting in a null. (yes)
E Transmit and receive antennas should be polarized in the same way for the most effective communication. (yes)

Explanation: An RF signal's polarity is independent of its amplitude. Stations must use the same frequency to communicate. For example, OFDM (802.11a, 5 GHz) and HR-DSSS (802.11b, 2.4 GHz) devices operate at different frequencies and cannot communicate with each other. A wireless station on channel 6 cannot communicate directly with another station on channel 11. Antennas are most receptive to signals that have a wavelength equal to the length of the antenna's element. Antenna elements of 1/2 and 1/4 wavelength are the next best options. Signals in phase will result in a stronger signal, while those 180 degrees out of phase will cancel each other out. The most effective communication will occur when both antennas are either in horizontal polarization or vertical polarization. However, even if two antennas are not polarized alike, they will still likely receive a signal's reflection.

203

Which statement is true regarding the RF Fingerprinting feature in a WIPS?

A RF Fingerprinting requires that the WIPS submit a query to a network management system to find a client based on the MAC address table. The network management system then tells the WIPS where the device is located.
B RF Fingerprinting requires an initial system calibration that mandates that a test client device be carried around a facility. The WIPS collects many data points and builds a map of the RF environment for later use in locating active WLAN clients. (yes)
C RF Fingerprinting is where a call goes out from the network management system to all APs on the network, and each AP that 'hears' the user's signal responds to the network management system with the strength of the signal. The network management system then correlates this information to find the device.
D RF Fingerprinting is the monitoring and tracking of each client's unique RF signature caused by variances in its radio transmissions.

Explanation: RF Fingerprinting is the latest generation in RF location and tracking tools. Detailed information can be found here: http://www.airespace.com/technology/technote_rf_fingerprinting.php

204

Even though handheld wireless scanners and protocol analyzers can detect rogue access points effectively, what are two drawbacks associated with their use in detecting rogue devices in the enterprise?

A Lack of enterprise-wide coverage (yes)
B Equipment costs are prohibitive
C System configuration is complex
D Inability to provide coverage between audits (yes)

Explanation: Handheld scanners and sniffers are limited in their usefulness by the time required to physically do the audit, the inability to cover the entire network, and the inability to provide coverage between audits. Cost would be much lower than the enterprise-wide solution (WIPS), and one scanner or sniffer would be much easier to configure than a monitoring system for the entire network.

205

What statement is true regarding a WLAN controller/switch with lightweight (thin) access points that are not directly connected to the WLAN controller?

A If the WLAN controller fails, the lightweight access points automatically revert to autonomous mode.
B If the WLAN controller fails, the lightweight access points power down immediately.
C If the WLAN controller fails, the lightweight access points operate normally but cannot accept new connections.
D If the WLAN controller fails, the lightweight access points may remain powered up but not otherwise operate normally. (yes)

Explanation: In a WLAN controller/switch environment, lightweight APs are often distributed throughout the enterprise and not connected directly to the WLAN switch/controller. Older model WLAN switches/controllers often had 12 to 36 PoE capable data ports, but vendors have found it advantageous to distribute lightweight APs rather than connecting them directly to the WLAN controller/switch. All 802.11 data traffic will typically flow through the WLAN controller/switch, and all 802.11 management frames are exchanged with the WLAN controller/switch. Therefore, all WLAN connections and data flow will typically cease when the WLAN controller/switch fails, but the lightweight APs will remain in a powered up state so long as their power is provided locally or through the 802.3 Clause 33 PoE device to which they are physically connected. Some vendor lightweight access points may still offer limited functionality even after communication with the WLAN controller is lost. While some access points can operate in either autonomous mode or lightweight mode, they typically will not change modes automatically and often require a firmware change.

206

What component of a wireless network might use a bi-metal conductor or gas discharge tube?

A PoE Injector
B Lightning arrestor (yes)
C Amplifier
D Attenuator
E Yagi antenna

Explanation: Lightning arrestors are used to shunt into the ground transient current that is caused by a nearby lightning strike. (Note: lightning arrestors will not protect against direct lightning strikes.) Some are reusable after a lightning strike and some are not. Examples of reusable lightning arrestors are models with replaceable gas discharge tube elements that are cheaper to replace than the entire lightning arrestor, or bi-metal conductors. A single-use lightning arrestor is like a fuse, destroying itself to protect the equipment.

207

Given: XYZ Company plans to implement a wireless network supporting a diverse group of wireless clients. Some wireless clients support HR-DSSS, some ERP-OFDM, and others support OFDM, while some support all three. You perform an HR-DSSS virtual site survey and recommend placement of IEEE HR-DSSS/ERP-OFDM/OFDM access points along with channel use and power settings. You then validate the virtual site survey by manually checking signal strength with a PDA. Clients have reported connectivity issues when connecting using OFDM. What are possible causes?

A Co-channel interference from other HR-DSSS wireless networks
B Non-wireless interference in the 2.4 GHz ISM band
C Interference from 5.8 GHz cordless phones
D Inadequate signal strength from the access points (yes)
E Mis-configured wireless client utility

Explanation: Lower frequencies feature longer wavelengths, which travel farther. OFDM (802.11a), which operates in the 5 GHz U-NII bands, does not travel as far as HR-DSSS (802.11b) or ERP-OFDM (802.11g), which both operate in the 2.4 GHz ISM band. A separate site survey should be done for OFDM (802.11a) networks and ERP-OFDM (802.11g) networks to account for the differences in coverage areas.

208

Given: When using WPA or WPA2 Personal, selecting a passphrase with high entropy is critical. What is the best way to ensure you choose a high entropy passphrase?

A Use a passphrase generator (yes)
B Select a passphrase of at least eight or more characters
C Use only special characters or numbers in the passphrase
D Use a NIST-compliant naming convention
E Encrypt the passphrase with an AES cipher

Explanation: Entropy, or more precisely 'information entropy', is the measure of randomness. An intuitive understanding of information entropy relates to the amount of uncertainty about picking a passphrase, i.e. an object that could be translated into a string of bits. 'If you have a 32-bit word that is completely random, then it has 32 bits of entropy. If the 32-bit word takes only four different values, and each value has a 25% chance of occurring, then the word has 2 bits of entropy.' (Practical Cryptography, B. Schneier and N. Ferguson, p. 155) The best way to ensure a passphrase has high entropy is to use a passphrase generator.

209

The measure of 100 mW of power is equivalent to what logarithmic unit of measure?

A +20 dBm (yes)
B -20 dBm
C 0 dB
D +20 dB
E 0 dBm
F -20 dB

Explanation: The reference point is 0 dBm and 1 mW. For every +10 dB, the mW value is multiplied by 10. 1 mW x 10 x 10 = 100 mW, thus a gain of 20 dB is needed to move from the reference point to 20 dBm. The 'm' in dBm means the value is referenced against 1 mW and represents an actual amount of power.

210

In what frequency band does the ERP-OFDM PHY operate?

A 915 MHz ISM band
B 2.4 GHz ISM band (yes)
C 5 GHz lower U-NII band
D 5 GHz middle U-NII band
E 5 GHz upper U-NII band

Explanation: The IEEE 802.11 standard (as amended), along with the HR-DSSS (802.11b) and ERP-OFDM (802.11g) amendments, operates in the 2.4 GHz ISM band. Thus far, the only amendment to the IEEE 802.11 standard (as amended) that operates in any other band is the OFDM (802.11a) amendment, which uses the U-NII bands.

211

In order to implement a robust security network (RSN) as defined by the 802.11i-2004 amendment, an administrator may not implement _____________________?

A The Wired Equivalent Privacy (WEP) Cipher Suite (yes)
B The STAKey Handshake
C The Pass-phrase-to-Preshared Key Algorithm
D The Group Key Handshake
E The TKIP Message Integrity Check (MIC) called 'Michael'

Explanation: 802.11i-2004, Section 3.106, robust security network (RSN): A security network that allows only the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of Beacon frames that the group cipher suite specified is not wired equivalent privacy (WEP).

212

What types of transmissions are protected using a group key hierarchy in an RSN network?

A Broadcast (yes)
B Multicast (yes)
C Unicast
D Ad-hoc
E Plaintext

Explanation: A robust security network (RSN) has two different key hierarchies used to protect traffic. The pairwise key hierarchy is used to protect unicast traffic, while broadcast and multicast traffic is protected by the group key hierarchy.

213

You are the wireless systems engineer for XYZ Company. Your company wants to upgrade their wireless infrastructure to support features such as VPN endpoints, WLAN capability, centralized management, 802.1X/EAP, Captive Portal, Role-based Access Control, and rogue AP detection. Which wireless solution would best meet the criteria for XYZ Company?

A WLAN controller (yes)
B Enterprise Encryption Gateway
C Consumer-grade wireless router
D Autonomous AP infrastructure
E WLAN Base Station

Explanation: WLAN controllers and enterprise wireless gateways typically offer similar features, such as support for multiple authentication and encryption schemes, VPN support, centralized management, captive portal and RBAC support, and intrusion detection capabilities.
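Questions 211 and 212 above and 214 below all turn on the RSN key hierarchy: the passphrase-to-PSK mapping, the pairwise keys (KCK, KEK, TK) derived during the 4-Way Handshake, and the KEK that carries the group key. The Python model below is an added example, not part of this question bank: it implements the PBKDF2 passphrase mapping, the PRF-384 PTK derivation and the EAPOL-Key MIC as 802.11i defines them, and runs the MIC checks of steps d) and e) on both sides. The MAC addresses, nonces, RSN IE, passphrase and SSID are constructed values, and the AES key wrap of the GTK is left out.

```python
import hashlib
import hmac


# Passphrase-to-PSK mapping (802.11i Annex H.4): PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output.
def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., truncated to n bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(ANonce,SNonce)).
    KCK keys the EAPOL-Key MIC, KEK wraps the GTK in message 3, TK is the CCMP temporal key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Offset of the 16-byte Key MIC field: EAPOL header (4) + descriptor type (1) + key info (2)
# + key length (2) + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8).
MIC_OFFSET = 81


def build_eapol_key(key_info: int, replay: int, nonce: bytes, key_data: bytes) -> bytearray:
    """EAPOL-Key frame (802.1X type 3, descriptor type 2) with the Key MIC field zeroed."""
    body = bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
    body += replay.to_bytes(8, "big") + nonce + bytes(16) + bytes(8) + bytes(8)
    body += bytes(16) + len(key_data).to_bytes(2, "big") + key_data
    return bytearray(bytes([2, 3]) + len(body).to_bytes(2, "big") + body)


def eapol_key_mic(kck: bytes, frame: bytes, key_desc_version: int = 2) -> bytes:
    """Key MIC over the whole EAPOL frame with the MIC field zeroed.
    Key Descriptor Version 1 (TKIP) uses HMAC-MD5; version 2 (CCMP) uses HMAC-SHA1 truncated to 128 bits."""
    zeroed = bytes(frame[:MIC_OFFSET]) + bytes(16) + bytes(frame[MIC_OFFSET + 16:])
    digest = hashlib.md5 if key_desc_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def sign(kck: bytes, frame: bytearray) -> bytearray:
    frame[MIC_OFFSET:MIC_OFFSET + 16] = eapol_key_mic(kck, frame)
    return frame


def verify_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(bytes(frame[MIC_OFFSET:MIC_OFFSET + 16]), eapol_key_mic(kck, frame))


def run_handshake(passphrase, ssid, aa, spa, anonce, snonce, rsn_ie) -> dict:
    """Steps a) to f) of the 4-Way Handshake for WPA2-Personal; returns what each side verified."""
    pmk = passphrase_to_psk(passphrase, ssid)  # with a preshared key, the PSK is the PMK
    # a) Authenticator -> Supplicant: ANonce. No MIC: neither side holds a PTK yet.
    msg1 = build_eapol_key(0x008A, 1, anonce, b"")
    # b) Supplicant derives the PTK from ANonce and its own SNonce.
    s_keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    # c) Supplicant -> Authenticator: SNonce, RSN IE from its (Re)Association Request, MIC.
    msg2 = sign(s_keys["kck"], build_eapol_key(0x010A, 1, snonce, rsn_ie))
    # d) Authenticator derives the PTK and validates the MIC; a mismatch means a wrong PSK or tampering.
    a_keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2_ok = verify_mic(a_keys["kck"], msg2)
    # e) Authenticator -> Supplicant: ANonce, its RSN IE, Install bit, encapsulated GTK, MIC.
    #    In a real exchange the GTK is AES-Key-Wrapped with the KEK; a placeholder stands in here.
    msg3 = sign(a_keys["kck"], build_eapol_key(0x13CA, 2, anonce, rsn_ie + b"<GTK wrapped with KEK>"))
    msg3_ok = verify_mic(s_keys["kck"], msg3)
    # f) Supplicant -> Authenticator: confirmation that the temporal keys are installed.
    msg4 = sign(s_keys["kck"], build_eapol_key(0x030A, 2, bytes(32), b""))
    return {
        "msg2_mic_ok": msg2_ok,
        "msg3_mic_ok": msg3_ok,
        "msg4_mic_ok": verify_mic(a_keys["kck"], msg4),
        "keys_match": s_keys == a_keys,
        "frames": [bytes(m) for m in (msg1, msg2, msg3, msg4)],
    }


if __name__ == "__main__":
    # Constructed values: MAC addresses, nonces, RSN IE (CCMP/CCMP/PSK), passphrase and SSID.
    result = run_handshake(
        "correct horse battery staple", "XYZ-Cameras",
        bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
        bytes(range(32)), bytes(range(32, 64)),
        bytes.fromhex("30140100000fac040100000fac040100000fac020000"),
    )
    print({k: v for k, v in result.items() if k != "frames"})
```

Flipping any byte of a signed frame, or deriving the PTK from a different passphrase, makes verify_mic return False, which is exactly the failure an authenticator sees in step d) when a station holds the wrong PSK.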

214

What security technologies, called for in the 802.11i-2004 amendment, may be implemented in an ERP-OFDM network to improve upon the security mechanisms offered by the original 802.11 standard?

A AES-CCMP (yes)
B 802.1X/EAP authentication (yes)
C 3DES block cipher
D 4-Way handshake (yes)
E Shared Key authentication
F RC4 stream cipher

Explanation: 802.11i calls for the default use of the CCMP encryption scheme using the AES encryption algorithm. The TKIP encryption scheme using the RC4 encryption algorithm is also allowed. 802.1X port-based access control with Extensible Authentication Protocol (EAP) support and preshared keys are both specified as authentication mechanisms. Section 5.9.1 specifies use of 802.1X as follows: 'IEEE 802.11 depends upon IEEE 802.1X to control the flow of MAC service data units (MSDUs) between the DS and STAs by use of the IEEE 802.1X Controlled/Uncontrolled Port model. IEEE 802.1X authentication frames are transmitted in IEEE 802.11 data frames and passed via the IEEE 802.1X Uncontrolled Port. The IEEE 802.1X Controlled Port is blocked from passing general data traffic between two STAs until an IEEE 802.1X authentication procedure completes successfully over the IEEE 802.1X Uncontrolled Port. It is the responsibility of both the Supplicant and the Authenticator to implement port blocking. Each association between a pair of STAs creates a unique pair of IEEE 802.1X Ports, and authentication takes place relative to those ports alone.' 802.11i (Figure below) illustrates use of EAP authentication with 802.1X port-based access control. The 4-Way handshake is used both by 802.1X/EAP and preshared key implementations and consists of the following steps:

a) The Authenticator sends an EAPOL-Key frame containing an ANonce.
b) The Supplicant derives a PTK from ANonce and SNonce.
c) The Supplicant sends an EAPOL-Key frame containing SNonce, the RSN information element from the (Re)Association Request frame, and a MIC.
d) The Authenticator derives the PTK from ANonce and SNonce and validates the MIC in the EAPOL-Key frame.
e) The Authenticator sends an EAPOL-Key frame containing ANonce, the RSN information element from its Beacon or Probe Response messages, a MIC, whether to install the temporal keys, and the encapsulated GTK.
f) The Supplicant sends an EAPOL-Key frame to confirm that the temporal keys are installed.

215

What differentiates an overlay wireless intrusion prevention system (WIPS) from WIPS integrated into a WLAN controller?

A Overlay WIPS is limited to accessing wireless traffic at the physical and data-link layer, while integrated WIPS has access to layers 3-7 as well. (yes)
B Only overlay WIPS monitors the RF for attack signatures and undesirable performance issues
C Only overlay WIPS can use dedicated wireless sensors to passively monitor traffic
D Integrated WIPS may also be used to assist with fast/secure roaming between autonomous APs.

Explanation: In an overlay WIPS monitoring deployment, organizations augment their existing WLAN infrastructure with dedicated wireless sensors. These are connected to the network in a manner similar to access points. However, while access points provide client connectivity, WIPS sensors are primarily passive devices that monitor the air for signs of attack or other undesired wireless activity. In an overlay WIPS system, the WIPS vendor provides a controller in the form of a server or appliance that collects and assesses information from the WIPS sensors and is monitored by an administrator. These devices do not otherwise participate with the rest of the wireless network, and are limited to assessing traffic at the physical layer (layer 1) and the data-link layer (layer 2). This is not true for integrated WIPS, which can access all OSI layers. For more information, see Joshua Wright's whitepaper: A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model.

216

Given: An inherent weakness of the original IEEE 802.11 standard is the lack of AAA (Authentication, Authorization, and Accounting) services. What technology is used as part of a network to provide AAA services to enhance wireless security?

A IEEE 802.1X
B EAP
C WEP
D RADIUS (yes)
E L2TP/IPSec
F PPTP

Explanation: The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a Network Access Server (NAS) and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations. A RADIUS AAA server can manage user profiles for authentication (verifying user name and password), configuration information that specifies the type of service to deliver, and policies to enforce that may restrict user access.

217

As part of its corporate security policy, your organization requires all wireless LANs to be separated from the wired network core using a device capable of authentication, data encryption, and throughput limiting. Which device will accomplish this policy requirement?

A Wireless workgroup bridge
B Transparent tunneling bridge
C Wireless LAN controller (yes)
D Personal firewall software

Explanation: A Wireless LAN controller is the only segmentation device in the listed answers that is capable of performing all three functions. Examples of such devices are EWGs and WLAN switches. A Wireless workgroup bridge is incorrect because a workgroup bridge is a device that allows you to connect multiple wired devices through, essentially, a shared radio. A Transparent tunneling bridge does not exist. Personal firewall software is incorrect because it only filters packets and does not provide for authentication, data encryption, or throughput limiting.

218

You have been tasked with implementing your company's wireless security. Among your options are standard and non-standard solutions. What risks are increased when using a non-standard solution?

A You are more likely to become 'vendor-locked' (yes)
B Your solution may not interoperate with other parts of the system (yes)
C Support for your solution may be discontinued (yes)
D An increased amount of known vulnerabilities with your solution will be discovered
E The solution will be inherently less secure than a standards-based solution
F Additional training will be required to successfully implement the solution

Explanation: When using proprietary or non-standard solutions, the risk increases that your systems will not interoperate with other standards-based systems now or in the future. Also, because you are basing your solution on a single vendor, you are dependent upon that vendor for future systems that may only interoperate with your current solution, 'locking' you into that vendor. Vendors often make business decisions to discontinue support for a particular solution or technology. If you are using a non-standard solution, finding support from someone other than the original vendor may be difficult and expensive, forcing you to change your solution completely. Because the market is typically larger for standards-based solutions, known vulnerabilities will generally be discovered (and patched) more quickly for them. Proprietary solutions can be just as secure or more so than standards-based solutions, and additional training may or may not be required.

219

Which of the following is true regarding industry organizations/agencies?

A Government agencies regulate the wireless LAN devices' use of the RF spectrum through the use of specific standards such as HR-DSSS, ERP-OFDM, and OFDM.
B An IEEE standard must be ratified before it can be implemented and sold in a manufacturer's product.
C The goal of the Wi-Fi Alliance is to certify interoperability of wireless local area network products. (yes)
D To address the weaknesses found in WEP, the IEEE introduced WPA, followed by WPA2.
E Regulatory bodies such as the FCC have the ability to mandate where on the RF spectrum a wireless LAN can operate, and certify a wireless system. (yes)

Explanation: The goal of the Wi-Fi Alliance is to certify interoperability of wireless LAN devices. Regulatory bodies govern the RF spectrum. Some regulatory bodies require that 802.11 enabled products be tested at a certified lab to ensure that the radio does not exceed radiation limits and cause interference with other devices operating at these frequencies. The IEEE specifies standards such as HR-DSSS (802.11b), ERP-OFDM (802.11g), and OFDM (802.11a), not the FCC. Manufacturers often create proprietary or 'pre-standard' equipment. Examples include pre-G and pre-N access points. WPA and WPA2 are not IEEE standards, but were created by the Wi-Fi Alliance based upon IEEE standards such as 802.11i.

220

You have a wireless infrastructure device that can be accessed in various methods as shown in the included graphic. The wireless infrastructure device supports all published versions of SNMP, and each can be further configured independently in other menus. Selecting a checkbox enables the respective feature. What actions can you take to remotely manage your wireless infrastructure in a secure fashion?

A Enable only SNMPv3 and create an authenticated user account (yes)
B Only allow 'From LAN' connections
C Select only CLI Telnet or CLI SSH connections
D Choose SSH or HTTPS 'From LAN' connections
E Enable either SNMPv1, HTTPS, or CLI SSH 'From WAN' connections

Explanation: To securely manage a remote device, you must use some type of encrypted protocol. HTTPS, SSH, and SNMPv3 are all capable of secure communications, while HTTP, TELNET, and SNMPv1 or v2 are vulnerable to eavesdropping.

221

An intruder locates an unprotected 802.11b WLAN and gains control of two access points and a wireless bridge using the default SNMP read/write community strings. What types of wireless auditing tools are required for the intruder to locate the WLAN, discover the infrastructure devices, and exploit this particular security hole?

A Netstumbler, share enumerator, wireless protocol analyzer, and spectrum analyzer
B MacStumbler, OS fingerprinting & port scanning tool, and WEP decryption software
C Wireless protocol analyzer, IP scanning utility, and network management software (yes)
D IP scanning utility, network management software, access point software, and an RF jamming device
E Network management software, WEP decryption software, application layer analyzer, and an SSH2 client utility

Explanation: This is a three-tiered problem.
1. First, you need to identify the target WLAN devices by using a tool such as a wireless protocol analyzer. Protocol analyzers monitor the RF environment in order to display a list of wireless devices and decode captured frames.
2. Second, the identified hosts need to be enumerated to identify 'listening' ports and services. There are a number of 'IP scanning tools' that can perform this function, such as nmap, SuperScan, or WS Ping ProPack.
3. Once the services have been discovered, they can potentially be exploited. In this case, SNMP was both running and configured to use very weak, default community strings. These community strings were then tried by using network management software to exploit the discovered vulnerability.

222

You have won a contract to install a wireless network for XYZ Company based upon another consultant's wireless site survey. What things should you expect to see in the site survey report to help you with your installation?

A Client requirements and how they can be met (yes)
B Vendor make and model configuration settings
C Access point naming conventions
D Number of access points required (yes)
E Graphical representation of RF coverage areas (yes)
F Detailed implementation instructions

Explanation: Site surveys are used to answer how many access points are needed and where they should be located. Additionally, configuration settings such as output power and channel selection should be included. Client requirements such as throughput requirements, reliability, etc. will drive design decisions and should be noted. Today it is common to include heat map representations of RF coverage areas.

223

Given: Beacons are transmitted periodically to allow mobile stations to locate and identify a BSS, as well as keep each wireless station in sync with the access point to allow for those stations to use sleep mode. What part of the beacon is used to keep each wireless station's timer synchronized?
A  Beacon Interval
B  Timestamp (yes)
C  Traffic Indication Map (TIM)
D  DTIM
E  Sync Field

Explanation: Each beacon contains a timestamp value placed there by the access point. When stations receive the beacon, they change their clock to reflect the time of the clock on the access point. This allows stations to stay synchronized, ensuring time-sensitive functions are performed without error.

224

A university's WLAN administrator is seeking an efficient and effective method of detecting and eliminating rogue access points and wireless Ad Hoc networks across the entire campus. The administrator's friend suggests that he use a WLAN protocol analyzer to perform a weekly survey of the campus to discover rogue devices. The administrator considers this option and then asks you to offer advice on the subject. What is your advice to the administrator?
A  In a campus environment, manual scanning for rogues requires too much time and resources to effectively and consistently locate all rogue devices. A system is needed that can inspect the entire campus in real time. (yes)
B  WLAN protocol analyzers will not detect rogue devices that do not use the 802.11 protocol frame format. (yes)
C  Because WLAN protocol analyzers can see all frames on the wireless medium, they are the most comprehensive solution for detecting rogue wireless devices of any kind.
D  By assigning one IT worker to do weekly scans using a WLAN protocol analyzer, Wi-Fi, Bluetooth, and Infrared rogue access points and Ad Hoc networks can be effectively located and removed.
E  WLAN protocol analyzers are not a comprehensive rogue detection solution because they cannot detect access points that are configured to hide the SSID in beacons.

Explanation: In large IT environments (enterprises and campuses), doing consistent 'walk about' scans is impractical and ineffective. Wireless Intrusion Prevention Systems should be used to inspect the entire campus environment in real time using distributed sensors and a central engine/console. Additionally, WIPS can enforce policy adherence across the WLAN environment.

225

You have been hired by ABC Corporation to perform a WLAN security audit. ABC's network manager has attended a one-day manufacturer's seminar on WLAN security and, in your opinion, knows only enough to ask good questions of a WLAN security professional. The network manager asks you about the specific advantages of TKIP over WEP. You explain that TKIP has the following advantages over WEP:
A  Inclusion of SHA-HMAC authentication to prevent man-in-the-middle attacks
B  Inclusion of a strong MIC to prevent in-transit frame tampering and replay attacks (yes)
C  Replacement of IVs with LIVs to prevent attacks against weak passwords
D  Replacement of CRC-32 with ICV-32 to prevent brute-force attacks against RC4
E  Per-packet keying to prevent weak initialization vectors from being used to derive the WEP key (yes)

Explanation: TKIP is included as an optional security protocol in the 802.11i amendment. WPA-Personal and WPA-Enterprise implement TKIP. TKIP includes an 8-byte MIC to prevent frame tampering and replay attacks, in addition to the CRC-32 already included with WEP. TKIP supports per-packet keying and an extended initialization vector (IV) length (from 24 bits to 48 bits) for prevention of attacks aimed at weak IVs.

226

For which of the following tasks is the Wi-Fi Alliance responsible?
A  Certifying 802.11 FHSS, DSSS, and OFDM systems for interoperability.
B  Providing the Wi-Fi logo to vendors that meet basic levels of interoperability with other wireless LAN devices. (yes)
C  Creating the Wi-Fi Multimedia (WMM) certification based on a subset of the features described in the 802.11d draft standard.
D  Outlining the WPA-Enterprise and WPA-Personal standards to both use TKIP. (yes)
E  Creating the WPA2 standard based upon the 802.1X security standard.

Explanation: The Wi-Fi Alliance allows any vendor's product it grants a certification for interoperability to use the Wi-Fi logo on advertising and packaging for the certified product. The Wi-Fi Alliance created Wi-Fi Protected Access (WPA) as a solution to counteract the weaknesses in WEP, until the 802.11i standard was ratified. WPA has two distinct modes: WPA-Enterprise and WPA-Personal, which both use TKIP for encryption. The Wi-Fi Alliance does not certify FHSS systems. The WMM certification is based on a subset of features described in the 802.11e standard. The WPA2 standard is based upon the 802.11i security standard.

227

What is used by wireless LANs to overcome the problems associated with the inability to detect collisions?
A  Antenna diversity
B  Acknowledgement frames (yes)
C  Frame fragmentation
D  Station polling
E  StrictlyOrdered service class

Explanation: Every data frame, whether fragmented or not, is acknowledged by the receiver with an acknowledgement frame. Some management frames are also acknowledged. Since radios are half duplex (meaning they can either receive or transmit, but not both simultaneously), they cannot hear a collision with the frame they are transmitting. Antenna diversity is used to offset the negative effects of multipath. Frame fragmentation is used to decrease network overhead due to retransmissions in a noisy RF environment. Station polling happens only in PCF or HCF modes, and is unrelated to collision detection. StrictlyOrdered service requires that an AP deliver frames to stations in the order that they were received per section 6.1.3 of the IEEE 802.11 standard (as amended).

228

Within IPSec's ESP tunnel mode, which parts of the frame are encrypted?
A  ESP Header
B  Original IP Header (yes)
C  IP Payload (yes)
D  ESP Trailer (yes)
E  ESP Authentication Trailer
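Added worked example for question 228 (written for this page, not part of the original question bank): a Python model of the ESP tunnel-mode packet layout from RFC 4303, built to make visible which regions end up encrypted and which are covered by the integrity check value. The cipher is a placeholder (HMAC-SHA256 run in counter mode stands in for the AES mode a real IPSec stack would use), the keys, SPI, addresses and payload are constructed, and the outer IP header that the tunnel endpoint prepends is left out; only the ESP packet itself is built.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed ESP tunnel-mode illustration (RFC 4303 layout). Cipher, keys and
# addresses are stand-ins; nothing here is a real IPsec implementation.
NEXT_HEADER_IPV4 = 4   # tunnel mode: the ESP payload is a complete IPv4 packet
ICV_LEN = 16           # truncated HMAC-SHA256, as in HMAC-SHA-256-128 (RFC 4868)
IV_LEN = 16


def _checksum(data):
    """One's-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack(">H", _checksum(hdr)) + hdr[12:]


def _keystream(key, iv, length):
    """Placeholder stream cipher: HMAC-SHA256(key, iv || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_tunnel_encapsulate(enc_key, auth_key, spi, seq, inner_packet, iv=None):
    """ESP header | IV | encrypted(inner packet + padding + pad len + next header) | ICV.
    Only the ESP header and IV stay readable; the ICV covers everything before it."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    pad_len = (-(len(inner_packet) + 2)) % 4        # trailer must end 4-byte aligned
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding pattern
    plaintext = inner_packet + padding + bytes([pad_len, NEXT_HEADER_IPV4])
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    esp_header = struct.pack(">II", spi, seq)
    authenticated = esp_header + iv + ciphertext
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def esp_tunnel_decapsulate(enc_key, auth_key, packet):
    """Verify the ICV first, then decrypt and strip the trailer.
    Returns (spi, seq, next_header, inner_packet)."""
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet altered or wrong key")
    spi, seq = struct.unpack(">II", authenticated[:8])
    iv, ciphertext = authenticated[8:8 + IV_LEN], authenticated[8 + IV_LEN:]
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]


def esp_layout(packet):
    """Byte ranges of each region: which bytes are in the clear and which are not."""
    end_enc = len(packet) - ICV_LEN
    return {"esp_header": (0, 8), "iv": (8, 8 + IV_LEN),
            "encrypted": (8 + IV_LEN, end_enc), "icv": (end_enc, len(packet))}


def tamper_detected(enc_key, auth_key, packet, byte_index):
    """Flip one bit in the packet and report whether decapsulation rejects it."""
    altered = bytearray(packet)
    altered[byte_index] ^= 0x01
    try:
        esp_tunnel_decapsulate(enc_key, auth_key, bytes(altered))
    except ValueError:
        return True
    return False


def demo():
    """Build one tunnel-mode packet around a constructed inner IPv4/UDP datagram."""
    enc_key, auth_key = b"E" * 32, b"A" * 32          # constructed keys
    payload = b"camera-frame"
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, len(payload)) + payload
    packet = esp_tunnel_encapsulate(enc_key, auth_key, 0x1000, 1, inner, iv=b"\x00" * IV_LEN)
    header_visible = inner[:20] in packet        # the original IP header is inside the ciphertext
    return packet, inner, header_visible
```

The layout returned by `esp_layout` is the point of the exercise: the original IP header, the payload and the ESP trailer (padding, pad length, next header) all sit in the encrypted range, while the ESP header and the ICV do not; the ICV is computed over the ESP header and the ciphertext, not over the outer IP header.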

Explanation: ESP tunnel mode encapsulates an IP packet with both an ESP and IP header and an ESP authentication trailer. The original header is placed after the ESP header. The entire packet is appended with an ESP trailer before encryption occurs. Everything that follows the ESP header, except for the ESP authentication trailer, is encrypted. This includes the original header, which is now considered to be part of the data portion of the packet.

229

Which WLAN attacks does personal firewall software prevent?
A  802.11 deauthentication attacks
B  RF jamming attacks from nearby intruders
C  Computer viruses from peer WLAN devices (yes)
D  Wi-Fi phishing attacks at hotspots
E  WLAN hijacking attacks by co-workers

Explanation: Computer viruses are application layer attacks. Firewalls can prevent these attacks by preventing unauthorized layer 3-7 connectivity to a host computer. The other attacks listed are attacks against the 802.11 protocol, the RF transmission medium, and social engineering attacks.

230

You have a protocol analyzer that can capture both 802.11 and 802.3 transmissions. What might you expect to find in the analysis of a wireless transmission that is not seen in the analysis of a transmission over a wired network?
A  WEP packets (yes)
B  CSMA/CD packets
C  MTUs of up to 2304 bytes (yes)
D  Layer 3-7 protocols
E  TCP fragmentation

Explanation: Wired Equivalent Privacy (WEP) encryption is only used on wireless networks, and WEP packets will not be seen on the Ethernet side. Ethernet's Maximum Transmission Unit (MTU) is 1500 bytes. An MTU is the largest physical packet size (measured in bytes) that a network may transmit. Packets larger than the MTU are fragmented into smaller packets. Wireless technology uses Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA) while Ethernet uses CSMA/CD (collision detection).

231

What is the name for a group of OFDM wireless stations communicating without the use of an access point?
A  Client access mode
B  Basic Service Set
C  Infrastructure mode
D  Peer Exclusive mode
E  Independent Basic Service Set (yes)
F  Privileged mode

Explanation: Section 3 of the IEEE 802.11 standard (as amended) defines an Ad Hoc network as follows:
3.3 ad hoc network: A network composed solely of stations within mutual communication range of each other via the wireless medium (WM). An ad hoc network is typically created in a spontaneous manner. The principal distinguishing characteristic of an ad hoc network is its limited temporal and spatial extent. These limitations allow the act of creating and dissolving the ad hoc network to be sufficiently straightforward and convenient so as to be achievable by non-technical users of the network facilities; i.e., no specialized 'technical skills' are required and little or no investment of time or additional resources is required beyond the stations that are to participate in the ad hoc network. The term ad hoc is often used as slang to refer to an independent basic service set (IBSS).
Additionally, the standard defines an IBSS as follows:
3.27 independent basic service set (IBSS): A BSS that forms a self-contained network, and in which no access to a distribution system (DS) is available.

232

What is one purpose of implementing Role-Based Access Control (RBAC) in a WLAN switch/controller?
A  Apply protocol filtering to user groups (yes)
B  Allow 802.1X/EAP authentication
C  Enable SNMP polling from a WNMS
D  Facilitate rogue access point detection and location

Explanation: RBAC is used to apply filtering at many layers of the OSI model to user groups or individual users based on their job functions within an organization. Examples of such filters might include limiting data rates for Internet access, limiting access to specific servers within the enterprise, and assigning specific security protocols (e.g., VPN) to specific user groups.

233

As part of your company's wireless security policy, you are creating several password policies to help prevent your company's passwords from being compromised. What password policy should be included to significantly reduce the likelihood that an online dictionary attack will successfully compromise a user's password?
A  Passwords must be at least 15 characters long (yes)
B  User accounts will be disabled after five unsuccessful login attempts (yes)
C  Passwords must change after any unsuccessful login attempt
D  Only administrators are allowed to choose user passwords
E  Users should not share passwords with other users
F  Passwords should consist of upper case, lower case, numbers, and special characters (yes)
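Added example for question 233 (constructed for this page, not taken from the question bank): a password-complexity check for the 15-character, four-character-class rule, and the "disable after five failures" rule replayed over a constructed authentication log so that the effect of each policy on an online guessing attempt can be seen. The log line format, user names and source addresses are assumptions made for the illustration.

```python
import re
import string

# Constructed policy values, matching the answers to question 233.
MIN_LENGTH = 15
MAX_FAILED_LOGINS = 5


def password_violations(password):
    """Return the policy rules the password breaks (empty list = compliant)."""
    checks = {
        "length": len(password) >= MIN_LENGTH,
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


class LockoutPolicy:
    """Counts consecutive failures per user and disables the account at the limit.
    A disabled account rejects even the correct credential until an admin re-enables it."""

    def __init__(self, max_failed=MAX_FAILED_LOGINS):
        self.max_failed = max_failed
        self.failures = {}
        self.disabled = set()

    def login(self, user, credential_ok):
        if user in self.disabled:
            return "rejected-disabled"
        if credential_ok:
            self.failures[user] = 0          # a success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failed:
            self.disabled.add(user)
            return "disabled"
        return "failed"


# Assumed log line shape; real RADIUS/AP logs differ and would need their own pattern.
LOG_LINE = re.compile(r"user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)")

# Constructed authentication log: 'alice' is the target of repeated online guesses,
# 'bob' mistypes once and then logs in normally.
SAMPLE_LOG = """\
2007-05-01T08:00:01 user=alice result=FAIL src=10.0.0.5
2007-05-01T08:00:02 user=alice result=FAIL src=10.0.0.5
2007-05-01T08:00:03 user=bob result=FAIL src=10.0.0.9
2007-05-01T08:00:04 user=alice result=FAIL src=10.0.0.5
2007-05-01T08:00:05 user=bob result=OK src=10.0.0.9
2007-05-01T08:00:06 user=alice result=FAIL src=10.0.0.5
2007-05-01T08:00:07 user=alice result=FAIL src=10.0.0.5
2007-05-01T08:00:08 user=alice result=OK src=10.0.0.5
"""


def replay_log(log_text, policy=None):
    """Feed each log line through the lockout policy.
    Returns ([(user, outcome), ...], sorted list of disabled accounts)."""
    policy = policy or LockoutPolicy()
    outcomes = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        outcomes.append((m["user"], policy.login(m["user"], m["result"] == "OK")))
    return outcomes, sorted(policy.disabled)
```

The two rules attack the problem from different ends: the complexity rule pushes the password out of any practical word list, and the lockout rule caps the number of guesses an online attacker can make per account at the threshold, after which even a correct guess (the final line for 'alice') is refused.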

Explanation: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching a large number of possibilities. In contrast with a brute force attack, where all possibilities are searched through exhaustively, a dictionary attack only tries possibilities which are most likely to succeed, typically derived from a list of words in a dictionary. Generally, dictionary attacks succeed because most people have a tendency to choose passwords which are easy to remember, and typically choose words taken from their native language. A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, that successfully guessing it will require too long a time. The length of time deemed to be too long will vary with the attacker, the attacker's resources, the ease with which a password can be tried, and the value of the password to the attacker. Another good defense against brute force or dictionary attacks is to disable the user account after a certain number of unsuccessful login attempts.

234

What has occurred if an RF signal strikes an uneven surface causing the signal to be reflected in many directions simultaneously so that the resultant signals are less significant than the original signal?
A  Return loss
B  Interference
C  Phase shift keying
D  Diffraction
E  Scattering (yes)
F  Refraction

Explanation: Scattering occurs when an RF signal strikes an uneven surface causing the signal to be scattered as multiple reflections, each less significant than the original signal. Refraction is the bending of a radio wave as it passes through a medium of different density. Diffraction is the bending of a radio wave around an obstacle. Voltage Standing Wave Ratio (VSWR) occurs when there is mismatched impedance between devices in an RF system. VSWR causes return loss, which is the loss of forward energy through a system due to some of the power being reflected back toward the transmitter. Phase shift keying is a type of encoding used by wireless networks to represent information by manipulating the phase of the signal.

235

Phishing is an example of what type of attack?
A  Social Engineering (yes)
B  Man-in-the-middle
C  Eavesdropping
D  Bit-flipping
E  Hijacking

Explanation: Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.

236

ABC Company recently implemented wireless networks at many of their branch offices. To determine RF coverage areas and access point placement, they measured the signal strength as reported in their laptop's wireless network card. What limitations does this site survey method include?
A  Does not identify interference sources (yes)
B  Different vendors report identical RF signals at different signal strengths (yes)
C  Only indicates a signal's viability
D  A laptop WLAN card does not accurately identify signal strength
E  Does not consider impact of security overhead

Explanation: The 802.11 standard does not specify how RSSI should be calculated, only that a vendor's hardware must be capable of reporting RSSI up to the driver, resulting in different implementations between vendors. Signal strength alone does not identify interference sources, so it does not test for a signal's viability. The power level of a narrowband signal relative to the power level of the noise floor is called the signal-to-noise ratio. SNR shows the strength of the RF signal versus the background noise, and also shows the viability of the RF link. SNR is a good indicator of whether or not a client will connect and remain connected.

237

What component of a wireless network might use a bi-metal conductor or gas discharge tube?
A  PoE Injector
B  Lightning arrestor (yes)
C  Amplifier
D  Attenuator
E  Yagi antenna

Explanation: Lightning arrestors are used to shunt into the ground transient current that is caused by a nearby lightning strike. (Note: lightning arrestors will not protect against direct lightning strikes.) Some are reusable after a lightning strike and some are not. Examples of reusable lightning arrestors are models with replaceable gas discharge tube elements that are cheaper to replace than the entire lightning arrestor, or bi-metal conductors. A single-use lightning arrestor is like a fuse, destroying itself to protect the equipment.

238

XYZ University has recently installed a secure WLAN solution. There have been no problems with network intrusion, but due to the weekend entertainment schedule of the university's social infrastructure, many access points in the residence halls have been damaged or stolen. What are some ways to prevent this type of security event from affecting network operation and security?
A  Put an access point in each residence hall room and make the students responsible for the access point
B  Migrate to a WLAN switched infrastructure with lightweight (thin) access points
C  Install web-based IP cameras in the same areas with access points to monitor theft
D  Install access points in lockable enclosures in the ceiling or on the wall of the facilities (yes)

Explanation: Installing web-based IP cameras would only give the thief another device to steal, and would not likely deter theft of access points. Locking access points in lockable containers would prevent theft or damage of units. Putting an access point in each residence hall room would cause significant adjacent and co-channel interference due to the access points being far too close to each other. While lightweight access points would not provide useful information to a thief, they would still be considered valuable and if removed or damaged would affect network operation.

239

Bill & Jane, two IT staff professionals at ABC Corporation, are arguing over the differences between WPA2 and Layer 3 VPN technologies. George, the IT Director, settles the dispute by explaining how WPA2 secures the wireless LAN data frame payloads. Which description of this process is correct in describing how WPA2 secures wireless data transmissions?
A  WPA2 encrypts layer 2 addresses and encrypts the layer 3 through layer 7 payloads.
B  WPA2 encodes layer 2 addresses with a 64-bit offset and encrypts the layer 3 and layer 4 addresses only.
C  WPA2 encrypts layer 3 through layer 7 payloads while leaving layer 2 source and destination addresses exposed. (yes)
D  WPA2 leaves the layer 2 and layer 3 addresses exposed while encrypting layer 4 through layer 7 payloads.

Explanation: WPA2 (802.11i-compliant CCMP-enabled) encrypts layer 3-7 information while leaving layer 2 addresses (MAC) exposed. This is done so that layer 2 wireless devices (PCMCIA cards, access points, bridges, etc.) can communicate on the local wireless segment.

240

XYZ Company uses 802.1X/EAP-FAST on their ERP-OFDM network to secure wireless data transmissions. They have field agents who use the local ERP-OFDM network while in the office and often need to access the corporate intranet from wireless hotspots around the country. What security protocol would be best suited for remote access from the wireless hotspots?
A  PEAP-MS-CHAPv2
B  WPA2-Personal
C  L2TP/IPSec (yes)
D  EAP-TTLS

Explanation: PEAP-MS-CHAPv2, WPA2-Personal, and EAP-TTLS are layer 2, local-area protocols only. For this reason, they are not used for WAN access (over the Internet). L2TP/IPSec can be used to protect LAN and WAN traffic. Over an 802.11 hotspot, L2TP can be used to 'dial' the IP address of the corporate VPN concentrator. IPSec is used to encrypt the data both over the wireless network and over the Internet.

241

When reassociating between access points of two different WLAN controllers, which technology is needed to perform a fast BSS transition?
A  Preauthentication (yes)
B  PMK Caching
C  Opportunistic PMK Caching
D  Fast Roam-Back
E  Fast Roam-Forward

Explanation: Preauthentication is defined by the 802.11 standard and specifies performing 802.1X/EAP authentications over the wired (Ethernet) distribution system. Preauthentication allows an associated supplicant to remain connected to an AP while building a PMK with another AP, allowing the client station to only perform the 4-Way Handshake. When roaming between APs of a single WLAN controller, PMK Caching and Opportunistic PMK Caching (OPC) can be used for fast BSS transition. However, to roam quickly between WLAN controllers, a mechanism like preauthentication will need to be used. Preauthentication between WLAN controllers works on the same premise as it would between two autonomous APs. Fast Roam-Back is another name for PMK Caching, while Fast Roam-Forward is another name for Opportunistic PMK Caching. Note: In order to use preauthentication, both the supplicant and authenticator must offer support.

242

Given: ABC Corporation has recently decided to purchase and install an 802.11a/g wireless LAN. The network administrator decides to purchase a WLAN switch because of its wide range of EAP support. ABC Corporation has no Public Key Infrastructure (PKI), but likes the EAP-TLS model of wireless security. As a hired consultant, you mention an EAP type that closely resembles the functionality of EAP-TLS, without using digital certificates. What EAP type did you mention?
A  EAP-TTLS
B  EAP-MD5
C  PEAPv0/EAP-MSCHAPv2
D  EAP-FAST (yes)
E  PEAPv1/EAP-GTC

Explanation: EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and EAP-FAST all use tunneled authentication, but only EAP-FAST has the ability to not use x.509 certificates for server-side authentication.

243

Which are features commonly supported by WLAN controllers?
A  Layer 2 protocol analysis
B  Rogue AP/Client detection (yes)
C  Gateway Load Balancing Protocol (GLBP)
D  HTTPS device management (yes)
E  802.1Q-in-Q Tag Stacking (Q-in-Q Tunneling)

Explanation: WLAN controllers are layer 2/3 devices. Rogue AP and client device detection (and often mitigation) is available in almost all WLAN switches/controllers. HTTP, HTTPS, SNMP, Telnet, and SSH1/2 protocols are used to manage WLAN switches/controllers. GLBP and 802.1Q-in-Q are not supported by WLAN infrastructure devices.

244

Given: The XYZ Corporation employs 20 data entry clerks that use an unencrypted IEEE 802.11 WLAN to access the main network. An intruder is using a laptop running a software access point in an attempt to hijack the wireless users. How can the intruder cause all of these clients to establish Layer 2 connectivity with the software access point?
A  WLAN clients can be forced to reassociate if the intruder's laptop uses a WLAN card capable of emitting at least 5 times more power than the authorized access point.
B  A higher SSID value programmed into the intruder's software access point will take priority over the SSID in the authorized access point, causing the clients to reassociate.
C  When the signal between the clients and the authorized access point is temporarily disrupted and the intruder's software access point is using the same SSID on a different channel than the authorized access point, the clients will reassociate to the software access point. (yes)
D  When the signal between the clients and the authorized access point is permanently disrupted and the intruder's software access point is using the same SSID and the same channel as the authorized access point, the clients will reassociate to the software access point.

Explanation: By design, when the connection between a WLAN client and access point drops below a certain threshold (determined differently by each vendor), the WLAN client will start looking for other access points on different channels with a matching SSID that might provide a better connection, typically based upon RSSI values. Many devices will also continue to scan other channels for better options even while associated to an access point. Jamming the signal will drop the connection below the client's threshold, causing it to searc

245

What types of transmissions are protected using a group key hierarchy in an RSN network?
A  Broadcast (yes)
B  Multicast (yes)
C  Unicast
D  Ad-hoc
E  Plaintext

Explanation: A robust secure network (RSN) has two different key hierarchies used to protect traffic. The pairwise key hierarchy is used to protect unicast traffic, while broadcast and multicast traffic is protected by the group key hierarchy.

246

What 802.11 authentication is supported by the 802.1X framework?
A  Open System (yes)
B  Shared Key
C  Mutual
D  Username and password
E  Digital Certificate

Explanation: The IEEE 802.1X standard defines port-based network access control that is used to provide authenticated network access for users wanting access to Ethernet and IEEE 802.11 wireless networks. With port-based network access control, a wireless station cannot send any frames on the network until access has been granted by the authenticator (typically a wireless access point or controller). Before the 802.1X authentication process can begin, the WLAN client must first have access to the 802.1X authenticator, meaning it must first perform wireless authentication to the access point or controller. The only supported method for this type of authentication when combined with 802.1X authentication is Open System authentication, which is transparent to the user due to its automatic success.

247

XYZ University is installing a security camera system, and they want to use mesh routers to connect all of the security cameras back to a central Ethernet switch. Each camera has an Ethernet port and is located near an AC outlet. Each mesh router uses ERP-OFDM, AES-CCMP encryption, and has three Ethernet ports for connecting multiple cameras. Each mesh router will connect to at least two other mesh routers by design. All cameras are housed in locked enclosures, are pointed at a specific location, and cannot be rotated. A student that is participating in the installation is going to attempt to circumvent this security solution. What plausible approach might the student use to circumvent this security solution?
A  Use an 802.11 frame generator to send spoofed deauthentication frames to the mesh router with a source address of another mesh router.
B  Use an RF jamming device to interrupt the wireless mesh link near a mesh router. (yes)
C  Plug an additional camera into a lower-numbered (higher priority) Ethernet port on a mesh router. This would cause the mesh router to send video from the unauthorized camera which is pointing in a different direction.
D  Enable an HR-DSSS client adapter near the mesh router, forcing it to enable protection mechanisms. This will result in an average bandwidth too low for full-motion video and will cause substantial blurring.

Explanation: By interrupting the wireless mesh link near a camera, the video stream on the camera will not be sent across the mesh to the Ethernet switch. The video stream will be lost until the RF jamming device is disabled. Deauthenticating one mesh router from another will not work in this case because each mesh router is connected to two other mesh routers by design. The data stream would simply fail over to the second mesh router link (if it was not already being sent on that link). ERP-OFDM mesh router networks should be designed to accommodate the expected data traffic, even when they must use CCK modulation instead of OFDM.

248

What may significantly affect the amount of wireless throughput available to each station connected to a single radio access point when all stations are actively transmitting and receiving in the BSS?
A  The transmission delay threshold value on the access point
B  The RTS/CTS threshold value on each station (yes)
C  The size of the queuing buffers in the access point
D  Data frame retransmissions due to narrowband RF interference (yes)
E  Delay spread due to multipath

Explanation: For each DSSS or OFDM channel, there is a maximum amount of throughput available. The amount of throughput is shared among all stations on that channel. When a station enables RTS/CTS, not only does it affect the amount of throughput that station will have, but it also affects the throughput of all other stations on that channel because the station using RTS/CTS controls use of the RF medium for longer periods of time. When stations must retransmit data frames due to RF interference, their throughput goes down significantly. Additionally, stations that must retransmit data frames congest the shared medium for longer periods of time, decreasing throughput for all stations on that channel.

249

The IEEE OFDM amendment specifies what number of non-overlapping channels in the upper U-NII (U-NII 3) band?
A  3
B  4 (yes)
C  6

Explanation: Bands available for use with OFDM (802.11a) systems are as follows:

Band (GHz)              # Channels   Channel Numbers
5.150-5.250 (U-NII1)    4            36, 40, 44, 48
5.250-5.350 (U-NII2)    4            52, 56, 60, 64
5.470-5.725             11           100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
5.725-5.825 (U-NII3)    4            149, 153, 157, 161
5.825-5.850 (ISM)       1            165

250

Which 802.11 standard (including amendments) devices use the 5.8 GHz ISM band?
A  OFDM
B  HR-DSSS
C  ERP-OFDM
D  OFDM, HR-DSSS, and ERP-OFDM
E  Neither OFDM, HR-DSSS, nor ERP-OFDM (yes)

Explanation: HR-DSSS (802.11b) and ERP-OFDM (802.11g) devices operate in the 2.4 GHz band. OFDM (802.11a) devices operate in the 5 GHz UNII bands. The 5.8 GHz ISM band is an unlicensed band commonly used by cordless phones.

251

One year ago, ABC Company installed four access points and configured them for 802.1X/LEAP using the integrated RADIUS services in each access point. ABC has outgrown the four access points and the maximum size of the integrated RADIUS database. ABC wishes to grow their wireless solution without changing their authentication scheme. Which solution will work for ABC Company?
A  Upgrade the existing access points to support TACACS+, which will allow for a larger integrated database size.
B  Use an EAP-enabled external RADIUS server for user authentication. (yes)
C  Upgrade all access points to WPA2-Personal, and give every user their own individual passphrase.
D  Double the number of access points to 8 and add more usernames to the integrated RADIUS database on each access point.

Explanation: The most scalable security solution is a centralized EAP-enabled RADIUS server. TACACS+ does not inherently allow for a larger database than RADIUS, and TACACS+ is rarely EAP-enabled. WPA2-Personal is no more scalable than WEP, and it is a less secure and less scalable solution than WPA2-Enterprise, which uses RADIUS. WPA2-Personal uses a single passphrase for all users to authenticate and is designed primarily for SOHO rather than an enterprise environment. Adding additional access points will not increase the maximum size of the integrated RADIUS server database.

252

As an RF signal passes through a cement block wall, the wall primarily _______ the RF signal.
A  Absorbs (yes)
B  Refracts
C  Scatters
D  Attenuates (yes)
E  Diffracts
F  Reflects

Explanation: Absorption occurs when the RF signal strikes an object and is absorbed into the material in such a manner that it does not pass through, reflect off, or bend around the object. A single concrete or cinderblock wall often blocks the signal entirely, causing complete attenuation. Some reflection, etc. may occur as well. Reflection occurs when a wave strikes an object that has very large dimensions in comparison to the wavelength of the propagating wave, such as smooth surfaces like lakes, metal roofs, metal blinds, and metal doors, likely causing multipath. Refraction is the bending of a radio wave as it passes through a medium of different density. Diffraction is the bending of a radio wave around an obstacle. Scattered waves are produced by rough surfaces, small objects, or by other irregularities in the signal path, and can be thought of as lots of little reflections.

253

Which items are features of an 802.11 wireless network management system (WNMS)?
A  Network discovery (yes)
B  EAP authentication
C  WLAN user monitoring (yes)
D  Rogue suppression
E  Event alarms and notification (yes)
F  Preauthentication

Explanation: WNMS can perform network discovery, single- or multi-vendor configuration and firmware management, WLAN policy enforcement, network and user monitoring, rogue detection, event alarms and notification, and much more. They typically communicate with infrastructure devices, such as APs, via SNMP.

254

The IEEE 802.11 standard (as amended) specifies what power management modes?
A  Awake Signal Standby Mode
B  Active Mode (yes)
C  Beacon Poll Mode
D  Power Save Mode (yes)
E  DTIM Alert Mode
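Added example covering questions 223 and 254 (constructed for this page, not part of the original material): a parser for the beacon frame body fields those explanations refer to (Timestamp, Beacon Interval, Capability, and the TIM element with its DTIM count, DTIM period and partial virtual bitmap), together with the station-side timer synchronization and the Power Save wake-up decision. The beacon bytes, SSID, capability bits and AIDs are made up for the illustration; the field layout follows the 802.11 frame format.

```python
import struct

# Constructed beacon body (not a captured frame). Field layout per IEEE 802.11:
# fixed fields (Timestamp, Beacon Interval, Capability) then information elements.
TU_US = 1024                 # one 802.11 time unit is 1024 microseconds
EID_SSID, EID_RATES, EID_TIM = 0, 1, 5
CAP_PRIVACY = 0x0010         # Capability bit 4: encryption required in this BSS


def build_sample_beacon():
    """Beacon body: timestamp | interval | capability | SSID | rates | TIM."""
    fixed = struct.pack("<QHH", 0x0000001234567890, 100, 0x0411)   # 100 TU interval
    ssid = bytes([EID_SSID, 8]) + b"XYZ-CAMS"
    rates = bytes([EID_RATES, 4, 0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mbps (basic)
    # TIM: DTIM count 0 (this beacon is a DTIM), DTIM period 3, bitmap control with the
    # multicast-buffered bit set and bitmap offset 1 (partial bitmap starts at octet 2
    # of the virtual bitmap, i.e. AID 16); AIDs 17 and 28 have unicast frames queued.
    partial_bitmap = bytes([0b00000010, 0b00010000])
    tim = bytes([EID_TIM, 3 + len(partial_bitmap), 0, 3, (1 << 1) | 1]) + partial_bitmap
    return fixed + ssid + rates + tim


def aid_buffered(tim, aid):
    """AID n is bit n % 8 of octet n // 8 of the virtual bitmap; the partial
    bitmap carried in the beacon starts at octet 2 * bitmap_offset."""
    octet = aid // 8 - 2 * tim["bitmap_offset"]
    if octet < 0 or octet >= len(tim["partial_bitmap"]):
        return False
    return bool((tim["partial_bitmap"][octet] >> (aid % 8)) & 1)


def parse_tim(data):
    dtim_count, dtim_period, bitmap_control = data[0], data[1], data[2]
    tim = {
        "dtim_count": dtim_count,                  # beacons until the next DTIM (0 = now)
        "dtim_period": dtim_period,                # every Nth beacon is a DTIM
        "is_dtim": dtim_count == 0,
        "multicast_buffered": bool(bitmap_control & 0x01),
        "bitmap_offset": bitmap_control >> 1,
        "partial_bitmap": data[3:],
    }
    tim["buffered_aids"] = [aid for aid in range(1, 2008) if aid_buffered(tim, aid)]
    return tim


def parse_beacon(body):
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    info = {"timestamp_us": timestamp, "beacon_interval_tu": interval,
            "beacon_interval_us": interval * TU_US,
            "privacy": bool(capability & CAP_PRIVACY), "ies": {}}
    pos = 12
    while pos + 2 <= len(body):                   # walk the element ID / length / data list
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        info["ies"][eid] = data
        pos += 2 + length
    if EID_SSID in info["ies"]:
        info["ssid"] = info["ies"][EID_SSID].decode("utf-8", "replace")
    if EID_TIM in info["ies"]:
        info["tim"] = parse_tim(info["ies"][EID_TIM])
    return info


def sync_tsf(local_tsf_us, beacon_timestamp_us, rx_delay_us=0):
    """A station in a BSS replaces its local TSF timer with the AP's Timestamp
    (plus its own receive delay). Returns (new_tsf, correction_applied)."""
    new_tsf = beacon_timestamp_us + rx_delay_us
    return new_tsf, new_tsf - local_tsf_us


def should_wake(info, aid):
    """Power Save decision: stay awake if unicast frames are buffered for our AID,
    or if this DTIM beacon announces buffered multicast/broadcast traffic."""
    tim = info.get("tim")
    if tim is None:
        return False
    return aid_buffered(tim, aid) or (tim["is_dtim"] and tim["multicast_buffered"])
```

`sync_tsf` is the mechanism question 223 asks about: the Timestamp field, not the Beacon Interval or the TIM, is what each station copies into its own timer. `should_wake` is the Power Save side from question 254: a dozing station listens only for beacons (or only for DTIM beacons), reads the TIM, and returns to full power when its AID bit is set or a DTIM announces group traffic.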

Explanation: The 802.11-1999 (Reaffirmed 2003) standard specifies Power Save mode and Active mode. In Active mode, stations are always powered up. In Power Save mode, stations 'doze' (go into a low-power state) between beacons that contain DTIMs if there is no traffic queued at the access point for them. While in Power Save mode, stations may doze whenever they like, and PS-Poll frames are used to retrieve their queued data from the access point when they return to a full-power state.

255

ABC Company has chosen VPN technology to secure their 802.11g WLAN because employees roam both around the company's building and externally at hot spots around the country. ABC Company's WLAN security policy requires an encryption algorithm stronger than RC4. The network manager is considering L2TP as a VPN solution and asks you, a WLAN security consultant, what types of encryption algorithms L2TP uses. What can you tell the network manager about L2TP?
A  AES-256 encryption is supported on every VPN platform that supports L2TP.
B  L2TP does not support encryption by itself, so it must be paired with a protocol that supports encryption in order to meet security policy requirements. (yes)
C  L2TP itself is an encryption algorithm stronger than RC4. Additionally, a connectivity solution must be chosen to complement L2TP.
D  L2TP can use RC5 encryption when used with 802.1X.

256

Which item acts as an interface between an unsecured wireless network segment and a secure wired network segment?
A. Web site using HTTPS (SSLv3)
B. Translational Bridge performing bit reordering
C. Default Wireless Access Gateway
D. Enterprise Encryption Gateway (yes)
E. RADIUS workgroup server

Explanation: Enterprise Encryption Gateways are segmentation devices that implement layer 2 VPN technology with authentication and encryption. They do not perform routing, but instead simply have encryption on the controlled (unsecured) side and plain text on the protected side.

257
Your company purchased an application several years ago that requires the IPX transport protocol for communication between client and server. You would now like to configure some laptops to use this application over your company's wireless network. Which VPN solution would be a valid option to secure the wireless network while supporting this application?
A. L2TP/IPSec (yes)
B. EAP-PEAP
C. SSH
D. GSM
E. PPTP (yes)

Explanation: PPTP provides a way to route PPP packets over an IP network. Since PPTP allows multiprotocol encapsulation, you can send any type of packet over the network. A common use is to send IPX packets over the Internet. While native IPSec cannot transport IPX packets, when used with L2TP in tunneling mode, or with GRE tunneling, it can also transport IPX packets. SSH, EAP-PEAP, and GSM are not valid options.

258
ABC Company has implemented WPA2-Enterprise with PEAP on their WLAN. They use POP3/SSL for email retrieval. At what OSI layers is encryption applied using these security protocols?
A. Layer-1
B. Layer-2 (yes)
C. Layer-3
D. Layer-4
E. Layer-7 (yes)

Explanation: All EAP types are Layer 2 protocols. POP3 is an email retrieval protocol at Layer 7. Other examples of secure application (Layer 7) protocols include FTP/SSL, FTP/SSH, SNMP/SSL, HTTPS, and SNMPv3.

259
ABC Corporation, a software development organization, wishes to test their own LDAP implementation in a live wireless environment. Choose the appropriate ways to use LDAP for user authentication in a WLAN environment.
A. A WLAN switch using EAP-TTLS authentication sends a user authentication request to a RADIUS server. The RADIUS server queries the LDAP server for user credential information. (yes)
B. An enterprise wireless gateway (EWG) directly queries the LDAP server for user credential information. (yes)
C. An access point using PEAPv1/EAP-GTC sends an authentication request to the LDAP server, which proxies the request to a TACACS+ server for user credential authentication.
D. An enterprise encryption gateway (EEG) sends an authentication request to an access control server, which proxies the request to a TACACS+ server, which in turn forwards a user credential request to the LDAP server for verification. (yes)

Explanation: LDAP databases are not authentication services, though they can hold user information. An LDAP server will not proxy requests to an authentication server like TACACS+ or RADIUS. Many device types, such as EWGs, EEGs, APs, and WLAN switches/controllers, can directly interact with an LDAP database.

260
What option best describes a Network Layer device designed to provide secure Internet or network connectivity to a small number of wireless client stations?
A. Wireless Residential Gateway (yes)
B. Wireless Bridge
C. Access Point
D. Wireless Mesh Router
E. Enterprise Encryption Gateway

Explanation: Wireless Residential Gateways are devices used in SOHO (Small Office / Home Office) and SMB (Small/Medium Business) environments for wireless, wired, and Internet connectivity, as well as any of the following features:
a. Firewalling
b. VPN endpoint or passthrough
c. NAT/NAPT
d. Virtual Servers / Port Redirection
e. PPPoE / DHCP / Static IP addressing
f. WPA/WPA2 Wireless Security
There are many other features that may be included in Wireless Residential Gateways. These units came into existence by adding an access point into a Residential Router/Gateway. The wireless features of these units continue to evolve as the WLAN market evolves.

The EEG is a layer 2 (Data-Link) device. The wireless bridge is designed for point-to-point (PtP) or point-to-multipoint (PtMP) connectivity with other wireless bridges to connect multiple subnets, and does not provide connectivity to client stations. Access points and wireless mesh routers cannot, by themselves, provide Internet connectivity for any users; they require a router function.

261
In an IEEE 802.11 RSN-enabled network, which key is used to derive all other keys used in the authentication process?
A. Pairwise Master Key (PMK) (yes)
B. Group Master Key (GMK)
C. Group Temporal Key (GTK)
D. Pairwise Transient Key (PTK)
E. Advanced Encryption Standard Key (AES)

Explanation: A Pairwise Master Key (PMK) is the highest-order key used within the 802.11 standard. The PMK may be derived from a Master Session Key exported by an Extensible Authentication Protocol (EAP) session, or may be obtained directly from a Preshared Key (PSK).

262
The 802.11i-2004 amendment defines and supports what three cipher suites?
A. WEP (yes)
B. PSK
C. CCMP (yes)
D. TKIP (yes)
E. IPSec
F. SSH2

Explanation: The 802.11i-2004 amendment lists supported cipher suites in table 20da. WEP (both 40 and 104 bit), TKIP, and CCMP are each listed.

263
What are common applications of 802.11 Ad Hoc mode?
A. Testing alarm features of wireless intrusion detection systems
B. WLAN bridging between two nearby buildings
C. Internet access for small wireless workgroups (yes)
D. Throughput testing of Infrastructure Basic Service Sets
E. File sharing among personnel in a small office (yes)
F. Wireless hotspots in conference rooms or hotel lobbies

Explanation: While Ad Hoc (IBSS) WLANs were designed with no available distribution system (DS), we often see small peer-to-peer workgroups using Ad Hoc WLANs with one computer providing distribution services (routing, for example) to the Internet or other WAN services. Local area connectivity, such as file/printer sharing, is what Ad Hoc WLANs were designed to do.

264
In what situation would use of 802.11 frame fragmentation increase WLAN throughput by decreasing frame retransmission?
A. When using PCF mode with CF-pollable and non-pollable stations in the BSS
B. When operating in IBSS mode and using the default MTU settings
C. When a source of RF interference is near the ERP-OFDM transmitter or receiver (yes)
D. When HR-DSSS clients are operating in an ERP-OFDM BSS

Explanation: 802.11 frame fragmentation is used to increase throughput by decreasing frame retransmissions. Large frames have a high probability of corruption when there is RF interference in the immediate area around the transmitter and/or receiver. By making the frames smaller, each frame has a greater chance of being completely received and acknowledged.

265
Given: An 802.11i-compliant wireless client station wants to seamlessly roam between 802.11i-compliant access points. The client station and all access points are part of a Robust Security Network (RSN). The client station is running a VoIP application that is latency sensitive. In order for the client station to seamlessly and quickly roam between access points, what value must be passed from the client station to the new access point in a Reassociation Request frame?
A. IP subnet information
B. MSDU fragmentation threshold values
C. Client station's configuration profile name
D. Pairwise Master Key Identifier (yes)
E. Wireless VLAN tag parameters

Explanation: The 802.11i amendment states:

7.3.2.25.4 PMKID
The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP. The PMKID Count specifies the number of PMKIDs in the PMKID List field. The PMKID list contains 0 or more PMKIDs that the STA believes to be valid for the destination AP. The PMKID can refer to
a) A cached PMKSA that has been obtained through preauthentication with the target AP
b) A cached PMKSA from an EAP authentication
c) A PMKSA derived from a PSK for the target AP

8.4.1.2.1 Security association in an ESS
A STA roaming within an ESS establishes a new PMKSA by one of three schemes:
- In the case of (re)association followed by IEEE 802.1X or PSK authentication, the STA repeats the same actions as for an initial contact association, but its Supplicant also deletes the PTKSA when it roams from the old AP. The STA's Supplicant also deletes the PTKSA when it disassociates/deauthenticates from all basic service set identifiers (BSSIDs) in the ESS.
- A STA (AP) can retain PMKs for APs (STAs) in the ESS to which it has previously performed a full IEEE 802.1X authentication. If a STA wishes to roam to an AP for which it has cached one or more PMKSAs, it can include one or more PMKIDs in the RSN information element of its (Re)Association Request frame. An AP whose Authenticator has retained the PMK for one or more of the PMKIDs can skip the 802.1X authentication and proceed with the 4-Way Handshake. The AP shall include the PMKID of the selected PMK in Message 1 of the 4-Way Handshake. If none of the PMKIDs of the cached PMKSAs matches any of the supplied PMKIDs, then the Authenticator shall perform another IEEE 802.1X authentication. Similarly, if the STA fails to send a PMKID, the STA and AP must perform a full IEEE 802.1X authentication.
- A STA already associated with the ESS can request its IEEE 802.1X Supplicant to authenticate with a new AP before associating to that new AP. The normal operation of the DS via the old AP provides the communication between the STA and the new AP. The STA's IEEE 802.11 management entity delays reassociation with the new AP until IEEE 802.1X authentication completes via the DS. If IEEE 802.1X authentication completes successfully, then PMKSAs shared between the new AP and the STA will be cached, thereby enabling the possible usage of reassociation without requiring a subsequent full IEEE 802.1X authentication procedure.

267
Which item acts as an interface between an unsecured wireless network segment and a secure wired network segment?
A. Web site using HTTPS (SSLv3)
B. Translational Bridge performing bit reordering
C. Default Wireless Access Gateway
D. Enterprise Encryption Gateway (yes)
E. RADIUS workgroup server
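Returning to question 265: the following added example (not from the exam material or the 802.11i text quoted above) models the PMKID check those clauses describe, with the AP either skipping 802.1X when an offered PMKID matches its PMKSA cache or forcing a full authentication. The PMKID construction is the one 802.11i-2004 defines (HMAC-SHA1-128 over "PMK Name" || AA || SPA); the MAC addresses and the stand-in for the EAP exchange are constructed for the example.

```python
"""PMKID caching per 802.11i: the STA offers PMKIDs in its (Re)Association
Request, and the AP's Authenticator either proceeds straight to the 4-Way
Handshake or requires a full IEEE 802.1X authentication."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) (802.11i-2004, 8.5.1.2).
    AA is the Authenticator (AP) MAC address, SPA the Supplicant (STA) MAC address."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6:
        raise ValueError("PMK must be 32 bytes and MAC addresses 6 bytes")
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


@dataclass
class Authenticator:
    """AP side: a PMKSA cache keyed by PMKID."""
    aa: bytes
    pmksa_cache: dict = field(default_factory=dict)

    def cache_pmksa(self, spa: bytes, pmk: bytes) -> bytes:
        """Called after a full 802.1X authentication (or preauthentication via the DS)."""
        pid = pmkid(pmk, self.aa, spa)
        self.pmksa_cache[pid] = pmk
        return pid

    def handle_reassociation(self, spa: bytes, offered_pmkids: list) -> tuple:
        """Decide from the PMKID List carried in the RSN IE of the Reassociation Request.
        Returns ('4-way-handshake', pmkid) when a cached PMKSA matches (that PMKID is
        the one the AP carries in Message 1), or ('full-802.1x', None) otherwise."""
        for pid in offered_pmkids:
            if pid in self.pmksa_cache:
                return ("4-way-handshake", pid)
        return ("full-802.1x", None)


@dataclass
class Supplicant:
    """STA side: PMKs retained per AP, keyed by the AP's MAC address (AA)."""
    spa: bytes
    pmks: dict = field(default_factory=dict)

    def remember_pmk(self, aa: bytes, pmk: bytes) -> None:
        self.pmks[aa] = pmk

    def pmkid_list_for(self, aa: bytes) -> list:
        """The 0 or more PMKIDs the STA believes to be valid for the target AP."""
        return [pmkid(self.pmks[aa], aa, self.spa)] if aa in self.pmks else []


def full_8021x(sta: Supplicant, ap: Authenticator) -> bytes:
    """Stand-in for an EAP exchange: both sides end up holding the same 32-byte PMK
    (in reality derived from the EAP Master Session Key). Constructed, not real EAP."""
    pmk = os.urandom(32)
    sta.remember_pmk(ap.aa, pmk)
    ap.cache_pmksa(sta.spa, pmk)
    return pmk


def roam_scenarios() -> dict:
    """Walk through the cases the 802.11i text describes. MACs are constructed values."""
    sta = Supplicant(mac("00:11:22:33:44:55"))
    ap1 = Authenticator(mac("00:aa:bb:cc:dd:01"))
    ap2 = Authenticator(mac("00:aa:bb:cc:dd:02"))
    results = {}

    # Initial contact with AP1: no PMKID to offer, so a full 802.1X run is required.
    results["initial"] = ap1.handle_reassociation(sta.spa, sta.pmkid_list_for(ap1.aa))[0]
    full_8021x(sta, ap1)

    # Roam to AP2 with nothing cached for it: full authentication again.
    results["roam_uncached"] = ap2.handle_reassociation(sta.spa, sta.pmkid_list_for(ap2.aa))[0]
    full_8021x(sta, ap2)

    # Roam back to AP1: the offered PMKID matches its cache, so 802.1X is skipped.
    results["roam_back"] = ap1.handle_reassociation(sta.spa, sta.pmkid_list_for(ap1.aa))[0]

    # Preauthentication: the STA authenticates with AP3 through the DS before
    # reassociating, so its first reassociation to AP3 already hits the cache.
    ap3 = Authenticator(mac("00:aa:bb:cc:dd:03"))
    full_8021x(sta, ap3)
    results["preauth"] = ap3.handle_reassociation(sta.spa, sta.pmkid_list_for(ap3.aa))[0]

    # AP2 has since flushed its PMKSA cache (e.g. the PMK lifetime expired): the STA
    # still offers the PMKID, but with no match the AP requires a full 802.1X run.
    ap2.pmksa_cache.clear()
    results["stale"] = ap2.handle_reassociation(sta.spa, sta.pmkid_list_for(ap2.aa))[0]
    return results
```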

Explanation: Enterprise Encryption Gateways are segmentation devices that implement layer 2 VPN technology with authentication and encryption. They do not perform routing, but instead simply have encryption on the controlled (unsecured) side and plain text on the protected side.

268
802.1X/EAP-TLS supports what client authentication credential type?
A. Passwords
B. x.509 Certificates (yes)
C. Digital Security Token
D. MD5 Hash Exchange
E. Biometric

Explanation: EAP-TLS supports only digital certificates on the server and client. Because of its certificate requirements, EAP-TLS is most often used for WLAN security when a Public Key Infrastructure (PKI) is already in place. Certificates can be expensive and burdensome to implement, but provide extremely strong authentication when compared to passwords.

269
What type of wireless attack can take data and turn it into something predictable and similar, but with important information changed?
A. Man-in-the-Middle
B. Evil Twin
C. DoS
D. Hijacking
E. Bit-flipping (yes)

Explanation: A bit-flipping attack is an attack on a cryptographic cipher in which the attacker can change the ciphertext in such a way as to result in a predictable change of the plaintext, although the attacker is not able to learn the plaintext itself. The attack is especially dangerous when the attacker knows the format of the message. In such a situation, the attacker can turn it into a similar message but one in which some important information is altered. For example, a change in the destination address might alter the message route in a way that will force re-encryption with a weaker cipher, thus possibly making it easier for an attacker to decipher the message. Stream ciphers, such as RC4 (found in WEP), can be vulnerable to a bit-flipping attack. Adding a message authentication code to the message is a standard way of increasing the resistance of a cipher to a bit-flipping attack.

270
Given: You have a wireless network that supports several IEEE 802.11 standards or draft standards, including ERP-OFDM, OFDM, 802.11i, and 802.11s. What can you conclude regarding your wireless network?
A. Can operate in either the 2.4 or 5.8 GHz ISM unlicensed bands
B. Supports ESS mesh networking (yes)
C. Supports mandatory rates of 54 Mbps
D. Supports 128-bit or 256-bit AES-CCMP encryption

Explanation: The 802.11s ESS Mesh Networking standard shall enable interoperable formation and operation of an ESS Mesh, but shall be extensible to allow for alternative path selection metrics and/or protocols based on application requirements. OFDM (802.11a) access points operate in the 5.8 GHz UNII bands, not ISM bands. OFDM (802.11a) and ERP-OFDM (802.11g) both have mandatory data rates of 6, 12, and 24 Mbps (ERP-OFDM (802.11g) also has mandatory data rates of 1, 2, 5.5 and 11 Mbps), but not 54 Mbps. 802.11i uses a 128-bit (only) Advanced Encryption Standard (AES) key with the Counter Mode with Cipher Block Chaining-Message Authentication Code (CBC-MAC) protocol (CCMP).

271
XYZ Company uses 802.1X/EAP-FAST on their ERP-OFDM network to secure wireless data transmissions. They have field agents who use the local ERP-OFDM network while in the office and often need to access the corporate intranet from wireless hotspots around the country. What security protocol would be best suited for remote access from the wireless hotspots?
A. PEAP-MS-CHAPv2
B. WPA2-Personal
C. L2TP/IPSec (yes)
D. EAP-TTLS

Explanation: PEAP-MS-CHAPv2, WPA2-Personal, and EAP-TTLS are layer 2, local-area protocols only. For this reason, they are not used for WAN access (over the Internet). L2TP/IPSec can be used to protect LAN and WAN traffic. Over an 802.11 hotspot, L2TP can be used to 'dial' the IP address of the corporate VPN concentrator. IPSec is used to encrypt the data both over the wireless network and over the Internet.

272
What are advantages of implementing a wireless intrusion prevention system (WIPS) that uses channel scanning to analyze traffic on ISM and U-NII band frequencies?
A. Identifying and mitigating rogue access points (yes)
B. Identifying denial of service (DoS) attacks
C. Analyzing wireless networks operating on a single channel
D. Detecting and reporting access points that dynamically change channel configuration
E. Detecting attacks from Bluetooth or other FHSS wireless network devices

Explanation: Dedicated wireless sensors analyze wireless communications and are typically deployed with the ability to channel scan and analyze traffic on channels supported by the sensor radios. This is a benefit when identifying rogue APs and client stations, denial of service (DoS) attacks, etc., but not when analyzing a single channel wireless network. Because the sensor can only detect attacks on the channel it is currently scanning, it may miss attacks on other channels.

273
What problems in an 802.11 WLAN can be caused by a high Voltage Standing Wave Ratio (VSWR)?
A. Transmitter burnout (yes)
B. Decreased or erratic RF signal amplitude at the receiver (yes)
C. RF antenna failure
D. RF cable deterioration
E. RF connectors become overheated at the point of impedance mismatch

Explanation: Output amplifiers are not typically made to receive a sustained input of any kind. Typical operation of a WLAN transceiver is for the transmitter to transmit, then for the receiver to receive. When there is a high VSWR, power from the transmitted signal is reflected back into the transmitter as it is transmitting. This can cause the transmitter's output amplitude to be decreased or erratic (if the reflected power is out of phase with the forward power), or the transmitter to fail if the reflected power is high enough for a long enough period of time.

274
Which of the following is an advantage of using OFDM vs. ERP-OFDM?
A. OFDM will not experience co-channel interference with HR-DSSS because it operates in the 5.8 GHz ISM band, while HR-DSSS operates in the 2.4 GHz ISM band.
B. An OFDM system can achieve greater throughput than an ERP-OFDM system, even if the ERP-OFDM system is configured for 'g-only' mode. (yes)
C. OFDM uses modulation techniques to achieve data rates up to 54 Mbps.
D. Because it operates in a higher RF spectrum band, Free Space Path Loss causes OFDM RF signals to attenuate less than ERP-OFDM RF signals.
E. ERP-OFDM systems operate in the same RF spectrum as HR-DSSS systems, allowing them to be backwards compatible.

Explanation: OFDM (802.11a) systems can have 8 co-located WAPs with no interference, theoretically achieving 432 Mbps (8 x 54 Mbps), while ERP-OFDM (802.11g) systems can only have 3 co-located WAPs with no interference, achieving 162 Mbps max throughput. OFDM (802.11a) operates in the 5 GHz UNII bands, not the 5.8 GHz ISM band. Both OFDM (802.11a) and ERP-OFDM (802.11g) use OFDM modulation, so that would not be an advantage. Higher frequencies are more susceptible to attenuation. While ERP-OFDM (802.11g) is backwards compatible with HR-DSSS (802.11b), this would be an advantage of ERP-OFDM (802.11g), not OFDM (802.11a).

275
When choosing a wireless spread spectrum (or similar) technology, which of the following would apply?
A. Bluetooth is used for connecting two devices in a Wireless PAN. (yes)
B. 802.16e or 802.20 devices are used in Wireless MANs within a city. (yes)
C. 802.15 WWAN devices are used in rural areas where laying cable is too expensive.
D. 802.11h WLAN devices ensure that average power is less than the regulatory maximums. (yes)
E. Narrowband transmitters are used in Wireless MANs within a city.

Explanation: A WPAN is a Wireless Personal Area Network, which is a wireless network that serves only the individual wireless user. Bluetooth is a very common WPAN technology. 802.16e describes WiMAX devices, while 802.20 describes Mobile Broadband Wireless Access (MBWA) devices, both of which are types of Wireless Metropolitan Area Network technology. 802.15 describes Bluetooth, which would be used in a WPAN, not a WWAN. Narrowband transmitters do not use spread spectrum technology, so they would not be an option. IEEE 802.11h-2003 refers to the amendment added to the IEEE 802.11 standard for Spectrum and Transmit Power Management Extensions. DFS ensures that channels containing radar are avoided by an Access Point (AP) and that energy is spread across the band to reduce interference to satellites. TPC ensures that the average power is less than the regulatory maximum to reduce interference to satellites.

276
What features would you find on a typical wireless residential gateway?
A. A NAT router (yes)
B. Wi-Fi compliant access point (yes)
C. An integrated switch (yes)
D. A RADIUS Server
E. Role-based access control
F. Infrastructure management

Explanation: Most APs bridge frames between the wired and their wireless interfaces, acting as an extension of the wired network. Both sides of an AP share the same IP subnet. A wireless router is an access point that routes packets between the wireless and the wired interfaces, instead of bridging frames. A wireless residential gateway is another name for a wireless router. The AP side has its own IP subnet and IP address, separate from the IP subnet on the wired interfaces. Wireless routers provide network address translation (NAT) between the two subnets, and most of today's wireless routers also feature an integrated four-port Ethernet switch. Advanced features such as a built-in RADIUS server, RBAC, and centralized infrastructure management are generally not found on wireless routers.

277
As a consultant, you are explaining the risks of WLAN Denial-of-Service (DoS) attacks to a group of engineers at ABC Corporation. They understand DoS attacks, but do not understand wireless technology very well. You inform the engineers that there are multiple WLAN DoS attacks that must be mitigated as part of a security strategy. Which DoS attacks do you mention in your discussion with the group of engineers?
A. Use of 2.4 GHz cordless phones
B. Wideband RF jamming (yes)
C. 802.11 deauthentication (yes)
D. EAP-Start flooding (yes)
E. SSID hiding
F. Adjacent channel interference

Explanation: 802.11 deauthentication, wideband RF jamming, and EAP-Start flooding can all cause authorized users to be unable to access network resources. DoS attacks typically take on two specific forms: physical and MAC layer. Physical DoS attacks are attacks against the RF medium, making it unusable for 802.11 stations. MAC layer attacks are attacks against the operation of the 802.11 and associated security protocols. RF jamming attacks the physical carrier sense mechanism, while 802.11 deauthentication attacks 802.11 MAC layer connectivity.

278
What is true regarding the 802.1X/EAP framework as specified by 802.1X-2004 and RFC 3748?
A. EAPoL is commonly used to communicate between an 802.1X supplicant and authenticator (yes)
B. RADIUS is commonly used to secure communications between an 802.1X supplicant and authenticator
C. 802.1X supplicants cannot communicate through an authenticator's uncontrolled port until authentication has completed
D. 802.1X provides authentication services specifically for wireless clients to access wired networks
E. An authenticator and authentication server can refer to the same device (yes)

Explanation: 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. 802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. In the 802.1X architecture, there are three key components:
1) Supplicant: the user or client that wants to be authenticated;
2) The authentication server, typically a RADIUS server;
3) The authenticator: the device in between, such as a wireless access point, which can be simple and dumb.
The key protocol in 802.1X is called EAP over LANs (EAPOL). It is currently defined for Ethernet-like LANs including 802.11 wireless, as well as token ring LANs (including FDDI). The operation process in 802.1X is as follows:
1. The supplicant (such as a client wireless card) sends an 'EAP-Response/Identity' packet to the authenticator (such as an 802.11 access point), which is then passed on to the authentication server (a RADIUS server located on the wired side of the access point).
2. The authentication server sends back a challenge to the authenticator. The authenticator unpacks this from IP, repackages it into EAPOL, and sends it to the supplicant.
3. The supplicant responds to the challenge via the authenticator, which passes the response on to the authentication server. The authentication server uses a specific authentication algorithm to verify the client's identity. This could be through the use of digital certificates or another EAP authentication type.
4. If the supplicant provides proper identity, the authentication server responds with a success message, which is then passed on to the supplicant. The authenticator now opens the port for the supplicant to access the LAN, based on attributes that came back from the authentication server.
The 802.1X (EAPOL) protocol provides effective authentication regardless of whether you implement 802.11 WEP keys or no encryption at all. If configured to implement dynamic key exchange, the 802.1X authentication server can return session keys to the access point along with the accept message. The access point uses the session keys to build, sign, and encrypt an EAP key message that is sent to the client immediately after sending the success message. The client can then use the contents of the key message to define applicable encryption keys. 802.1X (EAPOL) is a delivery mechanism; it doesn't provide the actual authentication mechanisms. When utilizing 802.1X, you need to choose an EAP type, such as EAP Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), which defines how the authentication takes place. The specific EAP type resides on the authentication server and within the operating system or application software on the client devices. The access point acts as a 'pass through' for 802.1X messages, which means that you can specify any EAP type without needing to upgrade an 802.1X-compliant access point. For more information, see the whitepaper 'IEEE 802.1X: EAP over LAN (EAPOL) for LAN/WLAN Authentication & Key Management' found at http://www.javvin.com/protocol8021X.html
Devices such as WLAN controllers may be configured as both the authenticator (the device that performs authentication) and the authentication server (the device that houses the stored credentials).

279
When implementing a wireless solution that includes an IEEE 802.3-2005 Clause 33 compliant PSE device, what must you consider?
A. Each PoE-enabled port must be capable of 400 mA at 44 volts
B. Each port yields a maximum of only 15.4 Watts (yes)
C. Powered devices connected to PSE ports must use all power allocated by the PSE
D. Connecting a non-PoE aware device to a PSE device will likely damage the non-PoE device
E. Diagnosing PSE ports is difficult because they remain unpowered until a PoE compliant PD is discovered (yes)

Explanation: IEEE 802.3-2005 Power Sourcing Equipment provides power to a single connected device per port. Each PSE PoE port yields a maximum of 15.4 Watts, and must be capable of 350 mA at 44 volts. The PSE will allocate the full amount of power designated by class, per port, and any power allocated but not used is wasted. Troubleshooting PoE equipment should be done using specific diagnostic equipment, because diagnostics are difficult due to the PSE ports remaining unpowered until PoE compliant powered devices are discovered.

280
What are two common software Wireless LAN discovery utilities used for locating SSIDs, signal strength, channel use, and security?
A. L0phtCrack (LC5)
B. NetStumbler (yes)
C. WinSniffer
D. Kismet (yes)
E. ShareEnum

Explanation: NetStumbler and Kismet are tools used to locate and interrogate wireless LANs. L0phtCrack (LC5) and WinSniffer are used as password auditing and recovery tools. ShareEnum is a tool for discovering network shares and the permissions applied to those shares.

281

To prevent theft of an access point, which deterrent is used?
A. Install an SNMP management utility to periodically poll all wireless infrastructure devices.
B. Mark the owner's name and contact information on the outside of the access point.
C. Record the MAC addresses and serial number of the access point.
D. Mount the access point out of view and out of reach. (yes)
E. Mount the access point only in a locked equipment room.

Explanation: Access points should be mounted out of reach, bolted down, or secured in locked enclosures. The access point should be kept out of plain view. This decreases the possibility that the device will be stolen, replaced with a cheaper model, or reconfigured through the console port.

282
Which protocol is used by a WNMS to gather statistics from autonomous access points?
A. SSL
B. SNMP (yes)
C. LLC
D. FTP
E. TFTP
F. HTTPS

Explanation: Simple Network Management Protocol (SNMP) is used by network management systems to poll infrastructure devices for statistics, configuration, and other parameters. A WNMS is specific to wireless systems, and uses standard management information bases (MIBs) unique to specific wireless infrastructure devices.

283
How does WMM Power Save differ from legacy 802.11 Power Save mode?
A. Power save behavior is negotiated during the association of a client with an access point.
B. WMM Power Save uses Traffic Indication Map (TIM) information to tell the client whether there is any data available for download.
C. WMM Power Save is based upon the Enhanced Distributed Channel Access (EDCA) method using six Access Categories to prioritize traffic.
D. Legacy Power Save mode clients must wait for the beacon frame to initiate a data download, while WMM Power Save clients can initiate a download at any time. (yes)
E. WMM Power Save uses Enhanced Distributed Channel Access (EDCA) method Transmit Opportunities (TXOP) bursts to transmit data when not dozing. (yes)

Explanation: Per the Wi-Fi Alliance whitepaper 'WMM Power Save for Mobile and Portable Wi-Fi CERTIFIED Devices', the Wi-Fi Alliance introduced the Wi-Fi CERTIFIED for WMM program based on the Enhanced Distributed Channel Access (EDCA) method. With WMM, Wi-Fi networks can prioritize media access based on four Access Categories (AC), which define different priority levels:
- Voice (highest priority)
- Video
- Best effort (including legacy traffic)
- Background (lowest priority)
Power save behavior is negotiated during the association of a client with an access point. WMM Power Save or legacy power save is set for each WMM AC (voice, video, best effort, background) transmit queue separately. For each AC queue, the access point will transmit all the data using either WMM Power Save or legacy power save (Figure 4), using the WMM QoS mechanism. While clients using legacy power save need to wait for the beacon frame to initiate a data download, WMM Power Save clients can initiate the download at any time, thus allowing more frequent data transmission for applications that require it. There are two ways in which the access point may send the buffered data frames to the client. If the data belongs to a legacy power-save queue, transmission follows legacy power save (Figure 3). If the data belongs to a WMM Power Save queue, data frames are downloaded according to a trigger-and-delivery mechanism. The client sends a trigger frame on any of the ACs using WMM Power Save to indicate that it is awake and ready to download any data frame that the access point may have buffered. Unlike with legacy power save, the trigger frame can be any data frame, thus eliminating the need for a separate PS-Poll frame, which contains only signaling data. After the client has sent a trigger frame, the access point acknowledges that it is ready to send the data. Data frames are sent during an EDCA Transmit Opportunity (TXOP) burst, with each data frame interleaved with an acknowledgement frame from the client. On the last data frame, the access point indicates that no more data frames are available and the client can revert to its dozing state. To ensure backward compatibility, the beacon frame contains TIM information for WMM Power Save frames only if all transmit queues are trigger-and-delivery enabled. If one or more transmit queues use legacy power save, the beacon frame only contains legacy power-save TIM information.

284
Given: As the wireless LAN administrator, it is part of your responsibility to detect and eliminate rogue access points. You have educated end users about the dangers of rogue devices and have implemented a security policy sufficient to deter employees from placing rogues on the network. You have located a rogue access point that no employee will take responsibility for installing. You must assume that someone intentionally placed the rogue access point to attack your network. You determine that the rogue was not present on the network the previous day. By viewing the HTML management interface, you determine that the rogue has only been powered up for 15 minutes. What is your next task to deal with this situation?
A. Document the incident and report it to the highest level of management as a breach of security. Contact the police.
B. Disconnect the rogue access point's wired network connection, and save and analyze its log files. (yes)
C. Reconfigure all authorized access points to your organization's default security settings. Leave the rogue in place as a trap for the intruder.
D. Document the incident. Power down the access point, and take it to the police for fingerprinting tests.
E. Temporarily shut down the entire wireless segment of the network pending an internal criminal investigation.

Explanation: Disconnecting the rogue access point's wired network connection and saving and analyzing its log files is the right step because you need to remove the rogue from the network immediately without disrupting normal company operations before you have all the facts from the log files. This is a measured response that should be defined in the company's security policy. It might not always be possible to recover log files from a rogue access point because it may not have the default password set, and resetting the unit to the manufacturer's default settings would also clear the log files. In cases like this, the only recourse is to have a WIPS in place that has monitored activity between the rogue and any client devices. Upper management should only be contacted if there is sufficient evidence to prosecute this breach of policy internally (which this is not). The police will not be interested in an internal matter unless you can prove the rogue was placed by someone who broke a local law (such as trespassing). Documenting the incident is a good idea. Reconfiguring all authorized access points to your organization's default security settings and leaving the rogue in place as a trap for the intruder is incorrect: you should check your APs for tampering, but you should also remove the rogue immediately. Temporarily shutting down the entire wireless segment of the network pending an internal criminal investigation is incorrect because it could shut down your company's network for what might be a minimal intrusion. Such a response should already be set down in policy with regard to Business Impact Analysis and Business Continuity.

285

Given: ABC Corporation has recently decided to purchase and install an 802.11a/g wireless LAN. The network administrator decides to purchase a WLAN switch because of its wide range of EAP support. ABC Corporation has no Public Key Infrastructure (PKI), but likes the EAP-TLS model of wireless security. As a hired consultant, you mention an EAP type that closely resembles the functionality of EAP-TLS without using digital certificates. What EAP type did you mention?

A EAP-TTLS
B EAP-MD5
C PEAPv0/EAP-MSCHAPv2
D EAP-FAST (yes)
E PEAPv1/EAP-GTC
Explanation: EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and EAP-FAST all use tunneled authentication, but only EAP-FAST has the ability to not use X.509 certificates for server-side authentication.

286

You have a WLAN Controller that is capable of supporting multiple WLANs using the same physical hardware. What is the most common way to configure the WLAN Controller to securely segment each WLAN's traffic?

A Map each WLAN to a separate VLAN (yes)
B Configure different EAP types for each WLAN
C Hide the SSID for one WLAN while allowing the other WLAN to be advertised
D Use different levels of encryption for each WLAN

Explanation: Similar to wired VLANs, wireless VLANs define broadcast domains and segregate broadcast and multicast traffic between VLANs. Without VLANs, additional WLAN infrastructure must be installed to segment traffic between user groups or device groups. To segment traffic between employee and guest VLANs, for example, an IT administrator would have to install two APs at each location throughout an enterprise WLAN network. With wireless VLANs, however, one AP at each location can provide access to both groups. With most enterprise wireless products today, an 802.1Q trunk can be terminated on an AP, allowing access for multiple wired VLANs. You can also define a per-VLAN network security policy on the AP, providing different levels of security for users on different VLANs.

287

What is the maximum amount of Watts a PD device can draw from a PSE if the PD does not provide a recognized classification signature?

A 0 Watts
B 15.4 Watts
C 5 Watts
D 12.95 Watts (yes)
Explanation: A Powered Device (PD) can draw a maximum of only 12.95 Watts. The difference between the Power Sourcing Equipment (PSE) maximum output and the PD maximum draw is due to power loss over the Ethernet cable. Per the IEEE 802.3-2005 Clause 33 standard:

33.3.4 PD classifications
A PD may be classified by the PSE based on the classification information provided by the PD. The intent of PD classification is to provide information about the maximum power required by the PD during operation. Class 0 is the default for PDs. However, to improve power management at the PSE, the PD may opt to provide a signature for Class 1 to 3. The PD is classified based on power. The classification of the PD is the maximum power that the PD will draw across all input voltages and operational modes. A PD shall return Class 0 to 3 in accordance with the maximum power draw as specified by Table 33-10.

Class  Usage        Range of maximum power used by the PD
0      Default      0.44 W to 12.95 W
1      Optional     0.44 W to 3.84 W
2      Optional     3.84 W to 6.49 W
3      Optional     6.49 W to 12.95 W
4      Not allowed  Reserved for future use

NOTE - Class 4 is defined but is reserved for future use. A Class 4 signature cannot be provided by a compliant PD.

288

Which type of wireless attack is virtually undetectable?

A Eavesdropping (yes)
B Man-in-the-Middle
C Denial of Service
D Hijacking
E Jamming
Explanation: A network-connected device operating in promiscuous mode captures all frames on a network, not just frames that are addressed directly to it. A network analyzer operates in this mode to capture network traffic for evaluation and to measure traffic for statistical analysis. A hacker may also use a promiscuous-mode device to capture network traffic for unscrupulous activities. Devices operating in promiscuous mode only 'listen' to the conversation and do not participate, making them nearly impossible to detect. The best defense against eavesdropping is to encrypt any valuable information.

289

What is the most significant security risk of not changing the configuration of an access point from its default settings?

A Information on vendor default settings is easily obtained, making it simpler for an attacker to know how to compromise the device (yes)
B Changing the default settings can prevent an attacker from discovering the access point, making the device secure
C Access points are commonly shipped from the factory with security holes that allow an attacker to easily connect to and compromise the device
D To make them easier to configure, all access points ship without any security enabled by default, leaving them wide open for attackers to compromise

Explanation: Default settings are readily available in product manuals as well as online. Once the attacker discovers the access point is using the default settings, he can take full control of the device or use it to take control of other devices in the enterprise. Including staging and installation procedures for WLAN infrastructure equipment in your wireless security policy will help ensure devices are not left with default or misconfigured settings.

290

You have been tasked with upgrading your company's wireless security. Your first requirement is to provide a security solution based upon the IEEE 802.11i standard. Your second requirement is to ensure your solution has been certified by the Wi-Fi Alliance for interoperability. Optionally, you should provide mutual authentication using server-side digital certificates for server authentication with the option of using either username/password or digital certificates for client authentication. You configure your wireless clients to authenticate using 802.1X/EAP-FAST and encrypt data using AES-CCMP data encryption. Which requirements does your solution meet?

A Both requirements and the optional requirement
B First required and optional requirement
C First and Second but not optional requirement
D Only first but not second or optional requirement (yes)
E Only Second but not First or optional requirement
F Only the optional requirement
Explanation: The 802.11i standard calls for use of 802.1X/EAP with AES-CCMP encryption. EAP-FAST has not been certified by the Wi-Fi Alliance. Per the Wi-Fi Alliance official website (www.wi-fi.org): Extensible Authentication Protocol is a protocol that provides an authentication framework for both wireless and wired Ethernet enterprise networks. It is typically used with a RADIUS server to authenticate users on large networks. EAP protocol types are used in the 802.1X-based authentication in WPA-Enterprise and WPA2-Enterprise. Extended EAP is an addition to the Wi-Fi Protected Access - WPA and WPA2 - Enterprise certification programs, which further ensures the interoperability of secure Wi-Fi networking products for enterprise and government users. EAP types include:

- EAP-TLS - Extensible Authentication Protocol Transport Layer Security
- EAP-TTLS/MSCHAPv2 - EAP-Tunneled TLS/Microsoft Challenge Handshake Authentication Protocol. Securely tunnels client authentication within TLS records.
- PEAPv0/EAP-MSCHAPv2 - Protected EAP combined with Microsoft Challenge Handshake Authentication Protocol
- PEAPv1/EAP-GTC - Created as an alternative to PEAPv0/EAP-MSCHAPv2. It allows the use of an inner authentication protocol other than Microsoft's MSCHAPv2.
- EAP-SIM - Specifies a mechanism for mutual authentication and session key agreement using the GSM SIM; used in GSM-based mobile phone networks.

802.1X/EAP-PEAP provides mutual authentication using server-side digital certificates for server authentication with the option of using either username and password, or digital certificates, for client authentication.

291

Which items are features of an 802.11 wireless intrusion prevention system (WIPS)?

A Access point management
B Event alerting and notification (yes)
C Protocol analysis with filtering (yes)
D VPN end-point termination
E IP Routing
F Rogue AP detection and triangulation (yes)
Explanation: The overall purpose of a WIPS is WLAN policy enforcement. An 802.11 WIPS can identify, categorize, and locate rogue access points. A WIPS can alarm and send notifications to a number of recipients (email, pager, console). Rogue APs can be contained using protocol attacks such as deauthentication. A WIPS does not play a role in moving 802.11 frames in the network; therefore, it cannot route IP packets, perform VPN end-point termination, or manage access points.

292

Given: The maximum power provided by an IEEE 802.3 Clause 33 PSE (Power Sourcing Equipment) is 15.4 Watts. What is the maximum power an IEEE 802.3at draft PSE must be able to provide to a PD (Powered Device)?

A 24 Watts (yes)
B 30 Watts
C 20 Watts
D 48 Watts
E 100 Watts

Explanation: A future standard, commonly referred to as PoE+, is being developed by the IEEE 802.3at task force, which officially began work in September 2005. The draft standard describes extending IEEE Power over Ethernet by using two pairs of standard Ethernet Category 5 cable to provide up to 24 W of power. The higher power available with this future standard should make self-powered equipment with higher power requirements, such as WiMAX transmitters, pan-tilt-zoom cameras, videophones and thin clients, possible. The 802.3at Task Force objectives are along the following lines:

- 802.3at should operate on Cat 5 and higher infrastructure, unlike 802.3 Clause 33 (formerly 802.3af), which had to take into account the Cat 3 limitations.
- 802.3at should follow the power safety rules and limitations pertinent to 802.3af.
- An 802.3at PSE must be backwards compatible with 802.3af, being able to power both 802.3af and 802.3at PDs.
- 802.3at should provide the maximum power to PDs as allowed within practical limits, at least 24 W per 802.3at task force draft 3.0.
- 802.3at PDs, when connected to a legacy 802.3af PSE, will provide the user an indication that an 802.3at PSE is required.
- Research the operation of midspans for 1000BASE-T.
- Research the operation of midspans and endspans for 10GBASE-T.

293

As a consultant, you have been hired to design a wireless LAN security solution. Of primary concern is a wireless man-in-the-middle (MITM) attack. Which security solution will prevent this type of attack?

A 802.1X/PEAP (yes)
B MAC filters
C RADIUS
D LDAP
E L2TP VPN
Explanation: PEAP stands for Protected Extensible Authentication Protocol. This protocol was developed to transmit authentication data, including passwords, over 802.11 wireless networks. PEAP uses server-side digital certificates to authenticate wireless clients by creating an encrypted SSL tunnel between the client and the authentication server, which then protects the exchange of data over the wireless network. These encrypted tunnels prevent intrusion by unwanted persons and help prevent MITM attacks as well. Most wireless access points contain some type of MAC ID filtering that allows the administrator to permit access only to computers whose wireless adapters have certain MAC IDs. This can be helpful; however, IT personnel must remember that MAC IDs on a network can be spoofed (faked). There are many software utilities that allow MAC addresses to be changed easily. RADIUS is an authentication protocol, and by itself has no means to prevent MITM attacks. LDAP is a database type and protocol. In a wireless LAN, RADIUS may proxy authentication to an LDAP server to verify the identity of an authenticating user. L2TP VPNs do not, by themselves, provide encryption. Encryption is the key component to preventing MITM attacks.

294

What is the result of a DUAL CTS bit existing in the HT Information Element (IE) field of a beacon?

A Stations will start every transmit opportunity with an RTS frame addressed to the access point. (yes)
B Only STBC stations will receive a CTS and set their NAV accordingly.
C Only non-STBC stations will receive a CTS and set their NAV accordingly.
D TXOPs are ignored by non-STBC stations during contention transactions.

Explanation: When HT Dual-CTS Protection is used, beacons in a BSS have the 'Dual CTS Protection' subfield set to 1. Stations will then start every TXOP with an RTS frame addressed to the AP. The AP responds to this RTS with two CTS frames. If the RTS is an STBC frame, then the first CTS is an STBC frame back to the station and the second CTS is a non-STBC frame back to the station. This assures that all STBC and non-STBC stations receive the CTS and set their NAVs accordingly. NAVs are set to cover the entire transmission process (as always), including both CTS transmissions (which is new).

CF-End Frames: This frame type, previously unused due to a lack of PCF implementations, can now be used in contention environments as a NAV reset tool. When Dual-CTS is enabled and a station doesn't have any data to transmit when it obtains a TXOP, the station can truncate its TXOP (cut it short, giving back its remaining time) by sending a CF-End frame. When receiving a CF-End frame with its BSSID as the destination address, the AP may respond by sending dual CF-End frames - one using STBC, one using non-STBC. This resets everyone's NAV in the BSS.

295

A small organization is designing a low-cost, secure WLAN that uses 802.1X/EAP authentication. The network will need to support 10 users on one access point, and the organization has not yet purchased the access point. Which access point feature will save the organization the most money on an authentication solution?

A Integrated RADIUS server (yes)
B Wireless VLAN support
C LDAP Proxy support
D Integrated VPN server
E Integrated Certificate server
Explanation: 802.1X/EAP authentication requires a server (in this case a RADIUS server) to authenticate wireless stations. The simplest and least expensive solution would be an integrated RADIUS server in the access point. Wireless VLAN, LDAP Proxy, VPN server, and certificate server are not necessary for an 802.1X/EAP authentication solution.

296

When reassociating between access points of two different WLAN controllers, which technology is needed to perform a fast BSS transition?

A Preauthentication (yes)
B PMK Caching
C Opportunistic PMK Caching
D Fast Roam-Back
E Fast Roam-Forward

Explanation: Preauthentication is defined by the 802.11 standard and specifies performing 802.1X/EAP authentications over the wired (Ethernet) distribution system. Preauthentication allows an associated supplicant to remain connected to an AP while building a PMK with another AP, so that the client station only needs to perform the 4-Way Handshake when it roams. When roaming between APs of a single WLAN controller, PMK Caching and Opportunistic PMK Caching (OPC) can be used for fast BSS transition. However, to roam quickly between WLAN controllers, a mechanism like preauthentication must be used. Preauthentication between WLAN controllers works on the same premise as it would between two autonomous APs. Fast Roam-Back is another name for PMK Caching, while Fast Roam-Forward is another name for Opportunistic PMK Caching. Note: In order to use preauthentication, both the supplicant and the authenticator must support it.

297

What statements are true regarding the Service Set Identifier (SSID) in common practice?

A The WLAN client utilities must be manually configured with the proper SSID before the client device can connect to an access point
B Each radio in an access point may have only one SSID assigned to it
C It is a user-assignable value that is added to the pre-shared key to yield the actual WEP key
D It has a maximum length of 32 bytes, and it is case sensitive (yes)
E WLAN switches have the ability to set the SSID field in the beacon frame to a null value (yes)
Explanation: 'Hiding' the SSID in an 802.11 WLAN is a common practice, though not specified by the 802.11 standard. Most access points and WLAN switches are configurable to remove the SSID from beacons and to not respond to probe request frames with null SSID values. The SSID is a maximum of 32 bytes and is case sensitive. Section 7.3.2.1 of the 802.11-1999 (R2003) standard states: 'The length of the SSID information field is between 0 and 32 octets. A 0 length information field indicates the broadcast SSID.'

298

While performing a routine security audit, you capture this 2.4 GHz RF spectrum trace. After analyzing the included graphic, what wireless network issue should concern you?

A Potential jamming attack with an ERP-OFDM access point (yes)
B Co-channel interference with a HR-DSSS access point around channel 6
C Denial-of-service attack against an OFDM access point
D Rogue access point transmitting to an unauthorized wireless client station

Explanation: The shape of the capture around channel 6 indicates the pattern of an OFDM transmission. Because it is in the 2.4 GHz band, it must be an ERP-OFDM (formerly 802.11g) transmission. The lower pane shows a narrow but intense amount of RF energy around channel 6, indicating a narrowband signal or some type of jamming attack.

299

As part of its corporate security policy, your organization requires all wireless LANs to be separated from the wired network core using a device capable of authentication, data encryption, and throughput limiting. Which device will accomplish this policy requirement?

A Wireless workgroup bridge
B Transparent tunneling bridge
C Wireless LAN controller (yes)
D Personal firewall software
Explanation: A Wireless LAN controller is the only segmentation device in the listed answers that is capable of performing all three functions. Examples of such devices are EWGs and WLAN switches. A Wireless workgroup bridge is incorrect because a workgroup bridge is a device that allows you to connect multiple wired devices through, essentially, a shared radio. A Transparent tunneling bridge does not exist. Personal firewall software is incorrect because it only filters packets and does not provide authentication, data encryption, or throughput limiting.

300

Using IEEE compliant HR-DSSS wireless LAN systems, what is the maximum cumulative data transmission rate that can be achieved in any given physical area?

A 11 Mbps
B 22 Mbps
C 33 Mbps (yes)
D 54 Mbps

Explanation: The HR-DSSS (802.11b) amendment states in section 18.4.6.2: 'In a multiple cell network topology, overlapping and/or adjacent cells using different channels can operate simultaneously without interference if the distance between the center frequencies is at least 25 MHz.' Regardless of the regulatory domain, there is a maximum of only 3 non-overlapping channels available. Each channel can support a data rate of 11 Mbps, and when three non-overlapping channels operate in the same physical space, an aggregate data transmission rate of 33 Mbps is possible.

301

Recently, a rogue wireless access point was discovered on your company's network, bypassing the security solutions currently in place. After removing the rogue access point, your company decides it must add a wireless security policy, including a policy on rogue equipment, to its general security policy. What steps should be included in this policy to eliminate rogue wireless equipment from the company's network?

A Training network administrators and end users (yes)
B Implementing a wireless intrusion prevention system (yes)
C Creating an audit policy (yes)
D Creating an acceptable use policy
E Developing a change management policy
F Implementing a hardware inventory control (asset management) solution

Explanation: A rogue access point is any access point that has been attached to a network without the network administrator's knowledge or permission. Rogue access points present a significant security threat because they create backdoors past network security, making the network vulnerable to attackers. Rogue access points can be installed by well-intentioned and legitimate users, or by hackers looking to exploit the network. Either way, they create a potential threat to the network, and policies should be implemented to address rogue access points. The rogue access policy should include scheduled auditing for rogue access points and education and awareness training for all users. Training users about wireless security makes them more apt to take actions to limit activities that put the network at risk. Wireless intrusion prevention systems (WIPS) can automatically detect rogue access points and block them (or any users connected through them) from accessing the network.

302

Before a client station can participate in a wireless LAN using a security solution based on the WPA2-Enterprise framework, what must occur?

A The client station must be Open System authenticated and associated. (yes)
B The client station must be issued an IP address by a DHCP server.
C The client station must negotiate an authentication protocol to use with the Access Point.
D The client station must be associated and EAP authenticated. (yes)
E The client station must configure and enable its IPSec policy.
F The client station must derive the PMK from the PSK.
Explanation: WPA2-Enterprise is synonymous with use of 802.1X/EAP with AES-CCMP and 802.11i compliance. The Wi-Fi Alliance released a white paper in March 2005 detailing WPA and WPA2 terminology, differences, and operational procedures: http://www.wi-fi.org/membersonly/getfile.asp?f=WFA_02_27_05_WPA_WPA2_White_Paper.pdf

Per section 5.9 of the 802.11i-2004 amendment (see attached figure), a client station using 802.1X/EAP must first Open System authenticate and associate. Following Open System authentication, the 802.1X port-based access control mechanism can be used to facilitate EAP authentication over an uncontrolled port (see attached figure). Following successful EAP authentication, a 4-Way Handshake must take place between the supplicant (client) and the authenticator (AP) to derive and exchange encryption keys before the 802.1X controlled port is unblocked and secured data traffic can be transmitted over the RF medium. The 4-Way Handshake was not listed in the answer options, but it is useful information. Encryption algorithms are not negotiated: the client devices support whatever they support, and the APs support whatever they support. The AP announces supported authentication/encryption information in Beacons in a Robust Security Network (RSN). IPSec is a Layer-3 VPN solution and is unrelated to WPA2-Enterprise. WPA2-Enterprise uses 802.1X/EAP, not Passphrases and Preshared Keys. When using WPA-Personal or WPA2-Personal, the Passphrase is mapped to a Preshared Key, which is then considered to be the Pairwise Master Key (PMK). IP addresses are always issued to 802.11i-compliant WLAN client devices only after the device is 1) Open System authenticated and associated, 2) EAP authenticated and associated, and 3) has successfully completed the 4-Way Handshake.

303

Which Wi-Fi Protected Setup mandatory configuration option must be supported by both the access point and client device to be employed?

A PBC (yes)
B PIN
C PIN and PBC
D PIN, PBC and USB
E PIN, PBC, USB and NFC

Explanation: With WPS-PBC (Push Button Configuration), the user connects to the network and enables encryption by pushing buttons on both the access point and client devices. Both the access point and client device must support WPS-PBC to use it to encrypt wireless transmissions. Both WPS-PBC and WPS-PIN are mandatory configuration options of WPS; however, WPS-PIN only requires support by the access point. WPS-USB and WPS-NFC are optional configuration options.

304

You are the wireless systems engineer for XYZ company. Your company wants to upgrade their wireless infrastructure to support features such as VPN endpoints, WLAN capability, centralized management, 802.1X/EAP, Captive Portal, Role-based Access Control, and rogue AP detection. Which wireless solution would best meet the criteria for XYZ company?

A WLAN controller (yes)
B Enterprise Encryption Gateway
C Consumer-grade wireless router
D Autonomous AP infrastructure
E WLAN Base Station
Explanation: WLAN controllers and enterprise wireless gateways typically offer similar features, such as support for multiple authentication and encryption schemes, VPN support, centralized management, captive portal and RBAC support, and intrusion detection capabilities.

305

What is the primary difference between EAP-TLS and EAP-TTLS authentication?

A EAP-TTLS provides strong client authentication and EAP-TLS does not
B EAP-TLS is an authentication protocol, and EAP-TTLS is an encryption type
C EAP-TTLS provides support for legacy client authentication methods, and EAP-TLS supports only certificates for client-side authentication (yes)
D EAP-TLS can use end-user certificates and EAP-TTLS cannot
E EAP-TLS uses a RADIUS server for authentication, and EAP-TTLS can only use Kerberos
F EAP-TLS uses IP-based authentication, and EAP-TTLS uses MAC-based authentication

Explanation: The primary differences between EAP-TLS and EAP-TTLS are: 1) EAP-TTLS provides support for legacy client authentication methods (username/password protocols such as PAP, MS-CHAP, MS-CHAPv2, etc.), and EAP-TLS supports only the use of client-side certificates for client authentication. 2) EAP-TTLS provides an encrypted tunnel between the client and server so that the client can securely pass its credentials to the server. The extra 'T' in EAP-TTLS stands for 'Tunneled'. EAP-TTLS is an enhancement of EAP-TLS and provides the same networking function.

306

ABC Company has decided to install an ERP-OFDM wireless LAN, but they are concerned about the high initial implementation costs. You are ABC Company's network administrator, and while you have been to two short seminars on wireless LAN technology, you do not consider yourself qualified to design and install an optimized ERP-OFDM network. You have requested that your manager hire a consultant for design and site surveying, but the request was declined due to budget constraints. You have explained to your manager that if you attempt to design and install the wireless LAN, performance might be less than optimal. Your manager did not see this as a problem. What might be reasonable options for ABC Company to get started with their new ERP-OFDM wireless LAN in this situation?

A Install a wireless LAN controller, connect all lightweight APs directly to the WLAN switch, import a simple floor plan into the switch, and use the WLAN controller's automatic RF management function to specify installation locations, output power, and channel assignments. (yes)
B Install autonomous, enterprise-class access points around the entire building and configure all access points with the same output power and channel settings.
C Install autonomous, SOHO-class access points all over the building, configure them for maximum power output, and place at least one on each channel in the 2.4 GHz band.
D Install small-footprint access points (called grid points) all over the building and a wireless switch to manage them. Configure the grid points to only turn on when clients enter their area, and use any client adapter you like as long as it conforms to IEEE 802.11h specifications.
E Install no access points. Instead, configure all adapters for IBSS (Ad Hoc) mode and use only ERP-OFDM client adapters from a single manufacturer to prevent interoperability and roaming problems. IBSS coalescence will manage any interclient connectivity problems.
Explanation: Many WLAN controllers have functions whereby a simple (.jpg, .bmp, or other) raster graphic can be imported and used as a layout for the facility. Then, if the WLAN APs are connected directly to the WLAN switch, the switch will auto-detect the APs through a discovery protocol. WLAN controllers have the ability to automatically assign the optimum output power and channel configuration to each lightweight AP for the environment. 307 What are common characteristics of a single-channel architecture solution? A B C D E There is no need for channel planning. Handoffs between access points are removed. All access points share the same channel, SSID, and MAC address. (yes) Co-channel interference is eliminated. A WLAN controller is required for centralized management. (yes)

Explanation: Multi-channel architecture networks deploy access points using a different RF channel or frequency for each transmitter. To provide areas of continuous coverage, access points are placed at intervals, with each providing coverage in its area, or cell, on a given RF channel. The use of different RF channels prevents co-channel interference in areas where cells overlap. This overlapping condition is avoided in the adaptive model by moving access points on the same channel physically as far apart as possible. Wireless network designers use transmit power to influence the size of each cell, and as much as possible identify the best RF channel re-use pattern across the network to avoid areas where same-channel cells overlap.

In the multi-channel architecture model, client stations choose to associate to a particular access point by selecting the appropriate RF channel and tuning out other access points transmitting on other RF channels. Roaming is accomplished by the client switching its radio to work on the new access point's RF channel. The handoff between access points is initiated by the client. The client must decide it is time to hand over, then select the target access point, switch to the new RF channel, and re-authenticate at that access point. Each of these phases of handover is difficult to accomplish quickly, accurately and consistently.

Single-channel architecture networks use access points that are all tuned to the same RF channel or frequency. The simplest view of this model shows a number of access points with overlapping coverage forming a continuous region. Most implementations use access points that also share the same SSID and MAC address, and are designed so that the clients cannot distinguish between the access points providing coverage. Instead, the network decides which access point should transmit and receive data for a particular client. In other words, the client is not involved in any handoff decision. As clients move through a building, the network directs traffic to them via the nearest access point with available capacity. A WLAN controller is necessary to centrally manage the handoff decisions. Because all access points are set to a common RF channel, the only decision to be made is to choose the best channel for the entire network.

Co-channel interference is a phenomenon where transmissions from one cell spread to a nearby cell on the same RF channel, causing errors or dropped transmissions when they coincide with transmissions to or from devices in that cell. To mitigate co-channel interference, spatial separation is effective because the greater the distance between the devices causing and suffering interference, the lower the level of the unwanted received signal. Eventually the interfering signal is reduced to such a low level that it is no longer powerful enough to disrupt the wanted transmissions. Because all access points share the same channel, single-channel architecture cannot use spatial separation, and must attempt to solve co-channel interference using stronger proprietary temporal coordination mechanisms outside of the 802.11 standards. Detailed access point placement based upon a highly accurate site survey must be used to minimize the effects of co-channel interference from channel overlap. By co-locating multiple access points in the same physical area using non-overlapping channels, multi-channel architecture systems can provide greater overall throughput than a single-channel architecture system. For more information, read the whitepaper 'WLAN RF Architecture Primer: Single-Channel and Adaptive Multi-Channel Models' by Peter Thornycroft.

307
While troubleshooting a wireless network, you notice a 1 meter fiber optic cable run between the wireless hardware and the rest of the network. What is the purpose of this cable?
A. Eliminates VSWR (Voltage Standing Wave Ratio)
B. Protects the network if a wireless access point receives a direct lightning strike (yes)
C. Removes electromagnetic interference within the RF system
D. Increases throughput when used with higher-bandwidth access points
E. Allows an IEEE 802.3, Clause 33 compliant access point connectivity to a switch beyond 100 meters

Explanation: Implementing a short run of fiber optic cable between the wireless equipment and the rest of the Ethernet equipment provides complete protection for the network equipment against even a direct lightning strike, since the voltage cannot travel through the optical cable.

308
According to the 802.11i-2004 amendment, when is the 802.1X controlled port placed in an 'authorized' state?
A. Only after the uncontrolled port has been opened for a specific period of time
B. During user authentication, but only after the EAP-Identity/Response frame is received
C. All the time, without regard to EAP user authentication
D. After the EAP user has been mutually authenticated
E. After a successful 4-Way Handshake (yes)

Explanation: In an RSNA, the IEEE 802.1X Port determines when to allow data traffic across an IEEE 802.11 link. A single IEEE 802.1X Port maps to one association, and each association maps to an IEEE 802.1X Port. An IEEE 802.1X Port consists of an IEEE 802.1X Controlled Port and an IEEE 802.1X Uncontrolled Port. The IEEE 802.1X Controlled Port is blocked (in an unauthorized state) from passing general data traffic between two STAs until a successful 4-Way Handshake is completed. Prior to the 4-Way Handshake, 802.1X/EAP authentication and key management take place to establish the user's identity and to establish and distribute encryption keys. IEEE 802.1X Supplicants and Authenticators exchange protocol information via the IEEE 802.1X Uncontrolled Port.

309
According to the IEEE 802.11 standard as amended, what is required for a wireless network to be considered a robust security network (RSN)?
A. The wireless network must only allow robust security network associations (yes)
B. Client stations (STAs) must transmit data using only AES-CCMP encryption
C. No client stations are using WEP encryption (yes)
D. The use of pre-shared keys (PSKs) is not allowed
E. Peer-to-peer or ad-hoc (IBSS) networks are not allowed

Explanation: Two critical concepts in the 802.11i implementation are the robust security network (RSN) and the robust security network association (RSNA). To be considered an RSN, a system must permit only the creation of secure device associations via the RSNA process. If an RSN exists, then all client stations (STAs) will have successfully completed a 4-way handshake for RSNA authentication and will have established a Pairwise Master Key (PMK), with an information element indicating that none of the STAs are using WEP. Both pre-shared keys (PSKs) and 802.1X/EAP processes are supported. RSNAs can be established for wireless networks in either infrastructure or ad-hoc mode.

310
Which of the following utilities specializes in spoofing MAC addresses?
A. Netstumbler
B. SMAC (yes)
C. Kismet
D. KisMac
E. Lophtcrack

Explanation: SMAC is a powerful, yet easy to use MAC Address Changer (Spoofer) for Windows Vista, 2003, XP, and 2000 systems, regardless of whether the network card manufacturer allows this option or not.

311
Given: The phases of security policy development include:
1. Communication
2. Response and enforcement
3. Define and document
4. Monitoring and auditing
5. Management buy-in
6. Revise and fine tune
Choose the correct order of steps for the security policy development phases, from first to last.
A. 3, 5, 1, 4, 2, 6 (yes)
B. 5, 2, 3, 6, 4, 1
C. 3, 4, 2, 1, 5, 6
D. 1, 2, 4, 5, 6, 3

Explanation: The security policy needs to be defined and documented before any other steps can take place. Second, management needs to support the security policy. Next, the policy must be communicated to the organization. After the policy has been defined, has the support of management, and has been communicated, it must be monitored and audited. The results of monitoring and auditing will dictate the response and enforcement. Lastly, the policy must be revised and fine tuned. Refer to the exam objectives for this list of steps.

312
What common wireless LAN deficiency is addressed by using Antenna Diversity?
A. Near/Far
B. Hidden Node
C. Multipath (yes)
D. Adjacent Channel Interference
E. Narrowband Interference

Explanation: Multipath is a problem for 802.11 WLANs whereby reflected RF signals converge with the direct RF signal at the receiver and cause increased amplitude, decreased amplitude, signal nulling (zero amplitude), or corrupted signals. Antenna diversity allows an AP or station to sample two antennas instead of one in order to choose the best received signal. The station or AP antennas are located some distance apart so that the main and reflected signal combinations are different for each antenna. The hope is that whatever negative effect multipath introduces at one antenna is not present at the other antenna. Both antennas in a diversity antenna system should have the same general coverage area.

313
Given: The enhanced confidentiality, data authentication, and replay protection mechanisms of the 802.11i-2004 amendment require fresh cryptographic keys. What wireless components are compatible with the requirement of the 802.11i-2004 amendment to provide fresh cryptographic keys?
A. 4-Way Handshake (yes)
B. EAPoL Handshake
C. Group Handshake (yes)
D. 802.1X/EAP Handshake
E. AES-CCMP Handshake
F. STAKey Handshake (yes)

Explanation: The 4-Way Handshake, STAKey Handshake and the Group Handshake (a 2-way handshake) are used to generate fresh cryptographic keys whenever required. One such requirement is when the PMKID is not passed in the reassociation request frame to the new AP. Figures 11c and 11d of the 802.11i amendment illustrate the 4-Way and Group handshakes.

314
What are examples of pre-RSNA (robust security network association) options for providing confidentiality and authentication services?
A. WEP (yes)
B. Shared Key authentication (yes)
C. TKIP/RC4
D. CCMP/AES
E. 4-Way Handshake

Explanation: Two critical concepts in the 802.11 standard are the robust security network (RSN) and the robust security network association (RSNA). To be considered an RSN, a system must permit only the creation of secure device associations via the RSNA process. If an RSN exists, then all client stations (STAs) will have successfully completed a 4-way handshake for RSNA authentication and will have established a Pairwise Master Key (PMK), indicating that none of the STAs are using WEP. Pre-RSNA options are available for those implementations that still require the use of WEP. For confidentiality, the IEEE 802.11 standard specifies WEP for securing the WLAN without RSNA procedures. For authentication, the supported pre-RSNA options are open system and shared key authentication.

315
What common credential types might you expect to see defined or required in a wireless security policy?
A. PACs (yes)
B. Tokens (yes)
C. X.509 Certificates (yes)
D. Kerberos TGTs
E. LDAPs
F. WEP keys

Explanation: A credential provides a means of user or computer identification, and the solution used should be proportional to your security requirements based upon a risk assessment. Common credential types include username and password, certificates, privilege attribute certificates (PACs), biometrics, and tokens.

LDAP is a standard credential access method. WEP keys are used to encrypt data or part of the shared-key authentication handshake. IPSec is a VPN solution, and though passphrases can be used with IPSec, it doesn't scale well enough to be used in this manner for a wireless network.

316

You are trying to explain to a junior-level technician the properties of a Wi-Fi RF signal. Which of the following statements could you correctly make?
A. Amplitude is the most basic quality of an RF signal, and a signal's frequency, wavelength, phase, and polarity are all qualities based upon it.
B. Stations that want to directly communicate must transmit and receive on the same frequency. (yes)
C. Antennas are most receptive to signals that have a wavelength equal to 1/2 the length of the antenna's element.
D. Two signals that are 180 degrees out of phase will cancel each other out, resulting in a null. (yes)
E. Transmit and receive antennas should be polarized in the same way for the most effective communication. (yes)

Explanation: An RF signal's polarity is independent of its amplitude. Stations must use the same frequency to communicate. For example, OFDM (802.11a, 5 GHz) and HR-DSSS (802.11b, 2.4 GHz) devices operate at different frequencies and cannot communicate with each other. A wireless station on channel 6 cannot communicate directly with another station on channel 11. Antennas are most receptive to signals that have a wavelength equal to the length of the antenna's element; antenna elements of 1/2 and 1/4 wavelength are the next best options. Signals in phase will result in a stronger signal, while those 180 degrees out of phase will cancel each other out. The most effective communication will occur when both antennas are either in horizontal polarization or in vertical polarization. However, even if two antennas are not polarized the same way, they will still likely receive a reflection of the signal.

317
An access point emits a 100 mW signal. The access point is connected to a length of cable with a 3 dB loss. If the cable is then connected to a +9 dBi antenna, what is the EIRP from the antenna?
A. 20 dBm
B. 23 dBm
C. 26 dBm (yes)
D. 29 dBm
E. 32 dBm

Explanation: The Equivalent Isotropically Radiated Power (EIRP) is the amount of power radiated from the antenna element(s). In this situation, we need our answer in dBm, so it is easiest to start by converting the access point's output power to dBm, then adding gains and subtracting losses as we work our way toward the antenna. Using a reference point of 1 mW = 0 dBm and the rule of 10s and 3s, we can easily deduce that 10 mW = 10 dBm and 100 mW = 20 dBm. We can now see that our AP has 20 dBm of output power. By subtracting 3 dB for the cable and adding 9 dBi for the antenna, the answer follows directly: 20 - 3 + 9 = 26 dBm.

If we wanted to know the EIRP in mW, we might work the problem in this fashion: 100 mW is fed into the cable, where it experiences a 3 dB loss. -3 dB means the power is divided by 2, in this case yielding 50 mW of output power from the cable. Since this signal is then fed into the antenna, 50 mW would be considered the Intentional Radiator power. +9 dBi of antenna gain can be expressed as (+3 dB, +3 dB, +3 dB). Each 3 dB of gain equals twice (2x) the power. In this case, we start with an Intentional Radiator power of 50 mW and multiply by 2 three times: 50 mW x 2 x 2 x 2 = 400 mW.

318
What option specifies the similarity of an RF jamming attack and a wireless hijacking attack?
A. Both can be detected by wireless intrusion prevention systems. (yes)
B. Both can be deterred by appropriate client security solutions.
C. Both can be averted through the use of FHSS technology.
D. Both can be blocked through the use of lockable enclosures for all access points.
E. Both can be prevented through the use of 802.1X/EAP solutions.
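The EIRP arithmetic from the explanation for question 317, as an added Python example (my code, not part of the original question bank): it converts between mW and dBm, applies the cable loss and antenna gain to get the Intentional Radiator power and the EIRP, and also reproduces the "rule of 10s and 3s" mental-math method so that its rounded 400 mW result can be compared with the exact value. Function names are my own; the only inputs are the question's 100 mW, 3 dB loss and +9 dBi gain.

```python
import math


def mw_to_dbm(mw):
    """Convert milliwatts to dBm (reference: 1 mW = 0 dBm)."""
    return 10 * math.log10(mw)


def dbm_to_mw(dbm):
    """Convert dBm back to milliwatts."""
    return 10 ** (dbm / 10)


def link_budget(tx_power_mw, cable_loss_db, antenna_gain_dbi):
    """Return (intentional_radiator_dbm, eirp_dbm).

    Losses are subtracted and gains added in the dB domain as we move from the
    transmitter towards the antenna, exactly as the explanation does.
    """
    tx_dbm = mw_to_dbm(tx_power_mw)
    ir_dbm = tx_dbm - cable_loss_db            # power delivered to the antenna
    return ir_dbm, ir_dbm + antenna_gain_dbi   # power radiated by the antenna


def decompose_db(db):
    """Express a whole-number dB change as a list of +/-10 and +/-3 dB steps.

    Picks the combination with the fewest steps, e.g. 9 -> [3, 3, 3] and
    7 -> [10, -3]; this is the bookkeeping behind the rule of 10s and 3s.
    """
    if db != int(db):
        raise ValueError("the rule of 10s and 3s needs a whole number of dB")
    db = int(db)
    best = None
    for tens in range(-10, 11):
        remainder = db - 10 * tens
        if remainder % 3:
            continue
        threes = remainder // 3
        steps = ([10 if tens > 0 else -10] * abs(tens)
                 + [3 if threes > 0 else -3] * abs(threes))
        if best is None or len(steps) < len(best):
            best = steps
    return best


def rule_of_10s_and_3s(power_mw, db_changes):
    """Mental-math EIRP: +3 dB doubles, -3 dB halves, +10 dB x10, -10 dB /10."""
    factor = {10: 10.0, -10: 0.1, 3: 2.0, -3: 0.5}
    power = float(power_mw)
    for db in db_changes:
        for step in decompose_db(db):
            power *= factor[step]
    return power


if __name__ == "__main__":
    ir_dbm, eirp_dbm = link_budget(100, 3, 9)
    print(f"intentional radiator: {ir_dbm:.1f} dBm, EIRP: {eirp_dbm:.1f} dBm")
    print(f"exact EIRP in mW: {dbm_to_mw(eirp_dbm):.1f} mW")
    print(f"rule of 10s and 3s: {rule_of_10s_and_3s(100, [-3, 9]):.0f} mW")
```

The rule of thumb treats 3 dB as exactly a factor of two, so it lands on 400 mW; the exact figure for 26 dBm is about 398 mW. Both are fine for the exam, but a link budget that is checked against a regulatory EIRP limit should use the exact conversion.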

Explanation: Wireless networks are particularly vulnerable to RF jamming attacks. Jamming attacks cannot be deterred by client security solutions, by changing to FHSS technology, by using lockable enclosures, or by 802.1X/EAP. Only physical security measures can deter jamming attacks. However, IPS systems can detect both RF jamming and wireless hijacking attacks.

319
When implementing a wireless solution that includes an IEEE 802.3-2005 Clause 33 compliant PSE device, what must you consider?
A. Each PoE-enabled port must be capable of 400 mA at 44 volts
B. Each port yields a maximum of only 15.4 Watts (yes)
C. Powered devices connected to PSE ports must use all power allocated by the PSE
D. Connecting a non-PoE aware device to a PSE device will likely damage the non-PoE device
E. Diagnosing PSE ports is difficult because they remain unpowered until a PoE compliant PD is discovered (yes)

Explanation: IEEE 802.3-2005 Power Sourcing Equipment provides power to a single connected device. Each PSE PoE port yields a maximum of 15.4 Watts and must be capable of 350 mA at 44 volts. The PSE will allocate the full amount of power designated by class, per port, and any power allocated but not used is wasted. Troubleshooting PoE equipment should be done using specific diagnostic equipment, because diagnostics are difficult while the PSE ports remain unpowered until PoE compliant powered devices are discovered.

320
ABC Company's lightweight access points periodically go 'off channel' for a short period of time to scan all 802.11a/g Wi-Fi channels to detect and locate rogue access points. When a rogue access point is found, the active security policy requires at least one access point to perform a deauthentication attack against the rogue. What type of WIPS does ABC Company have?
A. Hot-standby
B. Integrated (yes)
C. Overlay
D. Autonomous
E. AP-reliant

Explanation: There are two primary types of WIPS: integrated and overlay. An overlay WIPS is a standalone WIPS product that may be connected to the Ethernet infrastructure for the purpose of monitoring and reporting on security and wireless performance events. An overlay WIPS has its own management console and reporting features, as well as its own 802.11a/g sensors that cannot function as wireless infrastructure components. An integrated WIPS is a feature set of a WLAN switch/controller in which lightweight APs may be used as sensors in either a dedicated or a hybrid mode.

321
You have been tasked with installing a grid antenna. What antenna mount type would be an appropriate choice for securing the antenna?
A. Tilt-and-swivel (yes)
B. Ceiling
C. Magnetic
D. Corner bracket
E. U-bolt (yes)

Explanation: Two common types of highly directional antennas are parabolic dish and grid. Grid antennas have a perforated design for resistance to wind loading; the 'holes' are invisible to RF energy at the antenna's specified frequency. Mounts for dish/grid antennas are always adjustable, since these antenna types must be precisely aligned. Dish and grid antennas are typically mounted on outdoor masts or dedicated tripods due to their larger size. Tilt-and-swivel and U-bolt mounts are commonly used for these antenna types.

322
What is not a characteristic of the RC4 encryption cipher?
A. Used with WEP
B. Relatively fast and efficient
C. Block cipher (yes)
D. Used with TKIP
E. Key size up to 256 bits

Explanation: RC4 is a fast and efficient variable-length stream cipher. It is used with both WEP and TKIP and supports key sizes of 64, 128 and up to 256 bits.

323
What kinds of lists should be included in an RF site survey report for a long distance outdoor bridge link?
A. A list of RF interference sources near the largest area of the Fresnel zone
B. A list of RF dead spots around each antenna
C. A list of above ground power lines in the immediate area around each antenna
D. A list of physical security hazards for each bridge location
E. A list of RF interference sources near either antenna (yes)

Explanation: In long distance outdoor 802.11 bridge links, RF interference sources only significantly affect the link if they are located near one (or both) of the radios at either end of the link. An RF source near the center of the link (the largest area of the Fresnel Zone) would likely not be heard by either radio in the bridge link. Obstructions in the Fresnel Zone, especially near the center of the link, would be important, but that is not listed. Power lines do not cause interference, because the field around them is at a low frequency; additionally, power lines would not block the Fresnel Zone. Physical security hazards are not part of an RF site survey report. Dead spot reporting is for indoor site survey reports, and there should be no dead spots in an 802.11 bridge link: the link will either work or not work.

324
When securing a wireless Ad Hoc network, which options are practical security mechanisms?
A. WEP (yes)
B. WPA-Enterprise
C. IPSec/ESP (yes)
D. PPTP/MPPE VPN
E. SSH2 VPN
F. WPA2-Personal (yes)

Explanation: Static WEP keys are the simplest, most cost-effective method of securing Ad Hoc (peer-to-peer) wireless networks, but they are also the most vulnerable to attack. Since no authentication server is available, 802.1X/EAP solutions such as WPA-Enterprise are not configurable for Ad Hoc networks. PPTP and SSH2 VPN solutions require a server component, whereas IPSec can work in a peer-to-peer environment. ESP is the IPSec sub-protocol that encapsulates and encrypts the data. WPA2-Personal uses a simple passphrase for security, and in that capacity is configurable in much the same way as WEP, without the weak security.

325
Given: As the wireless LAN administrator, it is part of your responsibility to detect and eliminate rogue access points. You have educated end users about the dangers of rogue devices and have implemented a security policy sufficient to deter employees from placing rogues on the network. You have located a rogue access point that no employee will take responsibility for installing. You must assume that someone intentionally placed the rogue access point to attack your network. You determine that the rogue was not present on the network the previous day. By viewing the HTML management interface, you determine that the rogue has only been powered up for 15 minutes. What is your next task to deal with this situation?
A. Document the incident and report it to the highest level of management as a breach of security. Contact the police.
B. Disconnect the rogue access point's wired network connection, and save and analyze its log files. (yes)
C. Reconfigure all authorized access points to your organization's default security settings. Leave the rogue in place as a trap for the intruder.
D. Document the incident. Power down the access point, and take it to the police for fingerprinting tests.
E. Temporarily shut down the entire wireless segment of the network pending an internal criminal investigation.

Explanation: Disconnecting the rogue access point's wired network connection, and saving and analyzing its log files, should be done because you need to remove the rogue immediately from the network, but not disrupt normal company operations before you have all the facts from the log files. This is a measured response that should be defined in the company's security policy. It might not always be possible to recover log files from a rogue access point, because it may not have the default password set. Resetting the unit to the manufacturer's default settings would also clear the log files. In cases like this, the only recourse is to have a WIPS in place that has monitored activity between the rogue and any client devices.

Upper management should only be contacted if there is sufficient evidence to prosecute this breach of policy internally (which this is not). Police will not be interested in an internal matter unless you can prove the rogue was placed by someone who broke a local law (like trespassing). Documenting the incident is a good idea. Reconfiguring all authorized access points to your organization's default security settings and leaving the rogue in place as a trap for the intruder is incorrect, because you should check your APs for tampering but you should also immediately remove the rogue. Temporarily shutting down the entire wireless segment of the network pending an internal criminal investigation is incorrect, because it could shut down your company's network for what might be a minimal intrusion. Such a response should already be set down in policy with regard to Business Impact Analysis and Business Continuity.

326
Which IEEE 802.11 amendment attempts to address the same issues first addressed by the 802.11F recommended practice?
A. IEEE 802.11d
B. IEEE 802.11e
C. IEEE 802.11h
D. IEEE 802.11r (yes)
E. IEEE 802.11s

Explanation: The 802.11r Fast Roaming working group is designing a standard to speed handoffs between access points. Included are enhancements to improve BSS transitions within 802.11 ESSs and to support the real-time constraints of VoIP.

327
An RTS/CTS handshake is accomplished between which two network entities in a BSS?
A. A client device and an AP only
B. Immediate wireless receivers (yes)
C. Two client devices only
D. A wired node and a wireless client device

Explanation: Immediate wireless receivers exchange RTS/CTS frames as part of a 'handshake.' Whether the immediate receivers are both clients, or one is a client and the other an AP, is not important. If a client sends an RTS frame in a BSS, the AP will receive it and reply with a CTS frame. If the AP sends an RTS frame to a station, the station will reply with a CTS frame. In an IBSS, two client devices may exchange RTS/CTS frames in this manner. One special circumstance exists whereby two wireless client stations may exchange RTS/CTS frames within a BSS: if a STAKey is used in a BSS, client devices may communicate directly (not through the AP).

328
The IEEE OFDM amendment specifies what number of non-overlapping channels in the upper U-NII (U-NII 3) band?
A. 3
B. 4 (yes)
C. 6

Explanation: Bands available for use with OFDM (802.11a) systems are as follows:

Band (GHz)              Channels  Channel numbers
5.150-5.250 (U-NII 1)   4         36, 40, 44, 48
5.250-5.350 (U-NII 2)   4         52, 56, 60, 64
5.470-5.725             11        100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
5.725-5.825 (U-NII 3)   4         149, 153, 157, 161
5.825-5.850 (ISM)       1         165

329
What might be a valid reason for not recommending transmit opportunities (TXOPs) using HT L-Sig Protection?
A. Non-HT stations are not able to receive any PPDU that starts during the L-SIG duration. (yes)
B. HT L-Sig Protection is a proprietary solution that may cause interoperability issues.
C. L-Sig Protection creates additional overhead, resulting in lower throughput.
D. Extra time required by HT L-Sig Protection makes latency-sensitive applications such as VoLAN unusable.

Explanation: L-SIG TXOP protection ('PHY Layer Spoofing'). In OFDM frames (clause 17), the PPDU header consists of short training fields, long training fields, and a SIGNAL field. Inside the SIGNAL field is the LENGTH subfield. In a non-HT format frame, this subfield, called L_LENGTH in 802.11n, indicates the length of the PSDU in octets in the range 1-4095. This value is used by the PHY to determine the number of octet transfers that occur between the MAC and the PHY.

When the 802.11n frame format is HT Mixed (keeping in mind that there are only the HT Mixed format (HT_MF) and the HT Greenfield format (HT_GF)), the LENGTH subfield is used along with the RATE subfield to control the duration for which non-HT STAs defer transmission: a period of time corresponding to the length of the HT PPDU (or the L-SIG Duration when L-SIG TXOP protection is used). To restate, when using an HT Mixed format preamble, the Rate subfield in the Legacy OFDM Signal field (L-SIG) of HT frame headers is always set to 6 Mb/s. The Length subfield of the L-SIG field of HT frames with an HT Mixed format PHY preamble always contains a value that (together with the Rate subfield) represents a duration corresponding to the length of the rest of the PPDU, with a few exceptions. This is 'PHY Layer Spoofing.'

An HT STA must indicate whether it supports L-SIG TXOP Protection in its L-SIG TXOP Protection Support capability field in Association Requests and Probe Responses. The AP determines whether all HT stations associated with its BSS support L-SIG TXOP Protection and indicates this in the L-SIG TXOP Protection Full Support field of its HT Information Element. This field is set to 1 only if the L-SIG TXOP Protection field is set to 1 by all HT stations in the BSS. A station is not allowed to transmit a frame using L-SIG TXOP Protection directed to a recipient that does not support L-SIG TXOP Protection. When the station is associated with an AP, support at a recipient that is associated with the same AP is indicated if the L-SIG TXOP Protection Full Support field is set to 1 in the HT Information element broadcast in Beacons transmitted by the AP with which the stations are associated. L-SIG TXOP support at the recipient may additionally be determined through examination of the HT Capability elements exchanged during association.

Under L-SIG TXOP Protection operation, the L-SIG field of an HT mixed format PHY preamble represents a duration value equivalent to the sum of: a) the value of the Duration/ID field contained in the MAC header, and b) the duration remaining in the current packet (from the end of the symbol containing the L-SIG field to the end of the last symbol of the packet). The maximum value of L_LENGTH is 4095 octets. Non-HT stations are not able to receive any PPDU that starts during the L-SIG duration; therefore, no frame may be transmitted to a non-HT station during an L-SIG protected TXOP. If it is determined that the mechanism fails to effectively suppress non-HT transmissions, L-SIG TXOP Protection should not be used, and implementers of L-SIG TXOP Protection are advised to include a NAV-based fallback mechanism. How this is determined is outside the scope of the standard. The figure below (Example of L-SIG Duration Setting) illustrates an example of how L-SIG Durations are set when using L-SIG TXOP Protection. An L-SIG TXOP protected sequence starts with an initial handshake, which is the exchange of two short frames (each inside an HT MM PPDU) that establish protection. RTS/CTS is an example of this. Any initial frame exchange may be used that is valid for the start of a TXOP, provided the duration of the response frame within this sequence is predictable. The term L-SIG TXOP protected sequence includes these initial frames and any subsequent frames transmitted within the protected duration.
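The L-SIG duration arithmetic described above (MAC Duration/ID plus the remainder of the current PPDU, encoded in the 12-bit L_LENGTH at the fixed 6 Mb/s L-SIG rate), as an added Python example that is not part of the original question bank or of the 802.11n text. It assumes the clause 17 OFDM TXTIME equation that a non-HT station applies to the L-SIG (16 µs preamble, 4 µs SIGNAL symbol, 4 µs data symbols carrying 24 data bits each at 6 Mb/s, plus 16 service and 6 tail bits); the L_LENGTH formula is derived from that equation, and the function names are my own.

```python
import math

# Clause 17 (OFDM, 20 MHz) PHY timing used by legacy stations to interpret L-SIG.
T_PREAMBLE_US = 16          # short + long training fields
T_SIGNAL_US = 4             # the SIGNAL (L-SIG) symbol
T_SYM_US = 4                # one OFDM data symbol
N_DBPS_6MBPS = 24           # data bits per symbol at the 6 Mb/s L-SIG rate
SERVICE_AND_TAIL_BITS = 16 + 6
L_LENGTH_MAX = 4095         # 12-bit LENGTH subfield, as stated in the explanation


def legacy_txtime_us(l_length, n_dbps=N_DBPS_6MBPS):
    """TXTIME a non-HT OFDM station computes from the L-SIG RATE/LENGTH pair."""
    n_sym = math.ceil((SERVICE_AND_TAIL_BITS + 8 * l_length) / n_dbps)
    return T_PREAMBLE_US + T_SIGNAL_US + T_SYM_US * n_sym


def lsig_duration_us(l_length):
    """How long a legacy station stays deferred after the L-SIG symbol."""
    return legacy_txtime_us(l_length) - T_PREAMBLE_US - T_SIGNAL_US


def lsig_duration_for_txop(duration_id_us, remaining_ppdu_us):
    """L-SIG duration under L-SIG TXOP protection: item a) plus item b) above."""
    return duration_id_us + remaining_ppdu_us


def l_length_for_duration(duration_us):
    """L_LENGTH that makes legacy stations defer for duration_us (rounded up to a
    whole 4 µs symbol), or None when it would exceed the 12-bit field.

    At 6 Mb/s each symbol carries 3 octets; the service/tail bits take up almost
    one octet's worth of the first symbol, hence the "- 3".
    """
    n_sym = math.ceil(duration_us / T_SYM_US)
    l_length = max(0, 3 * n_sym - 3)
    if l_length > L_LENGTH_MAX:
        return None
    return l_length


def protect_txop(duration_id_us, remaining_ppdu_us):
    """Decide how to protect a TXOP: an L_LENGTH to spoof, or a NAV fallback.

    Returns a dict with the requested L-SIG duration, the chosen L_LENGTH, the
    deferral that legacy stations will actually honour, and whether the
    NAV-based fallback the explanation recommends is needed instead.
    """
    wanted = lsig_duration_for_txop(duration_id_us, remaining_ppdu_us)
    l_length = l_length_for_duration(wanted)
    if l_length is None:
        return {"wanted_us": wanted, "l_length": None,
                "deferral_us": 0, "nav_fallback": True}
    return {"wanted_us": wanted, "l_length": l_length,
            "deferral_us": lsig_duration_us(l_length), "nav_fallback": False}


if __name__ == "__main__":
    # A 300 µs TXOP declared in Duration/ID, with 40 µs of the current PPDU
    # still to come after the L-SIG symbol (constructed values).
    print(protect_txop(300, 40))
    # Largest deferral a 12-bit L_LENGTH can encode at 6 Mb/s.
    print(lsig_duration_us(L_LENGTH_MAX), "us with L_LENGTH =", L_LENGTH_MAX)
    # A TXOP that is too long for L-SIG spoofing must fall back to the NAV.
    print(protect_txop(6000, 0))
```

The check in `protect_txop` is the practical consequence of the 4095-octet limit: any protected duration longer than what L_LENGTH can express cannot be covered by PHY layer spoofing at all, which is one reason the standard wants a NAV-based fallback available.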

An HT station is allowed to transmit a CF-End when the TXOP is not completely used by the TXOP owner, in a BSS whose beacon contains an HT Information element with the Operating Mode field set to 0. This will reset the NAV at the HT station. An HT STA using L-SIG TXOP protection should use an accurate prediction of the TXOP duration inside the Duration/ID field of the MAC header to avoid inefficient use of the channel capacity. If the initial frame handshake succeeds (i.e., upon reception of a response frame with L-SIG TXOP Protection addressed to the TXOP holder), all HT mixed format PPDUs transmitted inside an L-SIG TXOP Protection protected TXOP must contain an L-SIG Duration that extends to the endpoint indicated by the MAC Duration/ID field.

330
What scenario could cause a 'false positive' intrusion alarm in a wireless intrusion prevention system (WIPS)?
A. A client device has a high rate of frame retransmissions due to a noisy RF environment.
B. A client device disassociates and reassociates to an AP several times in quick succession due to a low RSSI value. (yes)
C. A reporting delay from a remote RF sensor due to busy WAN links.
D. A rogue access point is located and found to have the same SSID as the authorized network.

Explanation: Companies implementing WLANs typically expect to have close to 100% wireless coverage of their facility. End users, however, will invariably find areas that were not analyzed during the site survey and have little or no coverage. An end user operating in such an area might be able to connect wirelessly, but will have continuous associations and disassociations. This causes the WIPS to incorrectly determine that a denial of service (DoS) event is in progress and issue a 'false positive' alarm, i.e. the system determines it has analyzed something of value when it has not (relatively speaking). Newer wireless solutions include 'coverage hole' detection, which shows where authenticated clients are experiencing consistent association/disassociation events like those described, and will make recommendations to increase AP power, increase antenna gain, or add more APs in the affected area.

331
According to its corporate security policy, ABC Company is creating a 'WLAN Security and Performance' checklist to assure that all autonomous access point deployments are consistently secure and maximize performance. What item does not belong on such a checklist?
A. Cipher suite is CCMP
B. Default passwords are changed
C. WIPS mode is enabled on each AP (yes)
D. Preauthentication is enabled
E. 802.1X/EAP is in use
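The coverage-hole pattern from the explanation for question 330, as an added Python example (my code, not from the original question bank or from any WIPS product): it parses a constructed event log, finds clients that disassociate repeatedly within a short window, and then separates flapping at a weak signal (the false-positive case the explanation describes) from flapping at a healthy signal, which a coverage hole cannot explain and which still deserves an analyst's attention. The log format, the client and AP names, and the thresholds (three disassociations within 60 seconds, median RSSI below -75 dBm) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of controller/WIPS association events (made up for this
# example; the line format is not any vendor's real log format).
SAMPLE_LOG = """\
2024-05-01T09:00:01 client=aa:bb:cc:00:00:01 ap=AP-17 event=disassoc rssi=-83
2024-05-01T09:00:04 client=aa:bb:cc:00:00:01 ap=AP-17 event=assoc rssi=-81
2024-05-01T09:00:09 client=aa:bb:cc:00:00:01 ap=AP-17 event=disassoc rssi=-84
2024-05-01T09:00:12 client=aa:bb:cc:00:00:01 ap=AP-17 event=assoc rssi=-80
2024-05-01T09:00:20 client=aa:bb:cc:00:00:01 ap=AP-17 event=disassoc rssi=-85
2024-05-01T09:00:23 client=aa:bb:cc:00:00:01 ap=AP-17 event=assoc rssi=-82
2024-05-01T09:00:31 client=aa:bb:cc:00:00:01 ap=AP-17 event=disassoc rssi=-83
2024-05-01T09:00:02 client=aa:bb:cc:00:00:02 ap=AP-03 event=disassoc rssi=-48
2024-05-01T09:00:03 client=aa:bb:cc:00:00:02 ap=AP-03 event=assoc rssi=-47
2024-05-01T09:00:05 client=aa:bb:cc:00:00:02 ap=AP-03 event=disassoc rssi=-49
2024-05-01T09:00:06 client=aa:bb:cc:00:00:02 ap=AP-03 event=assoc rssi=-48
2024-05-01T09:00:08 client=aa:bb:cc:00:00:02 ap=AP-03 event=disassoc rssi=-47
2024-05-01T09:00:10 client=aa:bb:cc:00:00:02 ap=AP-03 event=assoc rssi=-48
2024-05-01T09:00:11 client=aa:bb:cc:00:00:02 ap=AP-03 event=disassoc rssi=-49
2024-05-01T09:10:00 client=aa:bb:cc:00:00:03 ap=AP-05 event=disassoc rssi=-60
2024-05-01T09:15:00 client=aa:bb:cc:00:00:03 ap=AP-05 event=assoc rssi=-61
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) ap=(?P<ap>\S+) "
    r"event=(?P<event>\S+) rssi=(?P<rssi>-?\d+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, client, ap, event, rssi_dbm) tuples."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip anything that is not in the expected format
        events.append((datetime.fromisoformat(match["ts"]), match["client"],
                       match["ap"], match["event"], int(match["rssi"])))
    return events


def max_events_in_window(times, window_s):
    """Largest number of timestamps that fall inside any window_s-second span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify_flapping(text, window_s=60, min_disassoc=3, weak_rssi_dbm=-75):
    """Return {client: verdict} for clients that disassociate repeatedly.

    "coverage_hole": repeated disassociations at a weak median RSSI, the
    situation the explanation describes as a WIPS false positive.
    "possible_dos": the same flapping at a healthy signal level, which the
    coverage-hole heuristic cannot account for and should be investigated.
    """
    disassoc_times = defaultdict(list)
    rssi_samples = defaultdict(list)
    for ts, client, _ap, event, rssi in parse_events(text):
        if event == "disassoc":
            disassoc_times[client].append(ts)
            rssi_samples[client].append(rssi)

    verdicts = {}
    for client, times in disassoc_times.items():
        if max_events_in_window(times, window_s) < min_disassoc:
            continue  # an isolated disassociation is normal, not an alarm
        if median(rssi_samples[client]) < weak_rssi_dbm:
            verdicts[client] = "coverage_hole"
        else:
            verdicts[client] = "possible_dos"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(classify_flapping(SAMPLE_LOG).items()):
        print(client, verdict)
```

A real deployment would tune the thresholds per site and would also map the weak-RSSI clients to a location, which is what turns a suppressed false positive into the "add an AP or raise power here" recommendation the explanation mentions.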

Explanation: While APs may have scanning capabilities that allow them to report the presence of an unauthorized device and the status of the RF environment around them, autonomous APs do not have a 'WIPS mode.' CCMP is specified by the 802.11i amendment as the default cipher suite, and is presently unbreakable. Autonomous APs have many management interfaces, such as HTTP, telnet, console, and SNMP. Each of these management interfaces supports a default user login, and the default login parameters should be changed prior to deployment. Preauthentication is specified by the 802.11i amendment to speed authentication with new APs by allowing client devices to authenticate to APs to which they expect to roam. 802.1X/EAP provides a scalable authentication method capable of supporting tunneled client authentication data, and is the most common authentication scheme in enterprise WLANs today.

332
How does a station operating in Point Coordination Function (PCF) mode gain priority over stations not capable of PCF mode?
A. During the contention period it uses shorter slot times
B. It polls the access point during the contention-free period
C. Before the contention-free period, it sets its NAV to 32,768
D. It configures itself for the highest WMM priority class
E. It acknowledges frames sent to it by the Point Coordinator (yes)

Explanation: Wireless stations use collision avoidance (CSMA/CA), which is essentially the same thing as Distributed Coordination Function (DCF) as a way to coordinate which station may transmit in a distributed manner for all stations in a given area. One weakness of DCF is that it is contention based, and there is no guarantee of timely access to the medium. The 802.11 standard also allows for a contention-free period (working in Point Coordination Function or PCF mode) that provides managed (guaranteed) access to the medium through polling. During the contention-free period, the access point, acting as the Point Coordinator (PC) will poll and transmit to stations that are on its CF polling list (based upon the clients request to participate in the PCF), one station after another. Each station is allowed to transmit one frame per poll. All non-PCF participating stations will defer until the end of the PCF Repetition Interval. 333 To secure your wireless network, you enter a unique number you received from a fixed label (sticker) that was dynamically generated by an enrollee. You then manually entered this number into a Registrar to allow a wireless device secure wireless access.

What type of wireless security solution is being described?
A WPS-PIN (yes)
B WPA-Personal
C RSNA
D TSN
E Pre-RSN
F EAP

Explanation: Wi-Fi Protected Setup (WPS) is an optional certification program from the Wi-Fi Alliance designed to ease the task of setting up and configuring security on wireless local area networks. Introduced by the Wi-Fi Alliance in early 2007, the program provides an industry-wide set of network setup solutions for home and small office (SOHO) environments. WPS offers four options: WPS-PIN, WPS-PBC, WPS-NFC and WPS-USB; support for the last two is not mandatory. WPS-PIN requires a PIN to be provided for each device that joins the network. The PIN can be printed on a fixed label (sticker) or dynamically generated at the enrollee, and the administrator enters the PIN into the Registrar manually. For more information refer to the following link: http://www.wi-fi.org/knowledge_center_overview.php?docid=4506

334
You have an access point capable of 'hiding' the network name to create a 'closed' system. What is the effect of configuring the access point with this feature?
A Attackers will not be able to find your wireless network
B Beacons are no longer transmitted
C Passive scanning can not be used to join a network (yes)
D Probe responses are encrypted on the access point
E The access point configuration is no longer fully IEEE 802.11 compliant (yes)

Explanation: 'Hiding' the wireless network or creating a 'closed' system are terms used for removing the SSID (network name) from the broadcast Beacon frame, which is a violation of the IEEE 802.11 standard but has been added to most wireless infrastructure devices. Passive scanning is the process of listening for Beacons on each channel for a specific period of time, in order to hear a Beacon containing the SSID of the network the client has been configured to associate with. Hiding the SSID removes the ability of passive scanning to identify the network, so a client must actively probe for it, which makes the network harder to use for the end user. Beacons continue to be transmitted after the network is hidden, and attackers can still learn the SSID of a hidden network because it is sent in clear text in probe requests and probe responses and in association and reassociation requests.

335
What is a significant difference between 802.3-2005 Clause 33 compliant Endpoint and Midspan PSE devices?

A Endpoint PSE devices can support Gigabit Ethernet but Midspan PSE devices only support 10BASE-T or 100BASE-TX. (yes)
B Midspan PSE devices regenerate an Ethernet signal similar to a repeater.
C Ethernet signals and electrical power may both travel on the same two wire pairs when using an endpoint PSE device. (yes)
D Endpoint PSE devices will continuously monitor for powered device connectivity.
E Endpoint PSE devices withhold power until PoE compliance is determined.

Explanation: The two types of Power Sourcing Equipment (PSE) are endpoint and midspan devices. Alternative A delivers power over the data pairs (the orange and green pairs, pins 1/2 and 3/6), while alternative B delivers power over the otherwise unused pairs (the blue and brown pairs, pins 4/5 and 7/8). An endpoint PSE is built into a switch and may use either alternative A or alternative B. A midspan PSE sits between a non-PSE switch and the end station (the powered device, or PD) and, under 802.3-2005, can only inject power on the non-data pairs. This difference allows endpoint PSE devices to support 10BASE-T, 100BASE-TX, and 1000BASE-T connectivity, while 802.3-2005 midspan devices only support 10BASE-T and 100BASE-TX, because 1000BASE-T uses all four pairs for data.

336
Which statements are true regarding deployment of lightweight access points?
A Lightweight access points support 802.3af and may connect directly to the WLAN controller or to an Ethernet switch. (yes)
B Lightweight access points may connect to the WLAN controller with either a Layer-2 or a Layer-3 protocol. (yes)
C Lightweight access points may be controlled over either Layer-2 or Layer-3. (yes)
D Lightweight access points may use DNS to locate their assigned WLAN controller. (yes)
E Lightweight access points cannot be deployed over the Internet due to Network Address Translation.
F Lightweight access points may be configured for 802.11a or 802.11g, but not both simultaneously.

Explanation: All lightweight APs support 802.3af power over Ethernet. Most, but not all, lightweight access points support both a Layer-2 and a Layer-3 protocol for establishing connectivity to their assigned WLAN switch/controller. Layer-3 protocols might include LWAPP, GRE, and other similar tunneling protocols. When distributed lightweight access points power up, they receive an IP address from the local LAN segment by DHCP, including DNS parameters. The DNS name of their assigned controller is pre-configured in the lightweight AP. After a DNS lookup, the lightweight AP has the IP address of its controller and can establish a Layer-3 tunnel terminating at that controller, which also allows deployment across NAT and the Internet.

337
Given: You are transmitting data using an ERP-OFDM access point connected to an 18 dBi omnidirectional antenna through a cable producing 3 dB of loss. If you wanted to transmit at the maximum allowed EIRP, what would be the dBm rating at the Intentional Radiator?
A 18 (yes)
B 36
C 30
D 15
E 21

Explanation: Omnidirectional antennas are always treated as point-to-multipoint (PtMP) connections. Regulatory bodies such as the FCC mandate that PtMP connections in the 2.4 GHz band (in which HR-DSSS and ERP-OFDM, 802.11b/g, operate) may not exceed 36 dBm (4 Watts) EIRP. PtMP links must also follow the '1:1 Rule': the maximum power from the Intentional Radiator is 1000 mW (1 Watt, 30 dBm) when using an antenna of up to 6 dBi gain (30 dBm + 6 dBi = 36 dBm, or 4 Watts), and for each 3 dBi of antenna gain above 6 dBi the IR power must be reduced by 3 dB, keeping the total at or below the 36 dBm limit. An Intentional Radiator is defined by the FCC and other regulatory bodies as an RF device specifically designed to generate and radiate RF signals, and includes the RF device and all cabling and connectors up to, but not including, the antenna; the cable loss is therefore already inside the IR figure. With a 36 dBm EIRP limit and an 18 dBi antenna, 36 dBm - 18 dBi = 18 dBm is the maximum power at the Intentional Radiator. (The transmitter itself could be set 3 dB higher, 21 dBm, to make up the cable loss, but the question asks for the IR figure, not the transmitter setting.)

338
As a network administrator, you understand the mentality of most war drivers and have implemented a very strong WLAN security solution. From your office window, you spot a war driver in your parking lot using a Yagi antenna and a laptop in his car. You correctly assume that the war driver is attempting to penetrate your WLAN. What should you do next?
A Ignore the war driver. You have implemented a secure WLAN solution they cannot penetrate.
B Call the police and have the war driver apprehended. Press charges for violations of regulatory domain laws.
C Monitor the WIPS alerts and inform your organization's security personnel to ask the war driver to vacate the premises. (yes)
D Implement a high-powered RF jamming device on all DSSS channels.
E Approach the war driver and explain how his actions are illegal and unethical.

Explanation: If a break-in does occur, you will need proof that it was indeed the war driver who did it. This will be supplied by system logs and the analysis performed by the WIPS. Also, since this is a security-related event, your security personnel should be alerted, because they will best know how to legally and safely deal with the potential intruder. Jamming is not an option: an intentional jammer violates regulatory rules in most domains and would take down your own WLAN as well.

339
Which protocols that are used to manage WLAN infrastructure devices support authentication and encryption?
A POP3/SSL
B SNMPv3 (yes)
C SSH2 (yes)
D HTTPS (yes)
E LDAP
F RIPv2

Explanation: HTTPS authenticates the server with an X.509 certificate and the user with a username and password, inside a TLS-encrypted session. SNMPv3 adds user-based authentication (HMAC) and optional encryption (privacy) of the transported data, both of which SNMPv1 and SNMPv2c lack. SSH2 uses public-key cryptography to authenticate the server and negotiate session keys, encrypts the session, and supports several user authentication methods such as password and public key. POP3, LDAP and RIPv2 are not protocols used to manage WLAN infrastructure devices.

340
A small office WLAN consists of one small file server, one access point, and ten client machines. The Windows network operates in a peer-to-peer workgroup configuration. The data maintained on the network is non-critical and non-sensitive. Which wireless security solution is the most appropriate for this configuration?
A WPA-Personal with a strong pass-phrase (yes)
B PPTP/EAP-TLS VPN with x.509 certificates
C IPSec VPN with x.509 certificates
D WPA2-Enterprise with EAP-TTLS

Explanation: The key words here are 'small', 'non-critical', and 'non-sensitive.' WPA-Personal, assuming a sufficiently long and random pass-phrase, provides appropriate security for this network. The three alternative solutions require substantial hardware upgrades or additions (a VPN concentrator, a RADIUS server, a certificate authority) and far more setup, administration and cost than are warranted to protect this small, non-critical, non-sensitive network.

341
Based upon the included protocol analyzer capture, what can you definitively conclude about the wireless network?
A WEP cannot be used for encryption (yes)
B WPA2-Enterprise has been implemented
C 802.1X/EAP-TLS is used for authentication
D All unicast traffic is encrypted using AES (yes)
E A passphrase was used to generate the Master PMK

Explanation: The capture shows the RSN Information Element, which indicates this network is a Robust Security Network. An RSN can be identified by the indication in the RSN Information Element (IE) of Beacon frames that the group cipher suite specified is not wired equivalent privacy (WEP). An RSN must support the CCMP cipher suite and may optionally allow use of the TKIP cipher suite. You can also conclude that all unicast traffic is AES-protected, because CCMP is the only pairwise cipher listed in the RSN IE; TKIP is not offered. The IE does not tell you which EAP method is used, nor whether the PMK came from a pass-phrase or from an EAP exchange.

342
What is one purpose of the Null Function frame?
A Sent by client to notify an access point of an intended power state change (yes)
B Sent by access point to notify client it has no buffered data to transmit
C Used in ad hoc mode to synchronize timing
D Part of a broadcast or multicast management or control frame

Explanation: The Null Function frame is a special Data frame with no payload that allows a wireless station with nothing to transmit to complete a frame exchange. Vendors commonly have a wireless station send a Null Function Data frame to inform an access point that it is changing its power management mode between active and power save mode. The Null Function Data frame is also used to answer a CF-Poll frame sent by an access point operating as the Point Coordinator during PCF mode. While a wireless station is roaming between access points, it may miss data frames intended for it. The station may therefore send a Null Function Data frame to its access point announcing power save mode, so that the access point buffers frames for the station until it is ready to receive again. Once the station has completed the roaming process, it sends another Null Function Data frame announcing that it is back in active mode, and the access point then forwards any buffered frames. Null Function frames are only sent by wireless stations, not by access points.

343
What is a key difference between the ERP-OFDM and OFDM standards?
A OFDM devices can achieve data rates of up to 54 Mbps
B OFDM specifies mandatory support for 6, 12, and 24 Mbps data rates
C ERP-OFDM supports CCK, QPSK, and QAM encoding and modulation techniques. (yes)
D ERP-OFDM specifies mandatory support for 1, 2, 5.5, and 11 Mbps data rates (yes)
E OFDM operates in the 5 GHz ISM band

Explanation: OFDM (802.11a) and ERP-OFDM (802.11g) both use Orthogonal Frequency Division Multiplexing (OFDM) to achieve data rates of 6 and 9 Mbps using BPSK modulation, 12 and 18 Mbps using QPSK, 24 and 36 Mbps using 16-QAM, and 48 and 54 Mbps using 64-QAM. CCK (Complementary Code Keying) is used to achieve data rates of 5.5 and 11 Mbps. Both the OFDM (802.11a) and ERP-OFDM (802.11g) standards require mandatory support for the 6, 12, and 24 Mbps data rates. ERP-OFDM (802.11g) also uses DSSS for backward compatibility with HR-DSSS (802.11b), so the ERP-OFDM standard additionally requires mandatory support for 1, 2, 5.5, and 11 Mbps using DSSS and CCK. OFDM operates in the 5 GHz UNII bands, not the ISM bands.

344
You are about to deploy an application that only certain users on the wireless network should be able to access. What WLAN controller feature would most easily allow you to segment this WLAN traffic?
A RBAC (yes)
B VLAN
C VPN
D MAC Filtering
E STP

Explanation: Role-based access control (RBAC) is an approach for restricting system access to authorized users. It is a newer alternative to mandatory access control (MAC) and discretionary access control (DAC).

Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning the appropriate roles to the user, which simplifies common operations such as adding a user or changing a user's department. On a WLAN controller, a role can be tied to the user's authenticated identity, so the same SSID can give different users different reachable applications without per-user VLAN or filter maintenance.

345
According to the 802.11i-2004 amendment, when is the 802.1X controlled port placed in an 'authorized' state?
A Only after the uncontrolled port has been opened for a specific period of time
B During user authentication, but only after the EAP-Identity/Response frame is received
C All the time, without regard to EAP user authentication
D After the EAP user has been mutually authenticated
E After a successful 4-Way Handshake (yes)

Explanation: In an RSNA, the IEEE 802.1X Port determines when to allow data traffic across an IEEE 802.11 link. A single IEEE 802.1X Port maps to one association, and each association maps to an IEEE 802.1X Port. An IEEE 802.1X Port consists of an IEEE 802.1X Controlled Port and an IEEE 802.1X Uncontrolled Port. The IEEE 802.1X Controlled Port is blocked (in the unauthorized state) from passing general data traffic between two STAs until a successful 4-Way Handshake is completed. Before the 4-Way Handshake, 802.1X/EAP authentication (or, in WPA-Personal, the pre-shared key) establishes the user's identity and the Pairwise Master Key; the 4-Way Handshake then proves both sides hold that PMK, derives the Pairwise Transient Key, and distributes the group key. IEEE 802.1X Supplicants and Authenticators exchange EAP and EAPOL-Key protocol frames via the IEEE 802.1X Uncontrolled Port, which is why EAP completing successfully (answer D) is not by itself enough to open the controlled port.

346
Given: A functional security policy describes technology-related procedures that must be followed to maintain a secure network. Which elements belong in a functional security policy?
A Password policies (yes)
B Training requirements (yes)
C Risk assessment
D Asset management (yes)
E Impact analysis
F Violation Reporting Procedures

Explanation: A functional security policy describes technology-related procedures that must be followed to keep the network secure, and provides specific methods of mitigating the threats described in the general security policy. A functional policy should contain password policies, training requirements, acceptable usage, security configuration for devices, and asset management. Risk assessment, impact analysis, and violation reporting procedures and enforcement belong in the general security policy.
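Worked example for question 345 above (and the pass-phrase used by WPA-Personal in question 340): the code below is an added illustration, not part of the exam dump, written to show concretely why the controlled port only opens after the 4-Way Handshake. It derives the PSK from a pass-phrase exactly as 802.11i Annex H specifies, expands it into a PTK with the 802.11i PRF, and runs the four EAPOL-Key messages between an AP and a station, authorizing the port only after the MIC on message 4 verifies. The MAC addresses, nonces and the simplified EAPOL-Key layout are constructed for the example; a real EAPOL-Key descriptor has more fields and carries the KEK-wrapped GTK in message 3.

```python
"""Added example, not from the exam dump: WPA-Personal pass-phrase-to-PSK mapping
(question 340) and a 4-Way Handshake model showing that the 802.1X controlled
port opens only after message 4 is verified (question 345).
Standard library only. Addresses, nonces and the EAPOL-Key layout are
constructed for the example (the real key descriptor has more fields)."""
import hashlib
import hmac
import struct


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i Annex H.4: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    With CCMP the PTK is 384 bits: KCK (MIC key) || KEK (GTK wrapping key) || TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key(msg_no: int, replay: int, nonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed, simplified EAPOL-Key body: message number, replay counter, nonce, MIC field."""
    return struct.pack("!BQ32s", msg_no, replay, nonce) + mic


def sign(kck: bytes, body: bytes) -> bytes:
    """Key descriptor version 2 (AES/CCMP): MIC = first 128 bits of HMAC-SHA1(KCK, body with MIC zeroed)."""
    zeroed = body[:-16] + b"\x00" * 16
    return body[:-16] + hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify(kck: bytes, body: bytes) -> bool:
    zeroed = body[:-16] + b"\x00" * 16
    expected = hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(expected, body[-16:])


def four_way_handshake(ssid, ap_passphrase, sta_passphrase, aa, spa, anonce, snonce):
    """Run the exchange between the authenticator (AP, address aa) and the supplicant
    (STA, address spa). Returns the controlled-port state, the message at which a
    MIC check failed (if any) and whether both sides ended up with the same TK."""
    ap_pmk = passphrase_to_psk(ap_passphrase, ssid)     # with 802.1X/EAP the PMK would come from the EAP exchange
    sta_pmk = passphrase_to_psk(sta_passphrase, ssid)
    port_authorized = False                              # controlled port starts blocked

    # Message 1 (AP -> STA): ANonce, no MIC. EAPOL frames traverse the uncontrolled port.
    msg1 = eapol_key(1, 1, anonce)
    anonce_rx = struct.unpack("!BQ32s", msg1[:-16])[2]
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce_rx, snonce)   # STA now has both nonces

    # Message 2 (STA -> AP): SNonce + MIC. The AP derives its PTK and checks the MIC,
    # which only succeeds if the STA holds the same PMK.
    msg2 = sign(sta_ptk["kck"], eapol_key(2, 1, snonce))
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not verify(ap_ptk["kck"], msg2):
        return {"authorized": port_authorized, "failed_at": 2, "tk_match": False}

    # Message 3 (AP -> STA): ANonce + MIC (in a real exchange the KEK-wrapped GTK rides here).
    msg3 = sign(ap_ptk["kck"], eapol_key(3, 2, anonce))
    if not verify(sta_ptk["kck"], msg3):
        return {"authorized": port_authorized, "failed_at": 3, "tk_match": False}
    sta_installed_tk = sta_ptk["tk"]                     # STA installs its pairwise key

    # Message 4 (STA -> AP): MIC-only confirmation.
    msg4 = sign(sta_ptk["kck"], eapol_key(4, 2, b"\x00" * 32))
    if not verify(ap_ptk["kck"], msg4):
        return {"authorized": port_authorized, "failed_at": 4, "tk_match": False}

    # Only now does the AP install the TK and move the controlled port to 'authorized'.
    port_authorized = True
    return {"authorized": port_authorized, "failed_at": None,
            "tk_match": ap_ptk["tk"] == sta_installed_tk}
```

Running `four_way_handshake("IEEE", "password", "password", aa, spa, anonce, snonce)` with any two distinct addresses and nonces returns an authorized port with matching TKs; giving the station a different pass-phrase fails at message 2, and the port never leaves the unauthorized state. `passphrase_to_psk("password", "IEEE")` reproduces the Annex H test vector beginning f42c6fc5.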

347
Which type of wireless attack is virtually undetectable?
A Eavesdropping (yes)
B Man-in-the-Middle
C Denial of Service
D Hijacking
E Jamming

Explanation: A network-connected device operating in promiscuous mode captures all frames on a network, not just frames addressed directly to it; a wireless adapter in monitor mode does the same for the 802.11 frames in the air. A network analyzer operates in this mode to capture traffic for evaluation and to measure traffic for statistical analysis. An attacker may also use such a device to capture network traffic for unscrupulous purposes. Devices operating in this mode only 'listen' to the conversation and never transmit, so there is no RF activity for a WIPS to detect, making them nearly impossible to find. The best defense against eavesdropping is to encrypt any valuable information.

348
Given: Block Ack mechanisms are used to provide data aggregation for improving performance of wireless networks. What are two different types of Block Acks?
A Immediate (yes)
B Delayed (yes)
C Short
D Enhanced
E Deferred

Explanation: The two types of Block Ack mechanism are Immediate and Delayed. An Immediate Block Ack is transmitted immediately after an aggregated transmission is completed and is most suitable for high-bandwidth, low-latency traffic. A Delayed Block Ack waits for an additional round of communication, and is better suited to applications that can tolerate greater latency.

349
Given: In February 2004, the FCC regulated the use of 11 additional channels in the unlicensed 5 GHz UNII band. You recently purchased an OFDM WLAN card that supports these additional channels. What is a consideration for using these additional channels?
A Must use Transmitter Power Control and Dynamic Frequency Selection (yes)
B Not OFDM compliant (yes)
C Must support Direct Sequence Spread Spectrum
D Can not be used indoors
E May cause co-channel interference with current ERP-OFDM access point channels

Explanation: Some vendors that offer certified products (such as 802.11 or Wi-Fi) also offer enhanced (sometimes proprietary) features that, when used, are not IEEE compliant but may still meet regulatory requirements. When the FCC opened up the 5 GHz UNII band to allow 11 additional channels between 5.470 and 5.725 GHz, one stipulation for using these channels was that Transmitter Power Control and Dynamic Frequency Selection are required, so that WLAN equipment yields to radar systems sharing the band. At the time of this question the 11 additional channels were also not part of the OFDM (802.11a) standard.

350
What security service is provided by integrated wireless IPS that is not available from overlay IPS?
A Authorized client authentication (yes)
B Detecting Ad Hoc networks
C In-band detection of DoS attacks (yes)
D Preventing rogue access points
E Stopping client misassociation

Explanation: Integrated wireless IPS solutions provide much better protection against inline, in-band attacks than overlay solutions, because an integrated sensor spends most of its time on the channel in use. In contrast, overlay sensors may need to spend equal amounts of time on each channel, and are thus more likely to be off-channel when an attack occurs. An integrated solution that provides in-band wireless IPS delivers benefits that cannot be gained from an overlay wireless IPS solution. Only an inline system that provides client services can authenticate an authorized client. Overlay systems cannot accurately determine whether a client is authorized through over-the-air traffic monitoring. Many overlay systems rely on over-the-air detection of a client authenticating with an authorized access point; this is not reliable, because overlay wireless IPS sensors cannot decrypt the traffic to ascertain authenticity. An integrated solution is likewise the only one that can provide inline detection of DoS attacks.

351
In which three modes may an 802.11n-draft2.0 device operate?
A Legacy (yes)
B Mixed (yes)
C Green field (yes)
D Duplex
E High-rate
F Compatible

Explanation: Based on the objectives set for the 802.11n standard, the new system can operate in various modes depending on the co-existing systems: Legacy mode, Mixed mode and Green field mode.

Legacy mode: In this mode, the legacy systems and the MIMO-OFDM systems co-exist. Transmission and reception between legacy devices is ordinary 802.11 operation, whereas legacy transmission with MIMO reception enables the use of receive diversity at the MIMO receiver. When a MIMO device is transmitting, only one transmit antenna is used and it acts as yet another SISO legacy system. This mode is mandatory to preserve backward compatibility with the existing standard.

Mixed mode: In this mode, both the MIMO-OFDM systems and the legacy systems co-exist. The MIMO system must be able to generate legacy packets for the legacy systems and high-throughput packets for MIMO-OFDM systems. The burst structure must therefore be decodable by legacy systems while providing better performance to MIMO systems.

Green field mode: This mode is similar to mixed mode in that transmission happens only between the MIMO-OFDM systems in the presence of legacy receivers. However, the MIMO-OFDM packets transmitted in this mode carry only MIMO-specific preambles; no legacy-format preambles are present. There is no protection for the MIMO-OFDM systems from the legacy systems, and no transmissions are intended for legacy or mixed-mode systems from a green field system. MIMO-OFDM receivers must be able to decode green field packets as well as legacy-format packets. When a green field device is transmitting, legacy systems refrain from transmission to avoid collision using the physical carrier sensing mechanism. Receivers enabled for this mode must decode packets from legacy, mixed mode and green field mode transmitters.

354
An RTS/CTS handshake is accomplished between which two network entities in a BSS?
A A client device and an AP only
B Immediate wireless receivers (yes)
C Two client devices only
D A wired node and a wireless client device

Explanation: Immediate wireless receivers exchange RTS/CTS frames as part of a 'handshake.' Whether the immediate receivers are both clients, or one is a client and the other an AP, is not important. If a client sends an RTS frame in a BSS, the AP receives it and replies with a CTS frame. If the AP sends an RTS frame to a station, the station replies with a CTS frame. In an IBSS, two client devices exchange RTS/CTS frames in this manner. One special circumstance exists in which two wireless client stations may exchange RTS/CTS frames within a BSS: if a STAKey is in use, client devices may communicate directly (not through the AP).

355
You have been tasked with upgrading your company's wireless security. Your first requirement is to provide a security solution based upon the IEEE 802.11i standard. Your second requirement is to ensure your solution has been certified by the Wi-Fi Alliance for interoperability. Optionally, you should provide mutual authentication using server-side digital certificates for server authentication with the option of using either username/password or digital certificates for client authentication. You configure your wireless clients to authenticate using 802.1X/EAP-FAST and encrypt data using AES-CCMP data encryption. Which requirements does your solution meet?
A Both requirements and the optional requirement
B First required and optional requirement
C First and Second but not optional requirement
D Only first but not second or optional requirement (yes)
E Only Second but not First or optional requirement
F Only the optional requirement

Explanation: The 802.11i standard calls for use of 802.1X/EAP with AES-CCMP encryption, so the first requirement is met. At the time of this question EAP-FAST had not been certified by the Wi-Fi Alliance, so the second requirement is not. Per the Wi-Fi Alliance official website (www.wi-fi.org), Extensible Authentication Protocol is a protocol that provides an authentication framework for both wireless and wired Ethernet enterprise networks. It is typically used with a RADIUS server to authenticate users on large networks. EAP types are used in the 802.1X-based authentication in WPA-Enterprise and WPA2-Enterprise. Extended EAP is an addition to the Wi-Fi Protected Access (WPA and WPA2) Enterprise certification programs, which further ensures the interoperability of secure Wi-Fi networking products for enterprise and government users. The certified EAP types include:

EAP-TLS: Extensible Authentication Protocol Transport Layer Security.
EAP-TTLS/MSCHAPv2: EAP-Tunneled TLS with Microsoft Challenge Handshake Authentication Protocol; securely tunnels the client's authentication within TLS records.
PEAPv0/EAP-MSCHAPv2: Protected EAP combined with Microsoft Challenge Handshake Authentication Protocol.
PEAPv1/EAP-GTC: Created as an alternative to PEAPv0/EAP-MSCHAPv2; it allows the use of an inner authentication protocol other than Microsoft's MSCHAPv2.
EAP-SIM: Specifies a mechanism for mutual authentication and session key agreement using the GSM SIM, and is used in GSM-based mobile phone networks.

802.1X/PEAP provides mutual authentication using server-side digital certificates for server authentication, with the option of using either username and password or digital certificates for client authentication; EAP-FAST authenticates the server with a Protected Access Credential rather than a certificate, so the optional requirement is not met either.

356
What are characteristics of frequency ranges?
A Generally, higher bandwidth ranges travel farther through open space than lower bandwidth ranges
B The 2.4 GHz ISM range extends from 2.4000 GHz to 2.4725 GHz
C The 2.4 GHz ISM range extends from 2.4000 GHz to 2.5 GHz
D The difference between the upper and lower bounds of a frequency range is its Bandwidth (yes)
E A wireless device operating in the 2.4 GHz frequency range can not wirelessly communicate with a device that operates in the 5 GHz frequency range. (yes)

Explanation: The bandwidth of a frequency range is the difference between its upper and lower bounds. Two stations that want to talk to each other must transmit and receive on the same frequency; therefore, devices that operate in the 2.4 GHz frequency range cannot communicate with a device operating in the 5 GHz frequency range. The FCC specifies that the 2.4 GHz ISM band runs from 2.4000 GHz to 2.4835 GHz. Lower frequencies have longer wavelengths, which travel farther: OFDM (802.11a), which operates in the 5 GHz UNII bands, does not travel as far as HR-DSSS (802.11b) or ERP-OFDM (802.11g), which both operate in the 2.4 GHz ISM band.

357
What criteria must be met for a powered device (PD) to qualify as IEEE 802.3-2005 Clause 33 compliant?
A Able to accept power from data lines or unused wire pairs (yes)
B Provide a 'Classification Signature'
C Able to reply with a 'Detection Signature' (yes)
D Offer WMM-PS (Power Save) U-APSD support
E Support non-PoE 802.11 devices
F Able to draw 15.4 Watts of power

Explanation: Per the IEEE 802.3-2005 Clause 33 standard:

33.3 Powered devices
A PD is a device that is either drawing power or requesting power by participating in the PD detection algorithm. A device that is capable of becoming a powered device may or may not have the ability to draw power from an alternate power source and, if doing so, may or may not require power from the PI. PD capable devices that are neither drawing nor requesting power are also covered in this clause. A PD is specified at the point of the physical connection to the cabling. Characteristics such as the losses due to voltage correction circuits, power supply inefficiencies, separation of internal circuits from external ground or other characteristics induced by circuits after the PI connector are not specified. Limits defined for the PD are specified at the PI, not at any point internal to the PD, unless specifically stated.

33.3.1 PD PI
The PD shall be capable of accepting power on either of two sets of PI conductors. The two conductor sets are named Mode A and Mode B. In each four-wire connection, the two wires associated with a pair are at the same nominal average voltage.
NOTE: PDs that implement only Mode A or Mode B are specifically not allowed by this standard. PDs that simultaneously require power from both Mode A and Mode B are specifically not allowed by this standard.
The PD shall not source power on its PI. The PD shall withstand any voltage from 0 V to 57 V at the PI indefinitely without permanent damage.

33.3.3 PD valid and non-valid detection signatures
A PD shall present a valid detection signature at the PI between Positive VPort and Negative VPort of PD Mode A and between Positive VPort and Negative VPort of PD Mode B as defined in 33.3.1 while it is in a state where it will accept power via the PI, but is not powered via the PI.
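Before the next question, which turns on the RSN definition (group cipher suite not WEP) that question 341's capture and question 334's hidden SSID also rely on, here is an added example, not part of the exam dump, that decodes a Beacon or Probe Response body the way an analyst or a WIPS sensor would: it walks the information elements, reports a zero-length SSID as 'hidden', and parses the RSN IE to state exactly what can be concluded (is it an RSN, is CCMP the only pairwise cipher, which AKM is advertised). The frame bodies are constructed inline with the IE layout of IEEE 802.11-2007 clause 7.3.2; timestamps, rates and capability bits are illustrative values.

```python
"""Added example, not from the exam dump: decode the information elements (IEs) of an
802.11 Beacon or Probe Response body to detect a 'hidden' SSID (question 334) and to
read the RSN IE the way questions 341 and 358 reason about it (group cipher not WEP
means RSN; a pairwise list of only CCMP means all unicast traffic is AES-protected).
Frame bodies are constructed inline; IE and RSN IE layouts follow IEEE 802.11-2007 7.3.2."""
import struct

RSN_OUI = b"\x00\x0f\xac"                     # IEEE 802.11 suite selector OUI
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM = {1: "802.1X", 2: "PSK"}
FIXED_FIELDS = 12                             # timestamp (8) + beacon interval (2) + capability (2)


def parse_ies(body: bytes) -> list:
    """Walk the tagged parameters after the fixed fields; each IE is (id, length, value)."""
    ies, i = [], FIXED_FIELDS
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        value = body[i + 2:i + 2 + ln]
        if len(value) != ln:
            raise ValueError("truncated IE at offset %d" % i)
        ies.append((eid, value))
        i += 2 + ln
    return ies


def ssid_of(body: bytes):
    """SSID IE (ID 0). A zero-length (or all-NUL) SSID is what a 'closed system' AP beacons;
    a Probe Response to a configured client still carries the real name."""
    for eid, value in parse_ies(body):
        if eid == 0:
            if not value or value == b"\x00" * len(value):
                return None
            return value.decode("utf-8", "replace")
    return None


def _suite_list(buf: bytes, off: int, table: dict):
    """Little-endian count followed by 4-byte suite selectors (OUI + type)."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    names = []
    for _ in range(count):
        oui, kind = buf[off:off + 3], buf[off + 3]
        names.append(table.get(kind, "unknown-%d" % kind) if oui == RSN_OUI else "vendor-%s" % oui.hex())
        off += 4
    return names, off


def parse_rsn(value: bytes) -> dict:
    """RSN IE (ID 48): version, group cipher, pairwise ciphers, AKM suites, capabilities."""
    version = struct.unpack_from("<H", value, 0)[0]
    group = CIPHER.get(value[5], "unknown") if value[2:5] == RSN_OUI else "vendor"
    pairwise, off = _suite_list(value, 6, CIPHER)
    akms, off = _suite_list(value, off, AKM)
    caps = struct.unpack_from("<H", value, off)[0] if off + 2 <= len(value) else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms, "caps": caps}


def analyze(body: bytes) -> dict:
    """What can be concluded from a single Beacon/Probe Response body."""
    result = {"ssid": ssid_of(body), "rsn": None, "is_rsn": False, "unicast_aes_only": False}
    for eid, value in parse_ies(body):
        if eid == 48:
            rsn = parse_rsn(value)
            result["rsn"] = rsn
            result["is_rsn"] = not rsn["group"].startswith("WEP")   # 802.11i clause 3.106
            result["unicast_aes_only"] = rsn["pairwise"] == ["CCMP"]
    return result


def build_body(ssid: str, hidden: bool = False, pairwise=(4,), akm=(1,), group: int = 4,
               rsn: bool = True) -> bytes:
    """Constructed management frame body: fixed fields, SSID, rates, DS parameter, optional RSN IE."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)          # timestamp, 100 TU interval, ESS|Privacy|ShortSlot
    ssid_ie = bytes([0, 0]) if hidden else bytes([0, len(ssid)]) + ssid.encode()
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])     # 1, 2, 5.5, 11 Mbps basic rates
    ds_ie = bytes([3, 1, 6])                              # channel 6
    body = fixed + ssid_ie + rates_ie + ds_ie
    if rsn:
        v = struct.pack("<H", 1) + RSN_OUI + bytes([group])                # version 1, group cipher
        v += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([p]) for p in pairwise)
        v += struct.pack("<H", len(akm)) + b"".join(RSN_OUI + bytes([a]) for a in akm)
        v += struct.pack("<H", 0)                                          # RSN capabilities
        body += bytes([48, len(v)]) + v
    return body
```

`analyze(build_body("corp", hidden=True))` reports no SSID (the Beacon of a closed system), while the Probe Response built with `build_body("corp")` yields the name, an RSN, CCMP-only unicast and an 802.1X AKM; a body built with `pairwise=(2, 4)` is still an RSN but no longer lets you conclude that all unicast traffic is AES-protected, which is the distinction question 341 asks you to make from the capture.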
358
In order to implement a robust security network (RSN) as defined by the 802.11i-2004 amendment, an administrator may not implement _____________________?
A The Wired Equivalent Privacy (WEP) Cipher Suite (yes)
B The STAKey Handshake
C The Pass-phrase-to-Preshared Key Algorithm
D The Group Key Handshake
E The TKIP Message Integrity Check (MIC) called 'Michael'

Explanation: 802.11i-2004, clause 3.106, robust security network (RSN): A security network that allows only the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of Beacon frames that the group cipher suite specified is not wired equivalent privacy (WEP). The other four items listed (the STAKey Handshake, the pass-phrase-to-PSK mapping, the Group Key Handshake, and the TKIP MIC 'Michael') are all defined by the 802.11i amendment and are permitted in an RSN; only WEP is excluded.

359
Using IEEE compliant HR-DSSS wireless LAN systems, what is the maximum cumulative data transmission rate that can be achieved in any given physical area?

A 11 Mbps
B 22 Mbps
C 33 Mbps (yes)
D 54 Mbps

Explanation: The HR-DSSS (802.11b) amendment states in section 18.4.6.2: 'In a multiple cell network topology, overlapping and/or adjacent cells using different channels can operate simultaneously without interference if the distance between the center frequencies is at least 25 MHz.' With 5 MHz channel spacing, no regulatory domain has more than 3 channels whose center frequencies are all 25 MHz apart (for example channels 1, 6 and 11). Each channel can support a data rate of 11 Mbps, so when three non-overlapping channels operate in the same physical space, an aggregate data transmission rate of 33 Mbps is possible.

360
You are a wireless network administrator for ABC Corporation. Currently ABC Corp has a VPN concentrator that uses a PPTP/MS-CHAPv2/MPPE-128 VPN security solution for its 100 WLAN users. Since the WLAN was installed, there have been multiple successful attacks against ABC Corp's access points since they are using Open System authentication. ABC Corp wants to update their WLAN security solution. Which security solution would improve the security of ABC Corp's access points while increasing encryption strength and network scalability?
A L2TP/IPSec with AES-192
B WPA2-Enterprise with EAP-TTLS (yes)
C SSH2 with 3DES
D WEP with Shared Key authentication

Explanation: This question has to do with the architecture of ABC Corp's wireless design and security implementation. The current design provides for a fully open access point, with a VPN concentrator residing behind the AP on the wired network. Security is implemented through client-to-VPN concentrator encrypted connections; however, the wireless medium is fully open. In order to address the requirement to 'improve the security of the access points', L2TP/IPSec with AES-192 and SSH2 with 3DES are out. These options (IPSec and SSH) enhance or alter the encryption tools and techniques used to connect the client and internal security devices. They do not alter the access point itself, which is still left open. Both WPA2-Enterprise with EAP-TTLS and WEP with Shared Key authentication provide better security to the AP itself; however, static WEP is significantly less secure than WPA2 with EAP. Further, EAP will scale better than manually configuring static WEP keys on each of the clients and AP devices.

361
A GAIN of 3 dB will yield what power ratio?

A : 2:1 (yes)
B : 3:1
C : 10:1
D : 1:10
E : 5:1

Explanation: A gain of 3 dB will multiply the actual amount of power output by a factor of 2. A gain of 3 dB can be expressed as a ratio of 2:1 (2 to 1).

362
Based upon the included protocol analyzer capture, what can you definitively conclude about the wireless network?

A : WEP cannot be used for encryption (yes)
B : WPA2-Enterprise has been implemented
C : 802.1X/EAP-TLS is used for authentication
D : All unicast traffic is encrypted using AES (yes)
E : A passphrase was used to generate the Master PMK

Explanation: The capture shows the RSN Information Element, which indicates this network is a Robust Secure Network. An RSN can be identified by the indication in the RSN Information Element (IE) of Beacon frames that the group cipher suite specified is not wired equivalent privacy (WEP). An RSN must support the CCMP cipher suite and may optionally allow use of the TKIP cipher suite. You can also conclude that AES is mandatory, because TKIP isn't shown as supported in the RSN information element (IE).

363
Given: An inherent weakness of the original IEEE 802.11 standard is the lack of AAA (Authentication, Authorization, and Accounting) services.

What technology is used as part of a network to provide AAA services to enhance wireless security?

A : IEEE 802.1X
B : EAP
C : WEP
D : RADIUS (yes)
E : L2TP/IPSec
F : PPTP

Explanation: The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a Network Access Server (NAS) and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations. A RADIUS AAA server can manage user profiles for authentication (verifying user name and password), configuration information that specifies the type of service to deliver, and policies to enforce that may restrict user access.

364
An RP-TNC connector used with 802.11 WLANs will typically have what impedance?

A : 25 ohms
B : 50 ohms (yes)
C : 62 ohms
D : 75 ohms
E : 93 ohms

Explanation: Most 802.11 wireless LAN system components, including transceivers, amplifiers, splitters, cables, attenuators, and antennas, have 50 ohm impedance. It is important that all devices in a system have the same impedance, or a high Voltage Standing Wave Ratio (VSWR) and high return loss will result. Reflected power at the point of an impedance mismatch can cause the output amplifier in transceivers such as access points and wireless bridges to fail.

365
What situation requires 802.11 protection mechanisms for optimal operation?

A : All client stations in an HR-DSSS basic service set are ERP-OFDM capable.
B : Some client stations in an ERP-OFDM basic service set are HR-DSSS and others are ERP-OFDM. (yes)
C : All client stations in an ERP-OFDM basic service set are ERP-OFDM capable.
D : Some client stations in an HR-DSSS basic service set are HR-DSSS and others are ERP-OFDM.

Explanation: Protection mechanisms are put in place to help facilitate communications in mixed HR-DSSS/ERP-OFDM (802.11b/g) WLANs. Mechanisms such as RTS/CTS or CTS-to-Self help ensure that all clients know when another device is communicating and do not transmit simultaneously, which would cause data corruption. The issue is that HR-DSSS (802.11b) clients cannot understand OFDM transmissions and thus cannot properly assess whether the wireless medium is busy or idle. Protection mechanism frames, transmitted using modulation that can be understood by HR-DSSS (802.11b) clients, are used to reserve the medium. These are then followed by the faster ERP-OFDM (802.11g) transmissions. In this way, both HR-DSSS (802.11b) and ERP-OFDM (802.11g) devices can use the WLAN, although they suffer the additional burden of the protection mechanism overhead.

366
What differentiates an overlay wireless intrusion prevention system (WIPS) from WIPS integrated into a WLAN controller?

A : Integrated WIPS may also be used to assist with fast/secure roaming between autonomous APs.
B : Overlay WIPS is limited to accessing wireless traffic at the physical and data-link layer, while integrated WIPS has access to layers 3-7 as well. (yes)
C : Only overlay WIPS monitors the RF for attack signatures and undesirable performance issues
D : Only overlay WIPS can use dedicated wireless sensors to passively monitor traffic

Explanation: In an overlay WIPS monitoring deployment, organizations augment their existing WLAN infrastructure with dedicated wireless sensors. These are connected to the network in a manner similar to access points. However, while access points provide client connectivity, WIPS sensors are primarily passive devices that monitor the air for signs of attack or other undesired wireless activity. In an overlay WIPS system, the WIPS vendor provides a controller in the form of a server or appliance that collects and assesses information from the WIPS sensors that is monitored by an administrator. These devices do not otherwise participate with the rest of the wireless network, and are limited to assessing traffic at the physical layer (layer 1) and the data-link layer (layer 2). This is not true for integrated WIPS that can access all OSI layers. For more information, see Joshua Wright's whitepaper: A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model.

367
What type of attack includes spoofing management frames from the access point that a client is connected to, and then de-authenticating, or disassociating, WLAN clients connected to that access point?

A : Jamming
B : Phishing
C : DoS (yes)
D : Bit-flipping
E : Hijacking

Explanation: Denial-of-service attacks are a very different type of threat to the enterprise. Instead of information or networks being exposed to unauthorized personnel, the hacker is trying to create a service disruption. Another key difference is that whereas rogue access points, client misassociation, and ad hoc networks may be unintentionally enabled by the employee, a denial-of-service (DoS) attack requires specific technical knowledge and planning and therefore is almost always a malicious act. In a DoS attack, the attacker typically spoofs management frames from the access point that a client is connected to, and de-authenticates, or disassociates, WLAN clients connected to that access point. These attacks are possible because, unlike Ethernet, WLAN requires management frames for media access and collision avoidance. Because they need to be used before client stations have completed authentication, these management frames are always unauthenticated and unencrypted, even if WPA, WPA2 or a VPN are used.

368
Given: When using WPA or WPA2 Personal, selecting a passphrase with high entropy is critical.

What is the best way to ensure you choose a high entropy passphrase?

A : Use a passphrase generator (yes)
B : Select a passphrase of at least eight or more characters
C : Use only special characters or numbers in the passphrase
D : Use a NIST-compliant naming convention
E : Encrypt the passphrase with an AES cipher

Explanation: Entropy, or more precisely 'information entropy', is the measure of randomness. An intuitive understanding of information entropy relates to the amount of uncertainty about picking a passphrase, i.e. an object that could be translated into a string of bits. 'If you have a 32-bit word that is completely random, then it has 32 bits of entropy. If the 32-bit word takes only four different values, and each value has a 25% chance of occurring, then the word has 2 bits of entropy.' (Practical Cryptography, B. Schneier and N. Ferguson, p.155) The best way to ensure a passphrase has high entropy is to use a passphrase generator.

369
ABC Company's end-user laptops are used on the corporate network using WPA2-Enterprise. The end users use secure applications (POP3/SSL and FTP/SSH). These users also use their computers offsite, using a hotspot to access corporate network resources. What security advantage do these end-users have by utilizing this layered security approach when they are accessing corporate servers from public hotspots?

A : Since no layer 2 security protocols are present on the hotspot network, application layer security still protects sensitive data from eavesdroppers. (yes)
B : WPA2-Enterprise is capable of remote VPN connectivity to corporate network resources.
C : Secure applications such as POP3/SSL and FTP/SSH are not usable over a wireless hotspot connection; however, WPA2-Enterprise security still protects sensitive data.
D : The use of WPA2-Enterprise is required to enable encrypted VPN connectivity to remote corporate network resources.

Explanation: WLAN hotspot networks are by nature a non-secure network infrastructure. WPA2, Personal or Enterprise, is a layer 2 authentication and key management specification that is used in private networks. WPA2 is not a VPN technology, and is used only on the local area network. Secure applications such as POP3/SSL and FTP/SSH can be used on a secure or unsecured network, whether wired or wireless, to protect sensitive user data.

370
Which objects may significantly interfere with an HR-DSSS access point's signal propagation to nearby client stations?

A : Satellite receiver
B : Fire door (yes)
C : High ceiling
D : Cement block wall (yes)
E : Grounding stake or cable
F : Lightning Arrestor

Explanation: Fire doors and cement block walls are thick, made of very dense materials, and absorb RF energy. There are many such RF obstructions to look for and document during an RF site survey.

371
An intruder wants to perform a WLAN hijacking attack against a wireless laptop on its layer 2 and layer 3 connections. This will be followed by a peer attack against open file shares on the wireless laptop. What items must the intruder possess to conduct this attack?

A : The SSID and channel of the authorized network, a narrowband RF jamming device, access point software, and subnet information of the existing network or DHCP server software (yes)
B : The SSID and channel of the authorized network, a spectrum analyzer, protocol analyzer software, wireless frame generator software, and DHCP server software
C : The SSID of the authorized network, Internet Connection Sharing software, a high power FHSS jamming device, and DHCP server software
D : The channel of the authorized network, a mobile microwave oven, access point software, a spectrum analyzer, and wireless protocol analysis software

Explanation: The intruder must know the SSID the wireless laptop is currently using so that he can configure his software AP to match. He must have a software access point configured on a different channel from the authorized access point so that he can use an RF jamming device to cause the wireless laptop to roam from its authorized access point. If the wireless laptop is using a static IP address, the intruder must configure his own laptop for the same subnet using a different IP address. If the wireless laptop is using DHCP, the intruder must have DHCP server software installed on his laptop computer in order to give the wireless laptop an IP address when it requests one.

372
Which security solutions can prevent intruders from obtaining an IP address from your DHCP server?

A : 802.1X/EAP-TTLS (yes)
B : PPTP VPN
C : IPSec VPN
D : Open System authentication
E : WPA-Personal (yes)

Explanation: 802.1X/EAP-TTLS and WPA-Personal are layer 2 authentication protocols. EAP-TTLS may use TKIP or CCMP for encryption, and WPA-Personal uses TKIP for encryption. If the client cannot successfully authenticate using the correct username/password (with EAP-TTLS) or passphrase (with WPA-Personal), then no data link will exist. Without a data link, no DHCP request can be successfully issued by the client device. Open System authentication has no authentication requirement, and thus the client becomes associated immediately after authentication, providing a data link. PPTP and IPSec VPNs are based on having an IP address before the VPN tunnel can be established.

373
XYZ Company has been considering installation of an OFDM wireless LAN. The network administrator is concerned about security of the wireless LAN, so he has hired you as a consultant to come in and discuss security options. Cost and ease of implementation are both concerns, so the network administrator has been considering Point-to-Point Tunneling Protocol (PPTP) as a possible solution. He asks your opinion of the security level offered by PPTP on a wireless LAN. What is your response?

A : Since PPTP can use MPPE-128 encryption, you consider it a very secure and simple solution with no known vulnerabilities.
B : PPTP tunnels and encrypts data, but the original IP connection is still open to attack without a personal firewall in place. (yes)
C : PPTP offers strong authentication, but no data encryption, making it unsuitable for wireless LANs.
D : The strongest authentication PPTP offers is MS-CHAPv2, which has known vulnerabilities.
E : If use of AES encryption is specified in the PPTP configuration, it is a very strong wireless LAN security option.

Explanation: PPTP VPNs offer legacy authentication mechanisms such as PAP, CHAP, MS-CHAP, MS-CHAPv2, and EAP-TLS, with the strongest being EAP-TLS. MS-CHAPv2 is also used in Cisco's LEAP and EAP-FAST phase-0. MS-CHAPv2 can be broken using the ASLEAP cracking tool for Linux and Windows. PPTP tunnels use an IP connection to form an encrypted tunnel for data transport. The tunnel has its own IP subnet, and after the tunnel is formed between client and server, a static route is entered into both hosts so that all future data traffic is sent through the tunnel. However, the original IP subnet can still be used for data transfer, such as by port scanners and other hacking tools. Without a personal firewall in place, the client and server devices are still open to IP attacks. PPTP uses Microsoft Point-to-Point Encryption (MPPE), which uses the RC4 stream cipher. While MPPE-128 is a reasonably strong encryption scheme, it's the typical authentication mechanism (MS-CHAPv2) that makes PPTP weak. EAP-TLS should be used with PPTP instead of MS-CHAPv2 whenever possible.

374
ABC Corporation has recently hired a skilled wireless LAN security consultant to design, configure, install, and test a wireless LAN security implementation. The security implementation consists of 802.1X/PEAP, IPSec, and SSH2 solutions using the strongest available encryption. The security policy is very strict about use of the software solutions, and all end users have been sufficiently trained. When an unauthorized user tries to access the corporate WLAN from the parking lot, he cannot circumvent the existing security solutions. What are the next two steps the unauthorized user could take in order to penetrate the system's security?

(Choose 2)

A : Perform a distributed Internet crack against a single access point
B : Perform a social engineering attack against help desk personnel (yes)
C : Perform an RF jamming attack against the WIPS
D : Mount an email virus campaign to unlock access points from the wired LAN segment
E : Place a rogue access point on ABC Corporation's network (yes)

Exam Level: CWSP
Exam Objective: Wireless Network Attacks and Threat Assessment

Explanation: Due to the level of security implemented, any attack against an access point will be futile. An RF jamming attack will not penetrate the network, but rather it will deny network access to authorized users. Since the security methods implemented require usernames and passwords, a social engineering attack could be possible. By placing a rogue access point on the wired network, the wireless network can be successfully penetrated by circumventing existing security mechanisms.

375
Given: As the wireless LAN administrator, it is part of your responsibility to detect and eliminate rogue access points. You have educated end users about the dangers of rogue devices and have implemented a security policy sufficient to deter employees from placing rogues on the network. You have located a rogue access point that no employee will take responsibility for installing. You must assume that someone intentionally placed the rogue access point to attack your network. You determine that the rogue was not present on the network the previous day. By viewing the HTML management interface, you determine that the rogue has only been powered up for 15 minutes. What is your next task to deal with this situation?

(Choose 1)

A : Document the incident and report it to the highest level of management as a breach of security. Contact the police.
B : Disconnect the rogue access point's wired network connection, and save and analyze its log files. (yes)
C : Reconfigure all authorized access points to your organization's default security settings. Leave the rogue in place as a trap for the intruder.
D : Document the incident. Power down the access point, and take it to the police for fingerprinting tests.
E : Temporarily shut down the entire wireless segment of the network pending an internal criminal investigation

Exam Level: CWSP
Exam Objective: Monitoring and Management

Explanation: Disconnecting the rogue access point's wired network connection, and saving and analyzing its log files, should be done because you need to remove the rogue immediately from the network, but not disrupt normal company operations before you have all the facts from the log files. This is a measured response that should be defined in the company's security policy. It might not always be possible to recover log files from a rogue access point because it may not have the default password set. Resetting the unit to the manufacturer's default settings would also clear the log files. In cases like this, the only recourse is to have a WIPS in place that has monitored activity between the rogue and any client devices. Upper management should only be contacted if there is sufficient evidence to prosecute this breach of policy internally (which this is not). Police will not be interested in an internal matter unless you can prove the rogue was placed by someone who broke a local law (like trespassing). Documenting the incident is a good idea. Reconfiguring all authorized access points to your organization's default security settings and leaving the rogue in place as a trap for the intruder is incorrect because you should check your APs for tampering, but you should also immediately remove the rogue. Temporarily shutting down the entire wireless segment of the network pending an internal criminal investigation is incorrect because it could shut down your company's network for what might be a minimal intrusion. Such a response should already be set down in policy with regard to Business Impact Analysis and Business Continuity.

376
Which of the following is a type of WLAN Denial of Service (DoS) attack?
(Choose 1)

A : Peer file theft
B : Active Bit flipping
C : Passive WEP cracking
D : Hijacking (yes)
E : Eavesdropping

Exam Level: CWSP
Exam Objective: Monitoring and Management

Explanation: At its most basic level, hijacking is a Denial of Service attack. This attack is performed by causing a client to roam to a rogue access point, which is often a software AP running on the intruder's laptop. At that point, the user has been denied service. An advanced attack is to give the user the impression that they have not been denied service. One method is accomplished by running a captive portal, where the user is redirected to a spoofed webpage to get them to enter private information. This is called Wi-Fi Phishing. Peer file theft is an active attack that does not result in denying service. Bit-flipping is another active attack, used to impersonate an authorized client. Cracking WEP and eavesdropping are offline attacks that result in an unauthorized user being able to eavesdrop on your WEP encrypted network.

377
As a new WLAN administrator for XYZ Corp, you notice that people are hanging around the coffee shop next door to your building aiming Yagi antennas toward your building. You assume that they are, at a minimum, attempting to passively eavesdrop on your network's traffic. How can you verify that these people are indeed passively eavesdropping on your wireless LAN?

(Choose 1)

A : By using a WLAN protocol analyzer to detect an increase of collisions on the wireless network
B : By using a WIPS to detect rogue devices
C : By using a WLAN protocol analyzer detector application
D : By using a network reconnaissance tool to perform continuous PING sweeps
E : It is not possible to detect passive eavesdropping (yes)

Exam Level: CWSP
Exam Objective: Monitoring and Management

Explanation: Since wireless eavesdroppers use radio cards in RF monitor mode, there is no way to detect or verify that they are passively eavesdropping. In RF monitor mode (promiscuous mode), radio cards do not transmit frames of any kind, making them invisible to intrusion detection tools. Some WLAN discovery tools probe the network using probe request frames. These tools can be detected by their pattern of continuous probing.

378
An intruder wants to perform a WLAN hijacking attack against a wireless laptop on its layer 2 and layer 3 connections. This will be followed by a peer attack against open file shares on the wireless laptop. What items must the intruder possess to conduct this attack?

(Choose 1)

A : The SSID and channel of the authorized network, a narrowband RF jamming device, access point software, and subnet information of the existing network or DHCP server software (yes)
B : The SSID and channel of the authorized network, a spectrum analyzer, protocol analyzer software, wireless frame generator software, and DHCP server software
C : The SSID of the authorized network, Internet Connection Sharing software, a high power FHSS jamming device, and DHCP server software
D : The channel of the authorized network, a mobile microwave oven, access point software, a spectrum analyzer, and wireless protocol analysis software

Exam Level: CWSP
Exam Objective: Monitoring and Management

Explanation: The intruder must know the SSID the wireless laptop is currently using so that he can configure his software AP to match. He must have a software access point configured on a different channel from the authorized access point so that he can use an RF jamming device to cause the wireless laptop to roam from its authorized access point. If the wireless laptop is using a static IP address, the intruder must configure his own laptop for the same subnet using a different IP address. If the wireless laptop is using DHCP, the intruder must have DHCP server software installed on his laptop computer in order to give the wireless laptop an IP address when it requests one.

379
XYZ Corporation has hired you to audit their WLAN network security measures. XYZ Corp currently has the following security measures in place:

1. All access points have non-default management interface passwords
2. Access points have been configured not to broadcast their SSID in Beacons or to respond to Probe Request frames with null SSID values
3. 128-bit WEP is in use by all access point and wireless client devices
4. MAC filters are implemented on all access points to allow only authorized users
5. Wireless Intrusion Prevention System (WIPS) with rogue detection and prevention

Your task is to compromise XYZ Corp's wireless network by gaining access to sensitive data. How do you start your initial attack against the WLAN, given the above security measures?

(Choose 1)

A : Locate the WLAN using Netstumbler. Compromise data security by using a narrowband RF jamming device against an access point. Use a WLAN client device to gain access to the wired network through the jammed access point.
B : Locate the WLAN and obtain the SSID using Kismet. Put the SSID into a protocol analyzer, and then decode frames looking for HTTP logins to a captive portal or an access point. Use the HTTP login to gain access to the wired network.
C : Locate the WLAN and obtain the WEP key using a spectrum analyzer. Put the WEP key into a WLAN client device and access the wired network. Since the correct WEP key is being used, the WIPS will not detect your client as a rogue device.
D : Locate the WLAN using a WLAN protocol analyzer. Gain access to sensitive data by attacking WEP security using a WEP cracking utility and putting the WEP key into the protocol analyzer. (yes)

Exam Level: CWSP
Exam Objective: Monitoring and Management

Explanation: Even though the SSID is not being announced in Beacons or Probe Response frames, protocol analyzers can still get the SSID because other frames include the SSID field. Protocol analyzers see all WLAN frames, provided they are within range of a WLAN transmitter. Cracking WEP has become a simple process using tools such as Aircrack. Once WEP is cracked, you can place the WEP key into the protocol analyzer to capture data in plain text. Since data security has been compromised through passive eavesdropping, the MAC filters and the non-default passwords on the APs are ineffective. WIPS cannot detect passive eavesdropping devices because they do not transmit 802.11 frames. WEP cracking tools do not require 802.11 frame transmission.

380
As a consultant, you are explaining the risks of WLAN Denial-of-Service (DoS) attacks to a group of engineers at ABC Corporation. They understand DoS attacks, but do not understand wireless technology very well. You inform the engineers that there are multiple WLAN DoS attacks that must be mitigated as part of a security strategy. Which DoS attacks do you mention in your discussion with the group of engineers?

(Choose 3)

A : Use of 2.4 GHz cordless phones
B : Wideband RF jamming (yes)
C : 802.11 deauthentication (yes)
D : EAP-Start flooding (yes)
E : SSID hiding
F : Adjacent channel interference

Exam Level: CWSP
Exam Objective: Monitoring and Management

Explanation: 802.11 deauthentication, wideband RF jamming, and EAP-Start flooding can all cause authorized users not to be able to access network resources. DoS attacks typically take on two specific forms: physical and MAC layer. Physical DoS attacks are attacks against the RF medium, making it unusable for 802.11 stations. MAC layer attacks are attacks against the operation of the 802.11 and associated security protocols. RF jamming attacks the physical carrier sense mechanism, while 802.11 deauthentication attacks 802.11 MAC layer connectivity.

381
An attacker captures a wireless frame, modifies it, recalculates its ICV, and retransmits the modified frame to the intended destination. What type of attack is this, and what is the mitigating solution?

(Choose 1)

A : Man-in-the-middle attack - 802.11i per-frame authentication
B : En-route attack - CRC-32 checksum
C : Authentication attack - Replace passwords with x.509 certificates
D : Bit-flipping attack - Strong Message Integrity Check (MIC) (yes)
E : Hijacking attack - Mutual authentication

Exam Level: CWSP
Exam Objective: Monitoring and Management

Explanation: A bit-flipping attack is an attack where the hacker captures a data frame, modifies it, recalculates the Integrity Check Value (ICV) of the modified frame, and retransmits the modified frame to its

intended destination. When the communicating nodes use a strong Integrity Check Value (ICV), also called 'Message Integrity Check (MIC)' or 'Message Authentication Code (MAC)', modification becomes much more difficult. For example, TKIP is stronger than WEP because an additional 8-byte MIC was added to WEP's weak CRC-32 (4 bytes) ICV.

382
An intruder locates an unprotected 802.11b WLAN and gains control of two access points and a wireless bridge using the default SNMP read/write community strings. What types of wireless auditing tools are required for the intruder to locate the WLAN, discover the infrastructure devices, and exploit this particular security hole?

(Choose 1)

A : Netstumbler, share enumerator, wireless protocol analyzer, and spectrum analyzer
B : MacStumbler, OS fingerprinting & port scanning tool, and WEP decryption software
C : Wireless protocol analyzer, IP scanning utility, and network management software (yes)
D : IP scanning utility, network management software, access point software, and an RF jamming device
E : Network management software, WEP decryption software, application layer analyzer, and an SSH2 client utility

Exam Level: CWSP
Exam Objective: Monitoring and Management

Explanation: This is a three-tiered problem.
1. First, you need to identify the target WLAN devices by using a tool such as a wireless protocol analyzer. Protocol analyzers monitor the RF environment in order to display a list of wireless devices and decode captured frames.
2. Second, the identified hosts need to be enumerated to identify 'listening' ports and services. There are a number of 'IP scanning tools' that can perform this function, such as nmap, SuperScan, or WS Ping ProPack.
3. Once the services have been discovered, they can potentially be exploited. In this case, SNMP was both running and configured to use very weak, default community strings. These community strings were then tried by using network management software to exploit the discovered vulnerability.

383
As a wireless security professional working for ABC Corporation, you have a corner office with a window. You notice someone on the roof of the building across the street pointing a Yagi antenna in your building's direction. You deduce that this person is likely trying to attack ABC Corp's WLAN. What are your first steps in thwarting this potential attack?

(Choose 2)

A : Monitor the intrusion prevention system closely for any alerts and carefully document any findings (yes)
B : Broadcast a voice message and email to everyone in the company to refrain from using the WLAN until an intruder suspect can be apprehended

C : Shut down your WLAN until the individual on top of the other building can be identified and questioned as to his business D : Contact the facilities manager of the building across the street and inquire as to the nature of the business of the individual on top of his building (yes) E : Power up the perimeter Directional Jamming System (DJS) and focus its antennas at the individual across the street Exam Level: CWSP Exam Objective: Monitoring and Management Explanation: An intruder will likely make several failed attempts to gain access to a secure wireless network setting off intrusion system alarms. The information gained by the intrusion prevention system can be compared, in this instance, to the equipment used by the alleged intruder across the street if necessary. The facilities managers of other buildings in a metropolis area should be willing and able to account for the nature of the business of people on their roofs, especially when they are aiming antennas at your building. 384 As a wireless security professional, you are tasked by a company to quickly attempt to bypass static WEP security on their 802.11a WLAN. WEP is configured as mandatory on all devices in the network. Which approaches do you take? (Choose 2) A : Enable a wireless protocol analyzer and wait for it to gather a given amount of data traffic from multiple wireless LAN end users. You use AirCrack to look for weak IVs in the packet trace. (yes) B : Associate with an access point using Open System authentication and log in with the default username and password. You reconfigure the access point for a new WEP key. C : Record their SSID, phone number, address, and other data related to their organization and try to fit numbers and letters into patterns of 5, 10, 13, or 26 characters for use as a test WEP key (yes) D : Transmit a high volume of association frames to an access point to force it to fail into an Open System state. You use a WLAN client to associate and bypass WEP security. 
E : Configure Windows Zero Configuration (WZC) to have the key provided automatically to your client device. Enable a WLAN protocol analyzer to capture the WEP key.
Exam Level: CWSP
Exam Objective: Monitoring and Management
Explanation: Tools are now available to crack static WEP keys in mere minutes. Guessing a company's WEP key is rarely possible, but it remains feasible when extremely weak keys are used (5- or 13-character ASCII keys, or 10- or 26-character hex keys, built from the company name, phone number or address). Tools such as AirCrack recover the key statistically from weak IVs, so they need a large amount of captured data, but higher data rates (802.11a/g = 54 Mbps) and higher per-user throughput mean that traffic can be captured faster, and traffic-injection tools can generate the required IVs even on a quiet network. Gathering large amounts of traffic on fast, heavily laden networks has become reasonable. Answers B, D and E describe things that do not happen: an AP does not fall back to an open state under association flooding, and WZC does not obtain a WEP key on its own.

385 ABC Company's network includes ten ERP-OFDM (802.11g) STAs connecting through a single access point. To help avoid the spread of viruses between wireless users, what should be implemented on the network? (Choose 2)
A : Personal firewall software on client devices (yes)
B : Wireless Intrusion Prevention System (WIPS)
C : WLAN protocol analysis software on one laptop
D : Peer-to-peer data blocking in the AP (yes)
E : Wi-Fi Protected Access version 2 (WPA2)
Exam Level: CWSP
Exam Objective: Monitoring and Management
Explanation: Personal firewall software can stop direct attacks from viruses that spread through means such as open ports. Peer-to-peer data blocking prevents WLAN users from communicating with each other across an access point. Since all data between wireless peers is blocked, viruses cannot spread in this fashion. WPA2, whether Personal or Enterprise, forces authentication and encryption, but still allows users on the same AP to make connections with one another. A WIPS can detect different types of layer 2 attacks, but cannot prevent viruses, which are application-layer (layer 7) threats. Protocol analysis software would be no more effective than a WIPS in this respect.

386 WLAN protocol analyzers can decrypt data frames in real time when the data frames are encrypted with which security mechanisms? (Choose 2)
A : WPA-Personal (yes)
B : PPTP/MPPE
C : WPA2-Enterprise
D : IPSec/ESP
E : WEP-128 (yes)
Exam Level: CWSP
Exam Objective: Security Design and Architecture
Explanation: Most 802.11 protocol analyzers can decode both WEP (40/64-bit and 104/128-bit key lengths) and WPA-Personal. WPA-Personal decryption requires that the protocol analyzer capture a 4-Way Handshake (prior to data frame decoding) for the particular wireless node for which it will decode data frames. The passphrase must be entered into the protocol analyzer for WPA-Personal decoding; with WEP, the user only needs to enter the WEP key itself. The same passphrase-plus-handshake approach works for WPA2-Personal. WPA2-Enterprise cannot be decoded by a passive analyzer because each session's PMK is produced by the 802.1X/EAP exchange and is never available to the analyzer. PPTP/MPPE and IPSec/ESP are layer 3 tunnels keyed outside 802.11 entirely.

387 ABC Company's lightweight access points periodically go 'off channel' for a short period of time to scan all 802.11a/g Wi-Fi channels to detect and locate rogue access points. When a rogue access point is found, the active security policy requires at least one access point to perform a deauthentication attack against the rogue. What type of WIPS does ABC Company have? (Choose 1)
A : Hot-standby
B : Integrated (yes)
C : Overlay
D : Autonomous
E : AP-reliant
Exam Level: CWSP
Exam Objective: Security Design and Architecture
Explanation: There are two primary types of WIPS: integrated and overlay. An overlay WIPS is a standalone WIPS product that may be connected to the Ethernet infrastructure for the purpose of monitoring and reporting on security and wireless performance events. An overlay WIPS has its own management console and reporting features, as well as its own 802.11a/g sensors that cannot function as wireless infrastructure components. An integrated WIPS is a feature set of a WLAN switch/controller in which lightweight APs may be used as sensors in either a dedicated or hybrid (part-time scanning) mode, as in this scenario.

388 A university's WLAN administrator is seeking an efficient and effective method of detecting and eliminating rogue access points and wireless Ad Hoc networks across the entire campus. The administrator's friend suggests that he use a WLAN protocol analyzer to perform a weekly survey of the campus to discover rogue devices. The administrator considers this option and then asks you to offer advice on the subject. What is your advice to the administrator? (Choose 2)
A : In a campus environment, manual scanning for rogues requires too much time and resources to effectively and consistently locate all rogue devices. A system is needed that can inspect the entire campus in real time. (yes)
B : WLAN protocol analyzers will not detect rogue devices that do not use the 802.11 protocol frame format. (yes)
C : Because WLAN protocol analyzers can see all frames on the wireless medium, they are the most comprehensive solution for detecting rogue wireless devices of any kind.
D : By assigning one IT worker to do weekly scans using a WLAN protocol analyzer, Wi-Fi, Bluetooth, and Infrared rogue access points and Ad Hoc networks can be effectively located and removed.
E : WLAN protocol analyzers are not a comprehensive rogue detection solution because they cannot detect access points that are configured to hide the SSID in beacons.
Exam Level: CWSP
Exam Objective: Security Design and Architecture
Explanation: In large IT environments (enterprises and campuses), doing consistent 'walk about' scans is impractical and ineffective. Wireless Intrusion Prevention Systems should be used to inspect the entire campus environment in real time using distributed sensors and a central engine/console. Additionally, a WIPS can enforce policy adherence across the WLAN environment. An 802.11 analyzer still sees beacons from APs that hide their SSID, so E is wrong; what it cannot see is non-802.11 radios.

389 ABC Company has 6 employees, each of whom uses a laptop with an 802.11a/b/g MiniPCI card configured for Ad-Hoc mode. These laptops are the only computers in the company. Why is it not possible for ABC Company to have a Wireless Intrusion Prevention System (WIPS) with the existing network configuration? (Choose 1)
A : In an Ad-Hoc WLAN environment, there is no central management station to which to report intrusions. (yes)
B : Most intrusion detection systems by design are incompatible with 802.11 Ad-Hoc mode.
C : Intrusion detection systems use the SNMP protocol, which is incompatible with 802.11 Ad-Hoc mode.
D : Intrusion detection systems work only in switched WLAN environments.
Exam Level: CWSP
Exam Objective: Security Design and Architecture
Explanation: WIPS are generally used in large-scale enterprise networks due to the expense and complexity of IDS configuration and management. Host-based and network-based IDS both report to a central management station, which is not present in an Ad-Hoc wireless LAN implementation.

390 Wireless Intrusion Prevention Systems (WIPS) started as Wireless Intrusion Detection Systems (WIDS). WIPS can both detect and prevent some network attacks, whereas WIDS can only detect and report network intrusions. Which wireless network attacks can WIPS prevent? (Choose 1)
A : Narrowband RF jamming of a spread spectrum channel
B : EAP-Start flooding against an access point
C : Association of authorized clients to rogue access points (yes)
D : Deauthentication attacks against access points by intruders
Exam Level: CWSP
Exam Objective: Security Design and Architecture
Explanation: The physical layer for WLANs is the 'air' and, as such, is a shared medium. Some types of attack, particularly wireless denial of service attacks, take advantage of the difficulty of securing Layer 1 in WLANs. Further, some attacks may only take one frame to cause a disruption, which means that by the time the 'bad' frame is detected, it is already too late to stop it. Some of the strengths and weaknesses of WIPS include:
1. Narrowband RF jamming cannot be directly mitigated by a WIPS, since the physical medium is being flooded with what amounts to noise. The WIPS can be used to help identify and triangulate the location of the source device so that another control (e.g. a security guard) can address the RF jammer.
2. EAP-Start flooding can be detected, but again not directly prevented by a WIPS. Since this attack is intended to waste AP resources by beginning a large number of wireless 'conversations', there is no connection or association for the WIPS to block. This attack is somewhat analogous to the old SYN-flood attacks that were intended to create a large number of embryonic connections on servers and thus use up available resources.
3. Deauthentication attacks pose a similar problem for a WIPS as EAP-Start flooding. These attacks use a short, fire-and-forget method to cause problems in the WLAN. The WIPS can identify the attacker, and then other means can be used to take it down.
4. Since association takes a number of exchanges and has the intent of establishing connectivity with the rogue AP, the WIPS can step into the middle of the exchange and shut it down (typically by sending deauthentication frames to the client on the rogue's behalf). By monitoring the RF environment for new APs (and new beacons) the WIPS can remain aware of changes and new potential sources of attack.
Once an AP has been designated as hostile, clients can be effectively blocked from successfully associating until the rogue device can be tracked down and removed.

390 Two IT administrators at ABC Corporation are debating the differences between WPA2 and Layer 3 VPN technologies. The IT Director settles the dispute by explaining how WPA2 secures the WLAN data frame payloads. Which description of this process is correct in describing how WPA2 secures wireless data transmissions? (Choose 1)
A : WPA2 encrypts layer 2 addresses and encrypts the layer 3 through layer 7 payloads.
B : WPA2 encodes layer 2 addresses with a 64-bit offset and encrypts the layer 3 and layer 4 addresses only.
C : WPA2 encrypts layer 3 through layer 7 payloads while leaving layer 2 source and destination addresses exposed. (yes)
D : WPA2 leaves the layer 2 and layer 3 addresses exposed while encrypting layer 4 through layer 7 payloads.
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: WPA2 (802.11i-compliant, CCMP-enabled) encrypts layer 3-7 information while leaving layer 2 addresses (MAC) exposed. This is done so that layer 2 wireless devices (PCMCIA cards, access points, bridges, etc.) can communicate on the local wireless segment. More precisely, CCMP encrypts the frame body (from the LLC/SNAP header onward) and leaves the 802.11 MAC header in the clear, but the header's addresses and other selected fields are still integrity-protected, so they cannot be altered in transit without detection.

391 What statements describe the AES-CCMP data protection mechanism implemented by the 802.11i-2004 amendment? (Choose 1)
A : Uses the 256-bit Rijndael encryption algorithm to protect the MPDU Data field.
B : Protects the integrity of both the MPDU Data field and selected portions of the MPDU header. (yes)
C : Has support for CCMP using a 128-bit key that is mandatory for Robust Security Network (RSN) compliance when not using TKIP.
D : Uses either the RC4 stream cipher or 3DES block cipher to encrypt the MPDU Data field.
E : Uses a 192-bit encryption algorithm to protect authentication between the supplicant and authentication server.
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: The 802.11i amendment states the following:
8.3.3.1 CCMP overview. CCMP is based on the CCM of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES algorithm is defined in FIPS PUB 197. All AES processing used within CCMP uses AES with a 128-bit key and a 128-bit block size.

392 You have been hired by ABC Corporation to perform a WLAN security audit. ABC's network manager has attended a one-day manufacturer's seminar on WLAN security and, in your opinion, knows only enough to ask good questions of a WLAN security professional. The network manager asks you about the specific advantages of TKIP over WEP. You explain that TKIP has the following advantages over WEP: (Choose 2)
A : Inclusion of SHA-HMAC authentication to prevent man-in-the-middle attacks
B : Inclusion of a strong MIC to prevent in-transit frame tampering and replay attacks (yes)
C : Replacement of IVs with LIVs to prevent attacks against weak passwords
D : Replacement of CRC-32 with ICV-32 to prevent brute-force attacks against RC4
E : Improved per-packet keying to prevent weak IVs from being used to derive the WEP key (yes)
Exam Level: CWSP
Exam Objective: Security Policy

Explanation: TKIP is included as an optional security protocol in the 802.11i amendment. WPA-Personal and WPA-Enterprise implement TKIP. TKIP adds an 8-byte keyed MIC (Michael) to detect in-transit frame tampering, in addition to the CRC-32 ICV already included with WEP, and a 48-bit TKIP Sequence Counter (TSC) that lets the receiver reject replayed frames. The TSC also serves as the extended initialization vector (IV length grows from 24 bits to 48 bits), and TKIP's per-packet key mixing prevents the weak-IV attacks used to derive static WEP keys.

393 The 802.11i-2004 amendment defines and supports what three cipher suites? (Choose 3)
A : WEP (yes)
B : PSK
C : CCMP (yes)
D : TKIP (yes)
E : IPSec
F : SSH2
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: The 802.11i-2004 amendment lists supported cipher suites in table 20da. WEP (both 40- and 104-bit), TKIP, and CCMP are each listed. PSK is an authentication and key management (AKM) suite, not a cipher suite.

394 What is one method of implementing RADIUS-based VLAN assignment? (Choose 1)
A : VSA access lists
B : SSID assignment (yes)
C : Roaming profiles
D : VLAN map matrix
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: There are two methods of using RADIUS to assign users to specific VLANs after successful authentication:
SSID assignment: Upon successful EAP authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or WLAN switch. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or WLAN switch.
VLAN assignment: Upon successful EAP authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side of the wireless infrastructure device. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
In order to have RADIUS return the appropriate attributes to the access point, the RADIUS server must implement the access point vendor's Vendor Specific Attributes (VSAs) that define the allowed SSIDs or static VLAN assignment.

395 ABC Company has a Microsoft Windows 2003 Active Directory (AD) environment with IAS (an EAP-enabled RADIUS server) installed at their corporate headquarters (HQ) and at all branch locations. The HQ IAS server is currently used to authenticate HQ 802.11g WLAN users. ABC is installing an 802.11g WLAN at a branch office, and they have hired you to advise them on the best way to implement authentication for branch WLAN users. How will you configure access points at the branch office for maximized authentication speed and reliability? (Choose 1)
A : Authenticate against the HQ IAS server. The HQ IAS will look up the user on the HQ AD servers.
B : Authenticate against the branch IAS server. The branch IAS server will look up the user on the branch AD server. (yes)
C : Authenticate against the branch IAS server. The branch IAS server will proxy the request to the HQ IAS server. The HQ IAS server will look up the user on the HQ AD servers.
D : Authenticate against the branch IAS server. The branch IAS server will look up the user on the HQ AD servers.
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: EAP authentications should always remain on the LAN segment. Having an EAP session extend over a WAN introduces latency and unreliability, and the many round trips of a TLS-based EAP method multiply that latency. Proxying RADIUS authentication requests over a WAN also introduces latency and unreliability, but it is better than extending the EAP session over the WAN.
The optimum configuration in this scenario is to let the network operating system (NOS) extend a partition of the user directory to each branch office so that branch employees can be authenticated with EAP locally.

396 In an 802.11i-compliant 802.1X/EAP system, where are AAA keys generated? (Choose 1)
A : On the 802.1X Authentication Server only
B : Manually by the network administrator
C : Jointly negotiated between the 802.1X Supplicant and the 802.1X Authentication Server (yes)
D : On the 802.1X Authenticator only
E : In the Pass-phrase-to-PSK mapping algorithm
F : On the 802.1X Supplicant only
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: The 802.11i-2004 standard states:
3.64 authentication, authorization, and accounting (AAA) key: Key information that is jointly negotiated between the Supplicant and the Authentication Server (AS). This key information is transported via a secure channel from the AS to the Authenticator. The pairwise master key (PMK) may be derived from the AAA key.

397 Given: The enhanced confidentiality, data authentication, and replay protection mechanisms of the 802.11i-2004 amendment require fresh cryptographic keys. What wireless components are defined by the 802.11i-2004 amendment to provide fresh cryptographic keys? (Choose 3)
A : 4-Way Handshake (yes)
B : EAPoL Handshake
C : Group Handshake (yes)
D : 802.1X/EAP Handshake
E : AES-CCMP Handshake
F : STAKey Handshake (yes)
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: The 4-Way Handshake, the STAKey Handshake and the Group Key Handshake (a 2-way handshake) are used to generate fresh cryptographic keys whenever required. One such requirement is when the PMKID is not passed in the reassociation request frame to the new AP, so no cached PMK can be reused. Figures 11c and 11d of the 802.11i amendment illustrate the 4-Way and Group Key handshakes.

398 The 802.11i 4-way handshake process is used with which secure WLAN implementations? (Choose 2)
A : When WPA-Personal is used on a SOHO WLAN router (yes)
B : When static WEP-128 is used on a WLAN switch
C : When IPSec is used on an Enterprise Wireless Gateway
D : When WPA2-Enterprise is used on an enterprise class thick AP (yes)
E : When HTTPS is used for a WLAN hotspot login
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: The 802.11i 4-way handshake takes the Pairwise Master Key (PMK) and Group Master Key (GMK) and produces the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK) for data encryption (the PTK is derived by both sides from the PMK, the two MAC addresses and the two nonces; the GTK is derived by the AP from the GMK and delivered in message 3). This process is used for key generation for WPA-Personal, WPA-Enterprise, WPA2-Personal, and WPA2-Enterprise. WPA- and WPA2-Enterprise use the 802.1X/EAP process to generate the PMK. WPA- and WPA2-Personal take the passphrase entered by the user, put it through the 802.11i passphrase-to-PSK mapping formula, and produce a preshared key (PSK). The PSK is used as the PMK. Once a PMK is available, the 4-way handshake can be used. For more detailed information, refer to the CWNP Learning Center, and search for 'AKM'. This whitepaper explains the process in detail.

399 Which statement describes a potential architectural performance disadvantage of some WLAN controllers with centralized forwarding and controller-based access points in a large-scale WLAN deployment? (Choose 1)
A : Data encryption/decryption is always performed on the WLAN controller.
B : The 802.11 distribution system (DS) is located in the WLAN controller software.
C : All WLAN traffic must flow through the WLAN controller. (yes)
D : Management frames and Control frames are always encapsulated in 802.3 frames.
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: Where the encryption/decryption is performed in a WLAN switch/controller environment depends on the manufacturer; however, with centralized forwarding all data in such an environment must flow through the WLAN switch/controller. For this reason, if the amount of WLAN data exceeds the capability of the switch's network interfaces or CPU processing power, then a bottleneck will be created.
In a large-scale WLAN deployment, WLAN data can easily exceed the WLAN switch's throughput capabilities if the WLAN data volume is not carefully monitored.

400 Which statements are true regarding deployment of lightweight access points? (Choose 4)
A : Lightweight access points support 802.3af and may connect directly to the WLAN controller or to an Ethernet switch. (yes)
B : Lightweight access points may connect to the WLAN controller with either a Layer-2 or a Layer-3 protocol. (yes)
C : Lightweight access points may be controlled over either Layer-2 or Layer-3. (yes)
D : Lightweight access points may use DNS to locate their assigned WLAN controller. (yes)
E : Lightweight access points cannot be deployed over the Internet due to Network Address Translation.
F : Lightweight access points may be configured for 802.11a or 802.11g, but not both simultaneously.
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: All lightweight APs support 802.3af power over Ethernet. Most, but not all, lightweight access points support both a layer 2 and a layer 3 protocol for establishing connectivity to their assigned WLAN switch/controller. Layer 3 protocols might include LWAPP, GRE, and other similar protocols. When distributed lightweight access points power up, they receive an IP address from the local LAN segment, including DNS parameters. The DNS name of their assigned controller is pre-configured in the lightweight AP. After a DNS lookup, the lightweight AP has the correct IP address of its controller, which allows the AP to establish a layer 3 tunnel terminating at its controller. Because that tunnel is routed IP traffic, it can cross NAT boundaries, which is why E is false.

401 What is the primary difference between EAP-TLS and EAP-TTLS authentication? (Choose 1)
A : EAP-TTLS provides strong client authentication and EAP-TLS does not
B : EAP-TLS is an authentication protocol, and EAP-TTLS is an encryption type
C : EAP-TTLS provides support for legacy client authentication methods, and EAP-TLS requires certificates for client-side authentication (yes)
D : EAP-TLS uses a RADIUS server for authentication, and EAP-TTLS can only use Kerberos
E : EAP-TLS uses IP-based authentication, and EAP-TTLS uses MAC-based authentication
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: The primary differences between EAP-TLS and EAP-TTLS are:
1) EAP-TTLS provides support for legacy client authentication methods (username/password protocols such as PAP, CHAP, MS-CHAP, MS-CHAPv2, etc.), whereas EAP-TLS supports only client-side certificates for client authentication.
2) EAP-TTLS provides an encrypted tunnel between the client and server so that the client can securely pass its credentials to the server. The extra 'T' in EAP-TTLS stands for 'Tunneled'. EAP-TTLS is an enhancement of EAP-TLS and provides the same networking function. Both authenticate the server with an X.509 certificate; in EAP-TTLS the client should be configured to validate that certificate, or the tunnel (and the password-based inner method) can be captured by a rogue AP.

402 Which 802.1X/EAP type allows a maximum of three phases of authentication? (Choose 1)
A : EAP-FAST (yes)
B : EAP-TTLS/MS-CHAPv2
C : PEAPv0/EAP-MSCHAPv2
D : PEAPv1/EAP-GTC
E : EAP-TLS
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: EAP-TTLS and PEAP (v0 and v1) each have two phases (building the tunnel and user authentication). EAP-FAST has an optional Phase 0 for Protected Access Credential (PAC) provisioning, in which the PAC is delivered inside an anonymous TLS tunnel after an MS-CHAPv2 exchange. EAP-FAST also has Phase 1 (TLS-tunnel building using the PAC) and Phase 2 (user authentication), for a total of three phases of authentication.

403 According to the 802.11i-2004 amendment, when is the 802.1X controlled port placed in an 'authorized' state? (Choose 1)
A : Only after the uncontrolled port has been opened for a specific period of time
B : During user authentication, but only after the EAP-Identity/Response frame is received
C : All the time, without regard to EAP user authentication
D : After the EAP user has been mutually authenticated
E : After a successful 4-Way Handshake (yes)
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: In an RSNA, the IEEE 802.1X Port determines when to allow data traffic across an IEEE 802.11 link. A single IEEE 802.1X Port maps to one association, and each association maps to an IEEE 802.1X Port. An IEEE 802.1X Port consists of an IEEE 802.1X Controlled Port and an IEEE 802.1X Uncontrolled Port. The IEEE 802.1X Controlled Port is blocked (in an unauthorized state) from passing general data traffic between two STAs until a successful 4-Way Handshake is completed. Prior to the 4-Way Handshake, 802.1X/EAP authentication takes place to establish the user's identity and produce the PMK; the 4-Way Handshake then proves both sides hold that PMK and installs the encryption keys. IEEE 802.1X Supplicants and Authenticators exchange protocol information (EAPOL, including the handshake itself) via the IEEE 802.1X Uncontrolled Port. This is why D is not sufficient: EAP success alone leaves the port unauthorized until the keys are confirmed.
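The following is an added worked example, not part of the CWNP question bank: it implements the passphrase-to-PSK mapping and the 4-Way Handshake PTK derivation that questions 386 and 398 describe, builds a handshake message 2, and performs the EAPOL-Key MIC check that both the authenticator (before opening the controlled port, question 403) and a protocol analyzer (before decoding) rely on. It also shows why a captured handshake is enough to test passphrase guesses offline. Only the Python standard library is used; the SSID, MAC addresses, nonces and candidate passphrases are constructed test data, and the message 2 carries no RSN IE for brevity.

```python
"""Added example (not from the CWNP material): 802.11i passphrase-to-PSK mapping,
PTK derivation and EAPOL-Key message 2 MIC verification. Standard library only;
MAC addresses, nonces and candidate passphrases are constructed test data."""
import hashlib
import hmac


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i Annex H.4: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits) = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Ordering by value lets both sides derive the same PTK independently."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


MIC_OFFSET = 81  # EAPOL header (4) + Key Descriptor fields preceding the 16-byte Key MIC


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key Descriptor Version 2 (WPA2/CCMP): HMAC-SHA1 over the whole EAPOL frame
    with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes, key_data: bytes = b"") -> bytes:
    """Supplicant's 4-Way Handshake message 2. Key Info 0x010a = version 2,
    Pairwise, MIC present. key_data normally carries the supplicant's RSN IE."""
    body = (b"\x02" + (0x010A).to_bytes(2, "big") + bytes(2)       # descriptor type, Key Info, Key Length
            + (1).to_bytes(8, "big") + snonce                       # Replay Counter, Key Nonce
            + bytes(16) + bytes(8) + bytes(8)                       # Key IV, Key RSC, reserved
            + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)  # MIC placeholder, Key Data
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body       # EAPOL v1, type EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_msg2(frame: bytes, kck: bytes) -> bool:
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], eapol_key_mic(kck, frame))


def recover_passphrase(candidates, ssid, aa, spa, anonce, snonce, msg2):
    """What an analyzer or offline cracker does with a captured handshake: derive
    PSK -> PTK for each guess and keep the one whose KCK validates message 2.
    No data frame has to be decrypted to test a guess."""
    for guess in candidates:
        kck = derive_ptk(passphrase_to_psk(guess, ssid), aa, spa, anonce, snonce)["KCK"]
        if verify_msg2(msg2, kck):
            return guess
    return None


# Constructed handshake parameters (not a real capture)
SSID = "IEEE"
AA = bytes.fromhex("001122334455")    # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")   # supplicant MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def handshake_demo():
    """Returns (PSK, AP accepts msg2, wrong passphrase rejected, recovered passphrase)."""
    psk = passphrase_to_psk("password", SSID)
    sta = derive_ptk(psk, AA, SPA, ANONCE, SNONCE)
    msg2 = build_msg2(SNONCE, sta["KCK"])
    ap = derive_ptk(psk, AA, SPA, ANONCE, SNONCE)          # AP derives the same PTK
    ap_accepts = verify_msg2(msg2, ap["KCK"])
    wrong = derive_ptk(passphrase_to_psk("passw0rd", SSID), AA, SPA, ANONCE, SNONCE)
    wrong_rejected = not verify_msg2(msg2, wrong["KCK"])   # analyzer with wrong passphrase
    found = recover_passphrase(["letmein", "passw0rd", "password"],
                               SSID, AA, SPA, ANONCE, SNONCE, msg2)
    return psk, ap_accepts, wrong_rejected, found


if __name__ == "__main__":
    psk, ok, rejected, found = handshake_demo()
    print("PSK:", psk.hex())
    print("AP accepts msg2:", ok, "| wrong passphrase rejected:", rejected, "| recovered:", found)
```

The PSK for passphrase "password" and SSID "IEEE" matches the test vector in Annex H of the 802.11i amendment, which is a quick way to validate any PBKDF2 implementation. Note that the MIC check is also the reason WPA2-Enterprise cannot be cracked this way: its PMK comes from the EAP exchange, so there is no passphrase to enumerate.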

404 Which encryption algorithm can use two keys to encrypt wireless data payloads? (Choose 1)
A : 3DES (yes)
B : RC4
C : RC5
D : DES
E : AES
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: 3DES (Triple DES) applies DES three times to each block, in encrypt-decrypt-encrypt order, hence the 'Triple' moniker. With three independent keys, the clear block is first encrypted with key 1, the result is processed with key 2, and that result is encrypted with key 3. Two-key 3DES sets key 3 equal to key 1. If all three keys are the same, the middle pass undoes the first and the result is plain single DES, which is what makes 3DES backward compatible with legacy DES. On a WLAN, 3DES is seen in layer 3 VPNs (IPSec) rather than in 802.11 encryption itself.

405 Which protocols that are used to manage WLAN infrastructure devices support authentication and encryption? (Choose 3)
A : POP3/SSL
B : SNMPv3 (yes)
C : SSH2 (yes)
D : HTTPS (yes)
E : LDAP
F : RIPv2
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: HTTPS authenticates the server with an X.509 certificate and the user with a username and password over the TLS-encrypted session. SNMPv3 adds user-based authentication (authNoPriv) and, optionally, encryption of the transported data (authPriv); SNMPv1/v2c community strings provide neither. SSH2 authenticates the host with a public key, encrypts the channel, and supports many user authentication methods such as password and public key.

406 You are a consultant, hired by ABC Corporation to perform a risk assessment and impact analysis for intrusions on their new 802.11g WLAN. Which areas would you weigh most heavily while performing these tasks for ABC Corp? (Choose 2)
A : The sensitivity of information sent over the wireless network (yes)
B : The types of operating systems in use by WLAN end users
C : The legal implications of an intruder stealing sensitive data (yes)
D : The layer 2 and layer 3 roaming mechanisms currently in place
E : The type of wired infrastructure supporting the wireless network
Exam Level: CWSP
Exam Objective: Fast Secure Roaming
Explanation: If the data is highly sensitive, stronger authentication and encryption should be used to minimize the risk of exposure. The legal implications of an intruder stealing sensitive data could be disastrous for ABC Corp and should be weighed heavily in the impact analysis. While the other answers may have some impact, it would be very small in comparison to the type of information sent over the WLAN and the legal implications of compromised sensitive data.

407 ABC Hospital has spent a very large budget on a small 802.11g WLAN implementation to assure its security. There are layer 2, layer 3, and layer 7 security solutions in place, and no matter how many networking tools and approaches you try, you cannot circumvent their security solution. As an intruder, what is your next move in circumventing ABC's network security? (Choose 3)
A : Theft of a wireless LAN enabled laptop that contains authorized user credentials (yes)
B : Use a wideband RF jamming device to interfere with the 2.4 GHz ISM spectrum, and then capture user credentials during reauthentication
C : Connect your own access point to an RJ-45 wall jack in an unsecured patient room (yes)
D : A call to ABC's help desk impersonating an authorized user in an attempt to gain network user credentials (yes)
E : Attempt to circumvent WEP on the hospital administrator's home WLAN
F : Theft of a lightweight (thin) access point to obtain cached user credentials

408 An organization's security policy should address social engineering prevention and should include instructions not to divulge which items to unauthorized individuals? (Choose 2)
A : DSSS channel numbers in use
B : Physical locations of wireless infrastructure devices (yes)
C : Wireless client device types in use
D : ISM or UNII bands in use
E : SNMP strings (yes)
F : Business justification for the wireless network
Exam Level: CWSP
Exam Objective: Wireless Network Attacks and Threat Assessment
Explanation: SNMP community strings are effectively network management passwords, which can be used to control wireless infrastructure devices from management software utilities. If the physical locations of access points and bridges are known to attackers, those devices might be susceptible to theft, console access, or replacement attacks.

405 Before designing and installing a WLAN, XYZ Corporation wants to create a corporate security policy. XYZ Corp hires you to help write their policy. When asked by the IT Manager how to best address mitigation of RF jamming attacks, what advice do you offer? (Choose 1)
A : RF jamming attacks are rare, and very little emphasis should be placed on their mitigation. You consider mitigating RF jamming attacks a point of diminishing returns.
B : RF jamming attacks can cause severe disruption in production processes and should be the most important security concern addressed by the security policy
C : Very high RF barriers such as chain-link fences should be placed around a facility at a great distance, and the walls within the facility should have mesh wire placed inside.
D : While RF jamming attacks can only be prevented by physical security, WIPS can assist in detection and location of these attacks. (yes)
Exam Level: CWSP
Exam Objective: Monitoring and Management
Explanation: RF jamming attacks can disrupt users' connectivity to the network and can be part of other attacks such as hijacking. By strengthening physical security in and around a facility, people instigating such RF jamming attacks can be hindered or caught. WIPS can detect and help locate, though not prevent, RF jamming attacks.
Placing high chain-link fences might not be feasible in many cases, especially since most network attacks originate from within the organization. Placing mesh wire inside facility walls is very expensive and time-consuming, making it impractical.

406 An intruder is able to associate to an access point on your network, but the intruder is unable to obtain an IP address from your DHCP server due to a MAC filter you have in place on the access point. What software tools can the intruder use to circumvent the MAC filter? (Choose 2)
A : WLAN protocol analyzer (yes)
B : 802.11 frame generator sending deauthentication frames
C : WLAN discovery application
D : Utility that can change the MAC address of a WLAN radio card (yes)
E : Application layer analyzer
Exam Level: CWSP
Exam Objective: Monitoring and Management
Explanation: A WLAN protocol analyzer would allow the intruder to obtain the MAC address of a valid client on the wireless network, since 802.11 MAC headers are never encrypted. A utility such as SMAC would then be needed to change the intruder's MAC address software value in the Windows registry. A frame generator sending deauthentication frames would represent a Denial of Service attack, not a MAC spoofing attack. A WLAN discovery application and an application layer analyzer would not yield the information necessary to circumvent a MAC filter and to perform a MAC spoofing attack. This is why MAC filtering is an access control of little value on its own.

407 Which statement is true regarding the RF Fingerprinting feature in a WIPS? (Choose 1)
A : RF Fingerprinting requires that the WIPS submit a query to a network management system to find a client based on the MAC address table. The network management system then tells the WIPS where the device is located.
B : RF Fingerprinting requires an initial system calibration that mandates that a test client device be carried around a facility. The WIPS collects many data points and builds a map of the RF environment for later use in locating active WLAN clients. (yes)
C : RF Fingerprinting is where a call goes out from the network management system to all APs on the network, and each AP that 'hears' the user's signal responds to the network management system with the strength of the signal. The network management system then correlates this information to find the device.
D : RF Fingerprinting is the monitoring and tracking of each client's unique RF signature caused by variances in its radio transmissions.
Exam Level: CWSP
Exam Objective: Security Design and Architecture
Explanation: RF Fingerprinting is the latest generation in RF location and tracking tools. Detailed information can be found here: http://www.airespace.com/technology/technote_rf_fingerprinting.php

408 After the initial WIPS installation, what task should be performed before relying on the WIPS in a production environment? (Choose 1)
A : Sensors should be calibrated to assure accurate identification of 802.11 frame formats.
B : A single client device should be carried around the perimeter of the installation to verify that it can be heard by a sensor everywhere it roams.
C : Measure sensors' category 5 cable runs to verify they do not exceed 100 meters.
D : A baseline analysis should be performed to aid in locating and categorizing authorized and external access points. (yes)
Exam Level: CWSP
Exam Objective: Security Design and Architecture
Explanation: Wi-Fi access points are everywhere, and WIPS sensors can hear every access point within a significant range. The WIPS must be trained to understand the difference between an authorized access point (one that is connected to your network) and one that is not connected to your network (external). Authorized access points should adhere to a security policy, while external access points should be monitored so that authorized client devices do not accidentally connect to them. By categorizing authorized and external access points during the initial installation, rogue access points can be easily identified, and automatic countermeasures are not fired at a neighbor's legitimate AP.

409 Which security solutions can prevent intruders from obtaining an IP address from your DHCP server? (Choose 2)
A : 802.1X/EAP-TTLS (yes)
B : PPTP VPN
C : IPSec VPN
D : Open System authentication
E : WPA-Personal (yes)
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: 802.1X/EAP-TTLS and WPA-Personal are layer 2 authentication mechanisms. EAP-TTLS may use TKIP or CCMP for encryption, and WPA-Personal uses TKIP for encryption. If the client cannot successfully authenticate using the correct username/password (with EAP-TTLS) or passphrase (with WPA-Personal), then the 802.1X controlled port never opens and no data link exists. Without a data link, no DHCP request can be successfully issued by the client device. Open System authentication has no authentication requirement, so the client becomes associated immediately after authentication and is given a data link. PPTP and IPSec VPNs depend on the client already having an IP address before the VPN tunnel can be established, so they cannot stop the DHCP exchange itself.

410

What feature in a WPA-Enterprise network mitigates wireless replay attacks?

(Choose 1)
A : MIC-MAC key hashing
B : RADIUS replay mitigation
C : Frame sequence numbers (yes)
D : Anti-bitflip hashed code keying
E : Frame extension bit ordering
F : EAP authentication
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: TKIP (the security protocol of WPA networks) carries a 48-bit TKIP Sequence Counter (TSC) in every protected frame. The receiver remembers the highest TSC it has accepted from each transmitter and discards any frame whose TSC is not greater than that value, so a frame inserted into the data stream out of sequence, or a series of captured frames replayed on the medium, is rejected as invalid. CCMP provides the same protection with its 48-bit Packet Number (PN).

411
Given: An 802.11i-compliant wireless client station wants to seamlessly roam between 802.11i-compliant access points. The client station and all access points are part of a Robust Security Network (RSN). The client station is running a VoIP application that is latency sensitive. In order for the client station to seamlessly and quickly roam between access points, what value must be passed from the client station to the new access point in a Reassociation Request frame?

(Choose 1)
A : IP subnet information
B : MSDU fragmentation threshold values
C : Client station's configuration profile name
D : Pairwise Master Key Identifier (yes)
E : Wireless VLAN tag parameters
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: The 802.11i amendment states:

7.3.2.25.4 PMKID
The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP. The PMKID Count specifies the number of PMKIDs in
the PMKID List field. The PMKID list contains 0 or more PMKIDs that the STA believes to be valid for the destination AP. The PMKID can refer to
a) A cached PMKSA that has been obtained through preauthentication with the target AP
b) A cached PMKSA from an EAP authentication
c) A PMKSA derived from a PSK for the target AP

8.4.1.2.1 Security association in an ESS
A STA roaming within an ESS establishes a new PMKSA by one of three schemes:
- In the case of (re)association followed by IEEE 802.1X or PSK authentication, the STA repeats the same actions as for an initial contact association, but its Supplicant also deletes the PTKSA when it roams from the old AP. The STA's Supplicant also deletes the PTKSA when it disassociates/deauthenticates from all basic service set identifiers (BSSIDs) in the ESS.
- A STA (AP) can retain PMKs for APs (STAs) in the ESS to which it has previously performed a full IEEE 802.1X authentication. If a STA wishes to roam to an AP for which it has cached one or more PMKSAs, it can include one or more PMKIDs in the RSN information element of its (Re)Association Request frame. An AP whose Authenticator has retained the PMK for one or more of the PMKIDs can skip the 802.1X authentication and proceed with the 4-Way Handshake. The AP shall include the PMKID of the selected PMK in Message 1 of the 4-Way Handshake. If none of the PMKIDs of the cached PMKSAs matches any of the supplied PMKIDs, then the Authenticator shall perform another IEEE 802.1X authentication. Similarly, if the STA fails to send a PMKID, the STA and AP must perform a full IEEE 802.1X authentication.
- A STA already associated with the ESS can request its IEEE 802.1X Supplicant to authenticate with a new AP before associating to that new AP. The normal operation of the DS via the old AP provides the communication between the STA and the new AP. The STA's IEEE 802.11 management entity delays reassociation with the new AP until IEEE 802.1X authentication completes via the DS. If IEEE 802.1X authentication completes successfully, then PMKSAs shared between the new AP and the STA will be cached, thereby enabling the possible usage of reassociation without requiring a subsequent full IEEE 802.1X authentication procedure.

In short: the PMKID names a cached PMKSA, so a matching PMKID lets the new AP skip the full EAP exchange with the RADIUS server (which can take hundreds of milliseconds) and go straight to the 4-Way Handshake, which is what keeps a latency-sensitive VoIP call up during the roam.

412
As a consultant, you have been hired to design a wireless LAN security solution. Of primary concern is a wireless man-in-the-middle (MITM) attack. Which security solution will prevent this type of attack?

(Choose 1)
A : 802.1X/PEAP (yes)
B : MAC filters
C : RADIUS
D : LDAP
E : L2TP VPN
Exam Level: CWSP
Exam Objective: Security Policy
Explanation:
PEAP stands for Protected Extensible Authentication Protocol. It was developed to carry authentication data, including passwords, over 802.11 wireless networks. PEAP uses a server-side digital certificate to authenticate the authentication server to the wireless client and to build an encrypted TLS tunnel between the client and the authentication server; the inner authentication (for example MS-CHAPv2) then runs inside that tunnel, protected from eavesdropping and tampering on the wireless medium. Because the client verifies the server's certificate before it sends any credentials, a rogue access point fronting a rogue RADIUS server cannot insert itself into the exchange, and that is what defeats the MITM attack. The practical caveat is that this protection only holds if the supplicant is configured to validate the server certificate (trusted CA and expected server name); a supplicant that accepts any certificate will build its tunnel to an attacker's server just as readily.

Most wireless access points offer some type of MAC address filtering that lets the administrator permit only wireless clients with certain MAC addresses. This can be helpful; however, MAC addresses can be spoofed, and many software utilities allow a MAC address to be changed easily. RADIUS is an authentication protocol and by itself has no means to prevent MITM attacks. LDAP is a directory access protocol; in a wireless LAN, RADIUS may proxy authentication to an LDAP directory to verify the identity of an authenticating user. L2TP VPNs do not, by themselves, provide encryption (L2TP is normally paired with IPsec for that), and encryption with an authenticated key exchange is the key component in preventing MITM attacks.

413
Which 802.1X/EAP WLAN security solutions will interoperate with a One Time Password (OTP) server?

(Choose 2)
A : LEAP
B : PEAPv0/PAP-OTP
C : EAP-FAST (yes)
D : EAP-SSLv3
E : PEAPv1/EAP-GTC (yes)
F : EAP-TLS
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: A basic authentication scheme is for a server to request a password from the client, which types it and sends it over the network medium. This is vulnerable to eavesdroppers monitoring the medium with protocol analyzers: the captured password (even an encrypted one) can be played back in a replay attack to log on illegally. A challenge/response mechanism verifies the identity of a user or system without sending the actual password across the medium: the server sends a challenge (a string of alphanumeric characters), the client combines it with its password to generate a new value, and sends that value to the server. If the server can generate the same value from the challenge it sent and the client's password, the client must be authentic. An OTP (one-time password) system goes a step further and generates a series of passwords for a specific system. Once one of them has been used it cannot be used again; the logon system expects the next one-time password at the next logon, which is arranged by decrementing a sequence number, so replay attacks are eliminated. The series is created by the client, which combines a seed value with a secret pass phrase that only the client knows and runs the combination repeatedly through the MD4 or MD5 hash function (SHA-1 is also defined) to generate the sequence. Smart cards and token-based authentication methods use one-time passwords. Among the listed EAP types, EAP-GTC (Generic Token Card) was designed to carry exactly such a token or OTP response, and both PEAPv1 and EAP-FAST can tunnel EAP-GTC; LEAP and the MS-CHAPv2 inner methods need the server to hold a static password hash, and EAP-TLS uses certificates rather than passwords, so none of those fit an OTP server. The IETF OTP is based on the earlier Bellcore S/KEY one-time password system. A number of Internet RFCs discuss one-time passwords. These include RFC 1760 (The S/KEY
One-Time Password System, February 1995), RFC 2243 (OTP Extended Responses, November 1997), RFC 2289 (A One-Time Password System, February 1998), and RFC 2444 (The One-Time-Password SASL Mechanism, October 1998). Also see RFC 1511 (Common Authentication Technology Overview, September 1993), RFC 1704 (On Internet Authentication, October 1994), and RFC 2401 (Security Architecture for the Internet Protocol, November 1998).

414
Choose the statement that accurately describes the weaknesses of 802.1X/EAP-MD5 when used to secure a wireless LAN.

(Choose 2)
A : No interoperability between vendors
B : No per-session encryption keys (yes)
C : No mutual authentication (yes)
D : No IEEE standards compliance
E : No support of passphrase authentication
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: EAP-MD5 is a one-way CHAP-style challenge/response: only the supplicant proves knowledge of the password, so there is no mutual authentication between the supplicant and the authentication server, and a rogue access point posing as the authenticator goes undetected. It also produces no keying material, so the WLAN has to fall back on static encryption keys (WEP), which can be cracked. Secure encryption mechanisms change keys frequently, on a per-user, per-packet or per-session basis. In addition, the challenge and the MD5 response travel in the clear, so a captured exchange can be attacked offline with a dictionary.

415
ABC Corporation is a startup technology company that is designing a security solution for their wireless LAN. The network will serve hundreds of wireless users over the next 12 months. Which authentication methods will require the greatest amount of time for the initial configuration and ongoing management of the client machines?

(Choose 2)
A : PEAPv0/EAP-MSCHAPv2
B : EAP-TLS (yes)
C : EAP-TTLS/MS-CHAPv2
D : EAP-FAST (yes)
E : PEAPv1/EAP-AES
Exam Level: CWSP
Exam Objective: Security Policy
Explanation: EAP-TLS requires both server-side and client-side X.509 certificates. Creating and managing these certificates is both time-consuming and expensive. Client certificates may have to be revoked due to security breaches, and a certificate revocation list (CRL) must be maintained. EAP-TTLS and PEAP require only a server-side certificate for server authentication. EAP-FAST uses client-side Protected Access Credentials (PACs) created by the authentication server; for a truly secure environment, the EAP-FAST authentication server should also use an X.509 certificate. Whether X.509 certificates or PACs are distributed to the clients, both are high maintenance.

416
What VLAN segmentation strategies are typically used to improve security in a Wi-Fi network?

(Choose 3)
A : By device types (yes)
B : By VPN types
C : By encryption types (yes)
D : By user groups (yes)
E : By OSI layer
F : By QoS access category
Exam Level: CWSP
Exam Objective: Security Policy
Explanation:
Segmentation by user groups: Segmentation of the WLAN user community and enforcement of specific security policies per user group. For example, three wired and wireless VLANs in an enterprise environment could be created for full-time employee, part-time employee, and guest access.
Segmentation by device types and encryption types: Segmentation of the WLAN to allow devices with varying security robustness to access the WLAN. For example, it is not recommended to allow handheld clients that support only WEP to co-exist in the same VLAN with WLAN client devices using WPA-Enterprise. When this risk is present, devices should be segmented into separate VLANs to isolate the devices with weak security mechanisms; each VLAN is then filtered according to the strength of its security.

417
You are a new WLAN administrator that has been on the job for less than 30 days when your WIPS discovers a rogue access point. How should you respond in order to assess any existing damage done by this rogue device and to mitigate further damage?

(Choose 2)
A : Immediately call the police to report an electronic intrusion
B : Detach the rogue access point from your network's Ethernet switch or power it down (yes)
C : Verify the WIPS was able to prevent connections to the rogue access point from WLAN clients (yes)
D : Take the rogue access point to your company's security department for fingerprinting
E : Log into the rogue access point and change its management password
Exam Level: CWSP
Exam Objective: Fast Secure Roaming
Explanation: The first step when a rogue access point is found is to detach it from the network's Ethernet switch, leaving it as a standalone unit, or to power it off. Either step denies rogue clients access to your wired network resources. Leaving it powered on may also cause interference with your production network, so that is not a good idea. Every organization should have a wireless intrusion prevention system (WIPS) to detect and prevent connectivity to rogue access points. The WIPS will alarm and notify the administrator (if properly configured) when a rogue access point is located, and its event log of which clients associated to the rogue, and when, is the starting point for assessing any damage already done.

418
Which pair of statements describes one advantage of a proprietary security solution and one advantage of a standards-based security solution?

(Choose 1)
A : Proprietary: Time sensitive applications such as VoIP are often more efficiently transported. Standards-based: Allows implementation of layered security.
B : Proprietary: Unrecognizable by eavesdropping intruders. Standards-based: Desktop protocols such as IP can only be transported on standards-based layer 2 frame formats.
C : Proprietary: May incorporate compression and encryption simultaneously. Standards-based: Can interoperate with Ethernet distribution systems.
D : Proprietary: additional security strength from unpublished security mechanisms. Standards-based: Interoperability between security solutions (yes)
Exam Level: CWSP
Exam Objective: Fast Secure Roaming
Explanation: Proprietary wireless security solutions, by definition, rule out vendor interoperability; the purpose of standards is to enable and promote it. Intruders may gain an advantage from understanding standard security implementations when sufficient documentation exists from the standards body, whereas proprietary security solutions are almost always kept private. That advantage lasts only until the mechanism is reverse engineered, and an unpublished design has also escaped public cryptanalysis, so it should not be treated as a substitute for a vetted standard.

419
What is a disadvantage of using a Wi-Fi network as a high-availability production network?

(Choose 1)
A : Attacks against the 802.11 protocol can be detected, but not prevented. (yes)
B : The only method of troubleshooting a Wi-Fi network is verifying configuration parameters.
C : Reliable site surveys cannot be performed in some environments.
D : WLAN switches/controllers cannot be installed in a redundant configuration.
Exam Level: CWSP
Exam Objective: Fast Secure Roaming
Explanation: Attacks against the 802.11 protocol, such as a deauthentication attack, are detectable but cannot be prevented by a WIPS or any other device, because management frames carry no authentication in the base 802.11 standard: any station can forge a deauthentication from the AP's address. (The later 802.11w amendment, Protected Management Frames, adds integrity protection to deauthentication and disassociation frames and closes this particular gap where both the APs and the clients support it.) WLAN troubleshooting can be done using analyzers, site survey tools, and client utilities in most cases. A site survey can be reliably performed in any environment; it may, however, reveal that the environment itself is not reliable. WLAN switches/controllers and autonomous APs can be installed in a redundant (failover) configuration for high-availability environments.
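The PMKID mechanism quoted in question 411 above, as an added example (written for this page; it is not part of the exam material or of any vendor's code). It derives a PMK from a passphrase and SSID the way 802.11i does for PSK networks, computes the PMKID exactly as 802.11i defines it, and then models the (Re)Association Request exchange: the supplicant lists the PMKIDs it holds for the target AP, and the authenticator either skips to the 4-Way Handshake or falls back to a full 802.1X run. The MAC addresses, the "pmk-ap1"/"pmk-ap2" key material and the class names are constructed for the example.

```python
"""PMK derivation and PMKID caching on reassociation (added example, not from the exam)."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK as 802.11i specifies: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    AA is the authenticator (AP) MAC, SPA the supplicant (STA) MAC, 6 bytes each."""
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


class Authenticator:
    """One AP's PMKSA cache (constructed model): PMKID -> PMK."""

    def __init__(self, aa: bytes):
        self.aa = aa
        self.cache = {}

    def full_8021x(self, spa: bytes, pmk: bytes) -> bytes:
        """Stand-in for a full 802.1X/EAP run that yields a PMK; cache the PMKSA."""
        pid = pmkid(pmk, self.aa, spa)
        self.cache[pid] = pmk
        return pid

    def reassociation_request(self, spa: bytes, pmkid_list: list) -> str:
        """'fast': a listed PMKID matches a cached PMKSA for this SPA, so the AP goes
        straight to the 4-Way Handshake (Message 1 carries that PMKID).
        'full': no match, or the STA sent no PMKID, so 802.1X runs again.
        Recomputing the PMKID with the requesting SPA ties the cached key to the
        station it was established with; another station replaying the same
        PMKID list does not get the fast path."""
        for pid in pmkid_list:
            pmk = self.cache.get(pid)
            if pmk is not None and pmkid(pmk, self.aa, spa) == pid:
                return "fast"
        return "full"


class Supplicant:
    """The client's PMKSA cache (constructed model), keyed by AP address."""

    def __init__(self, spa: bytes):
        self.spa = spa
        self.pmksa = {}

    def learn(self, aa: bytes, pmk: bytes) -> None:
        self.pmksa[aa] = pmk

    def pmkid_list_for(self, aa: bytes) -> list:
        """PMKIDs to place in the RSN IE of the (Re)Association Request to AP aa."""
        return [pmkid(self.pmksa[aa], aa, self.spa)] if aa in self.pmksa else []


def roam_demo() -> dict:
    """Constructed walk-through: the STA authenticates to AP1, preauthenticates to
    AP2 across the DS, then roams to AP2 (fast) and to an unknown AP3 (full)."""
    sta = Supplicant(mac("00:11:22:33:44:55"))
    ap1 = Authenticator(mac("aa:bb:cc:00:00:01"))
    ap2 = Authenticator(mac("aa:bb:cc:00:00:02"))
    ap3 = Authenticator(mac("aa:bb:cc:00:00:03"))
    # In an EAP deployment each AP receives its own PMK from the RADIUS server;
    # a PSK network would instead use derive_pmk(passphrase, ssid) on both sides.
    pmk1 = hashlib.sha256(b"pmk-ap1").digest()   # constructed key material
    pmk2 = hashlib.sha256(b"pmk-ap2").digest()
    ap1.full_8021x(sta.spa, pmk1)
    sta.learn(ap1.aa, pmk1)
    ap2.full_8021x(sta.spa, pmk2)                # preauthentication via the DS
    sta.learn(ap2.aa, pmk2)
    stranger = mac("66:77:88:99:aa:bb")
    return {
        "ap2": ap2.reassociation_request(sta.spa, sta.pmkid_list_for(ap2.aa)),
        "ap3": ap3.reassociation_request(sta.spa, sta.pmkid_list_for(ap3.aa)),
        "stranger_at_ap2": ap2.reassociation_request(stranger, sta.pmkid_list_for(ap2.aa)),
    }


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())
    print(roam_demo())
```

`derive_pmk("password", "IEEE")` reproduces the IEEE 802.11i Annex H test vector, which is a useful sanity check for any PSK tooling; the PMKID is the same value a PMKID-caching attack targets, which is why the supplicant should only send it to an AP it trusts within the ESS.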
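The hash-chain one-time password scheme described in question 413 above, as an added example (written for this page; it is not the exam's or any OTP server's code). It follows the S/KEY / RFC 2289 construction with the MD5 variant: fold seed and pass phrase into 64 bits, hash repeatedly, register only the top of the chain with the server, and have the server accept a login only when one more hash of the offered value equals what it stored, then step the sequence number down. The user name, pass phrase, seed and chain length are constructed; the RFC's hex and six-word encodings of the 64-bit value are omitted.

```python
"""S/KEY-style one-time passwords, MD5 variant (added example, not from the exam)."""
import hashlib


def fold_md5(data: bytes) -> bytes:
    """MD5, then fold 128 bits to 64 by XORing the two 8-byte halves (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count`: hash seed||passphrase once, then `count`
    more times. The seed is case-insensitive and is lower-cased before use."""
    x = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        x = fold_md5(x)
    return x


class OtpServer:
    """Per user: [sequence number, last accepted OTP, seed]. The server never
    stores the pass phrase; the stored OTP is the chain link one step above
    the one the client will present next."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, passphrase: str, seed: str, n: int) -> None:
        """Enrolment registers OTP_n. (In practice the client computes this value
        and only the result reaches the server; the pass phrase is used here
        for brevity in the constructed example.)"""
        self.users[user] = [n, otp(passphrase, seed, n), seed]

    def challenge(self, user: str) -> str:
        seq, _, seed = self.users[user]
        return "otp-md5 %d %s" % (seq - 1, seed)   # what the client must compute next

    def login(self, user: str, candidate: bytes) -> bool:
        """Accept iff fold_md5(candidate) == stored; then store candidate and
        decrement the sequence number. A replayed value hashes to the previous
        link rather than the current one, so it is rejected."""
        rec = self.users[user]
        seq, stored, _ = rec
        if seq <= 0:
            return False                   # chain exhausted: re-enrol required
        if fold_md5(candidate) != stored:
            return False
        rec[0], rec[1] = seq - 1, candidate
        return True


class OtpClient:
    def __init__(self, passphrase: str):
        self.passphrase = passphrase       # never leaves the client

    def respond(self, challenge: str) -> bytes:
        _, seq, seed = challenge.split()
        return otp(self.passphrase, seed, int(seq))


def login_sequence() -> list:
    """Constructed run: good login, replay of it, wrong pass phrase, next good
    login, then the first value again (stale). Returns the server's verdicts."""
    server = OtpServer()
    server.enroll("alice", "correct horse battery", "Ab12", 99)
    alice = OtpClient("correct horse battery")
    mallory = OtpClient("guess")
    results = []
    r1 = alice.respond(server.challenge("alice"))            # OTP_98
    results.append(server.login("alice", r1))                # True
    results.append(server.login("alice", r1))                # False: replay
    r2 = alice.respond(server.challenge("alice"))            # OTP_97
    results.append(server.login("alice", mallory.respond(server.challenge("alice"))))  # False
    results.append(server.login("alice", r2))                # True
    results.append(server.login("alice", r1))                # False: stale link
    return results


if __name__ == "__main__":
    print(login_sequence())
```

An eavesdropper who captures OTP_98 cannot produce OTP_97 without inverting MD5, and cannot reuse OTP_98 because the server has already moved past it; this is the property that makes the scheme safe to carry inside EAP-GTC over a PEAP or EAP-FAST tunnel even when the tunnel itself is the only thing hiding the value from the air.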
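The two frame-level behaviours discussed in questions 410 and 419 above, as one added example (written for this page; it is not the exam's code nor that of any WIPS product). The first class is the receiver-side replay check that TKIP (TSC) and CCMP (PN) apply to every protected data frame, kept per transmitter and traffic class. The second is a sliding-window deauthentication-flood detector of the kind a WIPS alarms on but cannot stop, since the forged frame has already been accepted by the victim by the time anyone sees it. The frame records, addresses, window and threshold are constructed for the example.

```python
"""Replay-counter check and deauth-flood detection over constructed 802.11 frame
records (added example, not from the exam)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Frame:
    ts: float          # capture time in seconds (constructed)
    subtype: str       # "data" or "deauth"
    ta: str            # transmitter address
    ra: str            # receiver address
    tid: int = 0       # traffic class; TKIP/CCMP keep one counter per (TA, TID)
    counter: int = 0   # TSC (TKIP) or PN (CCMP): 48-bit, data frames only


class ReplayCheck:
    """Accept a protected frame only if its counter is greater than the last one
    accepted from the same transmitter on the same TID (the 802.11i receive rule
    behind the answer to question 410)."""

    def __init__(self):
        self.last = {}                         # (ta, tid) -> highest accepted counter

    def accept(self, f: Frame) -> bool:
        if f.counter >= 2 ** 48:
            return False                       # counter space exhausted: rekey first
        key = (f.ta, f.tid)
        if f.counter <= self.last.get(key, -1):
            return False                       # replayed or out-of-sequence frame
        self.last[key] = f.counter
        return True


class DeauthFloodDetector:
    """Raise one alarm per transmitter when more than `limit` deauthentication
    frames from it fall inside any `window`-second span."""

    def __init__(self, window: float = 1.0, limit: int = 10):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)         # ta -> timestamps inside the window
        self.alarmed = set()

    def observe(self, f: Frame):
        if f.subtype != "deauth":
            return None
        q = self.seen[f.ta]
        q.append(f.ts)
        while q and f.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit and f.ta not in self.alarmed:
            self.alarmed.add(f.ta)
            return "deauth flood from %s (%d frames in %.1fs)" % (f.ta, len(q), self.window)
        return None


def constructed_capture() -> list:
    """Constructed capture: a client's data frames with one replayed frame, a frame
    on another TID, then an attacker spoofing the AP's address with a deauth flood.
    The WIPS sees the AP's address as TA because that is what the attacker forged."""
    ap, sta = "aa:bb:cc:00:00:01", "00:11:22:33:44:55"
    frames = [Frame(i * 0.01, "data", sta, ap, 0, 100 + i) for i in range(5)]
    frames.append(Frame(0.10, "data", sta, ap, 0, 102))      # replay of an earlier frame
    frames.append(Frame(0.11, "data", sta, ap, 6, 3))        # other TID: its own counter
    frames.append(Frame(0.12, "data", sta, ap, 0, 105))      # next in sequence: accepted
    frames += [Frame(0.20 + i * 0.005, "deauth", ap, sta) for i in range(30)]
    return frames


def run(frames: list):
    """Return (dropped data frames as (ta, tid, counter), list of alarm strings)."""
    replay, flood = ReplayCheck(), DeauthFloodDetector(window=1.0, limit=10)
    dropped, alarms = [], []
    for f in frames:
        if f.subtype == "data" and not replay.accept(f):
            dropped.append((f.ta, f.tid, f.counter))
        alarm = flood.observe(f)
        if alarm:
            alarms.append(alarm)
    return dropped, alarms


if __name__ == "__main__":
    print(run(constructed_capture()))
```

Note what the two checks can and cannot do: the replay check protects data frames because their counter is covered by the MIC, whereas the deauth flood is only reported, because nothing in the unprotected management frame lets the victim tell the forgery from a genuine AP deauthentication.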
