CWSP-205 - Certified Wireless Security Professional (CWSP)
Go back to CWNP - Certified Wireless Security Professional
What security vulnerabilities may result from a lack of staging, change management, and installation procedures for WLAN infrastructure equipment? (Choose 2)
WIPS may not classify authorized, rogue, and neighbor APs accurately
Management interface exploits due to the use of default usernames and passwords for AP management
Given: ABC Company secures their network with WPA2-Personal authentication and AES- CCMP encryption. What part of the 802.11 frame is always protected from eavesdroppers by this type of security?
All MSDU contents
A WLAN is implemented using WPA-Personal and MAC filtering. To what common wireless network attacks is this network potentially vulnerable? (Choose 3)
Offline dictionary attacks
You have been recently hired as the wireless network administrator for an organization spread across seven locations. They have deployed more than 100 APs, but they have not been managed in either an automated or manual process for more than 18 months. Given this length of time, what is one of the first things you should evaluate from a security perspective?
The firmware revision
What elements should be addressed by a WLAN security policy? (Choose 2)
End-user training for password selection and acceptable network use
Social engineering recognition and mitigation techniques
Given: One of the security risks introduced by WPA2-Personal is an attack conducted by an authorized network user who knows the passphrase. In order to decrypt other users' traffic, the attacker must obtain certain information from the 4-way handshake of the other users. In addition to knowing the Pairwise Master Key (PMK) and the supplicant's address (SA), what other three inputs must be collected with a protocol analyzer to recreate encryption keys? (Choose 3)
Authenticator address (BSSID)
Given: You are the WLAN administrator in your organization and you are required to monitor the network and ensure all active WLANs are providing RSNs. You have a laptop protocol analyzer configured. In what frame could you see the existence or non-existence of proper RSN configuration parameters for each BSS through the RSN IE?
Given: The Marketing department's WLAN users need to reach their file and email server as well as the Internet, but should not have access to any other network resources. What single WLAN security feature should be implemented to comply with these requirements?
Role-based access control
Given: A network security auditor is preparing to perform a comprehensive assessment of an 802.11ac network's security. What task should be performed at the beginning of the audit to maximize the auditor's ability to expose network vulnerabilities?
Identify the wireless security solution(s) currently in use.
Given: AAA is an architectural framework used to provide three separate security components in a network. Listed below are three phrases that each describe one aspect of the AAA framework. Option-1 -- This AAA function is performed first and validates user identify prior to determining the network resources to which they will be granted access. Option-2 -- This function is used for monitoring and auditing purposes and includes the collection of data that identifies what a user has done while connected. Option-3 -- This function is used to designate permissions to a particular user. What answer correctly pairs the AAA component with the descriptions provided above?
Option-1 Authentication Option-2 Accounting Option-3 Authorization
While performing a manual scan of your environment using a spectrum analyzer on a laptop computer, you notice a signal in the real time FFT view. The signal is characterized by having peak power centered on channel 11 with an approximate width of 20 MHz at its peak. The signal widens to approximately 40 MHz after it has weakened by about 30 dB. What kind of signal is displayed in the spectrum analyzer?
An 802.11g AP operating normally in 2.4 GHz
Given: ABC Company is an Internet Service Provider with thousands of customers. ABC's customers are given login credentials for network access when they become a customer. ABC uses an LDAP server as the central user credential database. ABC is extending their service to existing customers in some public access areas and would like to use their existing database for authentication. How can ABC Company use their existing user database for wireless user authentication as they implement a large-scale WPA2-Enterprise WLAN security solution?
Implement a RADIUS server and query user authentication requests through the LDAP server.
Role-Based Access Control (RBAC) allows a WLAN administrator to perform what network function?
Provide two or more user groups connected to the same SSID with different levels of network privileges.
An attack is under way on the network. The attack is preventing users from accessing resources required for business operations, but the attacker has not gained access to any files or data. What kind of attack is described?
ABC Company requires the ability to identify and quickly locate rogue devices. ABC has chosen an overlay WIPS solution with sensors that use dipole antennas to perform this task. Use your knowledge of location tracking techniques to answer the question. In what ways can this 802.11-based WIPS platform determine the location of rogue laptops or APs? (Choose 3)
Time Difference of Arrival (TDoA)
Trilateration of RSSI measurements
What drawbacks initially prevented the widespread acceptance and use of Opportunistic Key Caching (OKC)?
Because OKC is not defined by any standards or certification body, client support was delayed and sporadic early on.
Given: In XYZ's small business, two autonomous 802.11ac APs and 12 client devices are in use with WPA2-Personal. What statement about the WLAN security of this company is true?
A successful attack against all unicast traffic on the network would require a weak passphrase dictionary attack and the capture of the latest 4-Way Handshake for each client.
Given: ABC Company has recently installed a WLAN controller and configured it to support WPA2-Enterprise security. The administrator has configured a security profile on the WLAN controller for each group within the company (Marketing, Sales, and Engineering). How are authenticated users assigned to groups so that they receive the correct security profile within the WLAN controller?
The RADIUS server sends a group name return list attribute to the WLAN controller during every successful user authentication.
Given: You are installing 6 APs on the outside of your facility. They will be mounted at a height of 6 feet. What must you do to implement these APs in a secure manner beyond the normal indoor AP implementations? (Choose the single best answer.)
Ensure proper physical and environmental security using outdoor ruggedized APs or enclosures.
Given: Your company has just completed installation of an IEEE 802.11 WLAN controller with 20 controller-based APs. The CSO has specified PEAPv0/EAP-MSCHAPv2 as the only authorized WLAN authentication mechanism. Since an LDAP-compliant user database was already in use, a RADIUS server was installed and is querying authentication requests to the LDAP server. Where must the X.509 server certificate and private key be installed in this network?
What wireless authentication technologies may build a TLS tunnel between the supplicant and the authentication server before passing client authentication credentials to the authentication server? (Choose 3)
What policy would help mitigate the impact of peer-to-peer attacks against wireless-enabled corporate laptop computers when the laptops are also used on public access networks such as wireless hot-spots?
Require VPN software for connectivity to the corporate network.
What is one advantage of using EAP-TTLS instead of EAP-TLS as an authentication mechanism in an 802.11 WLAN?
EAP-TTLS does not require the use of a certificate for each STA as authentication credentials, but EAP-TLS does.
When using a tunneled EAP type, such as PEAP, what component is protected inside the TLS tunnel so that it is not sent in clear text across the wireless medium?
Given: XYZ Company has recently installed an 802.11ac WLAN. The company needs the ability to control access to network services, such as file shares, intranet web servers, and Internet access based on an employee's job responsibilities. What WLAN security solution meets this requirement?
A WLAN controller with RBAC features
Given: In a security penetration exercise, a WLAN consultant obtains the WEP key of XYZ Corporation's wireless network. Demonstrating the vulnerabilities of using WEP, the consultant uses a laptop running a software AP in an attempt to hijack the authorized user's connections. XYZ's legacy network is using 802.11n APs with 802.11b, 11g, and 11n client devices. With this setup, how can the consultant cause all of the authorized clients to establish Layer 2 connectivity with the software access point?
When the RF signal between the clients and the authorized AP is temporarily disrupted and the consultant's software AP is using the same SSID on a different channel than the authorized AP, the clients will reassociate to the software AP.
As a part of a large organization's security policy, how should a wireless security professional address the problem of rogue access points?
A trained employee should install and configure a WIPS for rogue detection and response measures.
For a WIPS system to identify the location of a rogue WLAN device using location patterning (RF fingerprinting), what must be done as part of the WIPS installation?
The RF environment must be sampled during an RF calibration process.
Given: ABC Company is implementing a secure 802.11 WLAN at their headquarters (HQ) building in New York and at each of the 10 small, remote branch offices around the United States. 802.1X/EAP is ABC's preferred security solution, where possible. All access points (at the HQ building and all branch offices) connect to a single WLAN controller located at HQ. Each branch office has only a single AP and minimal IT resources. What security best practices should be followed in this deployment scenario?
An encrypted VPN should connect the WLAN controller and each remote controller-based AP, or each remote site should provide an encrypted VPN tunnel to HQ.
Given: XYZ Hospital plans to improve the security and performance of their Voice over Wi-Fi implementation and will be upgrading to 802.11n phones with 802.1X/EAP authentication. XYZ would like to support fast secure roaming for the phones and will require the ability to troubleshoot reassociations that are delayed or dropped during inter-channel roaming. What portable solution would be recommended for XYZ to troubleshoot roaming problems?
Laptop-based protocol analyzer with multiple 802.11n adapters
Given: A large enterprise is designing a secure, scalable, and manageable 802.11n WLAN that will support thousands of users. The enterprise will support both 802.1X/EAP-TTLS and PEAPv0/MSCHAPv2. Currently, the company is upgrading network servers as well and will replace their existing Microsoft IAS implementation with Microsoft NPS, querying Active Directory for user authentication. For this organization, as they update their WLAN infrastructure, what WLAN controller feature will likely be least valuable?
Internal RADIUS server
What statement accurately describes the functionality of the IEEE 802.1X standard?
Port-based access control with EAP encapsulation over the LAN (EAPoL)
Given: Your network includes a controller-based WLAN architecture with centralized data forwarding. The AP builds an encrypted tunnel to the WLAN controller. The WLAN controller is uplinked to the network via a trunked 1 Gbps Ethernet port supporting all necessary VLANs for management, control, and client traffic. What processes can be used to force an authenticated WLAN client's data traffic into a specific VLAN as it exits the WLAN controller interface onto the wired uplink? (Choose 3)
During 802.1X authentication, RADIUS sends a return list attribute to the WLAN controller assigning the user and all traffic to a specific VLAN.
In the WLAN controller's local user database, create a static username-to-VLAN mapping on the WLAN controller to direct data traffic from a specific user to a designated VLAN.
Configure the WLAN controller with static SSID-to-VLAN mappings; the user will be assigned to a VLAN according to the SSID being used.
Given: When the CCMP cipher suite is used for protection of data frames, 16 bytes of overhead are added to the Layer 2 frame. 8 of these bytes comprise the MIC. What purpose does the encrypted MIC play in protecting the data frame?
The MIC provides for a cryptographic integrity check against the data payload to ensure that it matches the original transmitted data.
Wireless Intrusion Prevention Systems (WIPS) provide what network security services? (Choose 2)
Wireless vulnerability assessment
Policy enforcement and compliance management
You perform a protocol capture using Wireshark and a compatible 802.11 adapter in Linux. When viewing the capture, you see an auth req frame and an auth rsp frame. Then you see an assoc req frame and an assoc rsp frame. Shortly after, you see DHCP communications and then ISAKMP protocol packets. What security solution is represented?
Open 802.11 authentication with IPSec
What is a primary criteria for a network to qualify as a Robust Security Network (RSN)?
WEP may not be used for encryption.
What statements are true about 802.11-2012 Protected Management Frames? (Choose 2)
802.11w frame protection protects against some Layer 2 denial-of-service (DoS) attacks, but it cannot prevent all types of Layer 2 DoS attacks.
Management frame protection protects disassociation and deauthentication frames.
Which of the following security attacks cannot be detected by a WIPS solution of any kind? (Choose 2)
Given: ABC Corporation's 802.11 WLAN is comprised of a redundant WLAN controller pair (N+1) and 30 access points implemented in 2004. ABC implemented WEP encryption with IPSec VPN technology to secure their wireless communication because it was the strongest security solution available at the time it was implemented. IT management has decided to upgrade the WLAN infrastructure and implement Voice over Wi-Fi and is concerned with security because most Voice over Wi-Fi phones do not support IPSec. As the wireless network administrator, what new security solution would be best for protecting ABC's data?
Migrate corporate data and Voice over Wi-Fi devices to WPA2-Enterprise with fast secure roaming support, and segment Voice over Wi-Fi data on a separate VLAN.
You must support a TSN as you have older wireless equipment that will not support the required processing of AES encryption. Which one of the following technologies will you use on the network so that a TSN can be implemented that would not be required in a network compliant with 802.11-2012 non-deprecated technologies?
In the basic 4-way handshake used in secure 802.11 networks, what is the purpose of the ANonce and SNonce? (Choose 2)
They are input values used in the derivation of the Pairwise Transient Key.
They allow the participating STAs to create dynamic keys while avoiding sending unicast encryption keys across the wireless medium.
Given: Many corporations configure guest VLANs on their WLAN controllers that allow visitors to have Internet access only. The guest traffic is tunneled to the DMZ to prevent some security risks. In this deployment, what risks are still associated with implementing the guest VLAN without any advanced traffic monitoring or filtering features enabled? (Choose 2)
Intruders can send spam to the Internet through the guest VLAN.
Unauthorized users can perform Internet-based network attacks through the WLAN.
When implementing a WPA2-Enterprise security solution, what protocol must the selected RADIUS server support?
You are implementing an 802.11ac WLAN and a WIPS at the same time. You must choose between integrated and overlay WIPS solutions. Which of the following statements is true regarding integrated WIPS solutions?
Many integrated WIPS solutions that detect Voice over Wi-Fi traffic will cease scanning altogether to accommodate the latency sensitive client traffic.
When used as part of a WLAN authentication solution, what is the role of LDAP?
A data retrieval protocol used by an authentication service such as RADIUS
As the primary security engineer for a large corporate network, you have been asked to author a new security policy for the wireless network. While most client devices support 802.1X authentication, some legacy devices still only support passphrase/PSK-based security methods. When writing the 802.11 security policy, what password-related items should be addressed?
Static passwords should be changed on a regular basis to minimize the vulnerabilities of a PSK-based authentication.
Given: You are using WEP as an encryption solution. You are using VLANs for network segregation. Why can you not establish an RSNA?
RSNA connections require TKIP or CCMP.
Given: You are using a Wireless Aggregator utility to combine multiple packet captures. One capture exists for each of channels 1, 6 and 11. What kind of troubleshooting are you likely performing with such a tool?
Fast secure roaming problems.
In the IEEE 802.11-2012 standard, what is the purpose of the 802.1X Uncontrolled Port?
To allow only authentication frames to flow between the Supplicant and Authentication Server