CWSP-207 Certified Wireless Security Professional (CWSP) Questions and Answers

MSCHAPv2 passwords used with EAP/PEAPv0 should be stronger than typical WPA2-PSK passphrases.

Password complexity should be maximized so that weak WEP IV attacks are prevented.

Static passwords should be changed on a regular basis to minimize the vulnerabilities of a PSK-based authentication.

Certificates should always be recommended instead of passwords for 802.11 client authentication.

EAP-TLS must be implemented in such scenarios.

Require Port Address Translation (PAT) on each laptop.

Require secure applications such as POP, HTTP, and SSH.

Require VPN software for connectivity to the corporate network.

Require WPA2-Enterprise as the minimal WLAN security solution.

In home networks in which file and printer sharing is enabled

At public hot-spots in which many clients use diverse applications

In corporate Voice over Wi-Fi networks with push-to-talk multicast capabilities

In university environments using multicast video training sourced from professor’s laptops

Use a WPA2-Enterprise compliant security solution with strong mutual authentication and encryption for network access of corporate devices.

Hide the SSID of all legitimate APs on the network so that intruders cannot copy this parameter on rogue APs.

Conduct thorough manual facility scans with spectrum analyzers to detect rogue AP RF signatures.

A trained employee should install and configure a WIPS for rogue detection and response measures.

Enable port security on Ethernet switch ports with a maximum of only 3 MAC addresses on each port.

Supplicant devices

LDAP server

Controller-based APs

WLAN controller

RADIUS server

Use an IPSec VPN for connectivity to the office network

Use only HTTPS when agreeing to acceptable use terms on public networks

Use enterprise WIPS on the corporate office network

Use WIPS sensor software on the laptop to monitor for risks and attacks

Use 802.1X/PEAPv0 to connect to the corporate office network from public hot-spots

Use secure protocols, such as FTP, for remote file transfers.

The PTK is a type of master key used as an input to the GMK, which is used for encrypting multicast data frames.

The PTK contains keys that are used to encrypt unicast data frames that traverse the wireless medium.

The PTK is XOR'd with the PSK on the Authentication Server to create the AAA key.

The PTK is used to encrypt the Pairwise Master Key (PMK) for distribution to the 802.1X Authenticator prior to the 4-Way Handshake.

All MSDU contents

All MPDU contents

All PPDU contents

All PSDU contents

Offline dictionary attacks

MAC Spoofing

ASLEAP

DoS

802.1X/EAP-TTLS

Open 802.11 authentication with IPSec

802.1X/PEAPv0/MS-CHAPv2

WPA2-Personal with AES-CCMP

EAP-MD5

Identify the IP subnet information for each network segment.

Identify the manufacturer of the wireless intrusion prevention system.

Identify the skill level of the wireless network security administrator(s).

Identify the manufacturer of the wireless infrastructure hardware.

Identify the wireless security solution(s) currently in use.

Integrated WIPS always perform better from a client throughput perspective because the same radio that performs the threat scanning also services the clients.

Integrated WIPS use special sensors installed alongside the APs to scan for threats.

Many integrated WIPS solutions that detect Voice over Wi-Fi traffic will cease scanning altogether to accommodate the latency sensitive client traffic.

Integrated WIPS is always more expensive than overlay WIPS.

WEP-128

WPA2-Personal

EAP-TLS

WPA-Enterprise

802.1X/LEAP

Awareness of the exact vendor devices being installed

Management support for the process

End-user training manuals for the policies to be created

Security policy generation software

EAP-TTLS sends encrypted supplicant credentials to the authentication server, but EAP-TLS uses unencrypted user credentials.

EAP-TTLS supports client certificates, but EAP-TLS does not.

EAP-TTLS does not require an authentication server, but EAP-TLS does.

EAP-TTLS does not require the use of a certificate for each STA as authentication credentials, but EAP-TLS does.

A data retrieval protocol used by an authentication service such as RADIUS

An IEEE X.500 standard compliant database that participates in the 802.1X port-based access control process

A SQL compliant authentication service capable of dynamic key generation and distribution

A role-based access control protocol for filtering data to/from authenticated stations.

An Authentication Server (AS) that communicates directly with, and provides authentication for, the Supplicant.

Wireless adapter failure analysis.

Interference source location.

Fast secure roaming problems.

Narrowband DoS attack detection.

MS-CHAPv2 is compliant with WPA-Personal, but not WPA2-Enterprise.

MS-CHAPv2 is subject to offline dictionary attacks.

LEAP’s use of MS-CHAPv2 is only secure when combined with WEP.

MS-CHAPv2 is only appropriate for WLAN security when used inside a TLS-encrypted tunnel.

MS-CHAPv2 uses AES authentication, and is therefore secure.

When implemented with AES-CCMP encryption, MS-CHAPv2 is very secure.

John's bank is using an expired X.509 certificate on their web server. The certificate is on John's Certificate Revocation List (CRL), causing the user ID and password to be sent unencrypted.

John uses the same username and password for banking that he does for email. John used a POP3 email client at the wireless hot-spot to check his email, and the user ID and password were not encrypted.

John accessed his corporate network with his IPSec VPN software at the wireless hot-spot. An IPSec VPN only encrypts data, so the user ID and password were sent in clear text. John uses the same username and password for banking that he does for his IPSec VPN software.

The bank’s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Before connecting to the bank’s website, John’s association to the AP was hijacked. The attacker intercepted the HTTPS public encryption key from the bank’s web server and has decrypted John’s login credentials in near real-time.

Encryption cracking

Offline dictionary attacks

Layer 3 peer-to-peer

Application eavesdropping

Session hijacking

Layer 1 DoS

When the RF signal between a client and an access point is disrupted for more than a few seconds, the client device will attempt to associate to an access point with better signal quality.

When the RF signal between a client and an access point is lost, the client will not seek to reassociate with another access point until the 120 second hold down timer has expired.

After the initial association and 4-way handshake, client stations and access points do not need to perform another 4-way handshake, even if connectivity is lost.

As specified by the Wi-Fi Alliance, clients using Open System authentication must allow direct client-to-client connections, even in an infrastructure BSS.

Client drivers scan for and connect to access points in the 2.4 GHz band before scanning the 5 GHz band.

Weak-IV

Forgery

Replay

Bit-flipping

Session hijacking

RF DoS attacks

Layer 2 Disassociation attacks

Robust management frame replay attacks

Social engineering attacks

Enabling encryption to prevent MAC addresses from being sent in clear text

How to prevent non-IT employees from learning about and reading the user security policy

End-user training for password selection and acceptable network use

The exact passwords to be used for administration interfaces on infrastructure devices

Social engineering recognition and mitigation techniques