CWSP-207 Certified Wireless Security Professional (CWSP) Questions and Answers

SSID

IP Address

BSSID

Signal strength

RSN IE

Noise floor

IPSec VPN client and server software

Internet firewall software

Wireless intrusion prevention system

WLAN endpoint agent software

RADIUS proxy server

Integrated WIPS always perform better from a client throughput perspective because the same radio that performs the threat scanning also services the clients.

Integrated WIPS use special sensors installed alongside the APs to scan for threats.

Many integrated WIPS solutions that detect Voice over Wi-Fi traffic will cease scanning altogether to accommodate the latency sensitive client traffic.

Integrated WIPS is always more expensive than overlay WIPS.

Wireshark Protocol Analyzer

Wireless VPN Management Systems

Wireless Intrusion Prevention System

Distributed RF Spectrum Analyzer

WLAN Emulation System

EAPoL Reject frame flood against a rogue AP

Evil twin attack against a rogue AP

Deauthentication attack against a classified neighbor AP

ASLEAP attack against a rogue AP

Uses SNMP to disable the switch port to which rogue APs connect

Probe request

Beacon

RTS

CTS

Data frames

In home networks in which file and printer sharing is enabled

At public hot-spots in which many clients use diverse applications

In corporate Voice over Wi-Fi networks with push-to-talk multicast capabilities

In university environments using multicast video training sourced from professor’s laptops

MSCHAPv2 passwords used with EAP/PEAPv0 should be stronger than typical WPA2-PSK passphrases.

Password complexity should be maximized so that weak WEP IV attacks are prevented.

Static passwords should be changed on a regular basis to minimize the vulnerabilities of a PSK-based authentication.

Certificates should always be recommended instead of passwords for 802.11 client authentication.

EAP-TLS must be implemented in such scenarios.

Enabling encryption to prevent MAC addresses from being sent in clear text

How to prevent non-IT employees from learning about and reading the user security policy

End-user training for password selection and acceptable network use

The exact passwords to be used for administration interfaces on infrastructure devices

Social engineering recognition and mitigation techniques

Require Port Address Translation (PAT) on each laptop.

Require secure applications such as POP, HTTP, and SSH.

Require VPN software for connectivity to the corporate network.

Require WPA2-Enterprise as the minimal WLAN security solution.

Use a WPA2-Enterprise compliant security solution with strong mutual authentication and encryption for network access of corporate devices.

Hide the SSID of all legitimate APs on the network so that intruders cannot copy this parameter on rogue APs.

Conduct thorough manual facility scans with spectrum analyzers to detect rogue AP RF signatures.

A trained employee should install and configure a WIPS for rogue detection and response measures.

Enable port security on Ethernet switch ports with a maximum of only 3 MAC addresses on each port.

Awareness of the exact vendor devices being installed

Management support for the process

End-user training manuals for the policies to be created

Security policy generation software

On the Ethernet switch that connects to the AP, configure the switch port as an access port (not trunking) in the VLAN of supported clients.

During 802.1X authentication, RADIUS sends a return list attribute to the WLAN controller assigning the user and all traffic to a specific VLAN.

In the WLAN controller’s local user database, create a static username-to-VLAN mapping on the WLAN controller to direct data traffic from a specific user to a designated VLAN.

Configure the WLAN controller with static SSID-to-VLAN mappings; the user will be assigned to a VLAN according to the SSID being used.

The 802.1X Controlled Port is always blocked, but the Uncontrolled Port opens after the EAP authentication process completes.

The 802.1X Controlled Port remains blocked until an IP address is requested and accepted by the Supplicant.

The 4-Way Handshake must be performed before the 802.1X Controlled Port changes to the unblocked state.

The 802.1X Controlled Port is blocked until Vender Specific Attributes (VSAs) are exchanged inside a RADIUS packet between the Authenticator and Authentication Server.

EAP-TTLS sends encrypted supplicant credentials to the authentication server, but EAP-TLS uses unencrypted user credentials.

EAP-TTLS supports client certificates, but EAP-TLS does not.

EAP-TTLS does not require an authentication server, but EAP-TLS does.

EAP-TTLS does not require the use of a certificate for each STA as authentication credentials, but EAP-TLS does.

Man-in-the-Middle

Wi-Fi phishing

Management interface exploits

UDP port redirection

IGMP snooping

RF DoS attacks

Layer 2 Disassociation attacks

Robust management frame replay attacks

Social engineering attacks

MS-CHAPv2 is compliant with WPA-Personal, but not WPA2-Enterprise.

MS-CHAPv2 is subject to offline dictionary attacks.

LEAP’s use of MS-CHAPv2 is only secure when combined with WEP.

MS-CHAPv2 is only appropriate for WLAN security when used inside a TLS-encrypted tunnel.

MS-CHAPv2 uses AES authentication, and is therefore secure.

When implemented with AES-CCMP encryption, MS-CHAPv2 is very secure.

WPA-Enterprise

802.1X/EAP-PEAP

WPA2-Enterprise

WPA2-Personal

John's bank is using an expired X.509 certificate on their web server. The certificate is on John's Certificate Revocation List (CRL), causing the user ID and password to be sent unencrypted.

John uses the same username and password for banking that he does for email. John used a POP3 email client at the wireless hot-spot to check his email, and the user ID and password were not encrypted.

John accessed his corporate network with his IPSec VPN software at the wireless hot-spot. An IPSec VPN only encrypts data, so the user ID and password were sent in clear text. John uses the same username and password for banking that he does for his IPSec VPN software.

The bank’s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Before connecting to the bank’s website, John’s association to the AP was hijacked. The attacker intercepted the HTTPS public encryption key from the bank’s web server and has decrypted John’s login credentials in near real-time.

Social engineering and/or eavesdropping

RF DoS and/or physical theft

MAC denial of service and/or physical theft

Authentication cracking and/or RF DoS

Code injection and/or XSS

Wireless adapter failure analysis.

Interference source location.

Fast secure roaming problems.

Narrowband DoS attack detection.

Intruders may obtain the passphrase with an offline dictionary attack and gain network access, but will be unable to decrypt the data traffic of other users.

A successful attack against all unicast traffic on the network would require a weak passphrase dictionary attack and the capture of the latest 4-Way Handshake for each client.

An unauthorized wireless client device cannot associate, but can eavesdrop on some data because WPA2-Personal does not encrypt multicast or broadcast traffic.

An unauthorized WLAN user with a protocol analyzer can decode data frames of authorized users if he captures the BSSID, client MAC address, and a user’s 4-Way Handshake.

Because WPA2-Personal uses Open System authentication followed by a 4-Way Handshake, hijacking attacks are easily performed.

All integrated 802.11ac adapters will work with most protocol analyzers for frame capture, including the Radio Tap Header.

Integrated 802.11ac adapters are not typically compatible with protocol analyzers in Windows laptops. It is often best to use a USB adapter or carefully select a laptop with an integrated adapter that will work.

Laptops cannot be used to capture 802.11ac frames because they do not support MU-MIMO.

Only Wireshark can be used to capture 802.11ac frames as no other protocol analyzer has implemented the proper frame decodes.

The only method available to capture 802.11ac frames is to perform a remote capture with a compatible access point.