Chapter 13. Flashcards Preview


Flashcards in Chapter 13. Deck (42):

What did 802.11i bring?

Robust Wireless Security


What are the 5 categories of wireless security?

Data privacy and integrity
Authentication, authorization, and accounting (AAA)


What is a cipher?

An algorithm used to perform encryption.


Which is the best cipher to use for wireless?



What is AES?

A block cipher much stronger than RC4. Uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).


What amendment introduced protection for authentication and association frames?



What happens to the 802.11 data frame if data encryption is enabled?

If data encryption is enabled, the MAC Service Data Unit (MSDU) inside the body of any 802.11 data frame is protected by layer 2 encryption. Most of the encryption methods discussed in this chapter use layer 2 encryption, which is used to protect the layer 3–7 information found inside the body of an 802.11 data frame.


What is authentication? Give an example.

Authentication is the verification of identity and credentials. Users or devices must identify themselves and present credentials, such as usernames and passwords or digital certificates.


What is authorization? Give an example.

Authorization determines if the device or user is authorized to have access to network resources. This can include identifying whether you can have access based upon the type of device you are using (laptop, tablet, or phone), time of day restrictions, or location. Before authorization can be determined, proper authentication must occur.


What is accounting?

Accounting is tracking the use of network resources by users and devices. It is an important aspect of network security, used to keep a historical trail of who used what resource, when, and where.


What is segmentation? Give examples of how a network would be segmented.

Segmentation is separating user traffic within a network. VLANs are used to segment the network.


What is open systems authentication?

Basically ensures that both devices are 802.11. Authenticates the devices, not the users. How does it work?

Open System authentication provides authentication without performing any type of user verification. It is essentially a two-way exchange between the client radio and the access point:
1. The client sends an authentication request.
2. The access point then sends an authentication response.


What cipher did WEP use?



How long is a MAC address?

12-digit hexadecimal.


What happens when you cloak your SSID?

When you implement a closed network, the SSID field in the beacon frame is null (empty), and therefore passive scanning will not reveal the SSID to client stations that are listening to beacons.


Does cloaking your SSID also hide you from active scanning?

Yes, it does, because the probe requests will have a null SSID. The AP will then respond with a null SSID field, or the request will be ignored. The AP will only respond to clients that are trusted or have associated before and whose SSID field is filled with the correct SSID and not null.


How are hidden networks with masked IDs discovered?

By using a layer 2 scanning tool or protocol analyzer and listening to the clients send data/control frames to the AP.


What is the most common wireless authentication method used in small businesses?

PSK or private shared key.


What is the default encryption method for 802.11-2012?

CCMP/AES encryption is the default encryption method.


When 802.11i was ratified, what certification was given to devices that were compliant?

WPA2 certification. WPA2 is a more complete implementation of the 802.11i amendment and supports both CCMP/AES and TKIP/RC4 dynamic encryption-key generation.


What happens during a client interaction on a network configured for robust security, when the clients first communicate?

Two stations (STAs) must authenticate and associate with each other, as well as create dynamic encryption keys through a process known as the 4-Way Handshake. This association between two stations is referred to as an RSNA. In other words, any two radios must share dynamic encryption keys that are unique between those two radios.


An RSN can be identified by what field in a frame? What is the name of this field?

An RSN can be identified by a field found in beacons, probe response frames, association request frames, and reassociation request frames. This field is known as the RSN Information Element (IE). This field may identify the cipher suite capabilities of each station.


What is an authentication and key management protocol (AKMP), and where is it used?

A system that requires both authentication processes and the generation and management of encryption keys. Can be either a preshared key (PSK) or an EAP protocol used during 802.1X authentication.


What are some ways that vendors are combating the issues with wireless preshared keys?

Creating databases in which each user can have his/her own password. Simpler than setting up a RADIUS server.


What are the 3 components that 802.1X is made of?

Supplicant - A host with software that requests authentication and access to network resources is known as a supplicant. Each supplicant has unique authentication credentials that are verified by the authentication server.

Authenticator - An authenticator device blocks traffic or allows traffic to pass through its port entity. It allows or blocks traffic using 2 virtual ports: the uncontrolled port, which allows EAP authentication traffic to pass through, and the controlled port, which blocks all other traffic until the supplicant has been authenticated.

Authentication Server (AS) - The authentication server validates the credentials of the supplicant that is requesting access and notifies the authenticator that the supplicant has been authorized.


What is EAP? What are the 2 ways that authentication occurs? How does it work?

Extensible Authentication Protocol. EAP is a layer 2 protocol that is very flexible.
Mutual authentication - Mutual authentication not only requires that the authentication server validate the client credentials, but the supplicant must also authenticate the validity of the authentication server. By validating the authentication server, the supplicant can ensure that the username and password are not inadvertently given to a rogue authentication server. A root certificate is installed on the RADIUS server and a CA cert is installed on the clients.


What part of the security triangle do EAP and 802.1X satisfy?

Authentication and Authorization


What is the 4-Way Handshake?

Two stations (STAs) must establish a procedure to authenticate and associate with each other as well as create dynamic encryption keys through a process. These final keys are created during a four-way EAP frame exchange that is known as the 4-Way Handshake.


What is a Group Master Key (GMK) and the Pairwise Master Key (PMK)?

Part of the RSNA process involves the creation of two master keys.


What is a PMK (Pairwise Master Key)?

The PMK is created as a result of the 802.1X/EAP authentication. These master keys are the seeding material used to create the final dynamic keys that are used for encryption and decryption.


What is a Pairwise Transient Key?

The PTK is used to encrypt/decrypt unicast traffic, and the GTK is used to encrypt/decrypt broadcast and multicast traffic.


What is PSK and how does it work?

This method involves manually typing matching passphrases on both the access point and all client stations that will need to be able to associate to the wireless network. A formula is run that converts the passphrase to a Pairwise Master Key (PMK) used with the 4-Way Handshake to create the final dynamic encryption keys.


What is TKIP?

The optional encryption method defined for a robust security network is Temporal Key Integrity Protocol (TKIP). This method uses the RC4 cipher just as WEP encryption does. As a matter of fact, TKIP is an enhancement of WEP encryption that addresses many of the known weaknesses of WEP. The problem with WEP was not the RC4 cipher but how the encryption key was created. TKIP was developed to rectify the problems that were inherent in WEP.


Why does TKIP slow down wireless significantly?

Because of the additional overhead used. A total of 20 bytes of overhead is added to the body of an 802.11 data frame.


What does CCMP stand for?

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).


What cipher does CCMP use?



What is the key size for CCMP?

CCMP/AES uses a 128-bit encryption-key size and encrypts in 128-bit fixed-length blocks.


What is the added overhead cost for using CCMP and what is the downside?

CCMP/AES encryption will add an extra 16 bytes of overhead to the body of an 802.11 data frame. Because the AES cipher is processor intensive, older legacy 802.11 devices do not have the processing power necessary to perform AES calculations.


How would you get your users to use a single SSID but still be separated into VLANs based on roles?

Using a RADIUS server, RADIUS attributes can be leveraged for VLAN assignment when using 802.1X authentication on the employee SSID. When a RADIUS server provides a successful response to an authentication request, the ACCESS-ACCEPT response can contain a series of attribute-value pairs (AVPs). One of the most popular uses of RADIUS AVPs is assigning users to VLANs dynamically, based on the identity of the authenticating user.


How does SSL VPN work?

The traffic between the web browser and the SSL VPN server is encrypted with the SSL protocol or Transport Layer Security (TLS). TLS and SSL encrypt data connections above the Transport layer, using asymmetric cryptography for privacy and a keyed message authentication code for message reliability.


What is one of the primary reasons behind a captive portal?

One of the most important aspects of the captive web portal page is the legal disclaimer. A good legal disclaimer informs the guest users about acceptable behavior while using the guest WLAN. Businesses are also legally protected if something bad should happen to a guest user’s WLAN device, such as being infected by a computer virus.


What is a captive portal?

Most hotspots and guest networks are secured by a captive portal. A captive portal is essentially the integration of a firewall with an authentication web page. When a user connects to the guest network, whether wired or wireless, any packets that the user transmits are intercepted and blocked from accessing a gateway to the network resources until the user has authenticated through the captive portal.