
Chapter 9: Implementing Wireless LAN Security


TRUE/FALSE

1. WEP2 attempted to overcome the limitations of WEP by adding two new security enhancements.
ANS: T REF: 293

2. The block cipher used in 802.11i is the Data Encryption Standard (DES).
ANS: F REF: 295

3. WPA authentication can be accomplished by using either IEEE 802.1x or pre-shared key (PSK) technology.
ANS: T REF: 299

4. Pre-shared key (PSK) authentication uses a passphrase that is automatically generated to generate the encryption key.
ANS: F REF: 304

5. A virtual private network (VPN) uses a public, unsecured network as if it were a private, secured network.
ANS: T REF: 312

MULTIPLE CHOICE

1. What authentication system did the proposed WEP2 standard use?
a. Kerberos
b. AES-CCMP
c. dynamic WEP
d. key caching
ANS: A REF: 293

2. In dynamic WEP, the ____ key is changed every time the user roams to a new AP or logs out and logs back in.
a. broadcast
b. unicast
c. passphrase
d. ticket
ANS: B REF: 294

3. The 802.11i standard addresses both ____.
a. encryption and confidentiality
b. integrity and confidentiality
c. authentication and direction
d. encryption and authentication
ANS: D REF: 295

4. Within Step 2 of Advanced Encryption Standard (AES), multiple iterations (called rounds) are performed depending upon the key size: a 128-bit key performs 9 rounds, a 192-bit key performs 11 rounds, and a 256-bit key uses ____ rounds.
a. 13
b. 15
c. 17
d. 19
ANS: A REF: 295

5. Within the IEEE 802.1x standard, ____ ensures that a device (wired or wireless) that requests access to the network is prevented from receiving any traffic until its identity can be verified.
a. an access control list
b. port security
c. port scanning
d. port blocking
ANS: B REF: 296

6. What feature of IEEE 802.11i allows a device to become authenticated to an AP before moving to it?
a. key caching
b. port security
c. pre-authentication
d. message passing
ANS: C REF: 296

7. How long is the per-packet key used in TKIP?
a. 40 bits
b. 64 bits
c. 128 bits
d. 256 bits
ANS: C REF: 297

8. ____ replaces CRC in WPA.
a. MIC
b. MRC
c. CMR
d. CMC
ANS: A REF: 298

9. ____ was designed to address WEP vulnerabilities with a minimum of inconvenience.
a. IEEE 802.11i
b. TGi
c. dynamic WEP
d. WPA
ANS: D REF: 299

10. What security technology was most recently introduced?
a. WPA
b. WPA2
c. WEP2
d. Dynamic WEP
ANS: B REF: 300

11. The ____ wireless security standard provides a low level of security.
a. Dynamic WEP
b. WEP
c. WEP2
d. All of the above
ANS: D REF: 300

12. What is the first step in implementing an interim security model?
a. shared key authentication
b. port security
c. turning off SSID beaconing
d. MAC address filtering
ANS: A REF: 302

13. When implementing an interim security model, most vendors have the option of a 128-bit WEP key, which can be created by entering 16 ____ characters. This provides the most secure option.
a. ASCII
b. ciphered
c. hexadecimal
d. plaintext
ANS: C REF: 303

14. The personal security model is intended for settings in which a(n) ____ is unavailable.
a. wired network
b. authentication server
c. AP
d. intermediate security model
ANS: B REF: 304

15. The ____ method of encryption is used in a personal security model.
a. PSK
b. WEP
c. TKIP
d. MAC
ANS: C REF: 304

16. What is the name of the 128-bit key used in TKIP?
a. temporal key
b. MIC
c. XOR
d. PRNG
ANS: A REF: 305

17. ____ is considered to be the “heart and soul” of WPA security.
a. PSK
b. IV
c. MIC
d. TKIP
ANS: D REF: 306

18. Encryption under the WPA2 personal security model is accomplished by using the block cipher ____.
a. TKIP
b. AES
c. PSK
d. CBC
ANS: B REF: 307

19. ____ authentication is used in the enterprise security model using WPA and WPA2.
a. AES
b. TKIP
c. IEEE 802.1x
d. All of the above
ANS: C REF: 308

20. A ____ VPN is a user-to-LAN connection used by remote users.
a. remote-access
b. site-to-site
c. peer-to-peer
d. remote-to-LAN
ANS: A REF: 312

21. At the heart of a WIDS are ____; these devices, which can be either separate hardware devices or a standard access point operating in a special “scan” mode, monitor the airwaves to detect signals from rogue access points.
a. captive portals
b. VPNs
c. firewalls
d. wireless sensors
ANS: D REF: 314

COMPLETION

1.
ANS: Kerberos REF: 293

2. In WPA, ____ encryption replaces WEP’s small 40-bit encryption key that must be manually entered on wireless APs and devices and does not change.
ANS: Temporal Key Integrity Protocol (TKIP); Temporal Key Integrity Protocol; TKIP REF: 297

3. The ____ security model is designed for single users or small office home office (SOHO) settings of generally 10 or fewer wireless devices.
ANS: personal REF: 304

4. The ____ security model is designed for medium to large-size organizations such as businesses, government agencies, and universities.
ANS: enterprise REF: 308

5. Most consumer access points are in reality wireless ____, because they combine the functions of an access point, router, network address translator, firewall, and switch.
ANS: gateways REF: 313

MATCHING

Match each term with the correct statement below.

a. pre-shared key authentication
b. dynamic WEP
c. AES-CCMP
d. Advanced Encryption Standard
e. 802.11i
f. supplicant
g. key caching
h. broadcast
i. Message Integrity Check

1. stores information from a device on the network so if a user roams away from an AP and later returns, she does not need to re-enter all of the credentials
2. robust security network
3. designed to prevent an attacker from capturing, altering, and resending data packets
4. solves the weak IV problem by rotating the keys frequently
5. encryption protocol in the 802.11i standard
6. uses a passphrase that is manually entered to generate the encryption key
8. performs three steps on every block (128 bits) of plaintext
9. wireless device that requires secure network access

1. ANS: G REF: 296
2. ANS: E REF: 295
3. ANS: I REF: 298
4. ANS: B REF: 293
5. ANS: C REF: 307
6. ANS: A REF: 304
7. ANS: H REF: 294
8. ANS: D REF: 295
9. ANS: F REF: 309

SHORT ANSWER

1. Describe Kerberos.

ANS:

Kerberos is typically used when someone on a network attempts to use a network service, and the service wants assurance that the user is who he says he is. The user is provided a ticket that is issued by the Kerberos server, much as a driver’s license is issued by the DMV. This ticket contains information linking it to the user. The user presents this ticket to the network for a service. The service then examines the ticket to verify the identity of the user. If all checks out, the user is accepted. Kerberos tickets share some of the same characteristics as a driver’s license: tickets are difficult to copy (because they are encrypted), they contain specific user information, they restrict what a user can do, and they expire after a few hours or a day.

REF:

293

2. Describe the 802.1x authentication procedure.

ANS:

Step 1: The wireless device requests from the access point permission to join the wireless LAN.
Step 2: The access point asks the device to verify its identity.
Step 3: The device sends identity information to the access point, which passes it on to an authentication server, whose only job is to verify the authentication of devices. The identity information is sent in encrypted form.
Step 4: The authentication server verifies or rejects the client’s identity and returns the information to the access point.
Step 5: An approved client can now join the network and transmit data.

REF:

296

3. Describe the Temporal Key Integrity Protocol used by Wi-Fi Protected Access (WPA).

ANS:

TKIP uses a longer 128-bit per-packet key. The per-packet functionality of TKIP means that it dynamically generates a new key for each packet and thus prevents collisions. After accepting a device’s credentials, the authentication server can use 802.1x to produce a unique master key for that user session. TKIP distributes the key to the client and AP, setting up an automated key hierarchy and management system. TKIP then dynamically generates unique keys to encrypt every data packet that is wirelessly communicated during a session.

REF:

297

4. What should a business do if the best possible security model cannot be implemented?

ANS:

The answer may be to implement the highest level of security based upon the current equipment in use. Although this is not the optimal solution, it is better than doing nothing at all. It should, however, be recognized that this should only be considered a transitional phase until migration to stronger wireless security is possible. Sometimes called the transitional security model, it should only be implemented as a temporary solution. A plan for the purchase and installation of new security equipment should be outlined before the transitional security model is implemented to ensure that upgrading is not put off until it is too late.

REF:

301

5. Describe pre-shared key authentication.

ANS:

Pre-shared key (PSK) authentication uses a passphrase (the PSK) that is manually entered to generate the encryption key. Unlike WEP, the PSK is not used for encryption. Instead, it only serves as the starting seed value for mathematically generating the encryption keys themselves. However, one of the disadvantages with PSK involves initial key management. A key must be created and entered in the wireless access point and also on any wireless device (“shared”) prior to (“pre”) the devices communicating with the AP.

REF:

304

6. Temporal Key Integrity Protocol (TKIP) has three major components to address vulnerabilities. List and describe them.

ANS:

MIC: MIC (Message Integrity Check) protects against forgeries by ensuring that the message has not been tampered with, which CRC under WEP could not do. The original WEP design used a 24-bit initialization vector (IV) along with a secret key to generate a keystream. TKIP creates a different key for each packet.

IV sequence: TKIP reuses the WEP IV field as a sequence number for each packet. Both the transmitter and receiver initialize the packet sequence space to zero whenever new TKIP keys are set, and the transmitter increments the sequence number with each packet it sends. This ensures that an attacker does not record a valid packet and then retransmit it. Also, the length of the sequence number (IV) has been doubled, from 24 bits to 48 bits.

TKIP key mixing: WEP constructs a per-packet RC4 key by concatenating a key and the packet IV. The new per-packet key construction, called the TKIP key mixing function, substitutes a temporary (temporal) key for the WEP base key and constructs a per-packet key that changes with each packet. Temporal keys have a fixed lifetime and are replaced frequently.

REF:

306

7. A network supporting the 802.1x standard consists of three elements. Identify and describe each one.

ANS:

A network supporting the 802.1x standard consists of three elements. The supplicant is the wireless device which requires secure network access. The supplicant sends the request to an authenticator that serves as an intermediary device. An authenticator can be an access point on a wireless network or a switch on a wired network. The authenticator sends the request from the supplicant to the authentication server. The authentication server accepts or rejects the supplicant’s request and sends that information back to the authenticator, which in turn grants or denies access to the supplicant. One of the strengths of the 802.1x protocol is that the supplicant never has direct communication with the authentication server. This minimizes the risk of attack on the authentication server, which contains valuable logon data for all users. The authentication server in an 802.1x configuration stores the list of the names and credentials of authorized users in order to verify their authenticity. Typically a Remote Authentication Dial-In User Service (RADIUS) server is used. When a user wants to connect to the wireless network, the request is first sent to the authenticator, which relays the information, such as the username and password, type of connection, and other information, to the RADIUS server.

REF:

309

8. Describe Advanced Encryption Standard (AES).

ANS:

AES is a block cipher that uses the same key for both encryption and decryption. With AES, bits are encrypted in blocks of plaintext that are calculated independently, rather than a keystream acting across a plaintext data input stream. AES has a block size of 128 bits with three possible key lengths: 128, 192, and 256 bits as specified in the AES standard. For the WPA2/802.11i implementation of AES, a 128-bit key length is used. AES encryption includes four stages that make up one round. Each round is then iterated 10, 12, or 14 times depending upon the bit-key size. For the WPA2/802.11i implementation of AES, each round is iterated 10 times.

REF:

311-312

9. What is a wireless gateway?

ANS:

Equipping an access point with additional functionality can create a device known as a wireless gateway. Most consumer access points are in reality wireless gateways, because they combine the functions of an access point, router, network address translator, firewall, and switch. On the enterprise level a wireless gateway may combine the functionality of a VPN and an authentication server. Wireless gateways can also be used to provide enhanced security to access points that are connected to it.

REF:

313

10. What are the ways in which captive portals are used?

ANS:

Captive portals are used to notify users of the wireless policies and rules. They have to agree to these before they are granted access to the Internet. Captive portals can advertise to users specific services or products. Captive portals can also be used to authenticate users against a RADIUS server before they are granted Internet access.

REF:

314