12.7_Secure WLANS

Question 1

To address the threats of keeping wireless intruders out and protecting data, two early security features were used and are still available on most routers and APs:

Answer 1

SSID cloaking
MAC address filtering

Question 2

APs and some wireless routers allow the SSID beacon frame to be disabled, as shown in the figure. Wireless clients must manually configure the SSID to connect to the network. What method is this?

Answer 2

SSID Cloaking

Question 3

An administrator can manually permit or deny clients wireless access based on their physical MAC hardware address. In the figure, the router is configured to permit two MAC addresses. Devices with different MAC addresses will not be able to join the 2.4GHz WLAN. What method is this?

Answer 3

MAC Addresses Filtering

Question 4

True or False
Although these two features would deter most users, the reality is that neither SSID cloaking nor MAC address filtering would deter a crafty intruder.

Answer 4

True
SSIDs are easily discovered even if APs do not broadcast them and MAC addresses can be spoofed. The best way to secure a wireless network is to use authentication and encryption systems.

Question 5

Two types of authentication were introduced with the original 802.11 standard:

__: Any wireless client should easily be able to connect and should only be used in situations where security is of no concern, such as those providing free internet access like cafes, hotels, and in remote areas. The wireless client is responsible for providing security such as using a virtual private network (VPN) to connect securely. VPNs provide authentication and encryption services. VPNs are beyond the scope of this topic.

Answer 5

Open system authentication

Question 6

Two types of authentication were introduced with the original 802.11 standard:
___: Provides mechanisms, such as WEP, WPA, WPA2, and WPA3 to authenticate and encrypt data between a wireless client and AP. However, the password must be pre-shared between both parties to connect.

Answer 6

Shared key authentication

Question 7

There are four shared key authentication techniques available:
____: The original 802.11 specification designed to secure the data using the Rivest Cipher 4 (RC4) encryption method with a static key. However, the key never changes when exchanging packets. This makes it easy to hack. WEP is no longer recommended and should never be used.

Answer 7

Wired Equivalent Privacy

Question 8

There are four shared key authentication techniques available:
__: A Wi-Fi Alliance standard that uses WEP, but secures the data with the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm. TKIP changes the key for each packet, making it much more difficult to hack.

Answer 8

Wi-Fi Protected Areas (WPA)

Question 9

There are four shared key authentication techniques available:

__: the current industry standard for securing wireless networks. It uses the Advanced Encryption Standard (AES) for encryption. AES is currently considered the strongest encryption protocol.

Answer 9

WPA2

Question 10

There are four shared key authentication techniques available:
___: The next generation of Wi-Fi security. All **-enabled devices use the latest security methods, disallow outdated legacy protocols, and require the use of Protected Management Frames (PMF). However, devices with WPA3 are not yet readily available.

Answer 10

WPA3

Question 11

Home routers typically have two choices for authentication:

Answer 11

WPA and WPA2

Question 12

Authenticating a Home User
__: Intended for home or small office networks, users authenticate using a pre-shared key (PSK). Wireless clients authenticate with the wireless router using a pre-shared password. No special authentication server is required.

Answer 12

Personal

Question 13

Authenticating a Home User

___: Intended for **networks but requires a___ (RADIUS) authentication server. Although more complicated to set up, it provides additional security. The device must be authenticated by the RADIUS server and then users must authenticate using 802.1X standard, which uses the Extensible Authentication Protocol (EAP) for authentication.

Answer 13

Enterprise
Remote Authentication Dial-In User Service

Question 14

True or false
Encryption is not used to protect data

Answer 14

False
Encryption is used to protect data. If an intruder has captured encrypted data, they would not be able to decipher it in any reasonable amount of time.

Question 14

True or false
Encryption is not used to protect data

Answer 14

False
Encryption is used to protect data. If an intruder has captured encrypted data, they would not be able to decipher it in any reasonable amount of time.

Question 15

The WPA and WPA2 standards use the following encryption protocols:
___: the encryption method used by WPA. It provides support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP encryption method. It makes use of WEP, but encrypts the Layer 2 payload using ***, and carries out a Message Integrity Check (MIC) in the encrypted packet to ensure the message has not been altered.

Answer 15

Temporal Key Integrity Protocol (TKIP)

Question 16

The WPA and WPA2 standards use the following encryption protocols:
____: is the encryption method used by WPA2. It is the preferred method because it is a far stronger method of encryption. It uses the Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP) that allows destination hosts to recognize if the encrypted and non-encrypted bits have been altered.

Answer 16

Advanced Encryption Standard (AES)

Question 17

Authentication in the Enterprise
The Enterprise security mode choice requires an ____ RADIUS server.

Answer 17

Authentication, Authorization, and Accounting (AAA)

Question 18

Authentication in the Enterprise
___: This is the reachable address of the RADIUS server.

Answer 18

RADIUS Server IP address

Question 19

Authentication in the Enterprise
UDP Port Numbers: Officially assigned UDP ports ___ for RADIUS Authentication, and ___for RADIUS Accounting, but can also operate using UDP ports 1645 and 1646, as shown in the figure.

Answer 19

1812
1813

Question 20

Authentication in the Enterprise
___: Used to authenticate the AP with the RADIUS server.

Answer 20

Shared Key

Question 21

WPA3 includes four features:

Answer 21

WPA3-Personal
WPA3-Enterprise
Open Networks
Internet of Things (IoT) Onboarding

Question 22

WPA3
In____, threat actors can listen in on the “handshake” between a wireless client and the AP and use a brute force attack to try and guess the PSK. WPA3-Personal thwarts this attack by using___, a feature specified in the IEEE 802.11-2016. The PSK is never exposed, making it impossible for the threat actor to guess.

Answer 22

WPA2-Personal
Simultaneous Authentication of Equals (SAE)

Question 23

WPA3
____ still uses 802.1X/EAP authentication. However, it requires the use of a 192-bit cryptographic suite and eliminates the mixing of security protocols for previous 802.11 standards. WPA3-Enterprise adheres to the Commercial National Security Algorithm (CNSA) Suite which is commonly used in high security Wi-Fi networks.

Answer 23

WPA3-Enterprise

Question 24

WPA3
OPEN NETWORKS: Open networks in WPA2 send user traffic in unauthenticated, clear text. In WPA3, open or public Wi-Fi networks still do not use any authentication. However, they do use ___ to encrypt all wireless traffic.

Answer 24

Opportunistic Wireless Encryption (OWE)