Topic 9A Flashcards

1
Q

Hardening

A

is the process of reducing system vulnerabilities to make IT resources more resilient to attacks. It involves disabling unnecessary services, configuring appropriate permissions, applying patches and updates, and ensuring adherence to secure configurations defined by the secure baselines.

2
Q

Network access control (NAC)

A

is a security solution that enforces policy on devices seeking to access network resources. It identifies, categorizes, and manages the activities of all devices on a network, ensuring they comply with security policies before granting access and continuously monitoring them while they are connected.

3
Q

secure baseline

A

is a collection of standard configurations and settings for network devices, software, patching and updates, access controls, logging, monitoring, password policies, encryption, endpoint protection, and many others.

4
Q

The Center for Internet Security (CIS) Benchmarks

A

an important resource for secure configuration best practices. CIS is recognized globally for publishing and maintaining best practice guides for securing IT systems and data.

5
Q

Security Technical Implementation Guides (STIGs)

A

are a specific secure baseline developed by the Defense Information Systems Agency (DISA) for the US Department of Defense. Like CIS Benchmarks, STIGs define a standardized set of security configurations and controls specifically designed for the DoD’s IT infrastructure.

6
Q

Configuration management tools, such as Puppet, Chef, Ansible, and Microsoft’s Group Policy

A

allow organizations to automate the deployment of secure baseline configurations across various diverse systems.

7
Q

Security Content Automation Protocol (SCAP) compliant tools

A

like OpenSCAP, can assess and verify the system’s adherence to the baseline.

8
Q

The SCAP Compliance Checker (SCC)

A

is a tool maintained by DISA and used to measure compliance with STIG baselines.

9
Q

Examples of changes designed to improve the security of switches and routers from the default settings include the following:

A

Change Default Credentials that are well documented and pose a significant security risk.

Disable Unnecessary Services and Interfaces on a switch or router. Not every service or interface is needed. For example, services like HTTP or Telnet should be avoided.

Use Secure Management Protocols such as SSH instead of Telnet or HTTPS instead of HTTP.

Implement Access Control Lists (ACLs) to restrict access to the router or switch to only required devices and networks.

Enable Logging and Monitoring to help identify issues like repeated login failures, configuration changes, and many others.

Configure Port Security helps limit the devices that can connect to a switch port to prevent unauthorized access.

Strong Password Policies help reduce the risk of password attacks.

Physically Secure Equipment like keeping devices in a locked room to prevent unauthorized physical access.

10
Q

Examples of changes designed to improve the security of servers from the default settings include the following:

A

Change Default Credentials to prevent unauthorized access, similar to network devices.

Disable Unnecessary Services to reduce the attack surface of the server. Each service running on a server represents a potential point of entry for an attacker.

Apply Software Security Patches and Updates Regularly to fix known vulnerabilities and provide security improvements. Automated patch management ensures this process is consistent and timely.

Least Privilege Principle limits each user to the least amount of privilege necessary to perform a function to reduce the impact of a compromised account.

Use Firewalls and Intrusion Detection Systems (IDS) to help block or alert on malicious activity.

Secure Configuration of servers should use baseline configurations such as those provided by the CIS or STIGs.

Strong Access Controls include strong password policies, multifactor authentication (MFA), and privileged access management (PAM).

Enable Logging and Monitoring to help identify issues like repeated login failures, configuration changes, and many others, similar to the benefits for network equipment.

Use Antivirus and Antimalware Solutions to detect and quarantine malware automatically.

Physical Security of server equipment racks, server rooms, or datacenters prevents unauthorized access.

11
Q

access points

A

forward traffic to and from the wired switched network.

Each WAP is identified by its MAC address, also referred to as its basic service set identifier (BSSID).

Each wireless network is identified by its name or service set identifier (SSID).

12
Q

Wireless Networks operate at what wavelength?

A

can operate in either the 2.4 GHz or 5 GHz radio band.

Each radio band is divided into a number of channels, and each WAP must be configured to use a specific channel.

For performance reasons, the channels chosen should be as widely spaced as possible to reduce interference.

13
Q

site survey

A

is used to measure signal strength and channel usage throughout the area to cover.

A site survey starts with an architectural map of the site, with features that can cause background interference marked. These features include solid walls, reflective surfaces, motors, microwave ovens, and so on.

A Wi-Fi-enabled laptop or mobile device with Wi-Fi analyzer software installed performs the survey.

14
Q

heat map

A

The signal map that is created from a site survey.

Showing where a signal is strong (green/blue) or weak (red), and which channel is being used and how they overlap.

15
Q

How are the cryptographic protocols chosen?

A

Security standards determine which cryptographic protocols are supported, the means of generating the encryption key, and the available methods for authenticating wireless stations when they try to join (or associate with) the network.

16
Q

The first version of Wi-Fi Protected Access (WPA) was designed to

A

fix critical vulnerabilities in the earlier wired equivalent privacy (WEP) standard.

Like WEP, version 1 of WPA uses the RC4 stream cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger.

17
Q

Wi-Fi Protected Setup (WPS)

A

As setting up an access point securely is relatively complex for residential consumers, vendors have developed a system to automate the process.

To use WPS, both the access point and wireless station (client device) must be WPS-capable. Typically, the devices will have a push button.

Activating this on the access point and the adapter simultaneously will associate the devices using a PIN, then associate the adapter with the access point using WPA2.

The system generates a random SSID and PSK. If the devices do not support the push button method, the PIN (printed on the WAP) can be entered manually.

18
Q

WPS vulnerability

A

WPS is vulnerable to a brute force attack. While the PIN is eight characters, one digit is a checksum and the rest are verified as two separate PINs of four and three characters.

These separate PINs are many orders of magnitude simpler to brute force, typically requiring just hours to crack.

On some models, disabling WPS through the admin interface does not actually disable the protocol, or there is no option to disable it.

19
Q

The Easy Connect method, announced alongside WPA3, is intended to

A

replace WPS as a method of securely configuring client devices with the information required to access a Wi-Fi network. Easy Connect is a brand name for the Device Provisioning Protocol (DPP).

20
Q

The main features of WPA3 are as follows:

A

Simultaneous Authentication of Equals (SAE)—replaces the Pre-Shared Key (PSK) exchange protocol in WPA2, ensuring an attacker cannot intercept the Wi-Fi password even when capturing data from a successful login.

Enhanced Open—encrypts traffic between devices and the access point, even without a password, which increases privacy and security on open networks.

Updated Cryptographic Protocols—replaces AES CCMP with the AES Galois Counter Mode Protocol (GCMP) mode of operation. Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit.

Wi-Fi Easy Connect—allows connecting devices by scanning a QR code, reducing the need for complicated configurations while maintaining secure connections.

21
Q

Wi-Fi authentication comes in three types:

A

personal, open, and enterprise. Within the personal category, there are two methods: pre-shared key authentication (PSK) and simultaneous authentication of equals (SAE).

22
Q

In WPA2, pre-shared key (PSK) authentication uses

A

a passphrase to generate the key used to encrypt communications. It is also referred to as group authentication because a group of users shares the same secret.

When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm.

This HMAC is referred to as the pairwise master key (PMK). The same secret must be configured on the access point and on each node that joins the network.

The PMK is used as part of WPA2’s 4-way handshake to derive various session keys.

23
Q

While WPA3 still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree session keys. The scheme used is called

A

Password-Authenticated Key Exchange (PAKE)

24
Q

In WPA3, the Simultaneous Authentication of Equals (SAE) protocol replaces

A

the 4-way handshake, which has been found vulnerable to various attacks. SAE uses the Dragonfly handshake, which is basically Diffie-Hellman over elliptic curves key agreement, combined with a hash value derived from the password and device MAC address to authenticate the nodes.

With SAE, there should be no way for an attacker to sniff out the handshake to obtain the hash value and try to use an offline brute force or dictionary attack to recover the password. Dragonfly also implements ephemeral session keys providing forward secrecy.

25
Q

enterprise authentication

A

A wireless network authentication mode where the access point acts as pass-through for credentials that are verified by an AAA server.

26
Q

Typically, 802.1x requires an authentication server such as

A

RADIUS (Remote Authentication Dial-In User Service), which verifies the credentials of users or devices trying to connect to the network.

27
Q

In enterprise mode authentication schemes…

A

users have a unique set of credentials rather than a shared passphrase as used in WPA2/WPA3 personal mode.

28
Q

Extensible Authentication Protocol (EAP)

A

Defines authentication methods.

EAP-TLS, for instance, uses client-server certificates for mutual authentication, while EAP-TTLS and PEAP utilize a server-side certificate.

The server-side certificate is used to establish a secure tunnel for transmitting user credentials and helps devices validate the legitimacy of the access point.

29
Q

Remote Authentication Dial-In User Service (RADIUS) standard

A

There are several RADIUS server and client products.

The NAS device (RADIUS client) is configured with the IP address of the RADIUS server and with a shared secret.

This allows the client to authenticate to the server. Remember that the client is the access device (switch, access point, or VPN gateway), not the user’s PC or laptop.

30
Q

A generic RADIUS authentication workflow proceeds as follows:

A

1. The user’s device (the supplicant) makes a connection to the NAS appliance, such as an access point, switch, or remote access server.

2. The NAS prompts the user for their authentication credentials. RADIUS supports PAP, CHAP, and EAP. Most implementations now use EAP, as PAP and CHAP are not secure. If EAP credentials are required, the NAS enables the supplicant to transmit EAP over LAN (EAPoL) data, but not any other type of network traffic.

3. The supplicant submits the credentials as EAPoL data. The RADIUS client uses this information to create an Access-Request RADIUS packet, encrypted using the shared secret. It sends the Access-Request to the AAA server using UDP on port 1812 (by default).

4. The AAA server decrypts the Access-Request using the shared secret. If the Access-Request cannot be decrypted (because the shared secret is not correctly configured, for instance), the server does not respond.

5. With EAP, there will be an exchange of Access-Challenge and Access-Request packets as the authentication method is set up and the credentials verified. The NAS acts as a pass-through, taking RADIUS messages from the server and encapsulating them as EAPoL to transmit to the supplicant.

6. At the end of this exchange, if the supplicant is authenticated, the AAA server responds with an Access-Accept packet; otherwise, an Access-Reject packet is returned.

31
Q

Network access control (NAC)

A

not only authenticates users and devices before allowing them access to the network but also checks and enforces compliance with established security policies.

By evaluating the operating system version, patch level, antivirus status, or the presence of specific security software, NAC ensures that devices meet a minimum set of security standards before being granted network access.

NAC also can restrict access based on user profile, device type, location, and other attributes, to ensure users and devices can only access the resources necessary to complete their duties.

Works well with BYOD policies.

32
Q

NAC and virtual local area networks (VLANs) work together to improve and automate network security.

A

One of the primary ways NAC integrates with VLAN protections is through dynamic VLAN assignment.

Dynamic VLAN assignment is a NAC feature that assigns a VLAN to a device based on the user’s identity attributes, device type, device location, or health check results.

Additionally, NAC can interact with dynamic VLAN assignment to implement quarantine procedures. If a device is noncompliant with security policies—for example, if it lacks updated antivirus software—the NAC system can automatically move it to a quarantine VLAN.

33
Q

agent-based approach

A

a software agent is installed on the devices that connect to the network. This agent communicates with the NAC platform, providing detailed information about the device’s status and compliance level.

An agent-based NAC implementation can enable features such as automatic remediation, where the NAC agent can perform actions like updating software or disabling specific settings to bring a device into compliance with mandatory security configurations.

34
Q

agentless NAC approach

A

uses port-based network access control or network scans to evaluate devices. For example, agentless NAC may use DHCP fingerprinting to identify the type and configuration of a device when it connects, or it might perform a network scan to detect open ports or active services.

While agentless methods may not provide as detailed information about a device’s status, they can be used with any device that connects to the network, including guest or IoT devices, without requiring any prior configuration.