Wireless Security Flashcards

1
Q

ou are building out a corporate Wi-Fi network that is intended for use only by corporate employees using corporate laptops (no guest access) and must be highly secure. Which of the following is the best solution?

WPA

WPA2-PSK

WPA2-Enterprise

A

WPA2-Enterprise

WPA2-Enterprise is the correct version of WPA2 for this setup, as it uses enterprise-grade options to establish a shared secret

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Why would WPA be considered a stopgap fix for the issues with WEP?

It modernizes Wi-Fi with a new encryption cipher.

It provides for using temporary WEP keys to avoid the weakness in WEP, but does not replace the underlying encryption cipher.

It enforces the use of long-key WEP while having an autogenerated MAC filtering list to avoid potential eavesdropping.

A

It provides for using temporary WEP keys to avoid the weakness in WEP, but does not replace the underlying encryption cipher.

WPA is a stopgap due to its software-only implementation in that it still uses the flawed WEP RC4 cipher, albeit with temporary keys

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

You are tasked with the implementation of Wi-Fi in Enterprise mode. The initial network diagram shows only the updated access points and network switches. What component is missing from the diagram?

Guest wireless

NAC server

Authentication server

A

Authentication server

Enterprise mode mandates authentication, so an authentication server, typically RADIUS, is required

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Why is WPA2-Personal not ideal for a large organization?

It has weak encryption.

The pre-shared key must be securely shared with all users.

It uses Open System authentication.

A

The pre-shared key must be securely shared with all users.

WPA2 in Personal mode uses a pre-shared key, and this key must be shared with all users, which is challenging in a large organization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How does Open System authentication differ from a pre-shared key?

Open System authentication only matches the SSID of the system, which is part of all the Wi-Fi packets, so there is no real authentication as with a pre-shared key.

Open System authentication uses a more complex hashing algorithm to pad the encryption key.

Open System authentication requires a RADIUS server.

A

Open System authentication only matches the SSID of the system, which is part of all the Wi-Fi packets, so there is no real authentication as with a pre-shared key.

Open System authentication only matches to the SSID and generates a random number from that. Because the SSID is part of the Wi-Fi packets, there is no real authentication

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Why is enabling WPS not recommended?

It uses WEP-based encryption.

The lack of support for AES.

The use of an eight-digit PIN makes it susceptible to brute force attacks.

A

The use of an eight-digit PIN makes it susceptible to brute force attacks.

WPS uses an eight-digit pin and is subject to brute force attacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

You are implementing a new wireless system to allow access in all buildings of your corporate campus. You have selected WPA2-Enterprise with 802.1X and a RADIUS server. What is the most efficient way to allow visitors access to the wireless network?

Set up an air-gapped wireless network with Open System authentication enabled so that visitors can easily get access.

Add all visitors to your Active Directory so they can log onto the wireless natively.

Implement a captive portal.

A

Implement a captive portal.

Implementing a captive portal will ensure that users can easily authenticate and gain access

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the primary vulnerability of pre-shared keys?

They have a weak initialization vector.

They could have too low a key strength.

They can be brute forced.

A

They can be brute forced.

Any pre-shared keys can be configured to be short, and therefore susceptible to a brute force attack. The defense against this is to always use long and complex PSKs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What allows RADIUS to scale to a worldwide authentication network?

Strong encryption

Certificate-based tunneling and EAP

CCMP-delegated authentication

A

Certificate-based tunneling and EAP

The use of SSL-based tunneling and EAP packets makes the distributed authentication of RADIUS possible

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Why should you use a VPN when attached to a public WPA hotspot?

Anyone with the key can store all the packets for later decryption.

Public Wi-Fi networks are set up for man-in-the-middle attacks.

To ensure browser secrecy.

A

Anyone with the key can store all the packets for later decryption.

The reason to use a VPN on any public Wi-Fi network is that, as a shared network, attackers may be attempting to capture all the traffic. In a public Wi-Fi configured with WEP or WPA, using a shared key also allows attackers to easily decrypt the traffic

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

How does TKIP improve security?

It uses stronger authentication.

It changes the WEP padding algorithm.

It uses a different key for each packet.

A

It uses a different key for each packet.

TKIP uses temporal keys, so there is a new key for every packet

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What makes EAP-TLS so hard for an attacker to break?

The user’s key is held by the RADIUS server.

The encryption keys are escrowed.

The client-side key is needed to break the TLS tunnel.

A

The client-side key is needed to break the TLS tunnel.

The TLS connection uses a client key, so the attacker would need this key before being able to break the TLS tunnel

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which authentication protocol uses a Protected Access Credential (PAC)?

PEAP

EAP-FAST

EAP-TLS

A

EAP-FAST

EAP-FAST uses the Protected Access Credential (PAC) to create the TLS tunnel

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which authentication protocol uses mandatory client-side certificates, making it more challenging to maintain if guest access is provided to visitors?

PEAP

EAP-FAST

EAP-TLS

A

EAP-TLS

EAP-TLS uses client-side certificates

How well did you know this?
1
Not at all
2
3
4
5
Perfectly