Wireless Security Flashcards
ou are building out a corporate Wi-Fi network that is intended for use only by corporate employees using corporate laptops (no guest access) and must be highly secure. Which of the following is the best solution?
WPA
WPA2-PSK
WPA2-Enterprise
WPA2-Enterprise
WPA2-Enterprise is the correct version of WPA2 for this setup, as it uses enterprise-grade options to establish a shared secret
Why would WPA be considered a stopgap fix for the issues with WEP?
It modernizes Wi-Fi with a new encryption cipher.
It provides for using temporary WEP keys to avoid the weakness in WEP, but does not replace the underlying encryption cipher.
It enforces the use of long-key WEP while having an autogenerated MAC filtering list to avoid potential eavesdropping.
It provides for using temporary WEP keys to avoid the weakness in WEP, but does not replace the underlying encryption cipher.
WPA is a stopgap due to its software-only implementation in that it still uses the flawed WEP RC4 cipher, albeit with temporary keys
You are tasked with the implementation of Wi-Fi in Enterprise mode. The initial network diagram shows only the updated access points and network switches. What component is missing from the diagram?
Guest wireless
NAC server
Authentication server
Authentication server
Enterprise mode mandates authentication, so an authentication server, typically RADIUS, is required
Why is WPA2-Personal not ideal for a large organization?
It has weak encryption.
The pre-shared key must be securely shared with all users.
It uses Open System authentication.
The pre-shared key must be securely shared with all users.
WPA2 in Personal mode uses a pre-shared key, and this key must be shared with all users, which is challenging in a large organization
How does Open System authentication differ from a pre-shared key?
Open System authentication only matches the SSID of the system, which is part of all the Wi-Fi packets, so there is no real authentication as with a pre-shared key.
Open System authentication uses a more complex hashing algorithm to pad the encryption key.
Open System authentication requires a RADIUS server.
Open System authentication only matches the SSID of the system, which is part of all the Wi-Fi packets, so there is no real authentication as with a pre-shared key.
Open System authentication only matches to the SSID and generates a random number from that. Because the SSID is part of the Wi-Fi packets, there is no real authentication
Why is enabling WPS not recommended?
It uses WEP-based encryption.
The lack of support for AES.
The use of an eight-digit PIN makes it susceptible to brute force attacks.
The use of an eight-digit PIN makes it susceptible to brute force attacks.
WPS uses an eight-digit pin and is subject to brute force attacks
You are implementing a new wireless system to allow access in all buildings of your corporate campus. You have selected WPA2-Enterprise with 802.1X and a RADIUS server. What is the most efficient way to allow visitors access to the wireless network?
Set up an air-gapped wireless network with Open System authentication enabled so that visitors can easily get access.
Add all visitors to your Active Directory so they can log onto the wireless natively.
Implement a captive portal.
Implement a captive portal.
Implementing a captive portal will ensure that users can easily authenticate and gain access
What is the primary vulnerability of pre-shared keys?
They have a weak initialization vector.
They could have too low a key strength.
They can be brute forced.
They can be brute forced.
Any pre-shared keys can be configured to be short, and therefore susceptible to a brute force attack. The defense against this is to always use long and complex PSKs
What allows RADIUS to scale to a worldwide authentication network?
Strong encryption
Certificate-based tunneling and EAP
CCMP-delegated authentication
Certificate-based tunneling and EAP
The use of SSL-based tunneling and EAP packets makes the distributed authentication of RADIUS possible
Why should you use a VPN when attached to a public WPA hotspot?
Anyone with the key can store all the packets for later decryption.
Public Wi-Fi networks are set up for man-in-the-middle attacks.
To ensure browser secrecy.
Anyone with the key can store all the packets for later decryption.
The reason to use a VPN on any public Wi-Fi network is that, as a shared network, attackers may be attempting to capture all the traffic. In a public Wi-Fi configured with WEP or WPA, using a shared key also allows attackers to easily decrypt the traffic
How does TKIP improve security?
It uses stronger authentication.
It changes the WEP padding algorithm.
It uses a different key for each packet.
It uses a different key for each packet.
TKIP uses temporal keys, so there is a new key for every packet
What makes EAP-TLS so hard for an attacker to break?
The user’s key is held by the RADIUS server.
The encryption keys are escrowed.
The client-side key is needed to break the TLS tunnel.
The client-side key is needed to break the TLS tunnel.
The TLS connection uses a client key, so the attacker would need this key before being able to break the TLS tunnel
Which authentication protocol uses a Protected Access Credential (PAC)?
PEAP
EAP-FAST
EAP-TLS
EAP-FAST
EAP-FAST uses the Protected Access Credential (PAC) to create the TLS tunnel
Which authentication protocol uses mandatory client-side certificates, making it more challenging to maintain if guest access is provided to visitors?
PEAP
EAP-FAST
EAP-TLS
EAP-TLS
EAP-TLS uses client-side certificates
