Here are the answers to our tutorial test, Identifying WLAN threats. After you've checked your answers, let us know how you did! And, if you need more instruction on wireless LAN vulnerabilities, listen to the accompanying on-demand tutorial webcast with Lisa Phifer.
1. d) Security -- Nearly three-quarters of those planning WLANs and half of those with existing WLANs named security as the biggest bugaboo, far over-shadowing other factors. Security is a challenge both during planned deployment and when mopping up after unauthorized installations.
2. e) None of the above -- Eliminating the SSID from beacon frames does not stop the AP from sending beacons. Enabling WEP scrambles data but does not stop frame transmission. Placing APs to reduce leakage is unlikely to completely prevent the signal from reaching public areas. You can't stop war drivers from discovering your WLAN, but you can take steps to prevent them from using your network.
3. b) Sniffing and Eavesdropping -- Payload encryption is required to prevent eavesdropping on confidential data. Sniffing is passive and does not require the attacker to get through your WLAN's access control measures – anyone within physical proximity has access to the air!
4. d) On the outside or DMZ -- Wireless networks are inherently untrustworthy and therefore should never be placed inside the perimeter firewall (i.e., inside trusted territory).
5. c) Authentication keys are different for every station -- With 802.11, the same authentication key is used by all stations in the wireless LAN. Four WEP keys can usually be configured for encryption, but only one key is used for authentication.
6. b) Using the MAC address of another station -- In the realm of network security, "spoofing" means assuming the identity of another device (e.g., an IP or MAC address) and attempting to masquerade as that device.
7. d) All of the above -- Any AP that is not in the WLAN analyzer's list of authorized devices will be reported as a possible rogue AP. These alerts need to be further investigated to determine the location of the AP and the actual threat posed to your WLAN.
8. c) WEP is harder to crack if you use dynamic keys -- The initialization vector used by WEP is too short to prevent keystream reuse, and any two frames encrypted with the same keystream can be XORed to decrypt the payload. You cannot make the WEP IV longer, but you can reduce keystream reuse by changing the key frequently. Short-lived keys, therefore, make WEP harder to crack.
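To make the keystream-reuse point in answer 8 concrete, here is an added illustration (not part of the original tutorial): a textbook RC4 seeded WEP-style with IV||key, showing that two frames under the same key and IV XOR down to the XOR of their plaintexts, that a rekey breaks that relationship, and how quickly a 24-bit IV space repeats. All keys, IVs and messages are constructed values.

```python
# Added illustration (not from the original tutorial): textbook RC4,
# WEP-style IV||key seeding; keys, IVs and messages below are constructed.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with the 24-bit IV prepended to the shared key
    (the CRC-32 ICV is omitted here; it is irrelevant to keystream reuse)."""
    return xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def reuse_leaks_plaintext_xor(iv, key1, key2, p1, p2) -> bool:
    """True when C1 ^ C2 == P1 ^ P2, i.e. both frames shared one keystream
    and a passive observer learns the XOR of the two plaintexts."""
    c1, c2 = wep_encrypt(iv, key1, p1), wep_encrypt(iv, key2, p2)
    return xor(c1, c2) == xor(p1, p2)

def p_iv_repeat(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound probability that at least two of `frames` randomly
    chosen IVs coincide under one key (sequential IVs wrap after 2**iv_bits)."""
    n = 1 << iv_bits
    no_repeat = 1.0
    for i in range(frames):
        no_repeat *= (n - i) / n
    return 1.0 - no_repeat

if __name__ == "__main__":
    iv, k = b"\x01\x02\x03", b"shared-wep-key"     # constructed values
    p1, p2 = b"GET /login HTTP/1.1", b"POST /mail HTTP/1.1"
    print("same key, same IV leaks P1^P2:", reuse_leaks_plaintext_xor(iv, k, k, p1, p2))
    print("after rekey:", reuse_leaks_plaintext_xor(iv, k, b"rotated-wep-key", p1, p2))
    print("P(IV repeat) after 5000 frames: %.2f" % p_iv_repeat(5000))
```

The probability function shows why rekeying matters: under a single key, a few thousand frames with random IVs already give better-than-even odds of a repeat, whereas each rekey starts that count over.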
9. b) False -- Many Web sites do pass confidential data without SSL – assuming otherwise is risky. But even if you did visit only Web sites using SSL to protect HTTP, header information is still passed as cleartext over the air. Source and destination IP addresses and URLs can be analyzed to learn about your behavior or launch attacks. Depending upon the authentication method, station credentials may also be revealed or left vulnerable to dictionary attack.
10. e) Answers A and B, but not C -- TKIP benefits from derived crypto keys and longer IVs, but still uses the same RC4 cipher employed by WEP so that upgrades can be applied with firmware instead of requiring new hardware.
11. b) False -- The CRC used by WEP can detect transmission errors, but can't stop attackers from modifying frames without invalidating the CRC. TKIP detects forgery by using a real message integrity check instead of a cyclic redundancy check.
12. d) All of the above -- Any radio can transmit in an unlicensed band and there's nothing you can do to stop that. Floods and jamming by devices sharing the ISM band are still unresolved threats. However, using the UNII band occupied by 802.11a can eliminate competition with Bluetooth or potentially evade 802.11b-based DoS attacks.
13. b) Clients associating with the wrong access point -- Privacy may be a top concern, but studies like the one published by JupiterMedia suggest that relatively few companies report losing confidential data due to wireless. In contrast, clients accidentally associating with the wrong AP and finding rogue access points were each reported by 17% of those surveyed.
14. e) All of the above -- All locations in and around the site should be surveyed to identify and reduce windows of opportunity for unauthorized use or malicious attacks.
15. d) Send SNMP traps to alert the network administrator -- WLAN analyzers focus on passively scanning channels, recording traffic, crunching the collected data and presenting it in many different ways. Analyzers may perform expert analysis to generate alerts, but they don't typically act as SNMP agents.
16. b) False -- Just because someone can detect the presence of your AP does not necessarily mean they can penetrate your AP to take advantage of or attack your network. You can't stop war drivers from finding your AP, but you can take appropriate countermeasures to block access to destination networks and servers.
This was first published in June 2003