Here are the answers to our tutorial test, Implementing WLAN security countermeasures. To learn more about wireless LAN countermeasures, listen to the accompanying on-demand tutorial webcast with Lisa Phifer.
1. d) All of the above -- Determining business risk involves understanding threats, how likely they are to occur in your WLAN and the value of assets that would be exposed, damaged or lost if they do. Your security policy should attempt to meet business needs with an acceptable level of business risk.
2. c) Loss of irreplaceable data on stolen PDA. -- PDA theft can result in lost data, whether or not it has a wireless interface. Back up data stored on PDAs to reduce this risk. If improperly secured, stolen PDAs can be used to gain unauthorized access into your WLAN, but that's a different threat.
3. d) All of the above. -- Service providers always have AUPs for subscribers – that's the fine print most people don't read when they sign up for service. Companies should have AUPs regarding hotspot use, no matter whether they intend to permit or prohibit use of business resources at public hotspots.
4. b) Pulling down window shades and closing office doors. -- Steel doors can partially impede radio waves, but the signal will travel through walls surrounding the door anyway. Don't count on physical barriers for wireless LAN security, but do design your AP's footprint to match your workspace as closely as possible while meeting performance requirements.
5. b.) False -- MAC ACLs don't scale very well and are vulnerable to MAC address spoofing. Furthermore, it is impossible to explicitly list attackers you have never seen before, so most ACLs explicitly permit authorized addresses and deny all others instead.
6. c) Prevent peer-to-peer attack on the WLAN. -- The firewall's job is to enforce policy at the protected network's security perimeter. Items a, b and d are common firewall features. However, perimeter firewalls cannot impact peer-to-peer traffic, so each station must defend itself from peer attack.
7. a.) True Many entry-level APs have easy-to-use Web setup pages, protected by a single administrative password. Enterprise APs can often be hardened by changing listening port numbers, limiting administrative IP addresses or interfaces, creating non-default logins or supporting SSH/VPN management channels with strong authentication.
8. a) Turning on WEP. -- WEP scrambles data sent and received to inhibit eavesdropping, but does nothing to stop the station itself from being actively attacked by another station. Disabling interfaces and personal firewalling narrows an attacker's window of opportunity, while antivirus software can detect and eradicate wireless-borne infections before they do damage.
9. b) False -- SSIDs are network names, used by APs and stations to locate each other and associate with the intended network.
10. c) The more traffic on the WLAN, the more often you should update key values. -- The best keys are very random, and there are more permutations possible with hexadecimal keys, so random hex keys are your strongest option. But any key can be compromised if it is used to send enough traffic, so "refreshing" the value is essential.
11. d) Any EAP method that supports your security policy. -- EAP-MD5 is never a good idea in a wireless network. But ultimately, you should choose EAP method(s) that support your security policy. For example, if you require client-side passwords, EAP-TLS does not meet your needs; if you require client-side certificates, LEAP does not meet your needs.
12. b) False -- PEAP supports both client-side certificates and client-side passwords – you choose. LEAP only supports passwords.
13. d) B and C, but not A. -- WEP attempts to duplicate the "privacy" of Ethernet, where every station can hear every other station. Therefore, in an 802.11 WLAN, any station with the shared key can decrypt traffic sent by every other station. When using TKIP or IPSec, every session starts with new keying material, so peers cannot decrypt each other's traffic.
14. d) All of the above. -- In TKIP, wireless stations start with a base key, delivered via 802.1X or derived from a configured passphrase. The sender's MAC address is mixed with the base key and IV to produce a Phase 1 key. The Phase 1 key is used to derive packet keys that are each used to encrypt just one frame.
15. b.) False -- IPSec and WEP both prevent sniffing, but they don't do the same job. WEP only encrypts the airlink. IPSec encrypts from the VPN client to VPN gateway, a path that usually involves many wireless and wired links. Using both can sometimes make sense – for example, a teleworker may always use IPSec for data sent to his company's network, but still use WEP to protect all traffic on his home WLAN.
16. a) True -- Don't confuse SSL portals with SSL VPNs. Once a station completes secure login with a captive portal, it can use any application to send any data. SSL VPNs authenticate the station, then use the SSL tunnel to protect all traffic exchanged between the browser and an SSL VPN gateway at the edge of the destination network.
17. b) Interactive User Authentication -- The Internet Key Exchange standard used by IPSec supports mutual system-level authentication only. Many IPSec products implement interactive user authentication with other protocols like XAUTH or L2TP, adding useful VPN client functionality but inhibiting interoperability. If you're planning to use IPSec to secure wireless traffic, choose VPN clients and gateways that have compatible remote access extensions.
This was first published in June 2003