Wireless Security Lunchtime Learning: Final Exam Answers

1.) The correct answer is: d. All of the above
Both AES-CCMP and TKIP provide confidentiality by encrypting 802.11 data. Although 802.1X does not encrypt data, it does deliver the dynamic encryption keys used by AES-CCMP and TKIP.

2.) The correct answer is: a. Wireless intrusion prevention system
A spectrum analyzer helps to diagnose wireless interference with your WLAN, but you don't have a WLAN yet. While a stumbler can help you spot-check offices, looking for wireless APs, it cannot efficiently check over 500 offices or spot unauthorized wireless stations. You need an enterprise-class WIPS that can watch the air 24x7 at every office, providing a consolidated view of unauthorized wireless activity through a single console. You will also need a mobile WLAN analyzer for drill-down investigation.

3.) The correct answer is: c. PEAPv1
EAP-TLS requires client certificates, EAP-SIM requires handset Subscriber Identity Modules and PEAPv0/EAP-MSCHAPv2 requires a password hash. Of these types, only PEAPv1/EAP-GTC provides support for generic token card authentication methods like SecurID.

4.) The correct answer is: c. WPA-2 Enterprise with PEAP
WPA2 uses AES-CCMP to provide stronger, faster data protection than WPA. WPA-Enterprise uses 802.1X to provide more granular, robust access control and authentication than WPA-Personal. When using either WPA or WPA2-Enterprise, you must use at least one EAP Type. Protected EAP (PEAP) is a better choice than Lightweight EAP (LEAP) because PEAP is not vulnerable to dictionary attack.

5.) The correct answer is: b. VPN
VPNs provide end-to-end security for corporate data sent by teleworkers, applying security policies that are usually under your control. What about the others? MAC address access control lists are easily defeated by address spoofing. Teleworkers may still use them to avoid unintentional associations with neighbors, but this does nothing to protect corporate data. WEP is easily cracked. Teleworkers may still want to use WEP to deter neighbor eavesdropping on personal traffic, but WEP won't protect data sent over the Internet. VLANs are useful for traffic segregation inside corporate networks but are rarely used in residential networks.

6.) The correct answer is: c. Network access controller
A network access controller can offer Web-based captive portal authentication and apply policies that limit what visitors can send and the destinations they can reach. A traditional firewall could be helpful but is less well-suited to perform these specific tasks. VPN gateways and 802.1X are poor choices because you have no control over visitor devices, software or configuration.

7.) The correct answer is: b. EAP-FAST
EAP-FAST caters to small footprint clients, like VoWiFi handsets, that would be noticeably slowed by the digital certificate signature verification used in EAP-TLS. EAP-SIM and EAP-AKA are designed to authenticate devices like smartphones that roam between commercial 802.11 hotspots and public carrier telephone networks. But, in this scenario, you want to provide in-building communication, on a privately-operated network.

8.) The correct answer is: d. All of the above
A WIPS can automatically interfere with connections between authorized users and unknown rogue APs. Managing wireless client configurations can stop users from connecting to new, unprotected WLANs or changing security settings that require 802.1X or check server certificates. Using 802.1X with mutual authentication lets the client reject connections where the server does not present a trustworthy certificate. All of these steps can therefore reduce the risk posed by evil twin APs.

9.) The correct answer is: b. 802.11g AP not using protection
In a mixed b/g network, 802.11g APs should be configured to use a protection mechanism to avoid collisions with 802.11b traffic. If you did not know this, you may have been able to learn what these WIPS alerts meant by examining the alert description and accompanying recommendation.

10.) The correct answer is: c. 802.1Q
IEEE 802.1Q is the standard that defines the operation of Virtual LAN (VLAN) bridges that permit the definition, operation and administration of Virtual LAN topologies within a bridged LAN infrastructure.

This was last published in February 2006
