Chapter05 - Cisco Networking Academy

advertisement
Chapter 5
Review Questions
1. The stronger security standard developed by the IEEE committee to address
wireless vulnerabilities of the 802.11 standard is
a. 802.16.2
b. 802.5
c. 802.11i
d. 802.11e
2. The two primary security vulnerabilities of the original 802.11 wireless security
mechanism are
a. speed and data modeling
b. encryption and authentication
c. access codes and passwords
d. tokens and resources
3. The Wi-Fi Alliance was responsible for creating
a. WPA2
b. 802.11i
c. 802.11
d. AES-CMMPR
4. One step to enhancing encryption was to replace the RC4 stream cipher with a
stronger
a. block cipher
b. supplicant
c. authenticator
d. Dynamic TKIP
5. _____ is the IEEE foundation of future wireless security.
a. Robust Secure Network (RSN)
b. Wireless Access Protection 2 (WPA2)
c. Encryption Model II
d. Enterprise Standard Security (ESS)
6. Advanced Encryption Standard (AES) is a stream cipher. True or False?
7. The IEEE 802.11 standard enforces port security. True or False?
8. Key-caching stores information from a device on the network and is used when
roaming. True or False?
9. Wi-Fi Protected Access (WPA) is a subset of IEEE 802.11i. True or False?
10. TKIP performs encryption by using a per-packet key. True or False?
11. The _____replaces the Cyclic Redundancy Check (CRC) function. Message
integrity check (MIC)
12. Preshared key (PSK) is primarily used in authentication but also plays a role in
encrypting by serving as the _____ for mathematically generating the encryption
keys. seed
13. WPA2 allows both AES and TKIP clients to operate in the same WLAN, yet
_____ only recognizes AES. IEEE 802.11i
14. The _____ security model should only be implemented as a temporary solution.
transitional
15. Shared key authentication uses _____ keys for authentication. WEP
16. What is the advantage of turning off SSID filtering if it can easily be bypassed?
Despite the fact that configuring an access point to not allow the beacon frame to
include the SSID provides little protection, when implementing the transitional
security model SSID beaconing should be turned off for the limited amount of
security that it does provide. This may prevent a “casual” unauthorized user or
novice attacker using Windows XP from capturing the SSID and entering the
network. On those APs that do allow this configuration, SSID beaconing should be
turned off and the SSID entered manually on each device.
17. When should the personal security model be implemented?
A dramatically increased level of security can be achieved through using the
personal security model. The personal security model is designed for single users or
small office home office (SOHO) settings of generally ten or fewer wireless devices.
The personal security model is intended for settings in which an authentication
server is unavailable.
18. What three DHCP settings should be used in the transitional security model?
First, DHCP distributes addresses to network devices beginning at a starting
address and incrementing by a value of one for each device. Changing the starting
IP address is set to a higher number makes it more difficult for the attacker to
determine the IP address through trying each address. Second, the maximum
number of DHCP users can also be restricted. The maximum number of DHCP
users should be limited to the number of authorized devices on the network. If an
attacker is able to breach the wireless security protections and gain access to the
network, he would not be leased an IP address since the maximum has already been
distributed. The final defense based on DHCP is to set the length of the lease time.
Setting the lease time so that an attacker who gains access to the network does not
have indefinite use of the WLAN may deter an attacker from trying to reconnect
once the lease expires
19. How does a RADIUS server support IEEE 802.1x?
The authentication server in an 802.1x configuration stores the list of the names and
credentials of authorized users in order to verify their user authenticity. Typically a
Remote Authentication Dial-In User Service (RADIUS) server is used. When a user
wants to connect to the wireless network, the request is first sent to authenticator,
which relays the information, such as the username and password, type of
connection, and other information, to the RADIUS server. The server first
determines if the AP itself is permitted to send requests. If so, the RADIUS server
attempts to find the user’s name in its database. It then applies the password to
decide whether access should be granted to this user. Depending upon the
authentication method being used, the server may return a challenge message that
carries a random number. The authenticator relays the challenge to the user’s
computer, which must respond with the correct value to prove its asserted identity.
Once the RADIUS server is satisfied that the user is authentic and authorized to use
the requested service, it returns an “Accept” message to the AP.
20. What is the weakness of PSK passphrases?
A PSK is a 64-bit hexadecimal number. The most common way in which this
number is generated is by entering a passphrase (consisting of letters, digits,
punctuation, etc.) that is between 8 and 63 characters in length. PSK passphrases of
fewer than 20 characters can be subject to offline dictionary attacks. The original
PSK passphrase is mathematically manipulated (known as hashing) 4,096 times
before it is transmitted. An attacker who captures the passphrase can perform the
same hashing on dictionary words seeking a match. If a user created a PSK
passphrase of fewer than 20 characters that was a dictionary word then a match can
be found and the passphrase broken.
21. What is the Robust Secure Network (RSN)?
The vulnerabilities of a security system may not be revealed until after it has been
exposed to the public over a period of time. The time needed to react to new
vulnerabilities, propose solutions, and finally ratify those proposals can often take
years of effort. To address this the IEEE 802.11i standard also includes a component
known as the Robust Secure Network (RSN). RSN uses dynamic negotiation of
authentication and encryption algorithms between access points and wireless
devices. This dynamic negotiation of authentication and encryption algorithms lets
RSN evolve as vulnerabilities are exposed or improved security is introduced. This
allows WLANs to address new threats and continuing to provide the security
necessary to protect information.
Download