Chapter 7: Implementing Secure Wireless Networks

Introduction to the Wireless LAN

  1. Your supervisor has charged you with determining which 802.11 authentication method to use when deploying the new wireless network. Given your knowledge of the 802.11 specification, which of the following is the most secure 802.11 authentication method?

    A. Shared-key Authentication

    B. EAP-TLS

    C. EAP-MD5

    D. Open authentication

    ☑ D. Open authentication is actually more secure than shared-key authentication because it is not susceptible to a known plaintext attack, to which the shared-key authentication method is susceptible.

    ☒ A, B, C. Shared-key authentication is susceptible to a known plaintext attack if the attacker can capture the random challenge sent by the AP to the client, as well as the encrypted response from the client. The attacker can then try to brute-force the WEP key by trying to decrypt the encrypted response and comparing it to the random challenge sent by the AP, thus Answer A is incorrect. EAP-TLS and EAP-MD5 are authentication methods specified in the 802.1x standard, not the 802.11 standard, thus Answers C and D are incorrect.

  2. What are the two WEP key sizes available in 802.11 networks?

    A. 64-bit and 104-bit keys

    B. 24-bit and 64-bit keys

    C. 64-bit and 128-bit keys

    D. 24-bit and 104-bit keys

    ☑ C. The 802.11 specification calls for 64-bit keys for use in WEP. Later the specification was amended to allow for 128-bit keys as well.

    ☒ A, B, D. The actual key size of the secret key is 40 bits and 104 bits. When added to the 24-bit IV, you wind up with WEP key sizes of 64 bits and 128 bits, thus Answers A, B, and D are incorrect.

  3. Which of the following is a weakness in WEP related to the initialization vector (IV)? (Choose all that apply.)

    A. The IV is a static value, which makes it relatively easy for an attacker to brute-force the WEP key from captured traffic.

    B. The IV is transmitted in plaintext and can be easily seen in captured traffic.

    C. The IV is only 24 bits in size, which makes it possible that two or more data frames will be transmitted with the same IV, thereby resulting in an IV collision that an attacker can use to determine information about the network.

    D. There is no weakness in WEP related to the IV.

    ☑ B, C. The IV is transmitted in plaintext because the AP or the other ad hoc participants in the network must know its value in order to be able to recreate the WEP key to decrypt traffic. The small size of the IV space allows for the potential of IV collisions, which an attacker can use to XOR out the key stream used to encrypt the traffic and thereby possibly recover information such as IP address information from packets.

    ☒ A, D. The IV is not a static value; it is randomly determined, thus Answer A is incorrect. Some weaknesses associated with WEP are directly attributable to the short length of the IV, as mentioned previously, thus Answer D is incorrect.

  4. Bill, the network administrator, wants to deploy a wireless network and use open authentication. His problem is that he also wants to make sure that the network is not accessible by anyone. How can he authenticate users without a shared-key authentication mechanism? (Choose the best answer.)

    A. Use MAC address filters to restrict which wireless network cards can associate to the network.

    B. Deploy a RADIUS server and require the use of EAP.

    C. Set a WEP key on the APs and use it as the indirect authenticator for users.

    D. Use IP filters to restrict access to the wireless network.

    ☑ C. Use the WEP key as an indirect authenticator for open networks. Unlike shared-key authentication, open authentication does not provide for a challenge/response exchange and therefore does not expose the WEP key to a known plaintext cryptographic attack.

    ☒ A, B, D. MAC filtering does not absolutely authenticate a user, since MAC addresses are easily spoofed. In addition, MAC filtering is an administrative burden, thus Answer A is incorrect. Deploying a RADIUS server and deploying IP filters are both beyond the scope of the question, thus Answers B and D are incorrect.

  5. The 802.1x standard specifies a series of exchanges between the supplicant and the authentication server. Which of the following is not part of the 802.1x authentication exchange?

    A. Association request

    B. EAPoL start

    C. RADIUS-access-request

    D. EAP-success

    ☑ A. The association request is part of the 802.11 standard, not the 802.1x standard.

    ☒ B, C, D. The EAPoL start, RADIUS-access-request, and EAP-success messages are all part of the 802.1x authentication exchange, thus Answers B, C, and D are incorrect.

  6. 802.1x provides for mutual authentication of the supplicant and the authenticator. Which of the following 802.1x methods support mutual authentication?

    A. EAP-MD5

    B. EAP-PWD

    C. EAP-RC4

    D. EAP-TLS

    ☑ D. EAP-TLS provides for mutual authentication through the use of certificates.

    ☒ A, B, C. EAP-MD5 does not provide for mutual authentication of the supplicant and the authenticator, thus Answer A is incorrect. EAP-PWD and EAP-RC4 are not EAP authentication methods, thus Answers B and C are incorrect.

Wireless LAN Security Issues

  1. The 802.1x standard requires the use of an authentication server to allow access to the wireless LAN. You are deploying a wireless network and will use EAP-TLS as your authentication method. What is the most likely vulnerability in your network?

    A. Unauthorized users accessing the network by spoofing EAP-TLS messages.

    B. Denial of service attacks occurring because 802.11 management frames are not authenticated.

    C. Attackers cracking the encrypted traffic.

    D. None of the above.

    ☑ B. One of the biggest problems identified in a paper discussing 802.1x security is the lack of authentication in the 802.11 management frames and that 802.1x does not address this problem.

    ☒ A, C, D. Spoofing EAP-TLS is not possible, because the attacker needs the user's certificate and passphrase, thus Answer A is incorrect. Cracking encrypted traffic is possible but unlikely, since EAP-TLS allows for WEP key rotation, thus Answer C is incorrect. The lack of authentication in 802.11 is the most likely vulnerability, thus Answer B is incorrect.

  2. The tool NetStumbler detects wireless networks based on what feature?

    A. SSID

    B. WEP key

    C. MAC address

    D. CRC-32 checksum

    ☑ A. NetStumbler detects wireless networks by looking for SSIDs.

    ☒ B, C, D. NetStumbler does identify networks with WEP enabled but does not use that fact in identifying the network, thus Answer B is incorrect. NetStumbler does detect clients and APs based on their MACs but does not use this information for identifying wireless networks, thus Answer C is incorrect. CRC-32 checksums are of no concern to NetStumbler, thus Answer D is incorrect.

  3. Some DoS attacks are unintentional. Your wireless network at home has been having sporadic problems. The wireless network is particularly susceptible in the afternoon and the evenings. This is most likely due to which of the following possible problems?

    A. The AP is flaky and needs to be replaced.

    B. Someone is flooding your AP with traffic in a DoS attack.

    C. The wireless network is misconfigured.

    D. Your cordless phone is using the same frequency as the wireless network, and whenever someone calls or receives a call, the phone jams the wireless network.

    ☑ D. The most likely problem is that a cordless phone (or a microwave or one of many other wireless devices) is jamming the wireless signal because it uses the same frequency. This problem is becoming more and more common as cordless phone manufacturers use the 2.4 GHz frequency.

    ☒ A, B, C. Bad hardware is something to be concerned with but should not be considered the sole reason for problems until further investigation has been done to determine the source of the problem, thus Answer A is incorrect. It is possible, but not likely, that someone is launching a DoS attack against you, thus Answer B is incorrect. If a device is not configured properly, it wouldn't work at all, not just sporadically, thus Answer D is incorrect.

  4. You suspect that someone is stealing data from your company due to the fact that your closest competitor routinely seems to get its products to market weeks before you on every product you introduce. You have conducted sweeps of your organization's campus looking for surreptitious users and user actions but have yet to locate anything out of the ordinary. What type of wireless network attack are you most likely being subjected to?

    A. Spoofing

    B. Jamming

    C. Sniffing

    D. Man in the Middle

    ☑ C. You are being subjected to a sniffing attack whereby an attacker can simply sit passively and capture your wireless network traffic without giving an indication of suspicious activity. You would, in this case, need to investigate strong wireless network security, starting with the implementation of WEP and immediately followed with a solution such as TKIP and LEAP.

    ☒ A, B, D. Spoofing attacks are those in which the attacker tricks the network hardware into thinking that he or she is an authorized user, such as MAC spoofing, thus Answer A is incorrect. Jamming attacks are those in which high-power RF waves are targeted at a wireless network installation with the hope of knocking it out of operation by overpowering it, thus Answer B is incorrect. A man-in-the-middle attack is one in which an attacker sits between two communicating parties, intercepting and manipulating both sides of the transmission to suit his or her own needs, thus Answer D is incorrect.

  5. Your wireless network does use WEP to authorize users. You do, however, use MAC filtering to ensure that only preauthorized clients can associate with your APs. On Monday morning, you reviewed the AP association table logs for the previous weekend and noticed that the MAC address assigned to the network adapter in your portable computer had associated with your APs several times over the weekend. Your portable computer spent the weekend on your dining room table and was not connected to your corporate wireless network during this period of time. What type of wireless network attack are you most likely being subjected to?

    A. Spoofing

    B. Jamming

    C. Sniffing

    D. Man in the middle

    ☑ A. You are the victim of a MAC spoofing attack whereby an attacker has captured valid MAC addresses by sniffing your wireless network. The fact that you have no other protection in place has made becoming associated with your APs an easy task for this attacker.

    ☒ B, C, D. Jamming attacks are those in which high-power RF waves are targeted at a wireless network installation with the hope of knocking it out of operation by overpowering it, thus Answer B is incorrect. Although your network has been sniffed previously to obtain the valid MAC address, you are currently being attacked using a spoofing attack, thus Answer C is incorrect. A man-in-the-middle attack is one in which an attacker sits between two communicating parties, intercepting and manipulating both sides of the transmission to suit his or her own needs, thus Answer D is incorrect.

  6. The major weakness of WEP has to do with the fact that there are only a limited number of what available?

    A. IVs

    B. Packets

    C. Frames

    D. Beacons

    ☑ A. Only 2^24 IVs are available, which might seem like a lot until you realize that every frame or packet requires a unique IV. The entire stock of IVs could be exhausted in a short amount of time—perhaps just several hours—on a busy wireless network. This gives an attacker the opportunity to capture multiple frames using the same numerical IV, which is a large first step toward cracking the WEP key.

    ☒ B, C, D. Only 2^24 IVs are available, which might seem like a lot until you realize that every frame or packet requires a unique IV. The entire stock of IVs could be exhausted in a short amount of time—perhaps just several hours—on a busy wireless network. This gives an attacker the opportunity to capture multiple frames using the same numerical IV, which is a large first step toward cracking the WEP key, thus Answers B, C and D are incorrect.

Configuring Windows Client Computers for Wireless LAN Security

  1. In Windows 2000, how do you configure WEP protection for a wireless client?

    A. Open the network adapter Properties page and configure WEP from the Wireless Networks tab.

    B. Install the high-security encryption pack from Microsoft.

    C. Issue the computer a digital certificate from a Windows 2000 Certificate Authority.

    D. Use the utilities provided by the manufacturer of the network adapter.

    ☑ D. Windows 2000 does not provide integrated control and management of wireless network adapters, so you will need to perform all configuration using the vendor-supplied utilities.

    ☒ A, B, C. Windows 2000 does not have a Wireless Networks tab in the network adapter Properties page, thus Answer A is incorrect. Installing the high encryption pack from Microsoft just raises the encryption strength supported by the computer itself to 128 bits, thus Answer B is incorrect. Issuing the computer a digital certificate will not configure it for WEP protection in a wireless network, thus Answer C is incorrect.

  2. In Windows XP, how do you configure WEP protection for a wireless client?

    A. Open the network adapter Properties page and configure WEP from the Wireless Networks tab.

    B. Install the high-security encryption pack from Microsoft.

    C. Issue the computer a digital certificate from a Windows 2000 Certificate Authority.

    D. Use the utilities provided by the manufacturer of the network adapter.

    ☑ A. In about 95 percent or better of the cases, Windows XP integrates control and management of wireless network adapters into the network adapter Properties page.

    ☒ B, C, D. Installing the high encryption pack from Microsoft just raises the encryption strength supported by the computer itself to 128 bits, thus Answer B is incorrect. Issuing the computer a digital certificate will not configure it for WEP protection in a wireless network, thus Answer C is incorrect. In about 95 percent or better of the cases, Windows XP integrates control and management of wireless network adapters into the network adapter Properties page, so you cannot configure network adapters using the manufacturer's utilities, thus Answer D is incorrect.

  3. You are attempting to configure a client computer wireless network adapter in Windows XP. You have installed and launched the utility program that came with the adapter, but you cannot configure the settings from it. What is the source of your problem?

    A. You are not a member of the Network Configuration Operators group.

    B. You do not have the correct Windows Service Pack installed.

    C. You do not configure wireless network adapters in Windows XP through manufacturer's utilities.

    D. Your network administrator has disabled SSID broadcasting for the wireless network.

    ☑ C. In Windows XP, you must use the network adapter Properties page to perform wireless network configuration.

    ☒ A, B, D. Being a member of the Network Configuration Operators group is not required to make configuration changes to a wireless network adapter's properties, thus Answer A is incorrect. The Service Pack level has no bearing on being able to configure the network adapter properties, thus Answer B is incorrect. Closed networks, those that do not broadcast the SSID, have no effect on being able to configure the network adapter properties, thus Answer D is incorrect.



MCSE. MCSA Implementing & Administering Security in a Windows 2000 Network Study Guide Exam 70-214
MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
