Chapter 9: Implementing Wireless LAN Security

TRUE/FALSE 1. WEP2 attempted to overcome the limitations of WEP by adding two new security enhancements. ANS: T REF: 293

2. The block cipher used in 802.11i is the Data Encryption Standard (DES). ANS: F REF: 295

3. WPA authentication can be accomplished by using either IEEE 802.1x or pre-shared key (PSK) technology. ANS: T REF: 299

4. Pre-shared key (PSK) authentication uses a passphrase that is automatically generated to generate the encryption key. ANS: F REF: 304

5. A virtual private network (VPN) uses a public, unsecured network as if it were a private, secured network. ANS: T MULTIPLE CHOICE 1. What authentication system did the proposed WEP2 standard use? a. Kerberos c. dynamic WEP b. AES-CCMP d. key caching ANS: A REF: 293 REF: 312

2. In dynamic WEP, the ____ key is changed every time the user roams to a new AP or logs out and logs back in. a. broadcast c. passphrase b. unicast d. ticket ANS: B REF: 294

3. The 802.11i standard addresses both ____. a. encryption and confidentiality b. integrity and confidentiality ANS: D REF: 295

c. authentication and direction d. encryption and authentication

4. Within Step 2 of Advanced Encryption Standard (AES), multiple iterations (called rounds) are performed depending upon the key size: 128-bit key performs 9 rounds, a 192-bit key performs 11 rounds, and a 256-bit key uses ____ rounds. a. 13 c. 17 b. 15 d. 19

ANS: A

REF: 295

5. Within the IEEE 802.1x standard, ____ ensures that a device (wired or wireless) that requests access to the network is prevented from receiving any traffic until its identity can be verified. a. an access control list c. port scanning b. port security d. port blocking ANS: B REF: 296

6. What feature of IEEE 802.11i allows a device to become authenticated to an AP before moving to it? a. key caching c. pre-authentication b. port security d. message passing ANS: C REF: 296

7. How long is the per-packet key used in TKIP? a. 40-bits c. 128-bits b. 64-bits d. 256-bits ANS: C REF: 297

8. ____ replaces CRC in WPA. a. MIC b. MRC ANS: A REF: 298

c. CMR d. CMC

9. ____ was designed to address WEP vulnerabilities with a minimum of inconvenience. a. IEEE 802.11i c. dynamic WEP b. TGi d. WPA ANS: D REF: 299

10. What security technology was most recently introduced? a. WPA c. WEP2 b. WPA2 d. Dynamic WEP ANS: B REF: 300

11. The ____ wireless security standard provides a low level of security. a. Dynamic WEP c. WEP2 b. WEP d. All of the above ANS: D REF: 300

12. What is the first step in implementing an interim security model? a. shared key authentication c. turning off SSID beaconing b. port security d. MAC address filtering ANS: A REF: 302

13. When implementing an interim security model, most vendors have the option of a 128-bit WEP key, which can be created by entering 16 ____ characters. This provides the most secure option. a. ASCII c. hexadecimal b. ciphered d. plaintext

ANS: C

REF: 303

14. The personal security model is intended for settings in which a(n) ____ is unavailable. a. wired network c. AP b. authentication server d. intermediate security model ANS: B REF: 304

15. The ____ method of encryption is used in a personal security model. a. PSK c. TKIP b. WEP d. MAC ANS: C REF: 304

16. What is the name of the 128-bit key used in TKIP? a. temporal key c. XOR b. MIC d. PRNG ANS: A REF: 305

17. ____ is considered to be the heart and soul of WPA security. a. PSK c. MIC b. IV d. TKIP ANS: D REF: 306

18. Encryption under the WPA2 personal security model is accomplished by using the block cipher ____. a. TKIP c. PSK b. AES d. CBC ANS: B REF: 307

19. ____ authentication is used in the enterprise security model using WPA and WPA2. a. AES c. IEEE 802.1x b. TKIP d. All of the above ANS: C REF: 308

20. A ____ VPN is a user-to-LAN connection used by remote users. a. remote-access c. peer-to-peer b. site-to-site d. remote-to-LAN ANS: A REF: 312

21. At the heart of a WIDS are ____; these devices, which can be either separate hardware devices or a standard access point operating in a special scan mode, monitor the airwaves to detect signals from rogue access points. a. captive portals c. firewalls b. VPNs d. wireless sensors ANS: D COMPLETION 1. ____________________ was developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of network users. REF: 314

ANS: Kerberos REF: 293 2. In WPA, ________________________________________ encryption replaces WEPs small 40-bit encryption key that must be manually entered on wireless APs and devices and does not change. ANS: Temporal Key Integrity Protocol (TKIP) Temporal Key Integrity Protocol TKIP REF: 297 3. The ____________________ security model is designed for single users or small office home office (SOHO) settings of generally 10 or fewer wireless devices. ANS: personal REF: 304 4. The ____________________ security model is designed for medium to large-size organizations such as businesses, government agencies, and universities. ANS: enterprise REF: 308 5. Most consumer access points are in reality wireless ____________________, because they combine the functions of an access point, router, network address translator, firewall, and switch. ANS: gateways REF: 313 MATCHING Match each term with the correct statement below. a. pre-shared key authentication f. b. dynamic WEP g. c. AES-CCMP h. d. Advanced Encryption Standard i. e. 802.11i

supplicant key caching broadcast Message Integrity Check

1. stores information from a device on the network so if a user roams away from an AP and later returns, she does not need to re-enter all of the credentials 2. robust security network 3. designed to prevent an attacker from capturing, altering, and resending data packets 4. solves the weak IV problem by rotating the keys frequently 5. encryption protocol in the 802.11i standard 6. uses a passphrase that is manually entered to generate the encryption key 7. traffic sent to all users on the network

8. performs three steps on every block (128 bits) of plaintext 9. wireless device that requires secure network access 1. 2. 3. 4. 5. 6. 7. 8. 9. ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: G E I B C A H D F REF: REF: REF: REF: REF: REF: REF: REF: REF: 296 295 298 293 307 304 294 295 309

SHORT ANSWER 1. Describe Kerberos. ANS: Kerberos is typically used when someone on a network attempts to use a network service, and the service wants assurance that the user is who he says he is. The user is provided a ticket that is issued by the Kerberos server, much as a drivers license is issued by the DMV. This ticket contains information linking it to the user. The user presents this ticket to the network for a service. The service then examines the ticket to verify the identity of the user. If all checks out, the user is accepted. Kerberos tickets share some of the same characteristics as a drivers license: tickets are difficult to copy (because they are encrypted), they contain specific user information, they restrict what a user can do, and they expire after a few hours or a day. REF: 293 2. Describe the 802.1x authentication procedure. ANS: Step 1The wireless devices requests from the access point permission to join the wireless LAN. Step 2The access point asks the device to verify its identity. Step 3The device sends identity information to the access point which passes it on to an authentication server, whose only job is to verify the authentication of devices. The identity information is sent in encrypted form. Step 4The authentication server verifies or rejects the clients identity and returns the information to the access point. Step 5An approved client can now join the network and transmit data. REF: 296 3. Describe the Temporal Key Integrity Protocol used by Wi-Fi Protected Access (WPA). ANS: TKIP is a longer 128-bit per-packet key. The per-packet functionality of TKIP means that it dynamically generates a new key for each packet and thus prevents collisions. After accepting a devices credentials, the authentication server can use 802.1x to produce a unique master key for that user session. TKIP distributes the key to the client and AP, setting up an automated key hierarchy and management system. TKIP then dynamically generates unique keys to encrypt every data packet that is wirelessly communicated during a session.

REF: 297 4. What should a business do if the best possible security model cannot be implemented? ANS: The answer may be to implement the highest level of security based upon the current equipment in use. Although this is not the optimal solution, it is better than doing nothing at all. It should, however, be recognized that this should only be considered a transitional phase until migration to stronger wireless security is possible. Sometimes called the transitional security model, it should only be implemented as a temporary solution. A plan for the purchase and installation of new security equipment should be outlined before the transitional security model is implemented to ensure that upgrading is not put off until it is too late. REF: 301 5. Describe pre-shared key authentication. ANS: Pre-shared key (PSK) authentication uses a passphrase (the PSK) that is manually entered to generate the encryption key. Unlike WEP, the PSK is not used for encryption. Instead, it only serves as the starting seed value for mathematically generating the encryption keys themselves. However, one of the disadvantages with PSK involves initial key management. A key must be created and entered in the wireless access point and also on any wireless device (shared) prior to (pre) the devices communicating with the AP. REF: 304 6. Temporal Key Integrity Protocol (TKIP) has three major components to address vulnerabilities. List and describe them. ANS: MIC MIC (Message Integrity Check) protects against forgeries by ensuring that the message has not been tampered with, which CRC under WEP could not do. The original WEP design used a 24-bit initialization vector (IV) along with a secret key to generate a keystream. TKIP creates a different key for each packet. IV sequenceTKIP reuses the WEP IV field as a sequence number for each packet. Both the transmitter and receiver initialize the packet sequence space to zero whenever new TKIP keys are set, and the transmitter increments the sequence number with each packet it sends. This ensures that an attacker does not record a valid packet and then retransmit it. Also, the length of the sequence number (IV) has been doubled, from 24 bits to 48 bits. TKIP key mixingWEP constructs a per-packet RC4 key by concatenating a key and the packet IV. The new per-packet key construction, called the TKIP key mixing function, substitutes a temporary (temporal) key for the WEP base key and constructs a per-packet key that changes with each packet. Temporal keys have a fixed lifetime and are replaced frequently. REF: 306 7. A network supporting the 802.1x standard consists of three elements. Identify and describe each one. ANS:

A network supporting the 802.1x standard consists of three elements. The supplicant is the wireless device which requires secure network access. The supplicant sends the request to an authenticator that serves as an intermediary device. An authenticator can be an access point on a wireless network or a switch on a wired network. The authenticator sends the request from the supplicant to the authentication server. The authentication server accepts or rejects the supplicants request and sends that information back to the authenticator, which in turn grants or denies access to the supplicant. One of the strengths of the 802.1x protocol is that the supplicant never has direct communication with the authentication server. This minimizes the risk of attack on the authentication server, which contains valuable logon data for all users. The authentication server in an 802.1x configuration stores the list of the names and credentials of authorized users in order to verify their authenticity. Typically a Remote Authentication Dial-In User Service (RADIUS) server is used. When a user wants to connect to the wireless network, the request is first sent to the authenticator, which relays the information, such as the username and password, type of connection, and other information, to the RADIUS server. REF: 309 8. Describe Advanced Encryption Standard (AES). ANS: AES is a block cipher that uses the same key for both encryption and decryption. With AES, bits are encrypted in blocks of plaintext that are calculated independently, rather than a keystream acting across a plaintext data input stream. AES has a block size of 128 bits with three possible key lengths: 128, 192, and 256 bits as specified in the AES standard. For the WPA2/802.11i implementation of AES, a 128-bit key length is used. AES encryption includes four stages that make up one round. Each round is then iterated 10, 12, or 14 times depending upon the bit-key size. For the WPA2/802.11i implementation of AES, each round is iterated 10 times. REF: 311-312 9. What is a wireless gateway? ANS: Equipping an access point with additional functionality can create a device known as a wireless gateway. Most consumer access points are in reality wireless gateways, because they combine the functions of an access point, router, network address translator, firewall, and switch. On the enterprise level a wireless gateway may combine the functionality of a VPN and an authentication server. Wireless gateways can also be used to provide enhanced security to access points that are connected to it. REF: 313 10. What are the ways in which captive portals are used? ANS: Captive portals are used to notify users of the wireless policies and rules. They have to agree to these before they are granted access to the Internet. Captive portals can advertise to users specific services or products. Captive portals can also be used to authenticate users against a RADIUS server before they are granted Internet access. REF: 314