Wireless Security

By | September 24, 2012

Here you will find answers to Wireless Security Questions


Question 1

Cisco Client Management Frame Protection is running on a mobility group with two controllers. Which two MFP requirements protect the network? (Choose two)

A. forces clients to authenticate, using a secure EAP method only
B. implements the validation of wireless management frames
C. requires CCXv5
D. requires the use of a non-broadcast SSID
E. requires CCXv4

Answer: B C

Explanation

In order to use client MFP, clients must support CCXv5 MFP and must negotiate WPA2 with either TKIP or AES-CCMP.

When management frame validation is enabled, the AP validates every management frame that it receives from other APs in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an AP that is configured to transmit MFP frames, it reports the discrepancy to the network management system.

(Reference: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml)
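The validation rule described above, as an added Python example (not Cisco's code and not part of the original page). It assumes a simplified frame model: HMAC-SHA256 truncated to 8 bytes stands in for the MFP MIC, and the key, BSSIDs and frames are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values: the page does not give the real MIC algorithm or key
# handling, so HMAC-SHA256 truncated to 8 bytes stands in for the MFP MIC.
MFP_KEY = b"constructed-demo-key"
MFP_BSSIDS = {"00:11:22:33:44:55"}  # APs configured to transmit MFP frames


def compute_mic(key, bssid, subtype, body):
    """MIC over the originator, frame subtype and frame content."""
    msg = bssid.encode() + b"|" + subtype.encode() + b"|" + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def validate(frame, key=MFP_KEY, mfp_bssids=MFP_BSSIDS):
    """Return None if the frame passes, else the discrepancy to report."""
    if frame["bssid"] not in mfp_bssids:
        return None  # originator is not configured for MFP: nothing to check
    mic = frame.get("mic")
    if mic is None:
        return "missing MIC IE"
    expected = compute_mic(key, frame["bssid"], frame["subtype"], frame["body"])
    if not hmac.compare_digest(mic, expected):  # constant-time comparison
        return "MIC IE does not match frame content"
    return None


def make_frame(bssid, subtype, body, signed=True):
    """Build a sample frame, optionally carrying a valid MIC."""
    mic = compute_mic(MFP_KEY, bssid, subtype, body) if signed else None
    return {"bssid": bssid, "subtype": subtype, "body": body, "mic": mic}


def audit(frames):
    """Collect (index, bssid, subtype, reason) for every frame to report."""
    reports = []
    for i, frame in enumerate(frames):
        reason = validate(frame)
        if reason:
            reports.append((i, frame["bssid"], frame["subtype"], reason))
    return reports


# Constructed sample traffic as seen by the validating AP.
good = make_frame("00:11:22:33:44:55", "beacon", b"ssid=corp")
unsigned = make_frame("00:11:22:33:44:55", "deauth", b"reason=7", signed=False)
tampered = dict(good, body=b"ssid=c0rp")  # content changed after signing
other = make_frame("66:77:88:99:aa:bb", "beacon", b"ssid=guest", signed=False)
SAMPLE = [good, unsigned, tampered, other]
```

Calling `audit(SAMPLE)` yields the two discrepancies that would be reported to the network management system; the unsigned frame from the BSSID outside `MFP_BSSIDS` is not reported.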

Question 2

When creating a wireless profile in the Cisco ADU, once you have selected the WPA/WPA2/CCKM radio button option, what other decision must you make and then configure on this same screen?

A. the address and the server secret of the authentication device you will authenticate with
B. the encryption type
C. the EAP type to be used for authentication
D. the length and value of the pre-shared key
E. the SSID of the wireless client

Answer: C

Question 3

What three authentication methods are generally used in enterprise wireless networks? (Choose three)

A. AE
B. CCKM
C. EAP-FAST
D. EAP-TLS
E. PEAP
F. WEP

Answer: C D E

Explanation

LEAP is fundamentally weak because it provides zero resistance to offline dictionary attacks. As LEAP began to gain a massive foothold in the enterprise market, a superior form of EAP called EAP-TLS (Transport Layer Security) was readily available and was completely resistant to password cracking because it didn’t rely on user passwords. EAP-TLS relied on digital certificates on both the server and the client end to facilitate mutual authentication and secure key exchange. Unfortunately, the need for a PKI (Public Key Infrastructure) deployment on the server end and across the installed user base was too great a barrier for many organizations.

To solve the need for a PKI, Funk Software created Tunneled Transport Layer Security (EAP-TTLS) to ease the deployment requirements by producing a standard that only required digital certificates on the authentication server end. Digital certificates were no longer needed on the client end, which had posed the biggest deployment barrier of all.

Similarly, Microsoft, Cisco and RSA collaborated and created their own “lite” version of EAP-TLS called PEAP, which in principle was the same as EAP-TTLS and also alleviated the need for client-side certificates.

But many organizations don’t want to deploy a digital certificate on their authentication server because of the $300/year price tag of a publicly trusted digital certificate, nor do they want to build their own Certificate Authority server or chain of servers. So many organizations still used LEAP, which is very insecure.

Cisco has responded to the threat of LEAP hacking and the reluctance of most of their customers to adopt PKI-based PEAP with their so-called “PKI-free” protocol, EAP-FAST.

(Reference: http://www.techrepublic.com/article/ultimate-wireless-security-guide-an-introduction-to-leap-authentication/6148551)

Question 4

A client is attached to the Cisco Unified Wireless network using controllers. When the client is using WPA2 and EAP authentication, where are the wireless encryption keys located during the active user session? (Choose two)

A. on the access point
B. on the RADIUS server
C. on the Cisco WCS
D. on the client
E. on the Cisco WLC

Answer: A D

Question 5

When choosing an EAP type for your Cisco ADU security profile, what must you ensure to authenticate successfully?

A. that the client and authentication server support the same encryption protocol
B. that the EAP type selected is known not to exchange any of its credentials in the clear
C. that the EAP type that you selected is supported by the authentication server
D. that the time set on the clocks for the wireless client and the authenticator are close to the same time
E. that WEP is not selected

Answer: C

Question 6

Which two attacks does Management Frame Protection help to mitigate? (Choose two)

A. Eavesdropping
B. Denial of Service
C. War Driving
D. Man-in-the-Middle

Answer: B D

Question 7

What security benefit is enabled by using Management Frame Protection?

A. Provides encryption of administrator sessions between a wireless client and a wireless LAN
B. Protects the network infrastructure from denial-of-service attacks that attempt to flood the network with associations and probes.
C. Prevents the formation of client ad hoc networks within the RF coverage domain.
D. Detects network reconnaissance probes, like those used by tools like NetStumbler, that attempt to discover the wireless network topology.

Answer: B

Question 8

The Cisco Secure Services Client suite comprises which three elements? (Choose three)

A. Cisco Secure Services Client
B. Cisco Secure Services Client Administration Utilities
C. Cisco Secure Services Client Auditor
D. Cisco Secure Services Client Desktop Configurator
E. Cisco Secure Services Client Log Packager
F. Cisco Secure Services Client Manager

Answer: A B E

Explanation

The Cisco Secure Services Client (SSC) is client software that provides 802.1x (Layer 2) user and device authentication for access to both wired and wireless networks.

There are three pieces of SSC software:

* The SSC itself (Cisco Secure Services Client): Client software that provides 802.1x user and device authentication for access to both wired and wireless networks.
* The Cisco Secure Services Client Administration Utilities: Allow you to create complex profiles.
* The Cisco Secure Services Client Log Packager: Collects system information for support.

An administrator would create profiles using the Cisco Secure Services Client Administration Utilities, which then generate an XML file that can be deployed network-wide to all the client machines.

(Reference: CCNA Wireless Official Exam Certification Guide)

Question 9

John works as a network administrator for Web Perfect Inc. The company has a wireless LAN network. John has configured shared key authentication on a client. The client and the AP start exchanging the frames to enable authentication. Which of the following vulnerabilities may occur while the client and the AP exchange the challenge text over the wireless link?

A. Land attack
B. Vulnerability attack
C. DoS attack
D. Man-in-the-middle attack

Answer: D

Explanation

A man-in-the-middle attack relies on spoofing a management frame to deauthenticate or disassociate the client. The Management Frame Protection (MFP) mechanism can be used to counteract such attacks.

Question 10

Which software is designed for both wired and wireless profile management and can access Cisco Enterprise networks?

A. ACS
B. SSC
C. CSA
D. SSL

Answer: B