Q O D

May 1, 2018 | Author: Kosala Samaranayake | Category: Wireless Lan, Ieee 802.11, Computer Network, Radius, Wi Fi

Q. 37 (28/2/2011)

Given: When using WPA or WPA2 Personal, selecting a passphrase with high entropy is critical. What is the best way to ensure you choose a high entropy passphrase?

A

Use a passphrase generator

B

Select a passphrase of at least eight or more characters

C

Use only special characters or numbers in the passphrase

D

Use a NIST-compliant naming convention

E

Encrypt the passphrase with an AES cipher

A.37

Given: When using WPA or WPA2 Personal, selecting a passphrase with high entropy is critical. What is the best way to ensure you choose a high entropy passphrase?

A

Use a passphrase generator

B

Select a passphrase of at least eight or more characters

C

Use only special characters or numbers in the passphrase

D

Use a NIST-compliant naming convention

E

Encrypt the passphrase with an AES cipher

Explanation: Entropy, or more precisely 'information entropy', is the measure of randomness. An intuitive understanding of information entropy relates to the amount of uncertainty about picking a passphrase, i.e. an object that could be translated into a string of bits. 'If you have a 32-bit word that is completely random, then it has 32 bits of entropy. If the 32-bit word takes only four different values, and each value has a 25% chance of occurring, then the word has 2 bits of entropy.' (Practical Cryptography, B. Schneier and N. Ferguson, p.155) The best way to ensure a passphrase has high entropy is to use a passphrase generator.
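As an added illustration (not part of the original page), the quoted entropy arithmetic and a generator sized for the 8 to 63 character WPA/WPA2-Personal passphrase range. The function names, the 128-bit default target and the skewed probabilities are assumptions made for the example.

```python
import math
import secrets
import string

# WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def shannon_entropy_bits(probabilities):
    """Entropy in bits of a source whose outcomes have the given probabilities."""
    if abs(sum(probabilities) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def generator_entropy_bits(alphabet_size, length):
    """Entropy of a string whose symbols are drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def min_length_for(target_bits, alphabet_size):
    """Shortest uniformly random string that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(target_bits=128, alphabet=PRINTABLE):
    """Generate a WPA2-Personal passphrase with at least target_bits of entropy."""
    symbols = sorted(set(alphabet))  # de-duplicate so every symbol is equally likely
    length = max(WPA_MIN_LEN, min_length_for(target_bits, len(symbols)))
    if length > WPA_MAX_LEN:
        raise ValueError("target entropy does not fit in 63 characters")
    # secrets draws from the OS CSPRNG; the random module is not suitable here.
    return "".join(secrets.choice(symbols) for _ in range(length))


if __name__ == "__main__":
    # The quoted example: four equally likely values carry 2 bits, however
    # many bits the word occupies.
    print(shannon_entropy_bits([0.25] * 4))
    # Constructed numbers for a human habit: one favourite value picked 85%
    # of the time out of four leaves under 1 bit.
    print(round(shannon_entropy_bits([0.85, 0.05, 0.05, 0.05]), 2))
    # Meeting the 8-character minimum says little about entropy.
    print(round(generator_entropy_bits(26, 8), 1))    # lowercase letters only
    print(round(generator_entropy_bits(94, 20), 1))   # full printable set
    print(generate_passphrase())
```

The entropy figures describe the selection process, not the resulting string, which is why a generator with a known alphabet and length is the only way to state them with confidence.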

Q. 38 (1/3/2011)

The measure of 100 mW of power is equivalent to what logarithmic unit of measure?

A

+20 dBm

B

-20 dBm

C

0 dB

D

+20 dB

E

0 dBm

F

-20 dB

A.38

The measure of 100 mW of power is equivalent to what logarithmic unit of measure?

A

+20 dBm

B

-20 dBm

C

0 dB

D

+20 dB

E

0 dBm

F

-20 dB

Explanation: The reference point is 0 dBm and 1 mW. For every +10 dB, the mW value is multiplied by 10. 1 mW x 10 x 10 = 100 mW, thus a gain of 20 dB is needed to move from the reference point to 20 dBm. The 'm' in dBm is referenced against 1 mW and represents an actual amount of power.

Q.39 (2/3/2011)

In what frequency band does the ERP-OFDM PHY operate?

A

915 MHz ISM band

B

2.4 GHz ISM band

C

5 GHz lower U-NII band

D

5 GHz middle U-NII band

E

5 GHz upper U-NII band

A. 39

In what frequency band does the ERP-OFDM PHY operate?

A

915 MHz ISM band

B

2.4 GHz ISM band

C

5 GHz lower U-NII band

D

5 GHz middle U-NII band

E

5 GHz upper U-NII band

Explanation: The IEEE 802.11 standard (as amended), along with the HR-DSSS (802.11b) and ERP-OFDM (802.11g) amendments operate in the 2.4 GHz ISM band. Thus far, the only amendment to the IEEE 802.11 standard (as amended) that operates in any other band is the OFDM (802.11a) amendment which uses the U-NII bands.

Q 40 (3/3/2011)

In order to implement a robust security network (RSN) as defined by the 802.11i-2004 amendment, an administrator may not implement _____________________?

A

The Wired Equivalent Privacy (WEP) Cipher Suite

B

The STAKey Handshake

C

The Pass-phrase-to-Preshared Key Algorithm

D

The Group Key Handshake

E

The TKIP Message Integrity Check (MIC) called 'Michael'

A. 40

In order to implement a robust security network (RSN) as defined by the 802.11i-2004 amendment, an administrator may not implement _____________________?

A

The Wired Equivalent Privacy (WEP) Cipher Suite

B

The STAKey Handshake

C

The Pass-phrase-to-Preshared Key Algorithm

D

The Group Key Handshake

E

The TKIP Message Integrity Check (MIC) called 'Michael'

Explanation: 802.11i-2004, Section 3.106 robust security network (RSN): A security network that allows only the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of Beacon frames that the group cipher suite specified is not wired equivalent privacy (WEP).

Q. 41 (4/3/2011)

What types of transmissions are protected using a group key hierarchy in an RSN network? (Choose 2)

A

Broadcast

B

Multicast

C

Unicast

D

Ad-hoc

E

Plaintext

A.41

What types of transmissions are protected using a group key hierarchy in an RSN network?

A

Broadcast

B

Multicast

C

Unicast

D

Ad-hoc

E

Plaintext

Explanation: A robust secure network (RSN) has two different key hierarchies used to protect traffic. The pairwise key hierarchy is used to protect unicast traffic, while broadcast and multicast traffic is protected by the group key hierarchy.

Q. 42 (5/3/2011)

You are the wireless systems engineer for XYZ company. Your company wants to upgrade their wireless infrastructure to support features such as VPN endpoints, WLAN capability, centralized management, 802.1X/EAP, Captive Portal, Role-based Access Control, and rogue AP detection. Which wireless solution would best meet the criteria for XYZ company?

A

WLAN controller

B

Enterprise Encryption Gateway

C

Consumer-grade wireless router

D

Autonomous AP infrastructure

E

WLAN Base Station

A.42

You are the wireless systems engineer for XYZ company. Your company wants to upgrade their wireless infrastructure to support features such as VPN endpoints, WLAN capability, centralized management, 802.1X/EAP, Captive Portal, Role-based Access Control, and rogue AP detection. Which wireless solution would best meet the criteria for XYZ company?

A

WLAN controller

B

Enterprise Encryption Gateway

C

Consumer-grade wireless router

D

Autonomous AP infrastructure

E

WLAN Base Station

Explanation: WLAN controllers and enterprise wireless gateways typically offer similar features, such as support for multiple authentication and encryption schemes, VPN support, centralized management, captive portal and RBAC support, and intrusion detection capabilities.

Q.43 (6/3/2011)

After implementing a wireless network, XYZ Company decided to update their security policy to include a wireless acceptable use policy. What are two purposes of this type of policy? (Choose 2)

A

Help protect the company from the introduction of malicious software

B

Reduce the likelihood of online dictionary or brute force attacks

C

Eliminate the chance of a denial-of-service (DoS) attack 

D

Reduce the number of false-positives reported in a wireless audit

E

Avoid default or misconfigured infrastructure devices

F

Avoid unnecessary performance problems on the wireless medium

A. 43

After implementing a wireless network, XYZ Company decided to update their security policy to include a wireless acceptable use policy. What are two purposes of this type of policy?

A

Help protect the company from the introduction of malicious software

B

Reduce the likelihood of online dictionary or brute force attacks

C

Eliminate the chance of a denial-of-service (DoS) attack 

D

Reduce the number of false-positives reported in a wireless audit

E

Avoid default or misconfigured infrastructure devices

F

Avoid unnecessary performance problems on the wireless medium

Explanation: An acceptable use policy (AUP) is a set of rules which restrict the ways in which the network may be used. Enforcement of AUPs varies with the network. AUPs are also used by schools, corporations, etc., delimiting what is and is not permitted for use of the computers. The intent is to help protect the network from the introduction of malicious software, and to avoid unnecessary performance problems.

Q. 44 (7/3/2011)

What security technologies, called for in the 802.11i-2004 amendment, may be implemented in an ERP-OFDM network to improve upon the security mechanisms offered by the original 802.11 standard? (Choose 3)

A

AES-CCMP

B

802.1X/EAP authentication

C

3DES block cipher

D

4-Way handshake

E

Shared Key authentication

F

RC4 stream cipher

A. 44

What security technologies, called for in the 802.11i-2004 amendment, may be implemented in an ERP-OFDM network to improve upon the security mechanisms offered by the original 802.11 standard?

A

AES-CCMP

B

802.1X/EAP authentication

C

3DES block cipher

D

4-Way handshake

E

Shared Key authentication

F

RC4 stream cipher

Explanation: 802.11i calls for the default use of the CCMP encryption scheme using the AES encryption algorithm. The TKIP encryption scheme using the RC4 encryption algorithm is also allowed. 802.1X port-based access control with Extensible Authentication Protocol (EAP) support and preshared keys are both specified as authentication mechanisms.
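An added sketch (not part of the original page) of the preshared-key path into the 4-Way handshake whose steps a) to f) this explanation lists: both ends map the passphrase and SSID to a PMK, derive the PTK from the nonces and addresses, and check the MIC. The MAC addresses, RSN IE and frame bodies are constructed, simplified stand-ins for real EAPOL-Key frames, and the function names are illustrative.

```python
import hashlib
import hmac
import os

# Constructed sample values (locally administered MAC addresses, made-up IE).
AA = bytes.fromhex("020000000001")    # Authenticator (AP) address
SPA = bytes.fromhex("020000000002")   # Supplicant (STA) address
RSN_IE = b"constructed-rsn-ie"


def passphrase_to_pmk(passphrase, ssid):
    """Pass-phrase-to-preshared-key mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """384-bit PTK for CCMP, split as KCK (16) | KEK (16) | TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def mic(ptk, frame):
    """MIC keyed with the KCK (first 16 bytes of the PTK), truncated to 128 bits."""
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_passphrase, sta_passphrase, ssid):
    """Run steps a) to f) with both ends in one process.

    Returns (message_2_mic_valid, temporal_keys_installed_and_equal).
    """
    ap_pmk = passphrase_to_pmk(ap_passphrase, ssid)
    sta_pmk = passphrase_to_pmk(sta_passphrase, ssid)

    # a) Authenticator -> Supplicant: ANonce. No MIC, since no PTK exists yet.
    anonce = os.urandom(32)

    # b) Supplicant picks SNonce and derives its PTK.
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(sta_pmk, AA, SPA, anonce, snonce)

    # c) Supplicant -> Authenticator: SNonce, RSN IE, MIC.
    msg2 = snonce + RSN_IE
    msg2_mic = mic(sta_ptk, msg2)

    # d) Authenticator derives the PTK from the received SNonce and checks the MIC.
    ap_ptk = derive_ptk(ap_pmk, AA, SPA, anonce, msg2[:32])
    if not hmac.compare_digest(mic(ap_ptk, msg2), msg2_mic):
        return False, False   # PMKs differ: discard message 2, install nothing

    # e) Authenticator -> Supplicant: ANonce, RSN IE, install flag, MIC.
    #    (The GTK, encrypted under the KEK, is left out of this sketch.)
    msg3 = anonce + RSN_IE + b"\x01"
    msg3_mic = mic(ap_ptk, msg3)
    if not hmac.compare_digest(mic(sta_ptk, msg3), msg3_mic):
        return True, False

    # f) Supplicant -> Authenticator: confirmation that the keys are installed.
    msg4 = b"keys-installed"
    msg4_ok = hmac.compare_digest(mic(ap_ptk, msg4), mic(sta_ptk, msg4))
    return True, msg4_ok and ap_ptk[32:] == sta_ptk[32:]


if __name__ == "__main__":
    print(four_way_handshake("constructed passphrase", "constructed passphrase", "ExampleSSID"))
    print(four_way_handshake("constructed passphrase", "different passphrase", "ExampleSSID"))
```

Neither the passphrase nor the PMK crosses the air; only the nonces and MICs do, so in preshared-key mode the strength of the exchange rests on the entropy of the passphrase.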

Section 5.9.1 specifies use of 802.1X as follows: 'IEEE 802.11 depends upon IEEE 802.1X to control the flow of MAC service data units (MSDUs) between the DS and STAs by use of the IEEE 802.1X Controlled/Uncontrolled Port model. IEEE 802.1X authentication frames are transmitted in IEEE 802.11 data frames and passed via the IEEE 802.1X Uncontrolled Port. The IEEE 802.1X Controlled Port is blocked from passing general data traffic between two STAs until an IEEE 802.1X authentication procedure completes successfully over the IEEE 802.1X Uncontrolled Port. It is the responsibility of both the Supplicant and the Authenticator to implement port blocking. Each association between a pair of STAs creates a unique pair of IEEE 802.1X Ports, and authentication takes place relative to those ports alone.'

802.11i (Figure below) illustrates use of EAP authentication with 802.1X port-based access control. The 4-Way handshake is used both by 802.1X/EAP and preshared key implementations and consists of the following steps:

a) The Authenticator sends an EAPOL-Key frame containing an ANonce.

b) The Supplicant derives a PTK from ANonce and SNonce.

c) The Supplicant sends an EAPOL-Key frame containing SNonce, the RSN information element from the (Re)Association Request frame, and a MIC.

d) The Authenticator derives PTK from ANonce and SNonce and validates the MIC in the EAPOL-Key frame.

e) The Authenticator sends an EAPOL-Key frame containing ANonce, the RSN information element from its Beacon or Probe Response messages, MIC, whether to install the temporal keys, and the encapsulated GTK.

f) The Supplicant sends an EAPOL-Key frame to confirm that the temporal keys are installed.

Q.45 (8/3/2011)

What differentiates an overlay wireless intrusion prevention system (WIPS) from WIPS integrated into a WLAN controller?

A

Overlay WIPS is limited to accessing wireless traffic at the physical and data-link layer, while integrated WIPS has access to layers 3-7 as well.

B

Only overlay WIPS monitors the RF for attack signatures and undesirable performance issues

C

Only overlay WIPS can use dedicated wireless sensors to passively monitor traffic

D

Integrated WIPS may also be used to assist with fast/secure roaming between autonomous APs.

A.45

What differentiates an overlay wireless intrusion prevention system (WIPS) from WIPS integrated into a WLAN controller?

A

Overlay WIPS is limited to accessing wireless traffic at the physical and data-link layer, while integrated WIPS has access to layers 3-7 as well.

B

Only overlay WIPS monitors the RF for attack signatures and undesirable performance issues

C

Only overlay WIPS can use dedicated wireless sensors to passively monitor traffic

D

Integrated WIPS may also be used to assist with fast/secure roaming between autonomous APs.

Explanation: In an overlay WIPS monitoring deployment, organizations augment their existing WLAN infrastructure with dedicated wireless sensors. These are connected to the network in a manner similar to access points. However, while access points provide client connectivity, WIPS sensors are primarily passive devices that monitor the air for signs of attack or other undesired wireless activity. In an overlay WIPS system, the WIPS vendor provides a controller in the form of a server or appliance that collects and assesses information from the WIPS sensors that is monitored by an administrator. These devices do not otherwise participate with the rest of the wireless network, and are limited to assessing traffic at the physical layer (layer 1) and the data-link layer (layer 2). This is not true for integrated WIPS that can access all OSI layers.

For more information, see Joshua Wright's whitepaper: A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model.

Q.46 (9/3/2011)

Given: An inherent weakness of the original IEEE 802.11 standard is the lack of AAA (Authentication, Authorization, and Accounting) services. What technology is used as part of a network to provide AAA services to enhance wireless security?

A

IEEE 802.1X

B

EAP

C

WEP

D

RADIUS

E

L2TP/IPSec

F

PPTP

A. 46

Given: An inherent weakness of the original IEEE 802.11 standard is the lack of AAA (Authentication, Authorization, and Accounting) services. What technology is used as part of a network to provide AAA services to enhance wireless security?

A

IEEE 802.1X

B

EAP

C

WEP

D

RADIUS

E

L2TP/IPSec

F

PPTP

Explanation: The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a Network Access Server (NAS) and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations. A RADIUS AAA server can manage user profiles for authentication (verifying user name and password), configuration information that specifies the type of service to deliver, and policies to enforce that may restrict user access.

Q 47 (10/3/2011)

As part of its corporate security policy, your organization requires all wireless LANs to be separated from the wired network core using a device capable of authentication, data encryption, and throughput limiting. Which device will accomplish this policy requirement?

A

Wireless workgroup bridge

B

Transparent tunneling bridge

C

Wireless LAN controller

D

Personal firewall software

A 47

As part of its corporate security policy, your organization requires all wireless LANs to be separated from the wired network core using a device capable of authentication, data encryption, and throughput limiting. Which device will accomplish this policy requirement?

A

Wireless workgroup bridge

B

Transparent tunneling bridge

C

Wireless LAN controller

D

Personal firewall software

Explanation: A Wireless LAN controller is the only segmentation device in the listed answers that is capable of performing all three functions. Examples of such devices are EWGs and WLAN switches. A Wireless workgroup bridge is incorrect because a workgroup bridge is a device that allows you to connect multiple wired devices through, essentially, a shared radio. A Transparent tunneling bridge does not exist. Personal firewall software is incorrect because it only filters packets and does not provide for authentication, data encryption, or throughput limiting.

Q 48 (11/3/2011)

You have been tasked with implementing your company's wireless security. Among your options are standard and non-standard solutions. What risks are increased when using a non-standard solution? (Choose 3)

A

You are more likely to become 'vendor-locked'

B

Your solution may not interoperate with other parts of the system

C

Support for your solution may be discontinued

D

An increased amount of known vulnerabilities with your solution will be discovered

E

The solution will be inherently less secure than a standards-based solution

F

Additional training will be required to successfully implement the solution

A 48

You have been tasked with implementing your company's wireless security. Among your options are standard and non-standard solutions. What risks are increased when using a non-standard solution?

A

You are more likely to become 'vendor-locked'

B

Your solution may not interoperate with other parts of the system

C

Support for your solution may be discontinued

D

An increased amount of known vulnerabilities with your solution will be discovered

E

The solution will be inherently less secure than a standards-based solution

F

Additional training will be required to successfully implement the solution

Explanation: When using proprietary or non-standard solutions, risks increase of your systems not interoperating with other standards-based systems now or in the future. Also, because you are basing your solution on a single vendor, you are dependent upon that vendor for future systems that may only interoperate with your current solution, 'locking' you into that vendor. Vendors often make business decisions to discontinue support for a particular solution or technology. If you are using a non-standard solution, the ability to find support from someone other than the original vendor may be difficult and expensive, forcing you to change your solution completely. Because the market is typically larger for standards based solutions, known vulnerabilities will generally be discovered (and patched) more quickly for them. Proprietary solutions can be just as secure or more so than standards-based solutions, and additional training may or may not be required.

Q.49 (12/3/2011)

Which of the following is true regarding industry organizations/agencies? (Choose 2)

A

Government agencies regulate the wireless LAN devices' use of the RF spectrum through the use of specific standards such as HR-DSSS, ERP-OFDM, and OFDM.

B

An IEEE standard must be ratified before it can be implemented and sold in a manufacturer's product.

C

The goal of the Wi-Fi Alliance is to certify interoperability of wireless local area network products.

D

To address the weaknesses found in WEP, the IEEE introduced WPA, followed by WPA2.

E

Regulatory bodies such as the FCC have the ability to mandate where on the RF spectrum a wireless LAN can operate, and certify a wireless system.

A.49

Which of the following is true regarding industry organizations/agencies?

A

Government agencies regulate the wireless LAN devices' use of the RF spectrum through the use of specific standards such as HR-DSSS, ERP-OFDM, and OFDM.

B

An IEEE standard must be ratified before it can be implemented and sold in a manufacturer's product.

C

The goal of the Wi-Fi Alliance is to certify interoperability of wireless local area network products.

D

To address the weaknesses found in WEP, the IEEE introduced WPA, followed by WPA2.

E

Regulatory bodies such as the FCC have the ability to mandate where on the RF spectrum a wireless LAN can operate, and certify a wireless system.

Explanation: The goal of the Wi-Fi Alliance is to certify interoperability of wireless LAN devices. Regulatory bodies govern the RF spectrum. Some regulatory bodies require that 802.11 enabled products be tested at a certified lab to ensure that the radio does not exceed radiation limits and cause interference with other devices operating at these frequencies. The IEEE specifies standards such as HR-DSSS (802.11b), ERP-OFDM (802.11g), and OFDM (802.11a), not the FCC. Manufacturers often create proprietary or 'pre-standard' equipment. Examples include pre-G and pre-N access points. WPA and WPA2 are not IEEE standards, but were created by the Wi-Fi Alliance based upon IEEE standards such as 802.11i.

Q.50 (13/3/2011)

Senior management of XYZ Company is complaining that implementations of their client's wireless networks take too long to complete. They want to know if a complete RF site survey is necessary. As their senior wireless systems analyst, what do you tell them? (Choose 2)

A

Self-managing wireless networks minimize the need for an onsite site survey

B

Must know RF behavior and interference sources to determine access point placement

C

Virtual site surveys are just as accurate and eliminate the need for expensive manual site surveys

D

A wireless network will not work if a site survey is not first completed

E

Performing a site survey will ensure wireless networks will not experience cochannel interference

A.50

Senior management of XYZ Company is complaining that implementations of their client's wireless networks take too long to complete. They want to know if a complete RF site survey is necessary. As their senior wireless systems analyst, what do you tell them?

A

Self-managing wireless networks minimize the need for an onsite site survey

B

Must know RF behavior and interference sources to determine access point placement

C

Virtual site surveys are just as accurate and eliminate the need for expensive manual site surveys

D

A wireless network will not work if a site survey is not first completed

E

Performing a site survey will ensure wireless networks will not experience cochannel interference

Explanation: RF site surveys are the single most important part of a successful wireless implementation. If a thorough site survey is not performed, the wireless LAN might never work properly, and the site could spend significant amounts of money on hardware that doesn't perform the intended tasks. Site surveys answer how many access points should be used, and where they should be placed. Self-organizing systems rely on the logic of the access points to sense the environment and make adjustments to channel selection and power output, minimizing or eliminating the need for manual site surveys, depending on the accuracy of the decision making. Virtual site surveys use predictive modeling to forecast a WLAN's coverage areas, channel assignments, data rates, AP number and placement, and power output of each AP. Virtual site surveys can be highly accurate, depending on the accuracy of the information provided in the model, and offer a great 'starting point' for AP placement.

Manual site surveys are typically used to validate a predictive analysis and 'tweak' access point placement, making them more accurate. Because they sample actual RF signals, they are able to identify outside wireless networks that may cause co-channel interference and affect the design of the wireless implementation.

Q 51 (14/3/2011)

Q.52 (15/3/2011)

An intruder locates an unprotected 802.11b WLAN and gains control of two access points and a wireless bridge using the default SNMP read/write community strings. What types of wireless auditing tools are required for the intruder to locate the WLAN, discover the infrastructure devices, and exploit this particular security hole?

A

Netstumbler, share enumerator, wireless protocol analyzer, and spectrum analyzer

B

MacStumbler, OS fingerprinting & port scanning tool, and WEP decryption software

C

Wireless protocol analyzer, IP scanning utility, and network management software

D

IP scanning utility, network management software, access point software, and an RF jamming device

E

Network management software, WEP decryption software, application layer analyzer, and an SSH2 client utility

A.52

An intruder locates an unprotected 802.11b WLAN and gains control of two access points and a wireless bridge using the default SNMP read/write community strings. What types of wireless auditing tools are required for the intruder to locate the WLAN, discover the infrastructure devices, and exploit this particular security hole?

A

Netstumbler, share enumerator, wireless protocol analyzer, and spectrum analyzer

B

MacStumbler, OS fingerprinting & port scanning tool, and WEP decryption software

C

Wireless protocol analyzer, IP scanning utility, and network management software

D

IP scanning utility, network management software, access point software, and an RF jamming device

E

Network management software, WEP decryption software, application layer analyzer, and an SSH2 client utility

Explanation: This is a three-tiered problem.

1. First, you need to identify the target WLAN devices by using a tool such as a wireless protocol analyzer. Protocol analyzers monitor the RF environment in order to display a list of wireless devices and decode captured frames.

2. Second, the identified hosts need to be enumerated to identify 'listening' ports and services. There are a number of 'IP scanning tools' that can perform this function, such as nmap, SuperScan, or WS Ping ProPack.

3. Once the services have been discovered, they can potentially be exploited. In this case, SNMP was both running and was configured to use very weak, default community strings. These community strings were then tried by using network management software to exploit the discovered vulnerability.

Q.53 (16/3/2011)

You have won a contract to install a wireless network for XYZ Company based upon another consultant's wireless site survey. What things should you expect to see in the site survey report to help you with your installation? (Choose 3)

A

Client requirements and how they can be met

B

Vendor make and model configuration settings

C

Access point naming conventions

D

Number of access points required

E

Graphical representation of RF coverage areas

F

Detailed implementation instructions

A.53

You have won a contract to install a wireless network for XYZ Company based upon another consultant's wireless site survey. What things should you expect to see in the site survey report to help you with your installation?

A

Client requirements and how they can be met

B

Vendor make and model configuration settings

C

Access point naming conventions

D

Number of access points required

E

Graphical representation of RF coverage areas

F

Detailed implementation instructions

Explanation: Site surveys are used to answer how many access points are needed and where they should be located. Additionally, configuration settings such as output power and channel selection should be included. Client requirements such as throughput requirements, reliability, etc. will drive design decisions and should be noted. Today it is common to include heat map representations of RF coverage areas.

Q 54 (17/3/2011)

Given: Beacons are transmitted periodically to allow mobile stations to locate and identify a BSS, as well as keep each wireless station in sync with the access point to allow for those stations to use sleep mode. What part of the beacon is used to keep each wireless station's timer synchronized?

A

Beacon Interval

B

Timestamp

C

Traffic Indication Map (TIM)

D

DTIM

E

Sync Field

A 54

Given: Beacons are transmitted periodically to allow mobile stations to locate and identify a BSS, as well as keep each wireless station in sync with the access point to allow for those stations to use sleep mode. What part of the beacon is used to keep each wireless station's timer synchronized?

A

Beacon Interval

B

Timestamp

C

Traffic Indication Map (TIM)

D

DTIM

E

Sync Field

Explanation: Each beacon contains a timestamp value placed there by the access point. When stations receive the beacon, they change their clock to reflect the time of the clock on the access point. This allows stations to stay synchronized, ensuring time-sensitive functions are performed without error.

Q. 55 (18/3/2011)

A university's WLAN administrator is seeking an efficient and effective method of detecting and eliminating rogue access points and wireless Ad Hoc networks across the entire campus. The administrator's friend suggests that he use a WLAN protocol analyzer to perform a weekly survey of the campus to discover rogue devices. The administrator considers this option and then asks you to offer advice on the subject. What is your advice to the administrator? (Choose 2)

A

In a campus environment, manual scanning for rogues requires too much time and resources to effectively and consistently locate all rogue devices. A system is needed that can inspect the entire campus in real time.

B

WLAN protocol analyzers will not detect rogue devices that do not use the 802.11 protocol frame format.

C

Because WLAN protocol analyzers can see all frames on the wireless medium, they are the most comprehensive solution for detecting rogue wireless devices of any kind.

D

By assigning one IT worker to do weekly scans using a WLAN protocol analyzer, Wi-Fi, Bluetooth, and Infrared rogue access points and Ad Hoc networks can be effectively located and removed.

E

WLAN protocol analyzers are not a comprehensive rogue detection solution because they cannot detect access points that are configured to hide the SSID in beacons.

A. 55

A university's WLAN administrator is seeking an efficient and effective method of detecting and eliminating rogue access points and wireless Ad Hoc networks across the entire campus. The administrator's friend suggests that he use a WLAN protocol analyzer to perform a weekly survey of the campus to discover rogue devices. The administrator considers this option and then asks you to offer advice on the subject. What is your advice to the administrator?

A

In a campus environment, manual scanning for rogues requires too much time and resources to effectively and consistently locate all rogue devices. A system is needed that can inspect the entire campus in real time.

B

WLAN protocol analyzers will not detect rogue devices that do not use the 802.11 protocol frame format.

C

Because WLAN protocol analyzers can see all frames on the wireless medium, they are the most comprehensive solution for detecting rogue wireless devices of any kind.

D

By assigning one IT worker to do weekly scans using a WLAN protocol analyzer, Wi-Fi, Bluetooth, and Infrared rogue access points and Ad Hoc networks can be effectively located and removed.

E

WLAN protocol analyzers are not a comprehensive rogue detection solution because they cannot detect access points that are configured to hide the SSID in beacons.

Explanation: In large IT environments (enterprises and campuses), doing consistent 'walk about' scans is impractical and ineffective. Wireless Intrusion Prevention Systems should be used to inspect the entire campus environment in real time using distributed sensors and a central engine/console. Additionally, WIPS can enforce policy adherence across the WLAN environment.

Q. 56 (19/3/2011)

You have been hired by ABC Corporation to perform a WLAN security audit. ABC's network manager has attended a one-day manufacturer's seminar on WLAN security and, in your opinion, knows only enough to ask good questions of a WLAN security professional. The network manager asks you about the specific advantages of TKIP over WEP. You explain that TKIP has the following advantages over WEP: (Choose 2)

A

Inclusion of SHA-HMAC authentication to prevent man-in-the-middle attacks

B

Inclusion of a strong MIC to prevent in-transit frame tampering and replay attacks

C

Replacement of IVs with LIVs to prevent attacks against weak passwords

D

Replacement of CRC-32 with ICV-32 to prevent brute-force attacks against RC4

E

Per-packet keying to prevent weak initialization vectors from being used to derive the WEP key

A 56

You have been hired by ABC Corporation to perform a WLAN security audit. ABC's network manager has attended a one-day manufacturer's seminar on WLAN security and, in your opinion, knows only enough to ask good questions of a WLAN security professional. The network manager asks you about the specific advantages of TKIP over WEP. You explain that TKIP has the following advantages over WEP:

A

Inclusion of SHA-HMAC authentication to prevent man-in-the-middle attacks

B

Inclusion of a strong MIC to prevent in-transit frame tampering and replay attacks

C

Replacement of IVs with LIVs to prevent attacks against weak passwords

D

Replacement of CRC-32 with ICV-32 to prevent brute-force attacks against RC4

E

Per-packet keying to prevent weak initialization vectors from being used to derive the WEP key

Explanation: TKIP is included as an optional security protocol in the 802.11i amendment. WPA-Personal and WPA-Enterprise implement TKIP. TKIP includes an 8-byte MIC to prevent frame tampering and replay attacks, in addition to the CRC-32 already included with WEP. TKIP supports per-packet keying and an extended initialization vector (IV) length (from 24 bits to 48 bits) to prevent attacks aimed at weak IVs.

Q 57 (20/3/2011)

A GAIN of 3 dB will yield what power ratio?

A

2:1

B

3:1

C

10:1

D

1:10

E

5:1

A 57

A GAIN of 3 dB will yield what power ratio? A

2:1

B

3:1

C

10:1

D

1:10

E

5:1

Explanation: A gain of 3 dB will multiply the actual amount of power output by a factor of 2. A gain of 3 dB can be expressed as a ratio of 2:1 (2 to 1).

Q 58 (21/3/2011)

For which of the following tasks is the Wi-Fi Alliance responsible? (Choose 2)

A

Certifying 802.11 FHSS, DSSS, and OFDM systems for interoperability.

B

Providing the Wi-Fi logo to vendors that meet basic levels of interoperability with other wireless LAN devices.

C

Creating the Wi-Fi Multimedia (WMM) certification based on a subset of the features described in the 802.11d draft standard.

D

Outlining the WPA-Enterprise and WPA-Personal standards to both use TKIP.

E

Creating the WPA2 standard based upon the 802.1X security standard.

A 58 For which of the following tasks is the Wi-Fi Alliance responsible? A Certifying 802.11 FHSS, DSSS, and OFDM systems for interoperability. B Providing the Wi-Fi logo to vendors that meet basic levels of interoperability with other wireless LAN devices. C Creating the Wi-Fi Multimedia (WMM) certification based on a subset of the features described in the 802.11d draft standard. D Outlining the WPA-Enterprise and WPA-Personal standards to both use TKIP. E Creating the WPA2 standard based upon the 802.1X security standard.

Explanation: The Wi-Fi Alliance allows any vendor's product it grants a certification for interoperability to use the Wi-Fi logo on advertising and packaging for the certified product. The Wi-Fi Alliance created Wi-Fi Protected Access (WPA) as a solution to counteract the weaknesses in WEP, until the 802.11i standard was ratified. WPA has two distinct modes: WPA-Enterprise and WPA-Personal, which both use TKIP for encryption. The Wi-Fi Alliance does not certify FHSS systems. The WMM certification is based on a subset of features described in the 802.11e standard. The WPA2 standard is based upon the 802.11i security standard.

Q 59 (22/3/2011)

Which configurations are considered optional for Wi-Fi Protected Setup Certification? (Choose 2)

A

Near Field Communications (NFC)

B

Personal Identification Number (PIN)

C

Universal Serial Bus (USB)

D

Push Button Configuration (PBC)

E

Pre-shared Key (PSK)

A 59 Which configurations are considered optional for Wi-Fi Protected Setup Certification? A Near Field Communications (NFC) B Personal Identification Number (PIN) C Universal Serial Bus (USB) D Push Button Configuration (PBC) E Pre-shared Key (PSK)

Explanation: The Wi-Fi Protected Setup specification mandates that all Wi-Fi CERTIFIED products that support Wi-Fi Protected Setup are tested and certified to include both PIN and PBC configurations in APs, and at a minimum, PIN in client devices. A Registrar, which can be located in a variety of devices, including an AP or a client, issues the credentials necessary to enroll new clients on the network. In order to enable users to add devices from multiple locations, the specification also supports having multiple Registrars on a single network. Registrar capability is mandatory in an AP. The optional NFC and USB methods, like PBC, join devices to a network without requiring the manual entry of a PIN. In NFC configuration, Wi-Fi Protected Setup is activated simply by touching the new device to the AP or another device with Registrar capability. The USB method transfers credentials via a USB flash drive (UFD). Both provide strong protection against adding an unintended device to the network. However, Wi-Fi certification for USB and NFC is not currently available.

Q 60 (23/3/2011)

What is used by wireless LANs to overcome the problems associated with the inability to detect collisions?

A

Antenna diversity

B

Acknowledgement frames

C

Frame fragmentation

D

Station polling

E

StrictlyOrdered service class

A 60 What is used by wireless LANs to overcome the problems associated with the inability to detect collisions? A Antenna diversity B Acknowledgement frames C Frame fragmentation D Station polling E StrictlyOrdered service class

Explanation: Every data frame, whether fragmented or not, is acknowledged by the receiver with an acknowledgement frame. Some management frames are also acknowledged. Since radios are half duplex (meaning they can either receive or transmit, but not both simultaneously), they cannot hear a collision with the frame they are transmitting. Antenna diversity is used to offset the negative effects of multipath. Frame fragmentation is used to decrease network overhead due to retransmissions in a noisy RF environment. Station polling happens only in PCF or HCF modes, and is unrelated to collision detection. StrictlyOrdered service requires that an AP deliver frames to stations in the order that they were received per section 6.1.3 of the IEEE 802.11 standard (as amended).

Q 61 (24/3/2011)

Within the IPSec's ESP tunnel mode, which parts of the frame are encrypted? (Choose 3)

A

ESP Header

B

Original IP Header

C

IP Payload

D

ESP Trailer

E

ESP Authentication Trailer

A 61 Within the IPSec's ESP tunnel mode, which parts of the frame are encrypted? A ESP Header B Original IP Header C IP Payload D ESP Trailer E ESP Authentication Trailer

Explanation: ESP tunnel mode encapsulates an IP packet with both an ESP and IP header and an ESP authentication trailer. The original header is placed after the ESP header. The entire packet is appended with an ESP trailer before encryption occurs. Everything that follows the ESP header, except for the ESP authentication trailer, is encrypted. This includes the original header which is now considered to be part of the data portion of the packet.

Q 62 (25/3/2011)

Which WLAN attacks does personal firewall software prevent?

A

802.11 deauthentication attacks

B

RF jamming attacks from nearby intruders

C

Computer viruses from peer WLAN devices

D

Wi-Fi phishing attacks at hotspots

E

WLAN hijacking attacks by co-workers

A 62 Which WLAN attacks does personal firewall software prevent? A 802.11 deauthentication attacks B RF jamming attacks from nearby intruders C Computer viruses from peer WLAN devices D Wi-Fi phishing attacks at hotspots E WLAN hijacking attacks by co-workers

Explanation: Computer viruses are application layer attacks. Firewalls can prevent these attacks by preventing unauthorized layer 3-7 connectivity to a host computer. The other attacks listed are attacks against the 802.11 protocol, the RF transmission medium, and social engineering attacks.

Q 63 (26/3/2011)

You have a protocol analyzer that can capture both 802.11 and 802.3 transmissions. What might you expect to find in the analysis of a wireless transmission that is not seen in the analysis of a transmission over a wired network? (Choose 2)

A

WEP packets

B

CSMA/CD packets

C

MTUs of up to 2304 bytes

D

Layer 3-7 protocols

E

TCP fragmentation

A 63 You have a protocol analyzer that can capture both 802.11 and 802.3 transmissions. What might you expect to find in the analysis of a wireless transmission that is not seen in the analysis of a transmission over a wired network? A WEP packets B CSMA/CD packets C MTUs of up to 2304 bytes D Layer 3-7 protocols E TCP fragmentation

Q 64 (27/3/2011)

XYZ Company uses 802.1X/EAP-FAST on their ERP-OFDM network to secure wireless data transmissions. They have field agents who use the local ERP-OFDM network while in the office and often need to access the corporate intranet from wireless hotspots around the country. What security protocol would be best suited for remote access from the wireless hotspots?

A

PEAP-MS-CHAPv2

B

WPA2-Personal

C

L2TP/IPSec

D

EAP-TTLS

A 64 XYZ Company uses 802.1X/EAP-FAST on their ERP-OFDM network to secure wireless data transmissions. They have field agents who use the local ERP-OFDM network while in the office and often need to access the corporate intranet from wireless hotspots around the country. What security protocol would be best suited for remote access from the wireless hotspots? A PEAP-MS-CHAPv2 B WPA2-Personal C L2TP/IPSec D EAP-TTLS

Explanation: PEAP-MS-CHAPv2, WPA2-Personal, and EAP-TTLS are layer 2, local-area protocols only. For this reason, they are not used for WAN access (over the Internet). L2TP/IPSec can be used to protect LAN and WAN traffic. Over an 802.11 hotspot, L2TP can be used to 'dial' the IP address of the corporate VPN concentrator. IPSec is used to encrypt the data both over the wireless network and over the Internet.

Q 65 (28/3/2011)

What is the name for a group of OFDM wireless stations communicating without the use of an access point?

A

Client access mode

B

Basic Service Set

C

Infrastructure mode

D

Peer Exclusive mode

E

Independent Basic Service Set

F

Privileged mode

A 65 What is the name for a group of OFDM wireless stations communicating without the use of an access point? A Client access mode B Basic Service Set C Infrastructure mode D Peer Exclusive mode E Independent Basic Service Set F Privileged mode

Explanation: Section 3 of the IEEE 802.11 standard (as amended) defines an Ad Hoc network as follows:

3.3 ad hoc network: A network composed solely of stations within mutual communication range of each other via the wireless medium (WM). An ad hoc network is typically created in a spontaneous manner. The principal distinguishing characteristic of an ad hoc network is its limited temporal and spatial extent. These limitations allow the act of creating and dissolving the ad hoc network to be sufficiently straightforward and convenient so as to be achievable by non-technical users of the network facilities; i.e., no specialized 'technical skills' are required and little or no investment of time or additional resources is required beyond the stations that are to participate in the ad hoc network. The term ad hoc is often used as slang to refer to an independent basic service set (IBSS).

Additionally, the standard defines an IBSS as follows:

3.27 independent basic service set (IBSS): A BSS that forms a self-contained network, and in which no access to a distribution system (DS) is available.

Q 66 (29/3/2011)

What is one purpose of implementing Role-Based Access Control (RBAC) in a WLAN switch/controller?

A

Apply protocol filtering to user groups

B

Allow 802.1X/EAP authentication

C

Enable SNMP polling from a WNMS

D

Facilitate rogue access point detection and location

A 66 What is one purpose of implementing Role-Based Access Control (RBAC) in a WLAN switch/controller? A Apply protocol filtering to user groups B Allow 802.1X/EAP authentication C Enable SNMP polling from a WNMS D Facilitate rogue access point detection and location

Explanation: RBAC is used to apply filtering at many layers of the OSI model to user groups or individual users based on their job functions within an organization. Examples of such filters might include limiting data rates for Internet access, limiting access to specific servers within the enterprise, and assigning specific security protocols (e.g., VPN) to specific user groups.

Q 67 (30/3/2011)

As part of your company's wireless security policy, you are creating several password policies to help prevent your company's passwords from being compromised. What password policy should be included to significantly reduce the likelihood that an online dictionary attack will successfully compromise a user's password? (Choose 3)

A

Passwords must be at least 15 characters long

B

User accounts will be disabled after five unsuccessful login attempts

C

Passwords must change after any unsuccessful login attempt

D

Only administrators are allowed to choose user passwords

E

Users should not share passwords with other users

F

Passwords should consist of upper case, lower case, numbers, and special characters

A 67 As part of your company's wireless security policy, you are creating several password policies to help prevent your company's passwords from being compromised. What password policy should be included to significantly reduce the likelihood that an online dictionary attack will successfully compromise a user's password? A Passwords must be at least 15 characters long B User accounts will be disabled after five unsuccessful login attempts C Passwords must change after any unsuccessful login attempt D Only administrators are allowed to choose user passwords E Users should not share passwords with other users F Passwords should consist of upper case, lower case, numbers, and special characters

Explanation: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching a large number of possibilities. In contrast with a brute force attack, where all possibilities are searched through exhaustively, a dictionary attack only tries possibilities which are most likely to succeed, typically derived from a list of words in a dictionary. Generally, dictionary attacks succeed because most people have a tendency to choose passwords which are easy to remember, and typically choose words taken from their native language.

A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, that successfully guessing it will require too long a time. The length of time deemed to be too long will vary with the attacker, the attacker's resources, the ease with which a password can be tried, and the value of the password to the attacker. Another good defense against brute force or dictionary attacks is to disable the user account after a certain number of unsuccessful login attempts.

Q 68 (31/3/2011)

What has occurred if an RF signal strikes an uneven surface causing the signal to be reflected in many directions simultaneously so that the resultant signals are less significant than the original signal?

A

Return loss

B

Interference

C

Phase shift keying

D

Diffraction

E

Scattering

F

Refraction

A 68 What has occurred if an RF signal strikes an uneven surface causing the signal to be reflected in many directions simultaneously so that the resultant signals are less significant than the original signal? A Return loss B Interference C Phase shift keying D Diffraction E Scattering F Refraction

Explanation: Scattering occurs when an RF signal strikes an uneven surface causing the signal to be scattered as multiple reflections, each less significant than the original signal. Refraction is the bending of a radio wave as it passes through a medium of different density. Diffraction is the bending of a radio wave around an obstacle.

Voltage Standing Wave Ratio (VSWR) occurs when there is mismatched impedance between devices in an RF system. VSWR causes return loss, which is the loss of forward energy through a system due to some of the power being reflected back toward the transmitter. Phase shift keying is a type of encoding used by wireless networks to represent information by manipulating the phase of the signal.

Q 69 (1/4/2011)

Phishing is an example of what type of attack?

A

Social Engineering

B

Man-in-the-middle

C

Eavesdropping

D

Bit-flipping

E

Hijacking

A 69 Phishing is an example of what type of attack? A Social Engineering B Man-in-the-middle C Eavesdropping D Bit-flipping E Hijacking

Explanation: Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.

Q 70 (2/4/2011)

You are about to deploy an application that only certain users on the wireless network should be able to access. What WLAN controller feature would most easily allow you to segment this WLAN network traffic?

A

RBAC

B

VLAN

C

VPN

D

MAC Filtering

E

STP

A 70 You are about to deploy an application that only certain users on the wireless network should be able to access. What WLAN controller feature would most easily allow you to segment this WLAN network traffic? A RBAC B VLAN C VPN D MAC Filtering E STP

Explanation: Role-based access control (RBAC) is an approach for restricting system access to authorized users. It is a newer and alternative approach to mandatory access control (MAC) and discretionary access control (DAC). Within an organization, roles are created for various job functions. The permissions to perform certain operations ('permissions') are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning the appropriate roles to the user, which simplifies common operations such as adding a user, or changing a user's department.

Q 71 (3/4/2011)

In an ERP-OFDM wireless LAN, what can cause attenuation of an 802.11 RF signal? (Choose 2)

A

Adding an RF extension cable

B

Open air space between transmitter and receiver

C

Nearby Bluetooth 2.0 wireless systems

D

Adding an RF amplifier in series with the main RF signal path

E

Bright sunlight between the transmitting and receiving antennas

A 72 In an ERP-OFDM wireless LAN, what can cause attenuation of an 802.11 RF signal? A Adding an RF extension cable B Open air space between transmitter and receiver C Nearby Bluetooth 2.0 wireless systems D Adding an RF amplifier in series with the main RF signal path E Bright sunlight between the transmitting and receiving antennas

Explanation: RF signal power degradation (attenuation) may be caused by Free Space Path Loss (FSPL) or any number of devices in the RF signal path (whether in the wire or after it has propagated from the antenna). Devices such as cables, connectors, splitters, and attenuators can cause attenuation (power loss) in the wire. Fresnel Zone and FSPL blockage can cause power loss of a propagating RF signal. When an additional RF cable is added to a circuit, it will introduce resistance to current flow, and therefore power loss. Newer Bluetooth systems use avoidance technology to minimize interference.

Q 73 (4/4/2011)

ABC Company recently implemented wireless networks at many of their branch offices. To determine RF coverage areas and access point placement, they measured the signal strength as reported in their laptop's wireless network card. What limitations does this site survey method include? (Choose 2)

A

Does not identify interference sources

B

Different vendors report identical RF signals at different signal strengths

C

Only indicates a signal's viability

D

A laptop WLAN card does not accurately identify signal strength

E

Does not consider impact of security overhead

A 73 ABC Company recently implemented wireless networks at many of their branch offices. To determine RF coverage areas and access point placement, they measured the signal strength as reported in their laptop's wireless network card. What limitations does this site survey method include? A Does not identify interference sources B Different vendors report identical RF signals at different signal strengths C Only indicates a signal's viability D A laptop WLAN card does not accurately identify signal strength E Does not consider impact of security overhead

Explanation: The 802.11 standard does not specify how RSSI should be calculated, only that a vendor's hardware must be capable of reporting RSSI up to the driver, resulting in different implementations between vendors. Signal strength alone does not identify interference sources, so does not test for a signal's viability. The power level of a narrowband signal relative to the power level of the noise floor is called the signal-to-noise ratio. SNR shows the strength of the RF signal versus the background noise, and also shows the viability of the RF link. SNR is a good indicator of whether or not a client will connect and remain connected.

Q 74 (5/4/2011)

Within the IPSec's ESP tunnel mode, which parts of the frame are encrypted? (Choose 3)

A

ESP Header

B

Original IP Header

C

IP Payload

D

ESP Trailer

E

ESP Authentication Trailer

A 74 Within the IPSec's ESP tunnel mode, which parts of the frame are encrypted? A ESP Header B Original IP Header C IP Payload D ESP Trailer E ESP Authentication Trailer

Explanation: ESP tunnel mode encapsulates an IP packet with both an ESP and IP header and an ESP authentication trailer. The original header is placed after the ESP header. The entire packet is appended with an ESP trailer before encryption occurs. Everything that follows the ESP header, except for the ESP authentication trailer, is encrypted. This includes the original header which is now considered to be part of the data portion of the packet.

Q 75 (6/4/2011)

What component of a wireless network might use a bi-metal conductor or gas discharge tube?

A

PoE Injector

B

Lightning arrestor

C

Amplifier

D

Attenuator

E

Yagi antenna

A 75 What component of a wireless network might use a bi-metal conductor or gas discharge tube? A PoE Injector B Lightning arrestor C Amplifier D Attenuator E Yagi antenna

Explanation: Lightning arrestors are used to shunt into the ground transient current that is caused by a nearby lightning strike. (Note: lightning arrestors will not protect against direct lightning strikes.) Some are reusable after a lightning strike and some are not. Examples of reusable lightning arrestors are models with replaceable gas discharge tube elements that are cheaper to replace than the entire lightning arrestor, or bi-metal conductors. A single-use lightning arrestor is like a fuse, destroying itself to protect the equipment.

Q 76 (7/4/2011)

XYZ University has recently installed a secure WLAN solution. There have been no problems with network intrusion, but due to the weekend entertainment schedule of the university's social infrastructure, many access points in the residence halls have been damaged or stolen. What are some ways to prevent this type of security event from affecting network operation and security?

A

Put an access point in each residence hall room and make the students responsible for the access point

B

Migrate to a WLAN switched infrastructure with lightweight (thin) access points

C

Install web-based IP cameras in the same areas with access points to monitor theft

D

Install access points in lockable enclosures in the ceiling or on the wall of the facilities

A 76 XYZ University has recently installed a secure WLAN solution. There have been no problems with network intrusion, but due to the weekend entertainment schedule of the university's social infrastructure, many access points in the residence halls have been damaged or stolen. What are some ways to prevent this type of security event from affecting network operation and security? A Put an access point in each residence hall room and make the students responsible for the access point B Migrate to a WLAN switched infrastructure with lightweight (thin) access points C Install web-based IP cameras in the same areas with access points to monitor theft D Install access points in lockable enclosures in the ceiling or on the wall of the facilities

Explanation: Installing web-based IP cameras would only give the thief another device to steal, and would not likely deter theft of access points. Locking access points in lockable containers would prevent theft or damage of units. Putting an access point in each residence hall room would cause significant adjacent and co-channel interference due to the access points being far too close to each other. While lightweight access points would not provide useful information to a thief, they would still be considered valuable and if removed or damaged would affect network operation.

Q 77 (8/4/2011)

Bill & Jane, two IT staff professionals at ABC Corporation, are arguing over the differences between WPA2 and Layer 3 VPN technologies. George, the IT Director, settles the dispute by explaining how WPA2 secures the wireless LAN data frame payloads. Which description of this process is correct in describing how WPA2 secures wireless data transmissions?

A

WPA2 encrypts layer 2 addresses and encrypts the layer 3 through layer 7 payloads.

B

WPA2 encodes layer 2 addresses with a 64-bit offset and encrypts the layer 3 and layer 4 addresses only.

C

WPA2 encrypts layer 3 through layer 7 payloads while leaving layer 2 source and destination addresses exposed.

D

WPA2 leaves the layer 2 and layer 3 addresses exposed while encrypting layer 4 through layer 7 payloads.

A 77 Bill & Jane, two IT staff professionals at ABC Corporation, are arguing over the differences between WPA2 and Layer 3 VPN technologies. George, the IT Director, settles the dispute by explaining how WPA2 secures the wireless LAN data frame payloads. Which description of this process is correct in describing how WPA2 secures wireless data transmissions? A WPA2 encrypts layer 2 addresses and encrypts the layer 3 through layer 7 payloads. B WPA2 encodes layer 2 addresses with a 64-bit offset and encrypts the layer 3 and layer 4 addresses only. C WPA2 encrypts layer 3 through layer 7 payloads while leaving layer 2 source and destination addresses exposed. D WPA2 leaves the layer 2 and layer 3 addresses exposed while encrypting layer 4 through layer 7 payloads.

Explanation: WPA2 (802.11i-compliant CCMP-enabled) encrypts layer 3-7 information while leaving layer 2 addresses (MAC) exposed. This is done so that layer 2 wireless devices (PCMCIA cards, access points, bridges, etc.) can communicate on the local wireless segment.

Q 78 (9/4/2011)

What is a significant difference between an 802.3-2005 Clause 33 compliant Endpoint or Midspan PSE device? (Choose 2)

A

Endpoint PSE devices can support Gigabit Ethernet but Midspan PSE devices only support 10BASE-T or 100BASE-TX.

B

Midspan PSE devices regenerate an Ethernet signal similar to a repeater.

C

Ethernet signals and electrical power may both travel on the same two wire pairs when using an endpoint PSE device.

D

Endpoint PSE devices will continuously monitor for powered device connectivity.

E

Endpoint PSE devices withhold power until PoE compliance is determined.

A 78 What is a significant difference between an 802.3-2005 Clause 33 compliant Endpoint or Midspan PSE device? A Endpoint PSE devices can support Gigabit Ethernet but Midspan PSE devices only support 10BASE-T or 100BASE-TX. B Midspan PSE devices regenerate an Ethernet signal similar to a repeater. C Ethernet signals and electrical power may both travel on the same two wire pairs when using an endpoint PSE device. D Endpoint PSE devices will continuously monitor for powered device connectivity. E Endpoint PSE devices withhold power until PoE compliance is determined.

Explanation: The two types of Power Sourcing Equipment (PSE) include endpoint and midspan devices. Alternative A Ethernet cabling uses the data lines (orange and green pairs) while alternative B Ethernet cabling uses the unused conductors (blue and brown pairs). An endpoint PSE is housed with a switch and has the ability to use either alternative A or alternative B power sourcing. Midspan PSE devices reside between a non-PSE switch and an end station (power device or PD) and can only send power over the non-data lines. This difference allows endpoint PSE devices to support 10BASE-T, 100BASE-TX, and 1000BASE-T connectivity, while midspan devices only support 10BASE-T and 100BASE-TX, as 1000BASE-T requires use of all eight Ethernet lines.

Q 79 (10/4/2011)

Within the IPSec's ESP tunnel mode, which parts of the frame are encrypted? (Choose 3)

A

ESP Header

B

Original IP Header

C

IP Payload

D

ESP Trailer

E

ESP Authentication Trailer

A 79 Within the IPSec's ESP tunnel mode, which parts of the frame are encrypted? A ESP Header B Original IP Header C IP Payload D ESP Trailer E ESP Authentication Trailer

Explanation: ESP tunnel mode encapsulates an IP packet with both an ESP and IP header and an ESP authentication trailer. The original header is placed after the ESP header. The entire packet is appended with an ESP trailer before encryption occurs. Everything that follows the ESP header, except for the ESP authentication trailer, is encrypted. This includes the original header which is now considered to be part of the data portion of the packet.

Q 80 (11/4/2011)

XYZ Company uses 802.1X/EAP-FAST on their ERP-OFDM network to secure wireless data transmissions. They have field agents who use the local ERP-OFDM network while in the office and often need to access the corporate intranet from wireless hotspots around the country. What security protocol would be best suited for remote access from the wireless hotspots?

A

PEAP-MS-CHAPv2

B

WPA2-Personal

C

L2TP/IPSec

D

EAP-TTLS

A 80 XYZ Company uses 802.1X/EAP-FAST on their ERP-OFDM network to secure wireless data transmissions. They have field agents who use the local ERP-OFDM network while in the office and often need to access the corporate intranet from wireless hotspots around the country. What security protocol would be best suited for remote access from the wireless hotspots? A PEAP-MS-CHAPv2 B WPA2-Personal C L2TP/IPSec D EAP-TTLS

Explanation: PEAP-MS-CHAPv2, WPA2-Personal, and EAP-TTLS are layer 2, local-area protocols only. For this reason, they are not used for WAN access (over the Internet). L2TP/IPSec can be used to protect LAN and WAN traffic. Over an 802.11 hotspot, L2TP can be used to 'dial' the IP address of the corporate VPN concentrator. IPSec is used to encrypt the data both over the wireless network and over the Internet.

Q 81 (12/4/2011)

When reassociating between access points of two different WLAN controllers, which technology is needed to perform a fast BSS transition?

A

Preauthentication

B

PMK Caching

C

Opportunistic PMK Caching

D

Fast Roam-Back 

E

Fast Roam-Forward

A 81 When reassociating between access points of two different WLAN controllers, which technology is needed to perform a fast BSS transition? A Preauthentication B PMK Caching C Opportunistic PMK Caching D Fast Roam-Back E Fast Roam-Forward

Explanation: Preauthentication is defined by the 802.11 standard and specifies performing 802.1X/EAP authentications over the wired (Ethernet) distribution system. Preauthentication allows an associated supplicant to remain connected to an AP while building a PMK with another AP, allowing the client station to only perform the 4-Way Handshake. When roaming between APs of a single WLAN controller, PMK Caching and Opportunistic PMK Caching (OPC) can be used for fast BSS transition. However, to roam quickly between WLAN controllers, a mechanism like preauthentication will need to be used. Preauthentication between WLAN controllers works on the same premise as it would between two autonomous APs. Fast Roam-Back is another name for PMK Caching, while Fast Roam-Forward is another name for Opportunistic PMK Caching. Note: In order to use preauthentication, both the supplicant and authenticator must offer support.

Q 82 (13/4/2011)

Q 83 (15/4/2011)

Which are features commonly supported by WLAN controllers? (Choose 2)

A

Layer 2 protocol analysis

B

Rogue AP/Client detection

C

Gateway Load Balancing Protocol (GLBP)

D

HTTPS device management

E

802.1Q-in-Q Tag Stacking (Q-in-Q Tunneling)

A 83 Which are features commonly supported by WLAN controllers? A Layer 2 protocol analysis B Rogue AP/Client detection C Gateway Load Balancing Protocol (GLBP) D HTTPS device management E 802.1Q-in-Q Tag Stacking (Q-in-Q Tunneling)

Explanation: WLAN controllers are layer-2/3 devices. Rogue AP and client device detection (and often mitigation) is available in almost all WLAN switches/controllers. HTTP, HTTPS, SNMP, Telnet, and SSH1/2 protocols are used to manage WLAN switches/controllers. GLBP and 802.1Q-in-Q are not supported by WLAN infrastructure devices.

Q 84 (16/4/2011)

You are a WLAN administrator for a large hospital, and quick elimination of rogue wireless devices is critical according to your new security policy. Due to the size of the facility, locating a rogue access point or client device quickly and accurately has been a problem in the past. What step can you take to meet this new security policy requirement?

A

Use a WLAN protocol analyzer with a Yagi antenna

B

Use a GPS-enabled 802.11a/b/g PC card with an Omni antenna

C

Use the rogue triangulation feature in a WIPS with an integrated floor plan

D

Enable 802.11i-compliant rogue tracking in your access points

E

Use a laptop spectrum analyzer capable of 2.4 GHz and 5 GHz frequency ranges

A 84 You are a WLAN administrator for a large hospital, and quick elimination of rogue wireless devices is critical according to your new security policy. Due to the size of the facility, locating a rogue access point or client device quickly and accurately has been a problem in the past. What step can you take to meet this new security policy requirement? A Use a WLAN protocol analyzer with a Yagi antenna B Use a GPS-enabled 802.11a/b/g PC card with an Omni antenna C Use the rogue triangulation feature in a WIPS with an integrated floor plan D Enable 802.11i-compliant rogue tracking in your access points E Use a laptop spectrum analyzer capable of 2.4 GHz and 5 GHz frequency ranges

Explanation: WIDS/WIPS can use either triangulation or fingerprinting technologies to pinpoint within 10-20 feet where a rogue AP or rogue client might exist. A graphic of the building's floor plan can be imported into the WIDS/WIPS software to assist in locating the rogue devices. For either of these technologies to work accurately, an adequate number of hardware sensors will be needed.

Q 85 (17/4/2011)

What may significantly affect the amount of wireless throughput available to each station connected to a single radio access point when all stations are actively transmitting and receiving in the BSS? (Choose 2)

A

The transmission delay threshold value on the access point

B

The RTS/CTS threshold value on each station

C

The size of the queuing buffers in the access point

D

Data frame retransmissions due to narrowband RF interference

E

Delay spread due to multipath

A 85 What may significantly affect the amount of wireless throughput available to each station connected to a single radio access point when all stations are actively transmitting and receiving in the BSS? A The transmission delay threshold value on the access point B The RTS/CTS threshold value on each station C The size of the queuing buffers in the access point D Data frame retransmissions due to narrowband RF interference E Delay spread due to multipath

Explanation: For each DSSS or OFDM channel, there is a maximum amount of throughput available. The amount of throughput is shared among all stations on that channel. When a station enables RTS/CTS, not only does it affect the amount of throughput that station will have, but it also affects the throughput of all other stations on that channel because the station using RTS/CTS controls use of the RF medium for longer periods of time. When stations must retransmit data frames due to RF interference, their throughput goes down significantly. Additionally, stations that must retransmit data frames congest the shared medium for longer periods of time decreasing throughput for all stations on that channel.

Q 86 (18/4/2011)

Given: The XYZ Corporation employs 20 data entry clerks that use an unencrypted IEEE 802.11 WLAN to access the main network. An intruder is using a laptop running a software access point in an attempt to hijack the wireless users. How can the intruder cause all of these clients to establish Layer 2 connectivity with the software access point?

A

WLAN clients can be forced to reassociate if the intruder's laptop uses a WLAN card capable of emitting at least 5 times more power than the authorized access point.

B

A higher SSID value programmed into the intruder's software access point will take priority over the SSID in the authorized access point, causing the clients to reassociate.

C

When the signal between the clients and the authorized access point is temporarily disrupted and the intruder's software access point is using the same SSID on a different channel than the authorized access point, the clients will reassociate to the software access point.

D

When the signal between the clients and the authorized access point is permanently disrupted and the intruder's software access point is using the same SSID and the same channel as the authorized access point, the clients will reassociate to the software access point.

A 86 Given: The XYZ Corporation employs 20 data entry clerks that use an unencrypted IEEE 802.11 WLAN to access the main network. An intruder is using a laptop running a software access point in an attempt to hijack the wireless users. How can the intruder cause all of these clients to establish Layer 2 connectivity with the software access point? A WLAN clients can be forced to reassociate if the intruder's laptop uses a WLAN card capable of emitting at least 5 times more power than the authorized access point. B A higher SSID value programmed into the intruder's software access point will take priority over the SSID in the authorized access point, causing the clients to reassociate. C When the signal between the clients and the authorized access point is temporarily disrupted and the intruder's software access point is using the same SSID on a different channel than the authorized access point, the clients will reassociate to the software access point. D When the signal between the clients and the authorized access point is permanently disrupted and the intruder's software access point is using the same SSID and the same channel as the authorized access point, the clients will reassociate to the software access point.

Explanation: By design, when the connection between a WLAN client and access point drops below a certain threshold (determined differently by each vendor), the WLAN client will start looking for other access points on different channels with a matching SSID that might provide a better connection, typically based upon RSSI values. Many devices will also continue to scan other channels for better options even while associated to an access point. Jamming the signal will drop the connection below the client's threshold, causing it to search for an alternative. When it discovers the intruder's software access point is using the same SSID and can provide a strong connection, the client station will reassociate to the software access point.

Q 87 (19/4/2011)

What types of transmissions are protected using a group key hierarchy in an RSN network? (Choose 2)

A

Broadcast

B

Multicast

C

Unicast

D

Ad-hoc

E

Plaintext

A 87 What types of transmissions are protected using a group key hierarchy in an RSN network? A Broadcast B Multicast C Unicast D Ad-hoc E Plaintext

Explanation: A robust secure network (RSN) has two different key hierarchies used to protect traffic. The pairwise key hierarchy is used to protect unicast traffic, while broadcast and multicast traffic is protected by the group key hierarchy.

Q 88 (20/4/2011)

What 802.11 authentication is supported by the 802.1X framework?

A

Open System

B

Shared Key

C

Mutual

D

Username and password

E

Digital Certificate

A 88 What 802.11 authentication is supported by the 802.1X framework? A Open System B Shared Key C Mutual D Username and password E Digital Certificate

Explanation: The IEEE 802.1X standard defines port-based network access control that is used to provide authenticated network access for users wanting access to Ethernet and IEEE 802.11 wireless networks. With port-based network access control, a wireless station cannot send any frames on the network until access has been granted by the authenticator (typically a wireless access point or controller). Before the 802.1X authentication process can begin, the WLAN client must first have access to the 802.1X authenticator, meaning it must first perform wireless authentication to the access point or controller. The only supported method for this type of authentication when combined with 802.1X authentication is Open System authentication, which is transparent to the user due to its automatic success.

Q 89 (21/4/2011)

XYZ University is installing a security camera system, and they want to use mesh routers to connect all of the security cameras back to a central Ethernet switch. Each camera has an Ethernet port and is located near an AC outlet. Each mesh router uses ERP-OFDM, AES-CCMP encryption, and has three Ethernet ports for connecting multiple cameras. Each mesh router will connect to at least two other mesh routers by design. All cameras are housed in locked enclosures, are pointed at a specific location, and cannot be rotated. A student that is participating in the installation is going to attempt to circumvent this security solution. What plausible approach might the student use to circumvent this security solution?

A

Use an 802.11 frame generator to send spoofed deauthentication frames to the mesh router with a source address of another mesh router.

B

Use an RF jamming device to interrupt the wireless mesh link near a mesh router.

C

Plug an additional camera into a lower-numbered (higher priority) Ethernet port on a mesh router. This would cause the mesh router to send video from the unauthorized camera which is pointing in a different direction.

D

Enable an HR-DSSS client adapter near the mesh router, forcing it to enable protection mechanisms. This will result in an average bandwidth too low for full-motion video and will cause substantial blurring.

A 89 XYZ University is installing a security camera system, and they want to use mesh routers to connect all of the security cameras back to a central Ethernet switch. Each camera has an Ethernet port and is located near an AC outlet. Each mesh router uses ERP-OFDM, AES-CCMP encryption, and has three Ethernet ports for connecting multiple cameras. Each mesh router will connect to at least two other mesh routers by design. All cameras are housed in locked enclosures, are pointed at a specific location, and cannot be rotated. A student that is participating in the installation is going to attempt to circumvent this security solution. What plausible approach might the student use to circumvent this security solution? A Use an 802.11 frame generator to send spoofed deauthentication frames to the mesh router with a source address of another mesh router. B Use an RF jamming device to interrupt the wireless mesh link near a mesh router. C Plug an additional camera into a lower-numbered (higher priority) Ethernet port on a mesh router. This would cause the mesh router to send video from the unauthorized camera which is pointing in a different direction. D Enable an HR-DSSS client adapter near the mesh router, forcing it to enable protection mechanisms. This will result in an average bandwidth too low for full-motion video and will cause substantial blurring.

Explanation: By interrupting the wireless mesh link near a camera, the video stream on the camera will not be sent across the mesh to the Ethernet switch. The video stream will be lost until the RF jamming device is disabled. Deauthenticating one mesh router from another will not work in this case because each mesh router is connected to two other mesh routers by design. The data stream would simply fail over to the second mesh router link (if it was not already being sent on that link). ERP-OFDM mesh router networks should be designed to accommodate the expected data traffic, even when they must use CCK modulation instead of OFDM.

Q 90 (22/4/2011)

Q 91 (23/4/2011)

What may significantly affect the amount of wireless throughput available to each station connected to a single radio access point when all stations are actively transmitting and receiving in the BSS? (Choose 2)

A

The transmission delay threshold value on the access point

B

The RTS/CTS threshold value on each station

C

The size of the queuing buffers in the access point

D

Data frame retransmissions due to narrowband RF interference

E

Delay spread due to multipath

A 91 What may significantly affect the amount of wireless throughput available to each station connected to a single radio access point when all stations are actively transmitting and receiving in the BSS? A The transmission delay threshold value on the access point B The RTS/CTS threshold value on each station C The size of the queuing buffers in the access point D Data frame retransmissions due to narrowband RF interference E Delay spread due to multipath

Explanation: For each DSSS or OFDM channel, there is a maximum amount of throughput available. The amount of throughput is shared among all stations on that channel. When a station enables RTS/CTS, not only does it affect the amount of throughput that station will have, but it also affects the throughput of all other stations on that channel because the station using RTS/CTS controls use of the RF medium for longer periods of time. When stations must retransmit data frames due to RF interference, their throughput goes down significantly. Additionally, stations that must retransmit data frames congest the shared medium for longer periods of time decreasing throughput for all stations on that channel.

Q 92 (24/4/2011)

Q 93 (25/4/2011)

The ERP-OFDM amendment to the IEEE 802.11-1999 (as amended) standard specifies what protection mechanism when used in mixed mode?

A

RTS/CTS

B

Fragmentation

C

CSMA/CA

D

CSMA/CD

E

Dynamic Rate Switching

F

Digital Certificates

A 93 The ERP-OFDM amendment to the IEEE 802.11-1999 (as amended) standard specifies what protection mechanism when used in mixed mode? A RTS/CTS B Fragmentation C CSMA/CA D CSMA/CD E Dynamic Rate Switching F Digital Certificates

Explanation: ERP-OFDM (802.11g) amendment '9.10 Protection mechanism' states: The intent of a protection mechanism is to ensure that a STA does not transmit an MPDU of type Data or an MMPDU with an ERP-OFDM preamble and header unless it has attempted to update the NAV of receiving NonERP STAs. The updated NAV period shall be longer than or equal to the total time required to send the data and any required response frames. ERP STAs shall use protection mechanisms (such as RTS/CTS or CTS-to-self) for ERP-OFDM MPDUs of type Data or an MMPDU when the Use_Protection field of the ERP Information element is set to 1 (see the requirements of 9.2.6). Protection mechanisms frames shall be sent using one of the mandatory Clause 15 or Clause 18 rates and using one of the mandatory Clause 15 or Clause 18 waveforms, so all STAs in the BSA will know the duration of the exchange even if they cannot detect the ERP-OFDM signals using their CCA function. Note that when using the Clause 19 options, ERP-PBCC or DSSS-OFDM, there is no need to use protection mechanisms, as these frames start with a DSSS header. In the case of a BSS composed of only ERP STAs, but with knowledge of a neighboring cochannel BSS having NonERP traffic, the AP may require protection mechanisms to protect the BSS's traffic from interference. This will provide propagation of NAV to all attached STAs and all STAs in a neighboring co-channel BSS within range by BSS basic rate set modulated messages. The frames that propagate the NAV throughout the BSS include RTS/CTS/ACK frames, all data frames with the "more fragments" field set to 1, all data frames sent in response to PS-Poll that are not proceeded in the frame sequence by a data frame with the "more fragments" field set to 1, Beacon frames with nonzero CF time, and CF-End frames.
When RTS/CTS is used as the protection mechanism, cases exist such as NAV resetting (discretionary, as indicated in 9.2.5.4), where a hidden station may reset its NAV and this may cause a collision. The likelihood of occurrence is low, and it is not considered to represent a significant impairment to overall system operation. A mechanism to address this possible situation would be to use alternative protection mechanisms, or to revert to alternative modulation methods. If a protection mechanism is being used, a fragment sequence may only employ ERP-OFDM modulation for the final fragment and control response. The rules for calculating RTS/CTS NAV fields are unchanged when using RTS/CTS as a protection mechanism. Additionally, if any of the rates in the BSSBasicRateSet of the protection mechanism frame transmitting STA's BSS are Clause 15 or Clause 18 rates, then the protection mechanism frames shall be sent at one of those Clause 15 or Clause 18 basic rates.
