Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

  • Create BookmarkCreate Bookmark
  • Create Note or TagCreate Note or Tag
  • PrintPrint
Share this Page URL

Chapter 13. Network Security Architecture > Answers to Review Questions

13.11. Answers to Review Questions

  1. B. As required by an 802.1X security solution, the supplicant is a WLAN client requesting authentication and access to network resources. Each supplicant has unique authentication credentials that are verified by the authentication server.

  2. B, D. The 802.11-2007 standard defines CCMP/AES encryption as the default encryption method, while TKIP/RC4 is the optional encryption method. This was originally defined by the 802.11i amendment, which is now part of the 802.11-2007 standard. The Wi-Fi Alliance created the WPA2 security certification, which mirrors the robust security defined by the IEEE. WPA2 supports both CCMP/AES and TKIP/RC4 dynamic encryption-key management.

  3. E. 128-bit WEP encryption uses a secret 104-bit static key that is provided by the user (26 hex characters) and combined with a 24-bit Initialization Vector for an effective key strength of 128 bits.

  4. A, C, E. The supplicant, authenticator, and authentication server work together to provide the framework for an 802.1X/EAP solution. The supplicant requests access to network resources. The authentication server authenticates the identity of the supplicant, and the authenticator allows or denies access to network resources via virtual ports.

  5. C. The original 802.11 standard ratified in 1997 defined the use of a 64-bit or 128-bit static encryption solution called Wired Equivalent Privacy (WEP). Dynamic WEP was never defined under any wireless security standard. The use of 802.1X/EAP, TKIP/RC4, and CCMP/AES are all defined under the current 802.11-2007 standard.

  6. A, D, E. Access points may be mounted in lockable enclosure units to provide theft protection. All access points should be configured from the wired side and never wirelessly. Encrypted management interfaces such as HTTPS and Secure Command Shell should be used instead of HTTP or Telnet. An 802.1X/EAP solution guarantees that only authorized users will receive an IP address. Attackers can get an IP address prior to setting up an IPSec VPN tunnel and potentially attack the access points.

  7. A, C. Virtual LANs are used to segment wireless users at layer 3. The most common wireless segmentation strategy often used in 802.11 enterprise WLANs is segmentation using VLANS combined with role-based access control (RBAC) mechanisms. CCMP/AES, TKIP/ RC4, and WEP are encryption solutions.

  8. A, C. The Wi-Fi Protected Access (WPA) certification was a snapshot of the not-yet-released 802.11i amendment, supporting only the TKIP/RC4 dynamic encryption-key generation. 802.1X/EAP authentication was required in the enterprise, and passphrase authentication was required in a SOHO or home environment. LEAP is Cisco proprietary and is not specifically defined by WPA. Neither dynamic WEP nor CCMP/AES were defined for encryption. CCMP/ AES dynamic encryption is mandatory under the WPA2 certification.

  9. B, D, E. Role-based access control (RBAC) is an approach to restricting system access to authorized users. The three main components of an RBAC approach are users, roles, and permissions.

  10. A, D, E. The purpose of 802.1X/EAP is authentication of user credentials and authorization to network resources. Although the 802.1X/EAP framework does not require encryption, it highly suggests the use of encryption. A by-product of 802.1X/EAP is the generation and distribution of dynamic encryption keys.

  11. A, B, D, E. All forms of WEP encryption use the Rivest Cipher 4 (RC4) algorithm. TKIP is WEP that has been enhanced and also uses the RC4 cipher. PPTP uses 128-bit Microsoft Point-to-Point Encryption (MPPE), which uses the RC4 algorithm. CCMP uses the AES cipher.

  12. B, D. Open System and Shared Key authentication are legacy authentication methods that do not provide seeding material to generate dynamic encryption keys. A robust security network association requires a four-frame EAP exchange known as the 4-Way Handshake that is used to generate dynamic TKIP or CCMP keys. The handshake may occur either after an 802.1X/EAP exchange or as a result of PSK authentication.

  13. A, D. An 802.1X/EAP solution requires that both the supplicant and the authentication server support the same type of EAP. The authenticator must be configured for 802.1X/ EAP authentication but does not care which EAP type passes through. The authenticator and the supplicant must support the same type of encryption.

  14. D. WLAN controllers use lightweight access points, which are dumb terminals with radio cards and antennas. The WLAN controller is the authenticator. When an 802.1X/EAP solution is deployed in a wireless controller environment, the virtual controlled and uncontrolled ports exist on the WLAN controller.

  15. A, C, D. TKIP starts with a 128-bit temporal key that is combined with a 48-bit Initialization Vector (IV) and source and destination MAC addresses in a process known as perpacket key mixing. TKIP uses an additional data integrity check known as the Message Integrity Check (MIC).

  16. A. The root bridge would be the authenticator, and the nonroot bridge would be the supplicant if 802.1X/EAP security is used in a WLAN bridged network.

  17. D. The AES algorithm encrypts data in fixed data blocks with choices in encryption-key strength of 128, 192, or 256 bits. CCMP/AES uses a 128-bit encryption-key size and encrypts in 128-bit fixed-length blocks.

  18. A, D. The WPA2 certification requires the use of an 802.1X/EAP authentication method in the enterprise and the use of a preshared key or a passphrase in a SOHO environment. The WPA2 certification also requires the use of stronger dynamic encryption-key generation methods. CCMP/AES encryption is the mandatory encryption method, and TKIP/RC4 is the optional encryption method.

  19. E. The 802.11-2007 standard defines what is known as a robust security network (RSN) and robust security network associations (RSNAs). CCMP/AES encryption is the mandated encryption method, while TKIP/RC4 is an optional encryption method.

  20. C. The supplicant, authenticator, and authentication server work together to provide the framework for 802.1X port-based access control, and an authentication protocol is needed to assist in the authentication process. The Extensible Authentication Protocol (EAP) is used to provide user authentication.


You are currently reading a PREVIEW of this book.


Get instant access to over $1 million worth of books and videos.


Start a Free 10-Day Trial

  • Safari Books Online
  • Create BookmarkCreate Bookmark
  • Create Note or TagCreate Note or Tag
  • PrintPrint