
CWSP-205 Online Practice Questions and Answers

Questions 4

ABC Company uses the wireless network for highly sensitive network traffic. For that reason, they intend to protect their network in all possible ways. They are continually researching new network threats and new preventative measures. They are interested in the security benefits of 802.11w, but would like to know its limitations.

What types of wireless attacks does 802.11w protect against? (Choose 2)

A. RF DoS attacks

B. Layer 2 Disassociation attacks

C. Robust management frame replay attacks

D. Social engineering attacks

Questions 5

You are configuring seven APs to prevent common security attacks. The APs are to be installed in a small business, and to reduce costs, the company decided to install all consumer-grade wireless routers. The wireless routers will connect to a switch, which connects directly to the Internet connection providing 50 Mbps of Internet bandwidth that will be shared among 53 wireless clients and 17 wired clients.

To ensure the wireless network is as secure as possible from common attacks, what security measure can you implement given only the hardware referenced?

A. WPA-Enterprise

B. 802.1X/EAP-PEAP

C. WPA2-Enterprise

D. WPA2-Personal

Questions 6

In order to acquire credentials of a valid user on a public hot-spot network, what attacks may be conducted? Choose the single completely correct answer.

A. Social engineering and/or eavesdropping

B. RF DoS and/or physical theft

C. MAC denial of service and/or physical theft

D. Authentication cracking and/or RF DoS

E. Code injection and/or XSS

Questions 7

As the primary security engineer for a large corporate network, you have been asked to author a new security policy for the wireless network. While most client devices support 802.1X authentication, some legacy devices still only support passphrase/PSK-based security methods.

When writing the 802.11 security policy, what password-related items should be addressed?

A. MSCHAPv2 passwords used with EAP/PEAPv0 should be stronger than typical WPA2-PSK passphrases.

B. Password complexity should be maximized so that weak WEP IV attacks are prevented.

C. Static passwords should be changed on a regular basis to minimize the vulnerabilities of a PSK-based authentication.

D. Certificates should always be recommended instead of passwords for 802.11 client authentication.

E. EAP-TLS must be implemented in such scenarios.

Questions 8

What disadvantage does EAP-TLS have when compared with PEAPv0 EAP/MSCHAPv2 as an 802.11 WLAN security solution?

A. Fast/secure roaming in an 802.11 RSN is significantly longer when EAP-TLS is in use.

B. EAP-TLS does not protect the client's username and password inside an encrypted tunnel.

C. EAP-TLS cannot establish a secure tunnel for internal EAP authentication.

D. EAP-TLS is supported only by Cisco wireless infrastructure and client devices.

E. EAP-TLS requires extensive PKI use to create X.509 certificates for both the server and all clients, which increases administrative overhead.

Questions 9

When using the 802.1X/EAP framework for authentication in 802.11 WLANs, why is the 802.1X Controlled Port still blocked after the 802.1X/EAP framework has completed successfully?

A. The 802.1X Controlled Port is always blocked, but the Uncontrolled Port opens after the EAP authentication process completes.

B. The 802.1X Controlled Port remains blocked until an IP address is requested and accepted by the Supplicant.

C. The 4-Way Handshake must be performed before the 802.1X Controlled Port changes to the unblocked state.

D. The 802.1X Controlled Port is blocked until Vendor-Specific Attributes (VSAs) are exchanged inside a RADIUS packet between the Authenticator and Authentication Server.

Questions 10

What drawbacks initially prevented the widespread acceptance and use of Opportunistic Key Caching (OKC)?

A. Sharing cached keys between controllers during inter-controller roaming created vulnerabilities that exposed the keys to attackers.

B. Because OKC is not defined by any standards or certification body, client support was delayed and sporadic early on.

C. Key exchanges during fast roams required processor-intensive cryptography, which was prohibitive for legacy devices supporting only TKIP.

D. The Wi-Fi Alliance continually delayed the creation of a client certification for OKC, even though it was defined by IEEE 802.11r.

Questions 11

What TKIP feature was introduced to counter the weak integrity check algorithm used in WEP?

A. 32-bit ICV (CRC-32)

B. Sequence counters

C. RC5 stream cipher

D. Michael

E. Block cipher support

Questions 12

What protocols allow a network administrator to securely manage the configuration of WLAN controllers and access points? (Choose 2)

A. SNMPv1

B. HTTPS

C. Telnet

D. TFTP

E. FTP

F. SSHv2

Questions 13

Given: ABC Company is an Internet Service Provider with thousands of customers. ABC's customers are given login credentials for network access when they become a customer. ABC uses an LDAP server as the central user credential database. ABC is extending their service to existing customers in some public access areas and would like to use their existing database for authentication.

How can ABC Company use their existing user database for wireless user authentication as they implement a large-scale WPA2-Enterprise WLAN security solution?

A. Import all users from the LDAP server into a RADIUS server with an LDAP-to-RADIUS conversion tool.

B. Implement an X.509 compliant Certificate Authority and enable SSL queries on the LDAP server.

C. Mirror the LDAP server to a RADIUS database within a WLAN controller and perform daily backups to synchronize the user databases.

D. Implement a RADIUS server and query user authentication requests through the LDAP server.

Questions 14

Given: ABC Company has recently installed a WLAN controller and configured it to support WPA2-Enterprise security. The administrator has configured a security profile on the WLAN controller for each group within the company (Marketing, Sales, and Engineering).

How are authenticated users assigned to groups so that they receive the correct security profile within the WLAN controller?

A. The WLAN controller polls the RADIUS server for a complete list of authenticated users and groups after each user authentication.

B. The RADIUS server sends a group name return list attribute to the WLAN controller during every successful user authentication.

C. The RADIUS server forwards the request for a group attribute to an LDAP database service, and LDAP sends the group attribute to the WLAN controller.

D. The RADIUS server sends the list of authenticated users and groups to the WLAN controller as part of a 4-Way Handshake prior to user authentication.

Questions 15

Given: XYZ Hospital plans to improve the security and performance of their Voice over Wi-Fi implementation and will be upgrading to 802.11n phones with 802.1X/EAP authentication. XYZ would like to support fast secure roaming for the phones and will require the ability to troubleshoot reassociations that are delayed or dropped during inter-channel roaming.

What portable solution would be recommended for XYZ to troubleshoot roaming problems?

A. WIPS sensor software installed on a laptop computer

B. Spectrum analyzer software installed on a laptop computer

C. An autonomous AP mounted on a mobile cart and configured to operate in monitor mode

D. Laptop-based protocol analyzer with multiple 802.11n adapters

Questions 16

Wireless Intrusion Prevention Systems (WIPS) are used for what purposes? (Choose 3)

A. Performance monitoring and troubleshooting

B. Enforcing wireless network security policy

C. Detecting and defending against eavesdropping attacks

D. Security monitoring and notification

E. Preventing physical carrier sense attacks

F. Classifying wired client devices

Questions 17

You are implementing a wireless LAN that will be used by point-of-sale (PoS) systems in a retail environment. Thirteen PoS computers will be installed. To what industry requirement should you ensure you adhere?

A. ISA99

B. HIPAA

C. PCI-DSS

D. Directive 8500.01

Questions 18

ABC Company has deployed a Single Channel Architecture (SCA) solution to help overcome some of the common problems with client roaming. In such a network, all APs are configured with the same channel and BSSID. PEAPv0/EAP-MSCHAPv2 is the only supported authentication mechanism.

As the Voice over Wi-Fi (STA-1) client moves throughout this network, what events are occurring?

A. STA-1 initiates open authentication and 802.11 association with each AP prior to roaming.

B. The WLAN controller is querying the RADIUS server for authentication before the association of STA-1 is moved from one AP to the next.

C. STA-1 controls when and where to roam by using signal and performance metrics in accordance with the chipset drivers and 802.11k.

D. The WLAN controller controls the AP to which STA-1 is associated and transparently moves this association in accordance with the physical location of STA-1.

Exam Code: CWSP-205
Exam Name: Certified Wireless Security Professional
Last Update: Apr 12, 2024
Questions: 119 Q&As