Many corporations configure guest VLANs on their WLAN controllers that allow visitors to have Internet access only. The guest traffic is tunneled to the DMZ to prevent some security risks. In this deployment, what risk is still associated with implementing the guest VLAN without any advanced traffic monitoring or filtering feature enabled?

1. A. Intruders can send spam to the Internet through the guest VLAN.
2. B. Peer-to-peer attacks can still be conducted between guest users unless application-layer monitoring and filtering are implemented.
3. C. Guest users can reconfigure AP radios servicing the guest VLAN unless unsecure network management protocols (e.
4. D. Telnet, HTTP) are blocked.
5. E. Once guest users are associated to the WLAN, they can capture 802.11 frames from the corporate VLANs.

Correct Answer: A

A large enterprise is designing a secure, scalable, and manageable 802.11n WLAN that will support thousands of users. The enterprise will support both 802.1X/EAP-TTLS and PEAPv0/MSCHAPv2. Currently, the company is upgrading network servers as well and will replace their existing Microsoft IAS implementation with Microsoft NPS, querying Active Directory for user authentication. For this organization, as they update their WLAN infrastructure, what WLAN controller feature will likely be least valuable?

1. A. SNMPv3 support
2. B. 802.1Q VLAN trunking
3. C. Internal RADIUS server
4. D. WIPS support and integration
5. E. WPA2-Enterprise authentication/encryption

Correct Answer: C

As the primary security engineer for a large corporate network, you have been asked to author a new security policy for the wireless network. While most client devices support 802.1X authentication, some legacy devices still only support passphrase/PSK-based security methods. When writing the 802.11 security policy, what password-related items should be addressed?

1. A. Certificates should always be recommended instead of passwords for 802.11 client authentication.
2. B. Password complexity should be maximized so that weak WEP IV attacks are prevented.
3. C. Static passwords should be changed on a regular basis to minimize the vulnerabilities of a PSK-based authentication.
4. D. EAP-TLS must be implemented in such scenarios.
5. E. MS-CHAPv2 passwords used with EAP/PEAPv0 should be stronger than typical WPA2-PSK passphrases.

Correct Answer: C

You support a coffee shop and have recently installed a free 802.11ac wireless hotspot for the benefit of your customers. You want to minimize legal risk in the event that the hotspot is used for illegal Internet activity. What option specifies the best approach to minimize legal risk at this public hotspot while maintaining an open venue for customer Internet access?

1. A. Require client STAs to have updated firewall and antivirus software.
2. B. Block TCP port 25 and 80 outbound on the Internet router.
3. C. Use a WIPS to monitor all traffic and deauthenticate malicious stations.
4. D. Implement a captive portal with an acceptable use disclaimer.
5. E. Allow only trusted patrons to use the WLAN.
6. F. Configure WPA2-Enterprise security on the access point.

Correct Answer: D

ABC Company is implementing a secure 802.11 WLAN at their headquarters (HQ) building in New York and at each of the 10 small, remote branch offices around the United States. 802.1X/EAP is ABC’s preferred security solution, where possible. All access points (at the HQ building and all branch offices) connect to a single WLAN controller located at HQ. Each branch office has only a single AP and minimal IT resources. What security best practices should be followed in this deployment scenario?

1. A. Remote management of the WLAN controller via Telnet, SSH, HTTP, and HTTPS should be prohibited across the WAN link.
2. B. RADIUS services should be provided at branch offices so that authentication server and suppliant credentials are not sent over the Internet.
3. C. An encrypted VPN should connect the WLAN controller and each remote controller-based AP, or each remote site should provide an encrypted VPN tunnel to HQ.
4. D. APs at HQ and at each branch office should not broadcast the same SSID; instead each branch should have a unique ID for user accounting purposes.

Correct Answer: C