CWNP CWSP-208 Dumps

PCI-DSS (Payment Card Industry Data Security Standard) applies to all entities that process, store, or transmit credit card data. Since Point-of-Sale (PoS) systems handle such transactions in retail environments, the wireless network supporting them must comply with PCI-DSS. This includes encrypting wireless transmissions, segmenting network traffic, and implementing WIPS for rogue detection and logging.

WIPS platforms with multiple sensors can locate rogue devices using:

A. TDoA: Measures the time difference a signal takes to reach multiple sensors; requires synchronized clocks.

C. Trilateration using RSSI: Estimates distance based on signal strength from three or more known sensor positions.

E. RF Fingerprinting: Matches received signals to known RF patterns in the environment for device positioning.

AoA requires directional antennas (not typical with dipoles), and GPS is used for locating mobile sensors or vehicles, not indoor rogues.

A WIPS (Wireless Intrusion Prevention System) is designed to monitor WLAN activity and provide visualization and reporting related to:

Security threats (e.g., DoS attacks, rogue devices)

Policy compliance (e.g., allowed SSIDs, encryption types)

Rogue threat classification (e.g., rogue, neighbor, ad hoc)

The dashboard displaying this type of security-centric overview is characteristic of a WIPS platform.

WIPS (Wireless Intrusion Prevention Systems) monitor the RF environment and detect unauthorized activities. However, eavesdropping involves passive listening to wireless communications without transmitting any signals. Because the attacker is not transmitting or generating any detectable activity, a WIPS has no RF signal to detect and is thus unable to identify or prevent this attack.

Before conducting a security audit of an 802.11ac WLAN, it is essential to know the current security implementations—such as the use of WPA2-Enterprise, 802.1X, or MAC filtering. This helps the auditor tailor tests to identify gaps, weaknesses, or misconfigurations in the existing system. Understanding the security solutions provides the most immediate insight into potential vulnerabilities.

Many protocol analyzers require special drivers or place the NIC into monitor/promiscuous mode. When used this way, the original driver stack may be altered or replaced. Afterward, if not correctly reloaded, the adapter may lack full 802.1X support or required encryption features. This is likely the case here — Mary's WLAN adapter is still under the control of or affected by the analyzer’s NIC driver, which doesn’t support PEAP properly.

In a security context, outdated firmware is one of the most critical vulnerabilities. Firmware updates typically patch known security issues, fix bugs, and provide new features or improved encryption support. If the APs have not been updated or checked in over 18 months, they could be running firmware with known exploits or lacking critical security patches, making firmware review a top priority.

Wireless Intrusion Prevention Systems (WIPS) can proactively respond to detected threats using various techniques. One such preventative measure is integration with the wired infrastructure to mitigate rogue APs by disabling the switch port they are connected to. This is typically done through SNMP or other switch management interfaces.

This form of wired-side containment is more secure and compliant than wireless-side attacks (e.g., deauthentication), which can violate regulations in some jurisdictions.

The key clue in this sequence is the four EAPOL-Key frames, which indicate a 4-way handshake — a hallmark of WPA and WPA2 authentication processes. There is no EAP exchange preceding the 4-way handshake, which eliminates WPA/WPA2-Enterprise and 802.1X/EAP methods. This points directly to WPA2-Personal, where PSK (Pre-Shared Key) is used and there is no EAP exchange before key generation.

Also, the second "Auth" frame suggests Open System Authentication was used, which is typical for RSN-based networks (not Shared Key as in WEP).

MS-CHAPv2 is a widely used authentication protocol, but it has notable weaknesses:

B. MS-CHAPv2 is vulnerable to offline dictionary attacks. Attackers can capture authentication exchanges and attempt password guesses offline due to predictable hashing behavior.

D. The only secure use of MS-CHAPv2 is inside a secure tunnel (e.g., EAP-TTLS or PEAP), where credentials are protected during transmission.

Incorrect:

A. MS-CHAPv2 is used in WPA2-Enterprise, not WPA-Personal, and it is allowed under WPA2-Enterprise via PEAP.

C. WEP does not enhance LEAP’s security; it compounds vulnerabilities.

E and F. MS-CHAPv2 does not use AES for authentication. Using AES-CCMP for encryption does not fix MS-CHAPv2's weaknesses.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

Hijacking attacks often rely on exploiting client behavior during signal disruption. Clients will seek better connections when RF is weak or interrupted. An attacker may:

Disrupt the signal (e.g., with a deauth attack)

Present a rogue access point (evil twin) with stronger signal

Trick the client into associating with the rogue AP, hijacking the session

Incorrect:

B. There is no standard 120-second timer behavior.

C. Loss of connectivity typically triggers reassociation and reauthentication.

D. Direct client-to-client connections are not required in infrastructure mode.

E. Band selection logic varies and is unrelated to hijacking attacks.

This network uses WPA-Personal (Pre-Shared Key) and MAC filtering. While it does offer some basic protections, it is still vulnerable to several well-known attack vectors:

A. Offline dictionary attacks: An attacker can capture the 4-way handshake and perform offline dictionary or brute-force attacks to guess the PSK.

B. MAC Spoofing: Since MAC filtering is based on easily observed MAC addresses, attackers can spoof an authorized MAC address.

D. DoS: Attacks such as deauthentication floods or RF jamming can deny users access without needing to break encryption.

Incorrect:

C. ASLEAP: This is specific to LEAP (a weak EAP type), which is not used in WPA-Personal.

In this scenario, although the bank’s website uses HTTPS (which encrypts communications between John’s browser and the bank’s server), the compromise did not occur during the banking session itself. Instead, the attacker exploited a common security mistake: credential reuse.

John reused his email credentials for his bank login, and he accessed his email using a POP3 client without encryption at a public hotspot. This means his username and password were sent in cleartext, which is trivially easy to sniff on an open wireless network. Once an attacker obtained those credentials, they could use them to log into his bank account if the same credentials were used there.

Here's how this aligns with CWSP knowledge domains:

CWSP Security Threats & Attacks: This is a classic example of credential harvesting via cleartext protocols (POP3), and password reuse, both of which are significant risks in WLAN environments.

CWSP Secure Network Design: Recommends use of encrypted protocols (e.g., POP3S or IMAPS) and user education against password reuse.

CWSP WLAN Security Fundamentals: Emphasizes that open Wi-Fi networks offer no encryption by default, leaving unprotected protocols vulnerable to sniffing and interception.

Other answer options and why they are incorrect:

A & D are invalid because an expired or unsigned certificate may cause browser warnings but won’t result in sending credentials unencrypted unless the user bypasses HTTPS (which wasn’t stated).

C is incorrect: IPSec VPNs encrypt all data between the client and VPN endpoint—including credentials.

E is technically incorrect and misleading: intercepting the public key of an HTTPS session doesn't allow decryption of the credentials due to asymmetric encryption and session key security. Real-time decryption of HTTPS traffic without endpoint compromise is not feasible.

In Cisco LEAP (Lightweight EAP), the username is sent in clear text as part of the 802.1X authentication process. LEAP uses a challenge/response authentication mechanism that is susceptible to offline dictionary attacks because the attacker only needs to know the username and capture the challenge/response exchange to perform brute-force guessing of passwords. The username is used in generating the hash for the authentication exchange, making its disclosure critical for an attacker.

Incorrect:

A. PACs are used in EAP-FAST, not LEAP.

C. The 4-Way Handshake nonces are unrelated to the username.

D. While dictionary files may include username/password combos, the cryptographic significance in LEAP is due to the challenge/response mechanism.

Most integrated Wi-Fi adapters in Windows laptops are not capable of entering “monitor mode” or capturing 802.11ac frames properly. Compatibility with protocol analyzers like Wireshark or Omnipeek requires special drivers or specific USB adapters. Therefore, it is recommended to use a USB adapter known to support monitor mode and frame capture on 802.11ac for accurate and complete data capture.

Incorrect:

A. Not all adapters support protocol analyzer features.

C. MU-MIMO support is irrelevant for frame capture.

D. Other analyzers besides Wireshark can decode 802.11ac (e.g., Omnipeek).

E. Remote capture is not the only method—local USB adapters are effective too.

When using a wireless aggregator to combine packet captures from channels 1, 6, and 11 (the three non-overlapping 2.4 GHz channels), you're most likely analyzing multi-channel behavior. This is particularly relevant when troubleshooting roaming issues, such as fast secure roaming (e.g., 802.11r). These captures help determine whether authentication or association events occur smoothly across APs operating on different channels.

Incorrect:

A. Adapter failure doesn't require multi-channel capture.

B. Interference location is typically single-channel and spectrum-analysis focused.

D. Narrowband DoS attacks are also usually identified using RF spectrum analysis, not packet capture across all channels.

802.11w, also known as Protected Management Frames (PMF), is designed to protect specific types of 802.11 management frames such as disassociation and deauthentication frames. These frames were previously sent unencrypted and could be spoofed by attackers to disconnect clients (DoS attacks). With 802.11w, these frames are cryptographically protected, mitigating such attacks.

PMF also includes replay protection for these management frames, preventing attackers from capturing and replaying them to disrupt network connectivity.

PEAPv0/EAP-TLS is a tunneled EAP method that requires:

The server to present a certificate for TLS tunnel establishment.

The client to present a valid client certificate within the tunnel (in the case of EAP-TLS).

If the client does not have a valid X.509 certificate installed, authentication will fail.

Incorrect:

A. The server certificate is required for the TLS tunnel, and it is typically present; the issue here lies with the client cert.

B. TKIP is technically compatible with PEAPv0, although AES-CCMP is preferred.

D. Kerberos is unrelated to EAP authentication and VLAN use.

In tunneled EAP types (e.g., PEAP, EAP-TTLS):

A secure TLS tunnel is first established using the server’s certificate.

Then, user credentials (e.g., username/password) are sent through the encrypted tunnel to ensure confidentiality.

Incorrect:

A. Certificates are exchanged during tunnel establishment, not protected within it.

C. Server credentials are used to establish the tunnel, not protected inside it.

D. The RADIUS shared secret secures communication between AP/controller and RADIUS server—not sent via the tunnel.

AAA stands for:

Authentication: Validates user identity (Option 1).

Authorization: Grants access to specific resources based on policy (Option 3).

Accounting: Tracks user activity (Option 2).

This ordering matches standard network security architecture:

Who are you? → Authentication

What are you allowed to do? → Authorization

What did you do? → Accounting

Incorrect:

A–C. Misplace or mislabel AAA functions.

Endpoint security software can:

A. Enforce network access policies by validating that security settings meet organizational standards.

B. Monitor usage for auditing and threat detection.

C. Limit network connectivity based on SSID names, encryption, and authentication parameters.

Incorrect:

D. Detecting rogue APs and clients is typically done by WIPS, not endpoint security agents.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

The Pairwise Transient Key (PTK) is derived during the 4-Way Handshake and is used to generate:

The EAPOL-Key Confirmation Key (KCK)

The EAPOL-Key Encryption Key (KEK)

The Temporal Key (TK), which encrypts unicast traffic

Incorrect:

A. The Group Master Key (GMK) is used to derive the GTK, not the PTK.

C. PTK is not XOR’d with the PSK—PTK is derived from PMK + other session parameters.

D. PMK is never encrypted or transmitted; it is pre-shared or derived and remains local.

Role-Based Access Control (RBAC) enables dynamic assignment of permissions and access rights based on a user's job function. A WLAN controller with RBAC:

Can apply policies post-authentication.

Controls access to internal services (e.g., file shares, apps).

Assigns users to different VLANs or applies firewall rules based on roles.

Incorrect:

A. MAC filtering is not scalable or secure.

B. WPA2-Personal does not support user-based policies or LDAP integration.

C. DHCP scope assignment is not linked to user roles.

E. VLAN assignment via SSID is static and does not consider job function.

EAP-TLS is considered one of the most secure EAP types, but:

It requires a Public Key Infrastructure (PKI).

Every client device must have a unique certificate, adding to administrative burden and cost.

Incorrect:

A. Roaming speed is not inherently slower with EAP-TLS if supported by the infrastructure.

B. EAP-TLS protects client credentials; passwords aren’t even used—it uses certificates.

C. EAP-TLS does establish a secure tunnel—it's the original TLS-based method.

D. EAP-TLS is vendor-agnostic and supported by most enterprise WLAN infrastructure.

Comprehensive Detailed Explanation:

To support real-time applications like Voice over Wi-Fi:

WPA2-Enterprise ensures robust security using 802.1X and AES-CCMP.

Fast secure roaming (802.11r) is essential to maintain voice session quality.

VLAN segmentation improves network performance and security between voice and data devices.

Incorrect:

A. WPA-Enterprise is less secure than WPA2, and frequency band segmentation doesn’t address QoS and security together.

C. WEP is deprecated and insecure even with added measures.

D. WPA-Personal lacks centralized authentication and doesn’t support enterprise-grade security or fast roaming.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.