David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman
Certified Wireless Security Professional Official Study Guide
The Official Study Guide for Exam PW0-204 from CWNP®
CWSP®
• Hundreds of Sample Questions
• Case Studies and Demo Software
Prepare for the Certified Wireless Security Professional exam
(PW0-204) with this new Official Study Guide from CWNP. This
comprehensive resource covers everything you need for the exam,
including wireless security basics, risks, and policies; legacy
802.11 security and robust network security (RSN); encryption
ciphers and methods; enterprise 802.11 layer 2 authentication
methods; fast secure roaming, wireless intrusion prevention; and
many other essential WLAN security topics and concepts. Inside
you’ll find:
• Full coverage of all exam objectives in a systematic approach, so
you can be confident you’re getting the instruction you need for
the exam
• Practical hands-on exercises to reinforce critical skills
• Real-world scenarios that put what you’ve learned in the context
of actual job roles
• Challenging review questions in each chapter to prepare you for
exam day
• Exam Essentials, a key feature in each chapter that identifies
critical areas you must become proficient in before taking the
exam
• White papers, demo software, practice exams, and over 150
flashcards on the CD to further facilitate your learning
• A handy tear card that maps every official exam objective to the
corresponding chapter in the book, so you can track your exam prep
objective by objective
Look inside for complete coverage of all exam objectives.
SERIOUS SKILLS.
Exam PW0-204
ABOUT THE AUTHORS
David D. Coleman, CWNE #4, CWNA, CWSP, CWNT, is a WLAN security
consultant and technical trainer with over twenty years of IT
experience. The company he founded, AirSpy Networks
(www.airspy.com), specializes in corporate WLAN training. David A.
Westcott, CWNE #7, CWNA, CWSP, CWNT, is an independent consultant
and WLAN technical trainer with over twenty years of experience. He
has been a certified trainer for over fifteen years. Bryan E.
Harkins, CWNE #44, CWSP, CWNA, CWNT, is the Training and
Development Manager for Motorola AirDefense Solutions, a market
leader in wireless intrusion prevention systems. Shawn M. Jackman,
CWNE #54, CWNA, CWSP, CWAP is a principal WLAN engineer with Kaiser
Permanente. He has over fifteen years’ experience working with
wireless manufacturers and integrators.
SYBEX TEST ENGINE: Test your knowledge with advanced testing
software. Includes all chapter review questions and practice
exams.
ELECTRONIC FLASHCARDS: Reinforce your understanding with electronic
flashcards.
The CD also includes white papers and demo software.
Study anywhere, any time, and approach the exam with confidence.
ABOUT THE CWNP PROGRAM
CWNP is the industry standard for vendor-neutral, enterprise WLAN
certifications. The focus is to educate IT professionals in the
technology behind all enterprise WLAN products and to enable these
professionals to manage wireless LAN enterprise infrastructures,
regardless of the vendor solution utilized. CWNP is a privately
held corporation based in Atlanta, Georgia. For more information,
visit www.cwnp.com.
www.sybex.com
CWSP®
Study Guide
Acquisitions Editor: Jeff Kellum
Development Editor: Gary Schwartz
Technical Editors: Sam Coyl and Marcus Burton
Production Editor: Rachel McConlogue
Copy Editor: Liz Welch
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Media Project Manager 1: Laura Moss-Hollister
Media Associate Producer: Marilyn Hummel
Media Quality Assurance: Josh Frank
Book Designers: Judy Fung and Bill Gibson
Proofreader: Publication Services, Inc.
Indexer: Ted Laux
Project Coordinator, Cover: Lynsey Stanford
Cover Designer: Ryan Sneed
Copyright © 2010 by Wiley Publishing, Inc., Indianapolis,
Indiana
Published simultaneously in Canada
ISBN: 978-0-470-43891-6
No part of this publication may be reproduced, stored in a
retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or
otherwise, except as permitted under Sections 107 or 108 of the
1976 United States Copyright Act, without either the prior written
permission of the Publisher, or authorization through payment of
the appropriate per-copy fee to the Copyright Clearance Center, 222
Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978)
646-8600. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons,
Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax
(201) 748-6008, or online at
http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the
author make no representations or warranties with respect to the
accuracy or completeness of the contents of this work and
specifically disclaim all warranties, including without
limitation warranties of fitness for a particular purpose. No
warranty may be created or extended by sales or promotional
materials. The advice and strategies contained herein may not be
suitable for every situation. This work is sold with the
understanding that the publisher is not engaged in rendering legal,
accounting, or other professional services. If professional
assistance is required, the services of a competent professional
person should be sought. Neither the publisher nor the author shall
be liable for damages arising herefrom. The fact that an
organization or Web site is referred to in this work as a citation
and/or a potential source of further information does not mean that
the author or the publisher endorses the information the
organization or Web site may provide or recommendations it may
make. Further, readers should be aware that Internet Web sites
listed in this work may have changed or disappeared between when
this work was written and when it is read.
For general information on our other products and services or to
obtain technical support, please contact our Customer Care
Department within the U.S. at (877) 762-2974, outside the U.S. at
(317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats.
Some content that appears in print may not be available in
electronic books.
Library of Congress Cataloging-in-Publication Data
CWSP : certified wireless security professional official study
guide (exam PW0-204) / David D. Coleman . . . [et al.]. — 1st
ed.
p. cm.
ISBN 978-0-470-43891-6
TK5103.2.C87 2010
005.8076—dc22
2009042658
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are
trademarks or registered trademarks of John Wiley & Sons, Inc.
and/or its affiliates, in the United States and other countries,
and may not be used without written permission. CWSP is a
registered trademark of CWNP, Inc. All other trademarks are the
property of their respective owners. Wiley Publishing, Inc., is not
associated with any product or vendor mentioned in this book.
Dear Reader,
Thank you for choosing CWSP: Certified Wireless Security
Professional Official Study Guide. This book is part of a family
of premium-quality Sybex books, all of which are written by
outstanding authors who combine practical experience with a gift
for teaching.
Sybex was founded in 1976. More than 30 years later, we’re still
committed to producing consistently exceptional books. With each of
our titles, we’re working hard to set a new standard for the
industry. From the paper we print on, to the authors we work with,
our goal is to bring you the best books available.
I hope you see all that reflected in these pages. I’d be very
interested to hear your comments and get your feedback on how we’re
doing. Feel free to let me know what you think about this or any
other Sybex book by sending me an email at
[email protected]. If you
think you’ve found a technical error in this book, please visit
http://sybex.custhelp.com. Customer feedback is critical to our
efforts at Sybex.
Best regards,
Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley
We dedicate this book to all the men and women of the United States
Armed Forces for putting their private lives aside to preserve and
protect freedom. Thank you for your service and your sacrifice.
Acknowledgments
David Coleman would once again like to thank his
children, Brantley and Carolina, for their patience and
understanding of their father throughout the writing of yet another
book. I love you kids very much. David would also like to thank his
mother, Marjorie Barnes, and his stepfather, William Barnes, for
many years of support and encouragement. David would also like to
thank his brother, Rob Coleman, for all his help during a tough
year.
David Westcott would like to thank his parents, Kathy and George,
who have provided so much support and love and from whom he has
learned so much. He would also like to thank Janie, Jennifer, and
Samantha for their patience and understanding of life on the road
and for their support throughout the writing of this book.
Bryan Harkins would like to thank his wife, Ronda, and his two
daughters, Chrystan and Catelynn, for enduring the constant travel
and time away from them it has taken to create this book. I love
the three of you very much. I would also like to thank my parents
for always being there and my brother Chris for getting me into IT
in the first place. Additionally, I would like to thank David
Thomas and Ralf Deltrap of Motorola AirDefense Solutions for making
me part of the AirDefense team years ago.
Shawn Jackman would like to thank his parents, Alice and Steve, for
the many years of encouragement and unquestioning support, but most
of all for leading by example as a parent, provider, and character
example. Shawn would also like to thank his wife, Joy, the world’s
most supportive and wonderful woman a Wi-Fi geek could ever ask
for. And, of course, to his children, Summer, Pierce, and Julia,
who are loved by their daddy more than they will ever know.
Writing CWSP: Certified Wireless Security Professional Official
Study Guide has been an adventure from the start. We would like to
thank the following individuals for their support and contributions
during the entire process.
We must first thank Sybex acquisitions editor Jeff Kellum for
initially finding us and bringing us on to this project. Jeff is
an extremely patient and understanding editor who occasionally
sends a nasty email message. We would also like to thank our
development editor, Gary Schwartz. We also need to send special
thanks to our editorial manager, Pete Gaughan; our production
editor, Rachel McConlogue; and Liz Welch, our copyeditor.
We also need to give a big shout-out to our technical editor, Sam
Coyl. Sam is a member of the IEEE with many years of practical
experience in wireless communications. His contributions to the
book were nothing short of invaluable. When Sam is not providing
awesome technical editing, he is vice president of business
development for Netrepid (www.netrepid.com), a wireless solutions
provider.
We would also like to thank Marcus Burton, Cary Chandler, Abbey
Cole, and Kevin Sandlin of the CWNP program (www.cwnp.com). All
CWNP employees, past and present, should be proud of the
internationally renowned wireless certification program that sets
the education standard within the enterprise Wi-Fi industry. It has
been a pleasure working with all of you the past 10 years. Special
thanks go to Marcus Burton for his feedback and content
review.
Thanks go to the students who attended an October 2009 CWSP
evaluation class held in Atlanta. Those students include Ray Baum
and Max Lopez from the University of Colorado, Joe Altmann from
Polycom, and Randall Bobula from the CME Group. Also contributing
that week was our favorite Meruvian, Diana Cortes from the
University of Miami.
We would also like to thank Devin Akin, Chief Architect of Aerohive
Networks. Devin has been a Wi-Fi guru for all four authors for many
years.
Shawn would also like to thank the following co-workers and
professional colleagues: Nico Arcino, Ken Fisch, Tom Head, Jon
Krabbenschmidt, and George Stefanick.
We would also like to thank the following individuals and companies
for their support and contributions to the book:
Aerohive Networks (www.aerohive.com) — Devin Akin, Adam Conway, and Paul Levasseur
AeroScout (www.aeroscout.com) — Steffan Haithcox and Scott Phillips
AirDefense (www.airdefense.net) — Ralf Deltrap and David Thomas
AirMagnet (www.airmagnet.com) — Dilip Advani
AirWave (www.airwave.com) — Patrick Smith
By-Light (www.by-light.com) — Steve Hurdle
CACE Technologies (www.cacetech.com) — Janice Spampinato
Cisco Systems (www.cisco.com) — Chris Allen, John Helm, Matt Swartz, and Hao Zhao
Fluke Networks (www.flukenetworks.com) — Carolyn Carter, Dan Klimke, and Lori Whitmer
Immunity (www.immunityinc.com) — Steven Laskowski
NetStumbler (www.netstumbler.com) — Marius Milner
Vocera (www.vocera.com) — Arun Mirchandani, Steve Newsome, and Brian Sturges
Wi-Fi Alliance (www.wifi.org) — Kelly Davis-Felner and Krista Ford
WildPackets (www.wildpackets.com) — Stephanie Temples
About the Authors
David D. Coleman is a WLAN security consultant
and trainer. He teaches the CWNP classes that are recognized
throughout the world as the industry standard for wireless
networking certification, and he also conducts vendor-specific
Wi-Fi training. He has also taught numerous “train-the-trainer”
classes and “beta” classes for the CWNP program. David has
instructed IT professionals from around the globe in wireless
networking administration, wireless security, and wireless frame
analysis. The company he founded, AirSpy Networks (www.airspy.com),
specializes in corporate training and has worked in the past with
Avaya, Nortel, Polycom, and Siemens. AirSpy Networks also
specializes in government classes, and it has trained numerous
computer security employees from various law enforcement agencies,
the U.S. Marines, the U.S. Army, the U.S. Navy, the U.S. Air Force,
and other federal and state government agencies. David has written
many books and white papers about wireless networking, and he is
considered an authority on 802.11 technology.
David is also a member of the Certified Wireless Network Expert
(CWNE) Roundtable, a selected group of individuals who work with
the CWNP program to provide direction for the CWNP exams and
certifications. David resides in Atlanta, Georgia, where he shares
a home with his two children, Carolina and Brantley. David Coleman
is CWNE #4, and he can be reached via email at
[email protected].
David Westcott is an independent consultant and technical trainer
with over 25 years of experience in information technology,
specializing in computer networking and security. In addition to
providing advice and direction to corporate clients, David has been
a certified trainer for over 17 years, providing training to
government agencies, corporations, and universities around the
world. David was an adjunct faculty member for Boston University’s
Corporate Education Center for over 10 years, and he has developed
courseware on wireless networking, wireless mesh networking, wired
networking, and security for Boston University and many other
clients.
Since installing his first wireless network in 1999, David has
become a Certified Wireless Network Trainer, Administrator,
Security Professional, and Analysis Professional. David is also a
member of the CWNE Roundtable. David has earned certifications
from Cisco, Aruba, Microsoft, EC-Council, CompTIA, and Novell.
David lives in Concord, Massachusetts with his wife Janie and his
stepdaughters, Jennifer and Samantha. A licensed pilot, he enjoys
flying his Piper Cherokee 180 around New England when he is not
flying around the world commercially. David is CWNE #7, and he can be
reached via email at
[email protected].
Shawn Jackman currently oversees wireless enterprise engineering
for a large healthcare provider and adopter of 802.11 technology.
Prior to that, Shawn has been on both sides of the table, working
for a WLAN manufacturer and with wireless integrators. Shawn has
been intensely focused on large-scale VoWiFi, QoS, and RTLS
applications for over three years, and he spends a considerable
amount of his time doing end-user design, deployment, and
troubleshooting for various vendors’ equipment. Shawn has traveled
the United States and internationally designing wired and wireless
networks, from concept to completion, for healthcare, warehouse,
hospitality, education, metro/municipal, government, franchise, and
retail environments. He has served as an on-air technical
personality for a weekly syndicated call-in talk radio show with
over 5 million listeners worldwide and is considered an authority
on Wi-Fi technology.
Shawn is a member of the CWNE Roundtable. He lives in the San
Francisco Bay area with his wife Joy and their three children,
Summer, Pierce, and Julia. Shawn is CWNE #54, and he can be reached
via email at
[email protected].
Bryan Harkins is currently the training and development manager for
Motorola AirDefense Solutions and has over 20 years’ experience in
the IT field. He has been involved in areas ranging from customer
support and sales to network security and design. He has developed
custom curriculum for government agencies and Fortune 500 companies
alike. Over the years, he has helped numerous students reach their
certification and knowledge goals through his exceptional skills
as an instructor. He delivers both public and private wireless
security classes around the world and holds several prestigious
industry certifications, including MCSE, CWNE, and CWNT.
Bryan has spoken during Secure World Expo, Armed Forces
Communications and Electronics Association (AFCEA) events, and
Microsoft Broad Reach as well as many other industry events. He
holds a degree in aviation from Georgia State University. Bryan is
a native of Atlanta, Georgia, and still lives in the area with his
wife Ronda and two daughters, Chrystan and Catelynn. Bryan is also
a member of the CWNE Roundtable. Bryan is CWNE #44, and he can be
reached via email at
[email protected].
Contents at a Glance
Introduction
Assessment Test
Chapter 3 Encryption Ciphers and Methods
Chapter 4 Enterprise 802.11 Layer 2 Authentication Methods
Chapter 5 802.11 Layer 2 Dynamic Encryption Key Generation
Chapter 6 SOHO 802.11 Security
Chapter 7 802.11 Fast Secure Roaming
Chapter 8 Wireless Security Risks
Chapter 9 Wireless LAN Security Auditing
Chapter 10 Wireless Security Monitoring
Chapter 11 VPNs, Remote Access, and Guest Access Services
Chapter 12 WLAN Security Infrastructure
Chapter 13 Wireless Security Policies
Appendix A Abbreviations, Acronyms, and Regulations
Appendix B WLAN Vendors
Appendix C About the Companion CD
Glossary
Index
Contents
Introduction
Assessment Test
Standards Organizations
International Organization for Standardization (ISO)
Institute of Electrical and Electronics Engineers (IEEE)
Internet Engineering Task Force (IETF)
Wi-Fi Alliance
802.11 Networking Basics
802.11 Security Basics
Data Privacy
Authentication, Authorization, Accounting (AAA)
Segmentation
Monitoring
Policy
802.11 Security History
802.11i Security amendment and WPA Certifications
Robust Security Network (RSN)
The Future of 802.11 Security
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 2 Legacy 802.11 Security
Authentication
Open System Authentication
Shared Key Authentication
Wired Equivalent Privacy (WEP) Encryption
Virtual Private Networks (VPNs)
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
Internet Protocol Security (IPsec)
Configuration Complexity
Scalability
MAC Filters
SSID Segmentation
SSID Cloaking
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 3 Encryption Ciphers and Methods
Encryption Basics
Symmetric and Asymmetric Algorithms
Stream and Block Ciphers
RC4
RC5
DES
3DES
AES
WLAN Encryption Methods
WEP
WEP MPDU
TKIP
TKIP MPDU
CCMP
CCMP MPDU
WPA/WPA2
Proprietary Layer 2 Implementations
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 4 Enterprise 802.11 Layer 2 Authentication Methods
WLAN Authentication Overview
AAA
Authentication
Authorization
Accounting
802.1X
Supplicant
Authenticator
Authentication Server
Supplicant Credentials
Usernames and Passwords
Digital Certificates and PACs
One-time Passwords
Smart Cards and USB Tokens
Machine Authentication
Preshared Keys
Proximity Badges and RFID Tags
Biometrics
Authentication Server Credentials
Shared Secret
Legacy Authentication Protocols
PAP
CHAP
MS-CHAP
MS-CHAPv2
EAP
Weak EAP Protocols
EAP-MD5
EAP-LEAP
Strong EAP Protocols
EAP-PEAP
EAP-TTLS
EAP-TLS
EAP-FAST
PACs
Miscellaneous EAP Protocols
EAP-SIM
EAP-AKA
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 5 802.11 Layer 2 Dynamic Encryption Key Generation
Advantages of Dynamic Encryption
Robust Security Network (RSN)
RSN Information Element
Authentication and Key Management (AKM)
RSNA Key Hierarchy
4-Way Handshake
Group Key Handshake
PeerKey Handshake
RSNA Security Associations
Passphrase-to-PSK Mapping
Roaming and Dynamic Keys
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 6 SOHO 802.11 Security
WPA/WPA2-Personal
Preshared Keys (PSK) and Passphrases
WPA/WPA2-Personal Risks
Entropy
Proprietary PSK
Wi-Fi Protected Setup (WPS)
WPS Architecture
SOHO Security Best Practices
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 7 802.11 Fast Secure Roaming
History of 802.11 Roaming
Client Roaming Thresholds
AP-to-AP Handoff
RSNA
PMKSA
PMK Caching
Preauthentication
Opportunistic Key Caching (OKC)
Proprietary FSR
Fast BSS Transition (FT)
Information Elements
FT Initial Mobility Domain Association
Over-the-Air Fast BSS Transition
Over-the-DS Fast BSS Transition
802.11k
Voice Personal and Voice Enterprise
Layer 3 Roaming
Troubleshooting
SCA Roaming
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 8 Wireless Security Risks
Unauthorized Rogue Access
Rogue Devices
Rogue Prevention
Eavesdropping
Casual Eavesdropping
Malicious Eavesdropping
Eavesdropping Risks
Eavesdropping Prevention
Authentication Attacks
Denial-of-Service Attacks
Layer 1 DoS Attacks
Layer 2 DoS Attacks
MAC Spoofing
Wireless Hijacking
Management Interface Exploits
Vendor Proprietary Attacks
Physical Damage and Theft
Social Engineering
Public Access and WLAN Hotspots
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 9 Wireless LAN Security Auditing
WLAN Security Audit
OSI Layer 1 Audit
OSI Layer 2 Audit
Penetration Testing
Wired Infrastructure Audit
Social Engineering Audit
WIPS Audit
Documenting the Audit
Audit Recommendations
WLAN Security Auditing Tools
Linux-Based Tools
Windows-Based Tools
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 10 Wireless Security Monitoring
Wireless Intrusion Detection and Prevention Systems (WIDS and WIPS)
WIDS/WIPS Infrastructure Components
WIDS/WIPS Architecture Models
Multiple Radio Sensors
Sensor Placement
Device Classification
Rogue Detection
Rogue Mitigation
Device Tracking
WIDS/WIPS Analysis
Signature Analysis
Behavioral Analysis
Protocol Analysis
Spectrum Analysis
Forensic Analysis
Performance Analysis
Monitoring
Policy Enforcement
Alarms and Notification
False Positives
Reports
802.11n
Proprietary WIPS
Cloaking
Management Frame Protection
802.11w
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 11 VPNs, Remote Access, and Guest Access Services
VPN Technology in 802.11 WLAN Architecture
VPN 101
VPN Client
WLAN Controllers: VPN Server for Client Access
VPN Client Security at Public Hotspots
Controller-to-Controller VPNs and Site-to-Site VPNs
VPNs Used to Protect Bridge Links
Remote Access
Hotspots/Public Access Networks
Captive Portal
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 12 WLAN Security Infrastructure
WLAN Architecture Capabilities Overview
Distribution System (DS)
Autonomous APs
WLAN Controllers
Split MAC
Mesh
WLAN Bridging
Cooperative Control
Location-Based Access Control
Hot Standby/Failover
Device Management
Protocols for Management
CAPWAP and LWAPP
Wireless Network Management System
RADIUS/LDAP Servers
Proxy Services
Features and Components
Integration
EAP Type Selection
Deployment Architectures and Scaling
RADIUS Failover
Timer Values
WAN Traversal
Multifactor Authentication Servers
Public Key Infrastructure (PKI)
Role-Based Access Control
Enterprise Encryption Gateways
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Chapter 13 Wireless Security Policies
General Policy
Policy Creation
Policy Management
Functional Policy
Password Policy
RBAC Policy
Change Control Policy
Authentication and Encryption Policy
WLAN Monitoring Policy
Endpoint Policy
Acceptable Use Policy
Physical Security
Remote Office Policy
Government and Industry Regulations
The US Department of Defense (DoD) Directive 8100.2
Federal Information Processing Standards (FIPS) 140-2
The Sarbanes-Oxley Act of 2002 (SOX)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry (PCI) Standard
Compliance Reports
802.11 WLAN Policy Recommendations
Summary
Exam Essentials
Key Terms
Review Questions
Answers to Review Questions
Appendices
Appendix A Abbreviations, Acronyms, and Regulations
Certifications
Organizations and Regulations
Measurements
Technical Terms
Power Regulations
2.4 GHz ISM Point-to-Multipoint (PtMP) Communications
5 GHz UNII Point-to-Multipoint (PtMP) Communications
2.4 GHz ISM Point-to-Point (PtP) Communications
5 GHz UNII Point-to-Point (PtP) Communications
Windows Registry Values that Control Preauthentication and PMK Caching
Appendix B WLAN Vendors
WLAN Infrastructure
WLAN Mesh Infrastructure
WLAN Auditing, Diagnostic, and Design Solutions
WLAN Management
WLAN Security Solutions
VoWiFi Solutions
WLAN Fixed Mobile Convergence
WLAN RTLS Solutions
WLAN SOHO Vendors
Appendix C About the Companion CD
What You’ll Find on the CD
Sybex Test Engine
Electronic Flashcards
System Requirements
Using the CD
Troubleshooting
Customer Care
Table of Exercises
Exercise 2.1 Viewing Open System and Shared Key Authentication Frames
Exercise 2.2 Viewing Encrypted MSDU Payload of 802.11 Data Frames
Exercise 2.3 Viewing Hidden SSIDs
Exercise 3.1 TKIP Encrypted Frames
Exercise 3.2 CCMP Encrypted Frames
Exercise 4.1 802.1X/EAP Frame Exchanges
Exercise 5.1 Dynamic WEP
Exercise 5.2 Authentication and Key Management
Exercise 5.3 The 4-Way Handshake
Exercise 6.1 Passphrase-PSK Mapping
Exercise 10.1 Spectrum Analysis
Foreword
Wi-Fi is nearly ubiquitous. The term Wi-Fi is certainly
well known and well understood. With such widespread acceptance
comes widespread usage, requiring robust security. The IEEE has, as
of this writing, succeeded in ratifying two major amendments to the
802.11 standard: 802.11i and 802.11n. Both require major
adjustments to any enterprise’s WLAN security strategy.
The ratification of the 802.11n amendment will likely have an even
greater effect on Wi-Fi security than did the 802.11i amendment for
one simple reason: 802.11n has caused many more enterprises to
adopt Wi-Fi for regular, daily, and mission-critical networking
applications because they now believe that wireless is about as
close to wired as it can get. In other words, most people think
802.11n makes wireless fast enough to use in the enterprise.
That’s a great step. It means that there will be even more WLAN
installations in every industry—which means more people will need
to know how to install, manage, and troubleshoot these
boundary-less networks. More importantly, you will have to know how
to secure these networks!
With your acquisition of CWSP: Certified Wireless Security
Professional Official Study Guide, you have taken a huge step
toward making yourself indispensable to your organization’s
wireless team. Well done! Now you can start preparing to prove your
knowledge of enterprise Wi-Fi security. You can learn how hackers
are trying to attack your wireless LAN, how to prevent them from
doing so, and how to guide your organization’s policy toward
large-scale deployment of enterprise Wi-Fi infrastructure and
applications.
The CWSP certification is now the third step in the CWNP line of
certifications and remains focused on securing an enterprise
802.11 WLAN. CWSP includes topics such as 802.1X/EAP types, fast
secure roaming, robust security networks, Layer 2 and 3 VPNs,
wireless intrusion prevention system (WIPS) implementation,
intrusion and attack techniques, and much more. Additional CWNP
certifi cations focus more intensely on protocol analysis, quality
of service, design, advanced surveying, VoWiFi, location tracking,
and RF spectrum management.
David Coleman (CWNE #4) and David Westcott (CWNE #4) have worked as
Certified Wireless Network Trainers (CWNTs) for as long as the
CWNT certification has been available, and each was quick to
pursue all CWNP certifications as they were released. Each has
years of experience with a breadth of WLAN technologies and
leading-edge products, which is obvious to their students and
anyone working alongside them in the field. Having worked with
each of these gentlemen for years, I can confidently say there
could be no finer pair of seasoned trainers collaborating on a
CWSP book.
The addition of Shawn Jackman (CWNE #54) and Bryan Harkins (CWNE
#44) brings to the book a wealth of field experience from the WLAN
security and healthcare markets. Jackman leads the WLAN team at a
major healthcare organization and Harkins is the lead
technical instructor for Motorola’s AirDefense unit. These WLAN
veterans have devoted hundreds of hours to pouring their experience
into this book, and the reader is certain to acquire a plethora of
802.11 knowledge. Coleman, Harkins, Jackman, and Westcott have
played a big role in the shaping of CWNP and have each added
tremendous value to the CWNA and CWSP certifications specifically.
We thank each of these fine authors for their constant support of
CWNP, and congratulate them on the completion of their second Study
Guide.
Kevin Sandlin
Co-founder and CEO
CWNP Inc.
Introduction
If you have purchased this book or if you are even
thinking about purchasing this book, you probably have some
interest in taking the CWSP® (Certified Wireless Security
Professional) certification exam or in learning what the CWSP
certification exam is about. The authors would like to congratulate you on
this first step, and we hope that our book can help you on your
journey. Wireless local area networking (WLAN) is currently one of
the hottest technologies on the market. Security is an important
and mandatory aspect of 802.11 wireless technology. As with many
fast-growing technologies, the demand for knowledgeable people is
often greater than the supply. The CWSP certification is one way
to prove that you have the knowledge and skills to secure 802.11
wireless networks successfully. This study guide is written with
that goal in mind.
This book is designed to teach you about WLAN security so that you
have the knowledge needed not only to pass the CWSP certification
test, but also to be able to design, install, and support wireless
networks. We have included review questions at the end of each
chapter to help you test your knowledge and prepare for the exam.
We have also included labs, white papers, and presentations on the
CD to facilitate your learning further.
Before we tell you about the certification process and its
requirements, we must mention that this information may have
changed by the time you are taking your test. We recommend that you
visit www.cwnp.com as you prepare to study for your test to check
out the current objectives and requirements.
Do not just study the questions and answers! The practice questions
in this book are designed to test your knowledge of a concept or
objective that is likely to be on the CWSP exam. The practice
questions will be different from the actual exam questions. If you
learn and understand the topics and objectives in this book, you
will be better prepared for the test.
About CWSP® and CWNP®
If you have ever prepared to take a certification test for a
technology with which you are unfamiliar, you know that you are not
only studying to learn a different technology, but you are also
probably learning about an industry with which you are unfamiliar.
Read on and we will tell you about the CWNP Program. CWNP is an
abbreviation for Certified Wireless Network Professional. There
is no CWNP test. The CWNP Program develops courseware and
certification exams for wireless LAN technologies in the computer
networking industry. The CWNP certification program is a
vendor-neutral program.
The objective of the CWNP Program is to certify people on wireless
networking, not on a specific vendor’s product. Yes, at times
the authors of this book and the creators of the certification
will talk about, or even demonstrate how to use a specific
product; however,
the goal is the overall understanding of wireless technology, not
the product itself. If you learned to drive a car, you physically
had to sit and practice in one. When you think back and reminisce,
you probably do not tell anyone that you learned to drive a Ford;
you probably say you learned to drive using a Ford.
There are five wireless certifications offered by the CWNP
Program:
CWTS™: Certified Wireless Technology Specialist
The CWTS certification is the latest certification from the CWNP
Program. CWTS is an entry-level enterprise WLAN certification, and
it is a recommended prerequisite for the CWNA certification. This
certification is geared specifically toward both WLAN sales and
support staff for the enterprise WLAN industry. The CWTS
certification exam (PW0-070) verifies that sales and support staffs
are specialists in WLAN technology and have all the fundamental
knowledge, tools, and terminology to sell and support WLAN
technologies more effectively.
CWNA®: Certified Wireless Network Administrator
The CWNA certification is a foundation-level Wi-Fi certification;
however, it is not considered an “entry-level” technology
certification. Individuals taking the CWNA exam (PW0-104) typically
have a solid grasp of network basics such as the OSI model, IP
addressing, PC hardware, and network operating systems. Many
candidates already hold other industry-recognized certifications,
such as CompTIA Network+ or Cisco CCNA, and are looking to the CWNA
certification to enhance or complement existing skills.
CWSP®: Certified Wireless Security Professional
The CWSP certification exam (PW0-204) is focused on standards-based
wireless security protocols, security policy, and secure wireless
network design. This certification introduces candidates to many of
the technologies and techniques that intruders use to compromise
wireless networks and administrators use to protect wireless
networks. With recent advances in wireless security, WLANs can be
secured beyond their wired counterparts.
CWNE®: Certified Wireless Network Expert
The CWNE certification (PW0-300) is the highest-level certification
in the CWNP Program. By successfully completing the CWNE
requirements, you will have demonstrated that you have the most
advanced skills available in today’s wireless LAN market. The CWNE
exam (PW0-300) focuses on advanced WLAN analysis, design,
troubleshooting, quality of service (QoS) mechanisms, spectrum
management, and extensive knowledge of the IEEE 802.11 standard as
amended.
CWNT®: Certified Wireless Network Trainer
Certified Wireless Network Trainers are qualified instructors
certified by the CWNP Program to deliver CWNP training courses to IT
professionals. CWNTs are technical and instructional experts in
wireless technologies, products, and solutions. To ensure a superior
learning experience for our customers, CWNP Education Partners are
required to use CWNTs when delivering training using Official CWNP
Courseware.