Free and Premium CWNP CWSP-208 Dumps Questions Answers

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

EAP-TTLS (Tunneled Transport Layer Security) supports flexible inner authentication methods including:

MS-CHAPv2

EAP-GTC (Generic Token Card)

EAP-TLS (in some configurations)

This versatility allows EAP-TTLS to be used with a wide range of back-end authentication systems, while only requiring a server-side certificate.

Incorrect:

A. H-REAP (now FlexConnect) is a Cisco AP deployment mode, not an EAP type.

B. EAP-GTC is a simple authentication method and not a tunnel or container for others.

D. PEAP typically supports MS-CHAPv2 but not EAP-GTC or EAP-TLS as inner methods.

E. LEAP uses MS-CHAPv1 and is considered deprecated and insecure.

The Pairwise Transient Key (PTK) is derived during the 4-Way Handshake and is used to generate:

The EAPOL-Key Confirmation Key (KCK)

The EAPOL-Key Encryption Key (KEK)

The Temporal Key (TK), which encrypts unicast traffic

Incorrect:

A. The Group Master Key (GMK) is used to derive the GTK, not the PTK.

C. PTK is not XOR’d with the PSK—PTK is derived from PMK + other session parameters.

D. PMK is never encrypted or transmitted; it is pre-shared or derived and remains local.

The Message Integrity Code (MIC) is:

A cryptographic checksum applied to the data payload.

It ensures the payload was not modified in transit and guards against tampering.

With AES-CCMP, the MIC is generated as part of the encryption process and verified upon decryption.

Incorrect:

A. Signal integrity is validated at the physical layer, not through the MIC.

C. The MIC protects data payload integrity, not just MAC headers.

D. The MIC is not generated during the 4-Way Handshake.

Mutual authentication involves both the client and the authentication server verifying each other’s identity before network access is granted. This prevents attackers from spoofing an access point (AP) and luring clients to connect to rogue APs (often used in wireless hijacking or evil twin attacks). When mutual authentication (typically via 802.1X with EAP-TLS) is used, clients will not connect unless they can verify the server certificate, which thwarts hijacking attempts.

The frame sequence described shows:

802.11 Open System authentication and association

DHCP communication (for IP configuration)

ISAKMP packets, which are part of IPSec (used for key exchange and tunnel negotiation)

This indicates that link-layer authentication is not used, but instead, higher-layer encryption (IPSec VPN) secures communications.

Incorrect:

A and C. Would show EAP negotiation and 802.1X authentication frames.

D. WPA2-Personal would include a 4-Way Handshake before DHCP.

E. EAP-MD5 does not involve ISAKMP and is used within 802.1X authentication.

MS-CHAPv2 is a widely used authentication protocol, but it has notable weaknesses:

B. MS-CHAPv2 is vulnerable to offline dictionary attacks. Attackers can capture authentication exchanges and attempt password guesses offline due to predictable hashing behavior.

D. The only secure use of MS-CHAPv2 is inside a secure tunnel (e.g., EAP-TTLS or PEAP), where credentials are protected during transmission.

Incorrect:

A. MS-CHAPv2 is used in WPA2-Enterprise, not WPA-Personal, and it is allowed under WPA2-Enterprise via PEAP.

C. WEP does not enhance LEAP’s security; it compounds vulnerabilities.

E and F. MS-CHAPv2 does not use AES for authentication. Using AES-CCMP for encryption does not fix MS-CHAPv2's weaknesses.

Though AES-CCMP is secure and 802.1X authentication is strong, LEAP is inherently weak because:

B. LEAP uses MS-CHAPv1, making it vulnerable to offline dictionary attacks once challenge/response exchanges are captured.

F. Layer 1 DoS attacks (such as RF jamming or interference) can be launched regardless of authentication mechanisms.

Incorrect:

A. AES-CCMP resists encryption cracking.

C. Peer-to-peer at Layer 3 is unrelated to LEAP or 802.1X vulnerabilities.

D. Application-layer eavesdropping is mitigated if encryption is properly implemented.

E. Session hijacking is more difficult with proper authentication and encryption in place.

In this scenario, although the bank’s website uses HTTPS (which encrypts communications between John’s browser and the bank’s server), the compromise did not occur during the banking session itself. Instead, the attacker exploited a common security mistake: credential reuse.

John reused his email credentials for his bank login, and he accessed his email using a POP3 client without encryption at a public hotspot. This means his username and password were sent in cleartext, which is trivially easy to sniff on an open wireless network. Once an attacker obtained those credentials, they could use them to log into his bank account if the same credentials were used there.

Here's how this aligns with CWSP knowledge domains:

CWSP Security Threats & Attacks: This is a classic example of credential harvesting via cleartext protocols (POP3), and password reuse, both of which are significant risks in WLAN environments.

CWSP Secure Network Design: Recommends use of encrypted protocols (e.g., POP3S or IMAPS) and user education against password reuse.

CWSP WLAN Security Fundamentals: Emphasizes that open Wi-Fi networks offer no encryption by default, leaving unprotected protocols vulnerable to sniffing and interception.

Other answer options and why they are incorrect:

A & D are invalid because an expired or unsigned certificate may cause browser warnings but won’t result in sending credentials unencrypted unless the user bypasses HTTPS (which wasn’t stated).

C is incorrect: IPSec VPNs encrypt all data between the client and VPN endpoint—including credentials.

E is technically incorrect and misleading: intercepting the public key of an HTTPS session doesn't allow decryption of the credentials due to asymmetric encryption and session key security. Real-time decryption of HTTPS traffic without endpoint compromise is not feasible.

Open networks with captive portals do not provide link-layer encryption, so:

A. Man-in-the-Middle (MitM): Attackers can intercept or modify traffic between the user and the legitimate network (especially before HTTPS negotiation).

B. Wi-Fi phishing: Evil twin APs may mimic the legitimate hotspot and show a fake captive portal, stealing user credentials or prompting malicious downloads.

Incorrect:

C. Management interface exploits target device admin panels, not typical client users.

D. UDP port redirection and

E. IGMP snooping are network-layer behaviors, not common user-targeted attacks.

To hijack a wireless client, attackers often use:

An RF jamming device to disconnect the client from the legitimate AP (via deauth attacks or RF disruption)

A rogue AP (created using access point software) that impersonates the real network

DHCP server software to assign IP addresses and act as a gateway, completing the fake network

Incorrect:

B. Terminal emulation is not relevant.

C. Workgroup bridges and protocol analyzers are for monitoring, not attacking.

E. MAC spoofing and DoS do not complete a hijack.

A Robust Security Network (RSN) is defined by the IEEE 802.11i standard and is designed to provide a framework for secure wireless LAN communications. One of the primary criteria for a network to qualify as an RSN is that WEP (Wired Equivalent Privacy) must not be used for encryption, as WEP has well-known vulnerabilities and is considered insecure. RSN-compliant networks must use either CCMP (AES) or GCMP for encryption and 802.1X/EAP or WPA2-Personal for authentication.

Incorrect:

A. Token cards are not part of RSN criteria.

B. Dynamic WEP is still WEP and disqualifies RSN status.

D. WPA-Personal may be supported, but alone does not define an RSN.

E. SSHv1 concerns device management security, not RSN qualification.

Wireless Intrusion Prevention Systems (WIPS) are excellent for detecting on-air threats such as rogue APs, DoS attacks, spoofing, and misconfigured devices. However, WIPS cannot detect:

C. Eavesdropping — Passive listening on wireless transmissions cannot be detected because no signal is transmitted by the attacker.

D. Social engineering — Human-based attacks like phishing or pretexting fall outside the scope of wireless monitoring.

Incorrect:

A. Rogue APs can be detected via MAC address comparison, frame analysis, and signal triangulation.

B. DoS attacks, such as deauth floods or RF jamming, can be detected with appropriate WIPS sensors.

For troubleshooting fast roaming (e.g. 802.11r) across channels, a portable protocol analyzer with dual- or multi-band 802.11n adapters enables:

Simultaneous packet capture on different channels

Capturing handoff-related frames and timing analysis in roaming scenarios

This setup allows detailed capture of reassociation, authentication, and 4-Way Handshake processes, essential for diagnosing roaming delays.

Other options (WIPS, spectrum analyzer, autonomous AP) do not support detailed 802.11 frame capture across multiple channels during roaming events.

Wireless Intrusion Prevention Systems (WIPS) can proactively respond to detected threats using various techniques. One such preventative measure is integration with the wired infrastructure to mitigate rogue APs by disabling the switch port they are connected to. This is typically done through SNMP or other switch management interfaces.

This form of wired-side containment is more secure and compliant than wireless-side attacks (e.g., deauthentication), which can violate regulations in some jurisdictions.

When compliance reporting and forensic analysis are required and the WLAN vendor’s centralized management system does not provide it, deploying a dedicated overlay WIPS is the most effective solution. Overlay WIPS uses dedicated sensors independent of the WLAN’s operational radios, offering detailed threat detection, compliance logging, and reporting capabilities that often surpass native WLAN features.

WIPS (Wireless Intrusion Prevention Systems) monitor the RF environment and detect unauthorized activities. However, eavesdropping involves passive listening to wireless communications without transmitting any signals. Because the attacker is not transmitting or generating any detectable activity, a WIPS has no RF signal to detect and is thus unable to identify or prevent this attack.

PCI-DSS (Payment Card Industry Data Security Standard) applies to all entities that process, store, or transmit credit card data. Since Point-of-Sale (PoS) systems handle such transactions in retail environments, the wireless network supporting them must comply with PCI-DSS. This includes encrypting wireless transmissions, segmenting network traffic, and implementing WIPS for rogue detection and logging.

Many protocol analyzers require special drivers or place the NIC into monitor/promiscuous mode. When used this way, the original driver stack may be altered or replaced. Afterward, if not correctly reloaded, the adapter may lack full 802.1X support or required encryption features. This is likely the case here — Mary's WLAN adapter is still under the control of or affected by the analyzer’s NIC driver, which doesn’t support PEAP properly.

A Wireless Network Management System (WNMS) often uses SNMP to manage APs. SNMPv3 is the secure version of SNMP because it supports authentication, encryption, and message integrity. Unlike SNMPv1 and SNMPv2c, which transmit data (including community strings) in plaintext, SNMPv3 provides secure management communications.

WIPS systems often enforce policies based on MAC addresses and associated hardware fingerprints. If Joe uses a different wireless adapter than the one authorized, it may trigger a rogue device or unauthorized client alarm—even if it’s the same laptop. This behavior is common in environments with strict WIPS enforcement policies.

A. WPA2-Enterprise authentication: The multiple EAP Request/Response exchanges followed by an EAP Success and a 4-Way Handshake (EAPOL-Key frames) indicate 802.1X authentication, characteristic of WPA2-Enterprise.

C. 802.11 Open System authentication: Two Auth frames (request and response) without encryption negotiation signify Open System Authentication — a default in RSN setups.

F. Active Scanning: Begins with Probe Request and Probe Response — part of an active scan process.

G. 4-Way Handshake: Identified by four sequential EAPOL-Key frames, completing the authentication process in WPA2.