CWSP-208 Certified Wireless Security Professional (CWSP) Questions and Answers

When connecting over untrusted public networks:

An IPSec VPN provides encryption and authentication from the client to the corporate network.

This protects against eavesdropping, man-in-the-middle attacks, and spoofed hotspots.

Incorrect:

B. HTTPS only protects web sessions—not all traffic.

C. Enterprise WIPS at the office won’t protect remote users.

D. Laptop-based WIPS software is rare and less effective than using a VPN.

E. 802.1X/PEAP is not designed for remote use over public hotspots.

F. FTP is not secure; secure alternatives include SFTP or FTPS.

This solution meets all the requirements:

Captive portals allow simple authentication for guest users.

VLAN separation enforces network segmentation.

HTTPS ensures authentication is encrypted.

Incorrect:

A. Separate controllers are unnecessary and costly.

B. WIPS enforcement is reactive, not proactive for normal access control.

C. ACLs alone don’t enforce authentication.

E. VPN requirements would be overly complex for guests.

RSNA (Robust Security Network Association), as defined by 802.11i, requires:

TKIP (WPA) or CCMP (WPA2) for encryption.

WEP is deprecated and not supported for RSNA since it does not meet RSN standards.

Incorrect:

B & C. BIP is not required for RSNA formation—it is used for management frame protection (802.11w).

D. VLANs are orthogonal to RSNA—network segmentation does not interfere with RSNA formation.

Secure configuration of network devices requires encrypted management protocols:

HTTPS: Provides secure web-based GUI access using TLS encryption.

SSHv2: Provides secure CLI access using encrypted channels.

Incorrect:

A. SNMPv1 is not secure — lacks encryption and authentication.

C. Telnet sends credentials and commands in clear text.

D. TFTP is used for file transfer without encryption or authentication.

E. FTP is also insecure—transmits credentials in plain text.

Role-Based Access Control (RBAC) enables dynamic assignment of permissions and access rights based on a user's job function. A WLAN controller with RBAC:

Can apply policies post-authentication.

Controls access to internal services (e.g., file shares, apps).

Assigns users to different VLANs or applies firewall rules based on roles.

Incorrect:

A. MAC filtering is not scalable or secure.

B. WPA2-Personal does not support user-based policies or LDAP integration.

C. DHCP scope assignment is not linked to user roles.

E. VLAN assignment via SSID is static and does not consider job function.

EAP-TLS is considered one of the most secure EAP types, but:

It requires a Public Key Infrastructure (PKI).

Every client device must have a unique certificate, adding to administrative burden and cost.

Incorrect:

A. Roaming speed is not inherently slower with EAP-TLS if supported by the infrastructure.

B. EAP-TLS protects client credentials; passwords aren’t even used—it uses certificates.

C. EAP-TLS does establish a secure tunnel—it's the original TLS-based method.

D. EAP-TLS is vendor-agnostic and supported by most enterprise WLAN infrastructure.

The frame sequence described shows:

802.11 Open System authentication and association

DHCP communication (for IP configuration)

ISAKMP packets, which are part of IPSec (used for key exchange and tunnel negotiation)

This indicates that link-layer authentication is not used, but instead, higher-layer encryption (IPSec VPN) secures communications.

Incorrect:

A and C. Would show EAP negotiation and 802.1X authentication frames.

D. WPA2-Personal would include a 4-Way Handshake before DHCP.

E. EAP-MD5 does not involve ISAKMP and is used within 802.1X authentication.

In this scenario, although the bank’s website uses HTTPS (which encrypts communications between John’s browser and the bank’s server), the compromise did not occur during the banking session itself. Instead, the attacker exploited a common security mistake: credential reuse.

John reused his email credentials for his bank login, and he accessed his email using a POP3 client without encryption at a public hotspot. This means his username and password were sent in cleartext, which is trivially easy to sniff on an open wireless network. Once an attacker obtained those credentials, they could use them to log into his bank account if the same credentials were used there.

Here's how this aligns with CWSP knowledge domains:

CWSP Security Threats & Attacks: This is a classic example of credential harvesting via cleartext protocols (POP3), and password reuse, both of which are significant risks in WLAN environments.

CWSP Secure Network Design: Recommends use of encrypted protocols (e.g., POP3S or IMAPS) and user education against password reuse.

CWSP WLAN Security Fundamentals: Emphasizes that open Wi-Fi networks offer no encryption by default, leaving unprotected protocols vulnerable to sniffing and interception.

Other answer options and why they are incorrect:

A & D are invalid because an expired or unsigned certificate may cause browser warnings but won’t result in sending credentials unencrypted unless the user bypasses HTTPS (which wasn’t stated).

C is incorrect: IPSec VPNs encrypt all data between the client and VPN endpoint—including credentials.

E is technically incorrect and misleading: intercepting the public key of an HTTPS session doesn't allow decryption of the credentials due to asymmetric encryption and session key security. Real-time decryption of HTTPS traffic without endpoint compromise is not feasible.

Open networks with captive portals do not provide link-layer encryption, so:

A. Man-in-the-Middle (MitM): Attackers can intercept or modify traffic between the user and the legitimate network (especially before HTTPS negotiation).

B. Wi-Fi phishing: Evil twin APs may mimic the legitimate hotspot and show a fake captive portal, stealing user credentials or prompting malicious downloads.

Incorrect:

C. Management interface exploits target device admin panels, not typical client users.

D. UDP port redirection and

E. IGMP snooping are network-layer behaviors, not common user-targeted attacks.

Peer-to-peer blocking (also called client isolation) is useful in open or public WLANs to prevent devices from communicating directly with each other.

B. In public hot-spots, isolating users helps protect against malware spread, snooping, and attacks from nearby devices.

Incorrect:

A. In home networks, peer-to-peer communication is often desired for file sharing.

C. Voice over Wi-Fi may rely on peer communication (e.g., multicast).

D. In university setups using multicast, peer-to-peer restrictions could hinder functionality.

EAP-TLS requires both server and client-side digital certificates, which adds complexity in client certificate management.

EAP-TTLS uses a server certificate to establish a secure TLS tunnel, after which user credentials (e.g., username/password) are sent inside the encrypted tunnel. No client certificate is needed.

Incorrect:

A. EAP-TLS also encrypts credentials using TLS.

B. EAP-TLS supports client certificates (it’s the core requirement).

C. Both EAP methods require an authentication server.

In environments where PSK-based authentication (like WPA2-Personal) is still in use due to legacy device constraints:

C. Regularly changing static passwords helps limit exposure from credential leaks or previous employees retaining access.

Incorrect:

A. MSCHAPv2 is vulnerable to offline attacks; recommending strong passwords is good, but that alone isn’t sufficient.

B. WEP is insecure regardless of password strength due to IV reuse.

D. Certificates are stronger, but not always feasible for legacy systems.

E. EAP-TLS is ideal but not always compatible with all devices; policies should be flexible to device capabilities.

A strong WLAN security policy should encompass both technical controls and user education.

C. Educating users about secure password creation and acceptable use policies helps reduce risks due to weak authentication and misuse.

E. Social engineering is a common attack vector, and educating users to recognize and report such attempts is critical.

Incorrect:

A. MAC addresses are always transmitted in the clear, even with encryption.

B. Policies should be shared with users to promote compliance and awareness.

D. Passwords for administrative systems should not be disclosed in public documentation or policy documents.

Rogue APs pose a significant risk and should be detected and mitigated automatically.

D. A properly configured Wireless Intrusion Prevention System (WIPS) can detect unauthorized APs and prevent client associations to them in real time.

Incorrect:

A. While WPA2-Enterprise adds client-level protection, it does not detect rogue APs.

B. Hiding SSIDs is ineffective—SSIDs are still discoverable in management frames.

C. Manual scans are labor-intensive and impractical for ongoing monitoring.

E. Port security controls wired threats but cannot detect rogue APs using wireless signals.

Developing a robust WLAN security policy requires buy-in from executive or senior management. Without management support, it’s difficult to enforce compliance, allocate resources, or prioritize security among other organizational objectives. This foundational step ensures that policy creation and enforcement are feasible and aligned with organizational goals.

Incorrect:

A. Device/vendor specifics are addressed later during implementation.

C. End-user training materials are created after the policy is finalized.

D. Security policy software can assist, but is not essential compared to management support.

For a WIPS system to perform location patterning (also called RF fingerprinting), it must first perform an RF calibration or RF site survey. This process involves sampling signal strengths from known locations to develop a model of how signals propagate in the environment. This "fingerprint" is then used to triangulate or estimate the positions of rogue devices.

The correct sequence of the 4-Way Handshake frames in WPA/WPA2 is:

Message 1: Authenticator sends ANonce to the supplicant → (3)

Message 2: Supplicant sends SNonce and a MIC to the authenticator → (4)

Message 3: Authenticator sends GTK and confirms keys with MIC → (1)

Message 4: Supplicant confirms installation of PTK/GTK → (2)

This process ensures mutual key confirmation and integrity before data traffic begins.

In a security context, outdated firmware is one of the most critical vulnerabilities. Firmware updates typically patch known security issues, fix bugs, and provide new features or improved encryption support. If the APs have not been updated or checked in over 18 months, they could be running firmware with known exploits or lacking critical security patches, making firmware review a top priority.

The key clue in this sequence is the four EAPOL-Key frames, which indicate a 4-way handshake — a hallmark of WPA and WPA2 authentication processes. There is no EAP exchange preceding the 4-way handshake, which eliminates WPA/WPA2-Enterprise and 802.1X/EAP methods. This points directly to WPA2-Personal, where PSK (Pre-Shared Key) is used and there is no EAP exchange before key generation.

Also, the second "Auth" frame suggests Open System Authentication was used, which is typical for RSN-based networks (not Shared Key as in WEP).

WIPS (Wireless Intrusion Prevention Systems) monitor the RF environment and detect unauthorized activities. However, eavesdropping involves passive listening to wireless communications without transmitting any signals. Because the attacker is not transmitting or generating any detectable activity, a WIPS has no RF signal to detect and is thus unable to identify or prevent this attack.

WIPS provides multiple functionalities:

B. Policy enforcement – detects and responds to wireless threats such as rogue APs and misconfigurations.

D. Security monitoring – alerts staff when threats like deauth attacks or malware-hosting APs are detected.

A. Performance monitoring – supports diagnostics by capturing information on channel conditions, interference, and device behavior.

Incorrect options:

C. Detecting eavesdropping isn’t feasible—passive listening cannot be identified by sensors.

E. Carrier sense DoS and F. Wired device classification are outside WIPS's scope.

An 802.11a/g-based WIPS cannot detect rogue activity that occurs in 802.11n/ac-specific modes, including Greenfield (HT-only) operation and use of 40 MHz channels, which are not part of the 802.11a/g specification. Greenfield mode disables legacy support, so a WIPS limited to 802.11a/g radios won’t even “see” these frames. This leaves a significant blind spot for detecting certain types of rogue devices or attacks using newer PHYs.

The RSN (Robust Security Network) Information Element (IE) is used to advertise the security capabilities of a wireless network, particularly for WPA2 and WPA3 networks. This RSN IE is contained in Beacon and Probe Response management frames, not in Probe Request, RTS, CTS, or Data frames. The Beacon frame is sent periodically by an AP to announce its presence and includes critical information about the BSS, including security settings like the RSN IE.

You would use a protocol analyzer to capture Beacon frames and inspect the RSN IE field to confirm if a BSS is properly configured to use RSN protections such as WPA2-Enterprise or WPA2-Personal.

Wireless Intrusion Prevention Systems (WIPS) can proactively respond to detected threats using various techniques. One such preventative measure is integration with the wired infrastructure to mitigate rogue APs by disabling the switch port they are connected to. This is typically done through SNMP or other switch management interfaces.

This form of wired-side containment is more secure and compliant than wireless-side attacks (e.g., deauthentication), which can violate regulations in some jurisdictions.