Which is a correct description of a stage in the Lockheed Martin kill chain?
Correct Answer: B
Question 102
You have configured a WLAN to use Enterprise security with the WPA3 version. How does the WLAN handle encryption?
Correct Answer: D
WPA3-Enterprise is a security protocol introduced to enhance the security of wireless networks, particularly in enterprise environments. It builds on the foundation of WPA2 but introduces stronger encryption and key management practices. In WPA3-Enterprise, authentication is typically performed using 802.1X, and encryption is handled using the Advanced Encryption Standard (AES). WPA3-Enterprise Encryption: WPA3-Enterprise uses AES with the Galois/Counter Mode Protocol (GCMP) or Cipher Block Chaining Message Authentication Code Protocol (CCMP), both of which are AES-based encryption methods. WPA3 does not use TKIP (Temporal Key Integrity Protocol), which is a legacy encryption method used in WPA and early WPA2 deployments and is considered insecure. Pairwise Master Key (PMK): In WPA3-Enterprise, the PMK is derived during the 802.1X authentication process (e.g., via EAP-TLS or EAP-TTLS). Each client authenticates individually with the authentication server (e.g., ClearPass), resulting in a unique PMK for each client. This PMK is then used to derive session keys (Pairwise Transient Keys, PTKs) for encrypting the client's traffic, ensuring that each client's traffic is encrypted with unique keys. Option A, "Traffic is encrypted with TKIP and keys derived from a PMK shared by all clients on the WLAN," is incorrect because WPA3 does not use TKIP (it uses AES), and the PMK is not shared among clients in WPA3-Enterprise; each client has a unique PMK. Option B, "Traffic is encrypted with TKIP and keys derived from a unique PMK per client," is incorrect because WPA3 does not use TKIP; it uses AES. Option C, "Traffic is encrypted with AES and keys derived from a PMK shared by all clients on the WLAN," is incorrect because, in WPA3-Enterprise, the PMK is unique per client, not shared. Option D, "Traffic is encrypted with AES and keys derived from a unique PMK per client," is correct. WPA3-Enterprise uses AES for encryption, and each client derives a unique PMK during 802.1X authentication, which is used to generate unique session keys for encryption. The HPE Aruba Networking AOS-8 8.11 User Guide states: "WPA3-Enterprise enhances security by using AES encryption with GCMP or CCMP. In WPA3-Enterprise mode, each client authenticates via 802.1X, resulting in a unique Pairwise Master Key (PMK) for each client. The PMK is used to derive session keys (Pairwise Transient Keys, PTKs) that encrypt the client's traffic with AES, ensuring that each client's traffic is protected with unique keys. WPA3 does not support TKIP, which is a legacy encryption method." (Page 285, WPA3-Enterprise Security Section) Additionally, the HPE Aruba Networking Wireless Security Guide notes: "WPA3-Enterprise requires 802.1X authentication, which generates a unique PMK for each client. This PMK is used to derive AES-based session keys, providing individualized encryption for each client's traffic and eliminating the risks associated with shared keys." (Page 32, WPA3 Security Features Section) : HPE Aruba Networking AOS-8 8.11 User Guide, WPA3-Enterprise Security Section, Page 285. HPE Aruba Networking Wireless Security Guide, WPA3 Security Features Section, Page 32.
Question 103
How can hackers implement a man-in-the-middle (MITM) attack against a wireless client?
Correct Answer: D
A man-in-the-middle (MITM) attack involves an attacker positioning themselves between a wireless client and the legitimate network to intercept or manipulate traffic. HPE Aruba Networking documentation often discusses MITM attacks in the context of wireless security threats and mitigation strategies. Option D, "The hacker connects a device to the same wireless network as the client and responds to the client's ARP requests with the hacker device's MAC address," is correct. This describes an ARP poisoning (or ARP spoofing) attack, a common MITM technique in wireless networks. The hacker joins the same wireless network as the client (e.g., by authenticating with the same SSID and credentials). Once on the network, the hacker sends fake ARP responses to the client, associating the hacker's MAC address with the IP address of the default gateway (or another target device). This causes the client to send traffic to the hacker's device instead of the legitimate gateway, allowing the hacker to intercept, modify, or forward the traffic, thus performing an MITM attack. Option A, "The hacker uses a combination of software and hardware to jam the RF band and prevent the client from connecting to any wireless networks," is incorrect. Jamming the RF band would disrupt all wireless communication, including the hacker's ability to intercept traffic. This is a denial-of-service (DoS) attack, not an MITM attack. Option B, "The hacker runs an NMap scan on the wireless client to find its MAC and IP address. The hacker then connects to another network and spoofs those addresses," is incorrect. NMap scans are used for network discovery and port scanning, not for implementing an MITM attack. Spoofing MAC and IP addresses on another network does not position the hacker to intercept the client's traffic on the original network. Option C, "The hacker uses spear-phishing to probe for the IP addresses that the client is attempting to reach. The hacker device then spoofs those IP addresses," is incorrect. Spear-phishing is a delivery method for malware or credentials theft, not a direct method for implementing an MITM attack. Spoofing IP addresses alone does not allow the hacker to intercept traffic unless they are on the same network and can manipulate routing (e.g., via ARP poisoning). The HPE Aruba Networking AOS-8 8.11 User Guide states: "A common man-in-the-middle (MITM) attack against wireless clients involves ARP poisoning. The hacker connects a device to the same wireless network as the client and sends fake ARP responses to the client, associating the hacker's MAC address with the IP address of the default gateway. This causes the client to send traffic to the hacker's device, allowing the hacker to intercept and manipulate the traffic." (Page 422, Wireless Threats Section) Additionally, the HPE Aruba Networking Security Guide notes: "ARP poisoning is a prevalent MITM attack in wireless networks. The attacker joins the same network as the client and responds to the client's ARP requests with the attacker's MAC address, redirecting traffic through the attacker's device. This allows the attacker to intercept sensitive data or modify traffic between the client and the legitimate destination." (Page 72, Wireless MITM Attacks Section) : HPE Aruba Networking AOS-8 8.11 User Guide, Wireless Threats Section, Page 422. HPE Aruba Networking Security Guide, Wireless MITM Attacks Section, Page 72.
Question 104
You are deploying a new wireless solution with an Aruba Mobility Master (MM). Aruba Mobility Controllers (MCs), and campus APs (CAPs). The solution will include a WLAN that uses Tunnel for the forwarding mode and WPA3-Enterprise for the security option. You have decided to assign the WLAN to VLAN 301, a new VLAN. A pair of core routing switches will act as the default router for wireless user traffic. Which links need to carry VLAN 301?
Correct Answer: B
In a wireless network deployment with Aruba Mobility Master (MM), Mobility Controllers (MCs), and Campus APs (CAPs), where a WLAN is configured to use Tunnel mode for forwarding, the user traffic is tunneled from the APs to the MCs. VLAN 301, which is assigned to the WLAN, must be present on the links from the MCs to the core routing switches because these switches act as the default router for the wireless user traffic. It is not necessary for the VLAN to be present on all campus LAN links or AP links, only between the MCs and the core routing switches where the routing for VLAN 301 will occur.
Question 105
What is a benefit of Protected Management Frames (PMF). sometimes called Management Frame Protection (MFP)?
Correct Answer: D
Protected Management Frames (PMF), also known as Management Frame Protection (MFP), is designed to protect clients from denial-of-service (DoS) attacks that involve forged de-authentication and disassociation frames. These attacks can disconnect legitimate clients from the network. PMF provides a way to authenticate these management frames, ensuring that they are not forged, thus enhancing the security of the wireless network. References: IEEE 802.11w amendment, which introduces PMF as a security enhancement to protect management frames. Wi-Fi Alliance security guidelines for Protected Management Frames (PMF).
