David D. ColemanDavid A. WestcottBryan E. HarkinsShawn M. Jackman

Certifi ed Wireless Security Professional Offi cial Study Guide

The Offi cial Study Guide for Exam PW0-204 from CWNP®

CWSP®

Includes Real-World Scenarios, Hands-On Exercises, and Leading-Edge Exam Prep Software Featuring:

• Hundreds of Sample Questions

• Electronic Flashcards

• Case Studies and Demo Software

Prepare for the Certifi ed Wireless Security Professional exam (PW0-204) with this new Offi cial Study Guide from CWNP. This comprehensive resource covers everything you need for the exam, including wireless security basics,risks, and policies; legacy 802.11 security and robust network security (RSN); encryption ciphers and methods; enterprise 802.11 layer 2 authentication methods; fast secure roaming, wireless intrusion prevention; and many other essential WLAN security topics and concepts. Inside you’ll fi nd:

• Full coverage of all exam objectives in a systematic approach, so you can be confi dent you’re getting the instruction you need for the exam

• Practical hands-on exercises to reinforce critical skills

• Real-world scenarios that put what you’ve learned in the context of actual job roles

• Challenging review questions in each chapter to prepare you for exam day

• Exam Essentials, a key feature in each chapter that identifi es critical areas you must become profi cient in before taking the exam

• White papers, demo software, practice exams, and over 150 fl ashcards on the CD to further facilitate your learning

• A handy tear card that maps every offi cial exam objective to the corresponding chapter in the book, so you can track your exam prep objective by objective

Look inside for complete coverage of all exam objectives.

SERIOUS SKILLS.

Exam PW0-204

Offi cial Study Guide

Offi cial Stu

dy G

uid

eC

WSP

®C

ertifi ed Wireless

Security Professional O

ffi cial Study Guide

ColemanWestcottHarkinsJackman

Exam PW0-204

A B O U T T H E A U T H O R S

David D. Coleman, CWNE #4, CWNA, CWSP, CWNT, is a WLAN security consultant and technical trainer with over twenty years of IT experience. The company he founded, AirSpy Networks (www.airspy.com), specializes in corporate WLAN training. David A. Westcott, CWNE #7, CWNA, CWSP, CWNT, is an independent consultant and WLAN technical trainer with over twenty years ofexperience. He has been a certifi ed trainer for over fi fteen years. Bryan E. Harkins, CWNE #44, CWSP,CWNA, CWNT, is the Training and Development Manager for Motorola AirDefense Solutions, a market leader in wireless intrusion prevention systems. Shawn M. Jackman, CWNE #54, CWNA, CWSP, CWAP is a principal WLAN engineer with Kaiser Permanente. He has over fi fteen years’ experience working with wireless manufacturers and integrators.

SYBEX TEST ENGINE: Test your knowledge with advanced testing software. Includes all chapter review questions and practice exams.

ELECTRONIC FLASHCARDS: Reinforce your understanding with electronic fl ashcards.

The CD also includes white papers and demo software.

Study anywhere, any time, and approach the exam with confi dence.

ABOUT THE CWNP PROGRAMCWNP is the industry standard for vendor-neutral, enterprise WLAN certifi cations. The focus is to educate IT professionals in the technology behind all enterprise WLAN products and to enable these profession-als to manage wireless LAN enterprise infrastructures, regardless of the vendor solution utilized. CWNP is a privately held corporation based in Atlanta, Georgia. For more information, visit www.cwnp.com.

www.sybex.com

CATEGORY:COMPUTERS/Certifi cation Guides

FEATURED ON THE CD

$69.99 US$83.99 CN

ISBN 978-0-470-43891-6

ffirs.indd iiffirs.indd ii 1/12/10 9:05:35 PM1/12/10 9:05:35 PM

CWSP®

Certified Wireless Security Professional Official

Study Guide

ffirs.indd iffirs.indd i 1/12/10 9:05:32 PM1/12/10 9:05:32 PM

ffirs.indd iiffirs.indd ii 1/12/10 9:05:35 PM1/12/10 9:05:35 PM

CWSP®

Certified Wireless Security Professional Official

Study Guide

David Coleman, David Westcott,

Bryan Harkins, and Shawn Jackman

ffirs.indd iiiffirs.indd iii 1/12/10 9:05:35 PM1/12/10 9:05:35 PM

Acquisitions Editor: Jeff KellumDevelopment Editor: Gary SchwartzTechnical Editors: Sam Coyl and Marcus BurtonProduction Editor: Rachel McConlogueCopy Editor: Liz WelchEditorial Manager: Pete GaughanProduction Manager: Tim TateVice President and Executive Group Publisher: Richard SwadleyVice President and Publisher: Neil EddeMedia Project Manager 1: Laura Moss-HollisterMedia Associate Producer: Marilyn HummelMedia Quality Assurance: Josh FrankBook Designers: Judy Fung and Bill GibsonProofreader: Publication Services, Inc.Indexer: Ted LauxProject Coordinator, Cover: Lynsey StanfordCover Designer: Ryan Sneed

Copyright © 2010 by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-0-470-43891-6

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warran-ties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising here-from. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data

CWSP : certified wireless security professional official study guide (exam PW0-204) / David D. Coleman . . . [et al.]. — 1st ed.

p. cm.

ISBN 978-0-470-43891-6

1. Wireless communication systems — Security measures — Examinations — Study guides. 2. Telecommunications engineers — Certification. I. Coleman, David D.

TK5103.2.C87 2010

005.8076—dc22

2009042658

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CWSP is a registered trademark of CWNP, Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1

ffirs.indd ivffirs.indd iv 1/12/10 9:05:36 PM1/12/10 9:05:36 PM

Dear Reader,

Thank you for choosing CWSP: Certifi ed Wireless Security Professional Offi cial Study Guide. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that refl ected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at nedde@wiley.com. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde Vice President and Publisher Sybex, an Imprint of Wiley

ffirs.indd vffirs.indd v 1/12/10 9:05:37 PM1/12/10 9:05:37 PM

ffirs.indd viffirs.indd vi 1/12/10 9:05:37 PM1/12/10 9:05:37 PM

We dedicate this book to all the men and women of the United States

Armed Forces for putting their private lives aside to preserve and protect

freedom. Thank you for your service and your sacrifi ce.

ffirs.indd viiffirs.indd vii 1/12/10 9:05:37 PM1/12/10 9:05:37 PM

AcknowledgmentsDavid Coleman would once again like to thank his children, Brantley and Carolina, for their patience and understanding of their father throughout the writing of yet another book. I love you kids very much. David would also like to thank his mother, Marjorie Barnes, and his stepfather, William Barnes, for many years of support and encouragement. David would also like to thank his brother, Rob Coleman, for all his help during a tough year.

David Westcott would like to thank his parents, Kathy and George, who have provided so much support and love and from whom he has learned so much. He would also like to thank Janie, Jennifer, and Samantha for their patience and understanding of life on the road and for their support throughout the writing of this book.

Bryan Harkins would like to thank his wife, Ronda, and his two daughters, Chrystan and Catelynn, for enduring the constant travel and time away from them it has taken to create this book. I love the three of you very much. I would also like to thank my parents for always being there and my brother Chris for getting me into IT in the fi rst place. Additionally, I would like to thank David Thomas and Ralf Deltrap of Motorola AirDefense Solutions for making me part of the AirDefense team years ago.

Shawn Jackman would like to thank his parents, Alice and Steve, for the many years of encouragement and unquestioning support, but most of all for leading by example as a parent, provider, and character example. Shawn would also like to thank his wife, Joy, the world’s most supportive and wonderful woman a Wi-Fi geek could ever ask for. And, of course, to his children, Summer, Pierce, and Julia, who are loved by their daddy more than they will ever know.

Writing CWSP: Certifi ed Wireless Security Professional Offi cial Study Guide has been an adventure from the start. We would like to thank the following individuals for their support and contributions during the entire process.

We must fi rst thank Sybex acquisitions editor Jeff Kellum for initially fi nding us and bringing us on to this project. Jeff is an extremely patient and understanding editor who occasionally sends a nasty email message. We would also like to thank our development editor, Gary Schwartz. We also need to send special thanks to our editorial manager, Pete Gaughan; our production editor, Rachel McConlogue; and Liz Welch, our copyeditor.

We also need to give a big shout-out to our technical editor, Sam Coyl. Sam is a member of the IEEE with many years of practical experience in wireless communications. His contributions to the book were nothing short of invaluable. When Sam is not providing awesome technical editing, he is vice president of business development for Netrepid (www.netrepid.com), a wireless solutions provider.

We would also like to thank Marcus Burton, Cary Chandler, Abbey Cole, and Kevin Sandlin of the CWNP program (www.cwnp.com). All CWNP employees, past and present, should be proud of the internationally renowned wireless certifi cation program that sets the education standard within the enterprise Wi-Fi industry. It has been a pleasure working with all of you the past 10 years. Special thanks go to Marcus Burton for his feedback and content review.

ffirs.indd viiiffirs.indd viii 1/12/10 9:05:37 PM1/12/10 9:05:37 PM

Thanks goes to the students who attended an October 2009 CWSP evaluation class held in Atlanta. Those students include Ray Baum and Max Lopez from the University of Colorado, Joe Altmann from Polycom, and Randall Bobula from the CME Group. Also contributing that week was our favorite Meruvian, Diana Cortes from the University of Miami.

We would also like to thank Devin Akin, Chief Architect of Aerohive Networks. Devin has been a Wi-Fi guru for all four authors for many years.

Shawn would also like to thank the following co-workers and professional colleagues: Nico Arcino, Ken Fisch, Tom Head, Jon Krabbenschmidt, and George Stefanick.

We would also like to thank the following individuals and companies for their support and contributions to the book:

Aerohive Networks (www.aerohive.com) — Devin Akin, Adam Conway, and Paul Levasseur

AeroScout (www.aeroscout.com) — Steffan Haithcox and Scott Phillips.

AirDefense (www.airdefense.net) — Ralf Deltrap and David Thomas

AirMagnet (www.airmagnet.com) — Dilip Advani

AirWave (www.airwave.com) — Patrick Smith

Aruba Networks (www.arubanetworks.com) — Carolyn Cutler, Chris Leach, Andy Logan, Susan Wells, and Micah Wilson

By-Light (www.by-light.com) — Steve Hurdle

CACE Technologies (www.cacetech.com) — Janice Spampinato

Cisco Systems (www.cisco.com) — Chris Allen, John Helm, Matt Swartz, and Hao Zhao

Fluke Networks (www.flukenetworks.com) — Carolyn Carter, Dan Klimke, and Lori Whitmer

Immunity (www.immunityinc.com) — Steven Laskowski

NetStumbler (www.netstumbler.com) — Marius Milner

Polycom (www.polycom.com) — Justin Borthwick, Geri Mitchell-Brown, and Steve Rolapp

Vocera (www.vocera.com) — Arun Mirchandani, Steve Newsome, and Brian Sturges

Wi-Fi Alliance (www.wifi.org) — Kelly Davis-Felner and Krista Ford

WildPackets (www.wildpackets.com) — Stephanie Temples

Acknowledgments ix

ffirs.indd ixffirs.indd ix 1/12/10 9:05:38 PM1/12/10 9:05:38 PM

About the AuthorsDavid D. Coleman is a WLAN security consultant and trainer. He teaches the CWNP classes that are recognized throughout the world as the industry standard for wireless networking certifi cation, and he also conducts vendor-specifi c Wi-Fi training. He has also taught numerous “train-the-trainer” classes and “beta” classes for the CWNP program. David has instructed IT professionals from around the globe in wireless networking administration, wireless security, and wireless frame analysis. The company he founded, AirSpy Networks (www.airspy.com), specializes in corporate training and has worked in the past with Avaya, Nortel, Polycom, and Siemens. AirSpy Networks also specializes in government classes, and it has trained numerous computer security employees from various law enforcement agencies, the U.S. Marines, the U.S. Army, the U.S. Navy, the U.S. Air Force, and other federal and state government agencies. David has written many books and white papers about wireless networking, and he is considered an authority on 802.11 technology.

David is also a member of the Certifi ed Wireless Network Expert (CWNE) Roundtable, a selected group of individuals who work with the CWNP program to provide direction for the CWNP exams and certifi cations. David resides in Atlanta, Georgia, where he shares a home with his two children, Carolina and Brantley. David Coleman is CWNE #4, and he can be reached via email at david@airspy.com.

David Westcott is an independent consultant and technical trainer with over 25 years of experience in information technology, specializing in computer networking and security. In addition to providing advice and direction to corporate clients, David has been a certifi ed trainer for over 17 years, providing training to government agencies, corporations, and universities around the world. David was an adjunct faculty member for Boston University’s Corporate Education Center for over 10 years, and he has developed courseware on wireless networking, wireless mesh networking, wired networking, and security for Boston University and many other clients.

Since installing his fi rst wireless network in 1999, David has become a Certifi ed Wireless Network Trainer, Administrator, Security Professional, and Analysis Professional. David is also a member of the CWNE Roundtable. David has earned certifi cations from Cisco, Aruba, Microsoft, EC-Council, CompTIA, and Novell. David lives in Concord, Massachusetts with his wife Janie and his stepdaughters, Jennifer and Samantha. A licensed pilot, he enjoys fl ying his Piper Cherokee 180 around New England when he is not fl ying around the world commercially. David is CWNE #7, and he can be reached via email at david@westcott-consulting.com.

ffirs.indd xffirs.indd x 1/12/10 9:05:39 PM1/12/10 9:05:39 PM

Shawn Jackman currently oversees wireless enterprise engineering for a large healthcare provider and adopter of 802.11 technology. Prior to that, Shawn has been on both sides of the table, working for a WLAN manufacturer and with wireless integrators. Shawn has been intensely focused on large-scale VoWiFi, QoS, and RTLS applications for over three years, and he spends a considerable amount of his time doing end-user design, deployment, and troubleshooting for various vendors’ equipment. Shawn has traveled the United States and internationally designing wired and wireless networks, from concept to completion, for healthcare, warehouse, hospitality, education, metro/municipal, government, franchise, and retail environments. He has served as an on-air technical personality for a weekly syndicated call-in talk radio show with over 5 million listeners worldwide and is considered an authority on Wi-Fi technology.

Shawn is a member of the CWNE Roundtable. He lives in the San Francisco Bay area with his wife Joy and their three children, Summer, Pierce, and Julia. Shawn is CWNE #54, and he can be reached via email at shawn.jackman@cwne.com.

Bryan Harkins is currently the training and development manager for Motorola AirDefense Solutions and has over 20 years experience in the IT fi eld. He has been involved in areas ranging from customer support and sales to network security and design. He has developed custom curriculum for government agencies and Fortune 500 companies alike. Over the years, he has helped numerous students reach their certifi cation and knowledge goals through his exceptional skills as an instructor. He delivers both public and private wireless security classes around the world and holds several prestigious industry certifi cations, including MCSE, CWNE, and CWNT.

Bryan has spoken during Secure World Expo, Armed Forces Communications and Electronics Association (AFCEA) events, and Microsoft Broad Reach as well as many other industry events. He holds a degree in aviation from Georgia State University. Bryan is a native of Atlanta, Georgia, and still lives in the area with his wife Ronda and two daughters, Chrystan and Catelynn. Bryan is also a member of the CWNE Roundtable. Bryan is CWNE #44, and he can be reached via email at bryan.harkins@motorola.com.

About the Authors xi

ffirs.indd xiffirs.indd xi 1/12/10 9:05:39 PM1/12/10 9:05:39 PM

ffirs.indd xiiffirs.indd xii 1/12/10 9:05:40 PM1/12/10 9:05:40 PM

Contents at a GlanceIntroduction xxvii

Assessment Test xlii

Chapter 1 WLAN Security Overview 1

Chapter 2 Legacy 802.11 Security 31

Chapter 3 Encryption Ciphers and Methods 65

Chapter 4 Enterprise 802.11 Layer 2 Authentication Methods 101

Chapter 5 802.11 Layer 2 Dynamic Encryption Key Generation 173

Chapter 6 SOHO 802.11 Security 221

Chapter 7 802.11 Fast Secure Roaming 249

Chapter 8 Wireless Security Risks 291

Chapter 9 Wireless LAN Security Auditing 337

Chapter 10 Wireless Security Monitoring 369

Chapter 11 VPNs, Remote Access, and Guest Access Services 429

Chapter 12 WLAN Security Infrastructure 455

Chapter 13 Wireless Security Policies 509

Appendix A Abbreviations, Acronyms, and Regulations 553

Appendix B WLAN Vendors 575

Appendix C About the Companion CD 579

Glossary 583

Index 623

ftoc.indd xiiiftoc.indd xiii 1/11/10 3:15:55 PM1/11/10 3:15:55 PM