CND (312-38) Network Defense Simulation

Welcome to the Network Defense Simulation. In this module, you will analyze legacy wireless network configurations and access control policies. You will learn how to align device configurations with strict organizational security policies regarding WLAN visibility and endpoint association.

Network Scenario

You are a Network Security Analyst reviewing the deployment architecture of a highly restrictive, air-gapped network segment. Due to legacy industrial control software, this segment still utilizes Windows 2000 Active Directory and Windows XP endpoints. The administrator, Mark, is tasked with deploying an 802.11 WLAN for this specific environment.

The strict security policy dictates that the network must be invisible to casual wireless scanners, must automatically associate recognized client devices, and must explicitly reject any unauthorized computers at the Access Point (AP) layer before full network layer authentication can even occur. Because of legacy hardware constraints, the environment is limited to WEP (Wired Equivalent Privacy).

Traffic & Logs

[WLC-CONFIG] AP-01: SSID Broadcast: DISABLED
[WLC-CONFIG] AP-01: MAC Filter Policy: ALLOW_LIST_ONLY
[WLC-CONFIG] AP-01: Auth Policy: SHARED_KEY_WEP
[802.11-PCAP] BEACON: BSSID 00:14:22:01:23:45, SSID: [Length 0/Hidden]
[802.11-PCAP] PROBE_REQ: Client MAC 00:2A:F0:11:22:33 requesting SSID "INFONET-SEC"
[WLC-ALERT] AP-01: Association Denied - Client MAC 00:1B:44:11:99:88 not in ACL
[WLC-ALERT] AP-01: Auth Failed - Client MAC 00:2A:F0:11:22:33 attempted OPEN_SYSTEM

Question

Mark works as a Network Administrator for Infonet Inc. The company has a Windows 2000 Active Directory domain-based network. The domain contains one hundred Windows XP Professional client computers. Mark is deploying an 802.11 wireless LAN on the network. The wireless LAN will use Wired Equivalent Privacy (WEP) for all the connections. According to the company's security policy, the client computers must be able to automatically connect to the wireless LAN. However, the unauthorized computers must not be allowed to connect to the wireless LAN and view the wireless network. Mark wants to configure all the wireless access points and client computers to act in accordance with the company's security policy. What will he do to accomplish this? Each correct answer represents a part of the solution. (Choose three.)

Expert Analysis

1. What is happening in the network

The Access Point is transmitting Beacon frames with a null (empty) SSID to prevent the network name from appearing in casual wireless scans. Simultaneously, the AP is strictly enforcing MAC Address filtering to whitelist the 100 authorized Windows XP machines, denying Layer 2 association to any unknown MAC address. Finally, authorized clients are sending active Probe Requests to seek out the hidden network.

2. Identify attack or behavior

We are observing attempts by unauthorized devices to associate with the AP, which are successfully being dropped due to MAC filter policies. We are also seeing a device fail authentication because it attempted to use "Open System" authentication rather than proving it held the WEP key via "Shared Key" authentication.
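The log review above can be scripted. The following is an added example, not part of the original simulation: it parses the constructed WLC/802.11 lines from the Traffic & Logs section, checks the AP configuration against the three policy requirements in the scenario (hidden SSID, MAC allow list, Shared Key WEP), and lists what an analyst would flag: the denied association, the Open System authentication failure, and the fact that a probe request has disclosed the hidden SSID in cleartext. The log format and line regexes are assumptions based only on the sample lines shown.

```python
"""Parse the simulation's WLC / 802.11 log lines and summarise defender findings.

Added example; the log format is assumed from the sample lines on the page."""
import re
from collections import Counter

# Constructed sample, copied from the Traffic & Logs section of the simulation.
SAMPLE_LOG = """\
[WLC-CONFIG] AP-01: SSID Broadcast: DISABLED
[WLC-CONFIG] AP-01: MAC Filter Policy: ALLOW_LIST_ONLY
[WLC-CONFIG] AP-01: Auth Policy: SHARED_KEY_WEP
[802.11-PCAP] BEACON: BSSID 00:14:22:01:23:45, SSID: [Length 0/Hidden]
[802.11-PCAP] PROBE_REQ: Client MAC 00:2A:F0:11:22:33 requesting SSID "INFONET-SEC"
[WLC-ALERT] AP-01: Association Denied - Client MAC 00:1B:44:11:99:88 not in ACL
[WLC-ALERT] AP-01: Auth Failed - Client MAC 00:2A:F0:11:22:33 attempted OPEN_SYSTEM
"""

# What the scenario's security policy requires of every AP (assumed key names
# taken from the WLC-CONFIG lines).
REQUIRED_CONFIG = {
    "SSID Broadcast": "DISABLED",            # invisible to casual scanners
    "MAC Filter Policy": "ALLOW_LIST_ONLY",  # reject unknown computers at the AP
    "Auth Policy": "SHARED_KEY_WEP",         # client must prove it holds the WEP key
}

MAC = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
LINE_RE = re.compile(r"^\[(?P<src>[^\]]+)\]\s+(?P<body>.*)$")
CONFIG_RE = re.compile(r"^(?P<ap>\S+):\s+(?P<key>[^:]+):\s+(?P<value>.+)$")
DENIED_RE = re.compile(r"Association Denied - Client MAC " + MAC)
AUTHFAIL_RE = re.compile(r"Auth Failed - Client MAC " + MAC + r" attempted (\S+)")
PROBE_RE = re.compile(r'PROBE_REQ: Client MAC ' + MAC + r' requesting SSID "([^"]*)"')
BEACON_RE = re.compile(r"BEACON: BSSID " + MAC + r", SSID: \[(.*)\]")


def parse_line(line):
    """Turn one log line into a small event dict, or None for blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, body = m.group("src"), m.group("body")
    if src == "WLC-CONFIG":
        c = CONFIG_RE.match(body)
        if c:
            return {"kind": "config", "ap": c["ap"], "key": c["key"].strip(),
                    "value": c["value"].strip()}
    elif src == "WLC-ALERT":
        d = DENIED_RE.search(body)
        if d:
            return {"kind": "assoc_denied", "mac": d.group(1).upper()}
        a = AUTHFAIL_RE.search(body)
        if a:
            return {"kind": "auth_failed", "mac": a.group(1).upper(), "method": a.group(2)}
    elif src == "802.11-PCAP":
        p = PROBE_RE.search(body)
        if p:
            return {"kind": "probe", "mac": p.group(1).upper(), "ssid": p.group(2)}
        b = BEACON_RE.search(body)
        if b:
            return {"kind": "beacon", "bssid": b.group(1).upper(), "ssid": b.group(2)}
    return {"kind": "unknown", "raw": line}


def analyze(log_text):
    """Return parsed state plus a list of human-readable findings."""
    config, denied, auth_failed, probes, hidden_beacons = {}, Counter(), [], [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        k = ev["kind"]
        if k == "config":
            config[ev["key"]] = ev["value"]
        elif k == "assoc_denied":
            denied[ev["mac"]] += 1
        elif k == "auth_failed":
            auth_failed.append((ev["mac"], ev["method"]))
        elif k == "probe":
            probes.append((ev["mac"], ev["ssid"]))
        elif k == "beacon" and ev["ssid"].startswith("Length 0"):
            hidden_beacons.append(ev["bssid"])

    findings = []
    for key, want in REQUIRED_CONFIG.items():
        got = config.get(key)
        if got != want:
            findings.append(f"policy deviation: {key} is {got!r}, policy requires {want!r}")
    for mac, n in denied.items():
        findings.append(f"{mac}: association denied {n}x (not in MAC allow list)")
    for mac, method in auth_failed:
        findings.append(f"{mac}: authentication failed using {method}")
    if hidden_beacons and probes:
        # A hidden SSID is only hidden from beacons; directed probes carry it in cleartext.
        ssids = sorted({s for _, s in probes})
        findings.append("hidden SSID disclosed in plaintext probe requests: " + ", ".join(ssids))
    return {"config": config, "denied": dict(denied), "auth_failed": auth_failed,
            "probes": probes, "hidden_beacons": hidden_beacons, "findings": findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG)["findings"]:
        print(f)
```

Running it against the sample produces no policy deviation (all three required settings are present) and three findings: the denied MAC, the Open System failure, and the INFONET-SEC disclosure; feed it a config line such as `Auth Policy: OPEN_SYSTEM` and the deviation check fires instead.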

3. Why correct answers are correct

B, C, and F are correct.
(C) Disabling SSID broadcast fulfills the requirement that unauthorized users cannot easily "view" the network. Enabling MAC filtering ensures that unknown computers are explicitly blocked.
(B) Changing the authentication to "Shared Key" ensures that clients must prove they possess the WEP key before they are allowed to associate, providing a necessary (albeit legacy) layer of authentication.
(F) Because the AP is no longer broadcasting its SSID, the client computers will not find it passively. Adding the SSID as a "preferred network" forces the Windows clients to actively send out Probe Requests for that specific SSID, allowing them to automatically connect.

4. Why others are wrong

5. Defensive action

While the configuration described satisfies the legacy policy, a modern Network Defender knows that WEP, MAC Filtering, and Hidden SSIDs represent a fundamentally flawed "Security through Obscurity" approach. MAC addresses are transmitted in plain text and can easily be spoofed by attackers. Furthermore, when a client actively probes for a hidden network (Option F), it broadcasts the hidden SSID in plain text to anyone listening. The true defensive action today is to migrate off legacy hardware entirely and deploy WPA3 or WPA2-Enterprise (802.1X), relying on strong cryptographic authentication rather than obscured broadcasts and MAC lists.

MINI LESSON: 802.11 Association & WEP Fundamentals

  • Traffic Pattern Recognition: 802.11 Management frames dictate connection. Beacons are sent by APs to announce networks. Probe Requests are sent by clients to find networks.
  • Protocol Behavior (Shared vs Open): In WEP, "Open System" means the AP authenticates anyone immediately, leaving encryption to later payloads. "Shared Key" requires a four-frame challenge-response to prove the client holds the WEP key before association. Ironically, Shared Key is the weaker choice: the exchange exposes both the challenge plaintext and its ciphertext to any eavesdropper, which reveals the RC4 keystream for that IV and makes the WEP key trivial to crack.
  • Detection vs Prevention: MAC filtering prevents casual association (Prevention), but it is easily bypassed: MAC addresses travel in cleartext in every frame, so an attacker running a packet capture learns which addresses are on the allow list (Detection of valid MACs) and can set their adapter to one of them (Spoofing).
  • Common Attack Signatures: Identifying high volumes of Deauthentication frames or rapid Initialization Vector (IV) collisions often indicates active WEP cracking (e.g., using tools like Aircrack-ng).
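The two signatures named in the last bullet can be checked directly in a frame capture. The following is an added example, not part of the original lesson: it runs over a constructed list of 802.11 frame records (timestamp, subtype, source, destination, BSSID, and WEP IV where present) and reports any source sending more than a threshold of deauthentication frames within a sliding one-second window, plus any (BSSID, IV) pairs that repeat. The record layout, thresholds and sample traffic are assumptions chosen for the example; the BSSID reused from the simulation's beacon line is the only value taken from the page.

```python
"""Detect WEP-attack signatures from the mini lesson: deauthentication floods and IV reuse.

Added example over constructed frame records; the record format is an assumption."""
from collections import Counter, defaultdict, deque

BROADCAST = "FF:FF:FF:FF:FF:FF"
AP_BSSID = "00:14:22:01:23:45"  # BSSID from the simulation's beacon line


def make_sample_frames():
    """Constructed capture: normal traffic, a benign deauth, a deauth burst, then IV reuse."""
    frames, t = [], 0.0
    # Legitimate client sending WEP data frames with fresh IVs (24-bit IV space)
    for i in range(50):
        frames.append({"t": t, "subtype": "DATA", "src": "00:2A:F0:11:22:33",
                       "dst": AP_BSSID, "bssid": AP_BSSID, "iv": 0x100000 + i})
        t += 0.2
    # One benign deauth (client leaving) - should not alert on its own
    frames.append({"t": t, "subtype": "DEAUTH", "src": AP_BSSID,
                   "dst": "00:2A:F0:11:22:33", "bssid": AP_BSSID, "iv": None})
    # 40 broadcast deauths carrying the AP's address within one second
    for i in range(40):
        frames.append({"t": t + 1 + i * 0.02, "subtype": "DEAUTH", "src": AP_BSSID,
                       "dst": BROADCAST, "bssid": AP_BSSID, "iv": None})
    # Data frames whose IVs cycle through only five values
    for i in range(60):
        frames.append({"t": t + 3 + i * 0.01, "subtype": "DATA", "src": "00:1B:44:11:99:88",
                       "dst": AP_BSSID, "bssid": AP_BSSID, "iv": 0x00ABCD + (i % 5)})
    return frames


def deauth_floods(frames, window_s=1.0, threshold=10):
    """Return {src: peak deauths in any window_s-second window} for sources at/over threshold.

    Deauth frames are unauthenticated in WEP/WPA2 without 802.11w, so a burst that
    appears to come from the AP itself is the classic sign of a forged flood."""
    per_src = defaultdict(list)
    for f in frames:
        if f["subtype"] == "DEAUTH":
            per_src[f["src"]].append(f["t"])
    alerts = {}
    for src, times in per_src.items():
        times.sort()
        win, peak = deque(), 0
        for ts in times:
            win.append(ts)
            while ts - win[0] > window_s:   # drop timestamps that fell out of the window
                win.popleft()
            peak = max(peak, len(win))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def iv_reuse(frames, min_repeats=3):
    """Return {(bssid, iv): count} for IVs seen at least min_repeats times under one BSSID."""
    counts = Counter((f["bssid"], f["iv"]) for f in frames if f.get("iv") is not None)
    return {key: n for key, n in counts.items() if n >= min_repeats}


def iv_reuse_ratio(frames):
    """Fraction of WEP data frames whose IV duplicates an earlier one (0.0 = all fresh)."""
    ivs = [f["iv"] for f in frames if f.get("iv") is not None]
    if not ivs:
        return 0.0
    return 1 - len(set(ivs)) / len(ivs)


if __name__ == "__main__":
    frames = make_sample_frames()
    print("deauth floods:", deauth_floods(frames))
    print("repeated IVs:", iv_reuse(frames))
    print("IV reuse ratio: %.2f" % iv_reuse_ratio(frames))
```

On the sample the flood detector reports the AP's address with a peak of 40 deauths in one second while the single roaming deauth stays below threshold, and the IV check lists the five recycled IVs (twelve occurrences each). The sliding window matters: a per-minute count would also catch a slow, steady stream of deauths that are individually legitimate, so tune the window and threshold to the traffic volume of the segment being monitored.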

Ready for the Real Exam?

Explore more CND simulations and master network defense.
