HP Updated HPE6-A78 Exam Questions and Answers by zaynah

In an HPE Aruba Networking AOS-8 solution, the Wireless Intrusion Prevention (WIP) system is used to detect and classify rogue Access Points (APs). When a rogue AP is detected, the AOS system provides various pieces of information about the detected radio, such as the SSID, BSSID, match method, match type, confidence level, and the devices that detected the rogue AP. The goal is to locate the physical rogue device, which requires identifying its approximate location in the network environment.

Option A, "The detecting devices," is correct. The "detecting devices" refer to the authorized APs or radios that detected the rogue AP’s signal. This information is critical for locating the rogue device because it provides the physical locations of the detecting APs. By knowing which APs detected the rogue AP and their signal strength (RSSI) readings, you can triangulate the approximate location of the rogue AP. For example, if AP-1 in Building A and AP-2 in Building B both detect the rogue AP, and AP-1 reports a stronger signal, the rogue AP is likely closer to AP-1 in Building A.

Option B, "The match method," is incorrect. The match method (e.g., "Plus one," "Eth-Wired-Mac-Table") indicates how the rogue AP was classified (e.g., based on a BSSID close to a known MAC or its presence on the wired network). While this helps understand why the AP was classified as rogue, it does not directly help locate the physical device.

Option C, "The confidence level," is incorrect. The confidence level indicates the likelihood that the AP is correctly classified as rogue (e.g., 90% confidence). This is useful for assessing the reliability of the classification but does not provide location information.

Option D, "The match type," is incorrect. The match type (e.g., "Rogue," "Suspected Rogue") specifies the category of the classification. Like the match method, it helps understand the classification but does not aid in physically locating the device.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

"When a rogue AP is detected by the Wireless Intrusion Prevention (WIP) system, the ‘detecting devices’ information lists the authorized APs or radios that detected the rogue AP’s signal. This is the most useful information for locating the rogue device, as it provides the physical locations of the detecting APs. By analyzing the signal strength (RSSI) reported by each detecting device, you can triangulate the approximate location of the rogue AP. For example, if AP-1 and AP-2 detect the rogue AP, and AP-1 reports a higher RSSI, the rogue AP is likely closer to AP-1." (Page 416, Rogue AP Detection Section)

Additionally, the HPE Aruba Networking Security Guide notes:

"To locate a rogue AP, use the ‘detecting devices’ information in the AOS Detected Radios page. This lists the APs that detected the rogue AP, along with signal strength data, enabling triangulation to pinpoint the rogue device’s location." (Page 80, Locating Rogue APs Section)

A Server Certificate is required by Aruba Mobility Controller when using RadSec to secure RADIUS communication. RadSec provides a secure transport for RADIUS traffic through SSL/TLS which requires the use of a Server Certificate to establish the secure tunnel. In the other scenarios listed, a Server Certificate is not explicitly required for the operations mentioned.

A honeypot in the context of wireless networks is a rogue access point (AP) set up by an attacker to lure wireless clients into connecting to it, often to steal credentials, intercept traffic, or launch further attacks. A man-in-the-middle (MITM) attack involves the attacker positioning themselves between the client and the legitimate network to intercept or manipulate traffic.

Option D, "It examines wireless clients' probes and broadcasts the SSIDs in the probes, so that wireless clients will connect to it automatically," is correct. Wireless clients periodically send probe requests to discover available networks, including SSIDs they have previously connected to (stored in their Preferred Network List, PNL). A honeypot AP can capture these probe requests, identify the SSIDs the client is looking for, and then broadcast those SSIDs. If the honeypot AP has a stronger signal or the legitimate AP is not available, the client may automatically connect to the honeypot AP (especially if the SSID is in the PNL and auto-connect is enabled). Once connected, the attacker can intercept the client’s traffic, making this an effective MITM attack.

Option A, "It uses ARP poisoning to disconnect wireless clients from the legitimate wireless network and force clients to connect to the hacker’s wireless network instead," is incorrect. ARP poisoning is a technique used on wired networks (or within the same broadcast domain) to redirect traffic by spoofing ARP responses. In a wireless context, ARP poisoning is not typically used to disconnect clients from a legitimate AP. Instead, techniques like deauthentication attacks or SSID spoofing (as in Option D) are more common.

Option B, "It runs an NMap scan on the wireless client to find the client's MAC and IP address. The hacker then connects to another network and spoofs those addresses," is incorrect. NMap scans are used for network discovery and port scanning, not for launching an MITM attack via a honeypot. Spoofing MAC and IP addresses on another network does not position the attacker as a honeypot to intercept wireless traffic.

Option C, "It uses a combination of software and hardware to jam the RF band and prevent the client from connecting to any wireless networks," is incorrect. Jamming the RF band would disrupt all wireless communication, including the attacker’s honeypot, and would not facilitate an MITM attack. Jamming might be used in a denial-of-service (DoS) attack, but not for MITM.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

"A common technique for launching a man-in-the-middle (MITM) attack using a honeypot AP involves capturing wireless clients’ probe requests to identify SSIDs in their Preferred Network List (PNL). The honeypot AP then broadcasts these SSIDs, tricking clients into connecting automatically if the SSID matches a known network and auto-connect is enabled. Once connected, the attacker can intercept the client’s traffic, performing an MITM attack." (Page 422, Wireless Threats Section)

Additionally, the HPE Aruba Networking Security Guide notes:

"Honeypot APs can be used to launch MITM attacks by spoofing SSIDs that clients are probing for. Clients often automatically connect to known SSIDs in their PNL, especially if the legitimate AP is unavailable or the honeypot AP has a stronger signal, allowing the attacker to intercept traffic." (Page 72, Wireless MITM Attacks Section)

Based on the exhibit showing the firewall rules, the following traffic is permitted:

Client 1 is allowed to send HTTPS traffic to any destination within the subnet 10.1.10.0/24 because there is a permit rule for the user to access svc-https to that subnet.

Responses to initiated connections are typically allowed by stateful firewalls; hence, an HTTPS response from 10.1.10.10 to client 1 is expected to be permitted even though it is not explicitly mentioned in the firewall rules (assuming the stateful nature of the firewall).