Blog: Wi-Fi Experts on Industry Trends

Windows 7 Virtual AP - Not at all a "new" threat!
Posted by Chia-Chee Kuan, CTO at AirMagnet
Date: March 04, 2010

The growing popularity of Wi-Fi is driving wireless applications and connectivity for consumers. But is it doing so at the cost of enterprise WLAN security? For as long as access points (APs) have been available at local electronics stores, enterprise security teams have been battling the rogue AP threat: unauthorized APs connected to the enterprise wired network. Recently the world of rogue APs got a little trickier with the virtual AP feature Microsoft introduced in the new Windows 7 operating system (the Wireless Hosted Network, set up and started with the netsh wlan hostednetwork commands). This feature allows a Windows 7 PC to act as an AP for other wireless clients looking to share its Internet access. It also lets the user build a Personal Area Network (PAN) around the virtual AP and connect personal devices, such as a wireless printer or multimedia equipment. If a virtual AP is connected to the enterprise network, by wire or by wireless, it is a rogue AP capable of compromising the network security of the enterprise.

How does the virtual AP threat differ from a physical rogue AP threat? First, a physical rogue is intentionally installed on the network, while a virtual AP can be brought onto the enterprise network unintentionally by an employee. For example, if I turn on the virtual AP feature on my laptop at home to help a guest get on the Internet, my laptop will be a virtual rogue AP when I bring it to work the next day. Second, a virtual AP can be configured at work and brought online instantly; it was designed for consumer convenience. Finally, the virtual AP is a free feature of Windows 7, and once you have a supported Wi-Fi radio, deployment is simple. (The one thing that might make you feel slightly better about a virtual AP is that the built-in feature does not support unencrypted "open" networks or the notorious WEP encryption; it offers only WPA2-PSK.)

What can enterprise security officers do about this "new" threat, besides setting policies that prohibit the use of virtual APs at the office? If you're a Wi-Fi enthusiast, you know that the Windows 7 virtual AP is not really a "new" innovation at all, and if you're using a WIDS/WIPS system such as AirMagnet Enterprise, you've been protected from this threat for years. Before Windows 7 was released there were other "soft APs" in the Wi-Fi community. A soft AP does essentially the same thing the Windows 7 virtual AP does, but on a Linux or Windows XP system (with a suitable radio and utility software, for example hostapd on Linux). The Windows 7 virtual AP feature has simply made the threat mainstream, easily available to a massive user base, and easier to use: two netsh commands set it up, and vendor utilities wrap it in a GUI, where older soft APs needed driver-specific configuration from the command line.

What lessons should we all take from the latest Windows 7 virtual AP frenzy?

WLAN threats are as dynamic as their wired counterparts, if not more so. Enterprises rigorously demand 24x7 firewall and antivirus infrastructure, so why should they not demand equally rigorous 24x7 WIDS/WIPS coverage? WLAN security innovators have introduced proven solutions to serve the needs of the WIDS/WIPS market. The fact that the "new" Windows 7 virtual AP threat can already be detected and mitigated by the existing AirMagnet product is a testament to the maturity of that market. Though new WLAN threats and attack tools continue to emerge, most are variations on known vulnerabilities applied in a new way, as the virtual AP is a variation on the soft AP. The fundamentals of WLAN security (the IEEE 802.11 standards) are still robust, and WLAN security can be maintained with proper effort, policies, and, most importantly, a WIDS/WIPS solution.

 
Comments:

Daniel W. Mar. 3, 2010 11:29 AM

Great post!!!

Keith Parsons Mar. 4, 2010 2:23 PM

Thanks for sharing your information on 'soft' APs.

I didn't know the Windows 7 soft AP would only work with WPA authentication.

Kim Mar. 4, 2010 9:51 PM

Good summary, but would like to make few clarifications.

Well, soft APs have been around for a long time. But the "new" thing about the virtual WiFi feature in Windows 7 is that *for the first time* it allows a rogue AP to connect to an enterprise *WiFi* network while sharing that enterprise WiFi access with other (potentially unauthorized) devices. Older generations of soft APs connected to the enterprise network through Ethernet, which means that a WIPS that relies on wire-side scanning alone won't have a clue about the presence of such a virtual WiFi AP.

Secondly, even if by default Virtual WiFi allows only WPA2-PSK, that's not necessarily very good news, because this is a perfect recipe for an insider attack: setting up a private Virtual WiFi network that is WPA2 encrypted!

Finally, the Intel MyWiFi utility allows one to set up Open and WEP virtual APs on Windows 7 laptops that use the Intel Centrino 2 chip.

Gopi Mar. 4, 2010 11:03 PM

I agree with Kim.

It is possible to create open virtual APs using Windows 7. Further, insider threats should never be ruled out - check out a recent incident of insider threat @ http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/7360640/Spycatchers-trap-MI6-man-trying-to-sell-secrets.html

The bottom line is that the commoditization of Wi-Fi adds a whole new dimension to Wi-Fi security, and this is just one example of that. Enterprises need to take serious note of these issues and address them.

Gopinath
AirTight Networks

TJ Mar. 6, 2010 8:43 AM

How can a WIPS detect and mitigate such a threat? If it's encrypted you can't associate to it, and if it's a valid client you can't wireline trace it.

Chia-Chee Kuan Mar. 8, 2010 10:26 AM

It is true that if the virtual AP is encrypted, which it should be, as that is the only way Windows 7 supports a virtual AP (WPA PSK), a WIDS/WIPS system won't be able to associate with it to conduct a wireless trace to determine whether the rogue is on the enterprise network. WIDS/WIPS can use other methods to determine rogue on-wire risk, for example the rogue AP's location within a predefined perimeter.

As to the valid client question, a WIDS/WIPS system should treat any 'valid client' as a rogue device if the 'valid client' is offering virtual AP services. Depending on the radio types (Intel, Atheros, Ralink, etc), the WIDS/WIPS solution can wire trace to wire-line switches. For the radio types that cannot be traced to wire-line closet, there is always wireless blocking for mitigation.

Your scenario and question highlight an important point: WIDS/WIPS solutions need multiple detection and mitigation mechanisms to deal with new threats that are similar in nature but different enough for WIDS/WIPS evasion. A limited WIDS/WIPS will not be effective in dealing with fast-paced Wi-Fi dynamics.

Thank you for your question.

Skip Bayro Mar. 17, 2010 4:19 PM

Concur with Chia-Chee. Additionally, if any WLAN "client" station is sending management response frames to Probe, Authentication or Association request management frames from another WLAN client, it should be viewed as suspect/malicious. This highlights the necessity of real-time layer-2 analysis of what's occurring in the airspace, to see that probe response frames are coming from a "Station" type device that is also sending probe request frames. Legitimate APs, for example, do not typically send probe requests.
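Added example, not code from the original post or from AirMagnet: a small Python script that applies the two over-the-air detection rules raised in this thread. The first is Skip Bayro's heuristic that a transmitter which sends probe requests and also answers probe or authentication requests is a soft AP; the second is Chia-Chee's rule that an enrolled client seen transmitting AP-side frames is treated as a rogue regardless of encryption. The capture is a constructed list of raw 802.11 management frames (no FCS) with arbitrary MAC addresses; a real WIDS would feed the same function from a monitor-mode capture. It assumes the hosted network transmits from the same MAC the laptop probes with; if the virtual adapter used a different address, only the second rule would fire, and only if that address were in the authorized list.

```python
"""Flag stations that behave like access points in 802.11 management frames.

Added example, not AirMagnet code. The sample frames below are constructed
for this demonstration; addresses are arbitrary.
"""
import struct
from collections import defaultdict

MGMT_TYPE = 0
SUB_ASSOC_RESP, SUB_REASSOC_RESP = 1, 3
SUB_PROBE_REQ, SUB_PROBE_RESP = 4, 5
SUB_BEACON, SUB_AUTH = 8, 11

# Management subtypes that only an AP (or something pretending to be one) transmits.
AP_SIDE = {SUB_ASSOC_RESP, SUB_REASSOC_RESP, SUB_PROBE_RESP, SUB_BEACON}


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, dst, src, bssid, body=b""):
    """Assemble a minimal management frame: FC, duration, addr1-3, seq ctl, body."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    return (fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + b"\x00\x00" + body)


def auth_body(seq, status=0, algorithm=0):
    """Authentication frame body: algorithm, transaction sequence number, status."""
    return struct.pack("<HHH", algorithm, seq, status)


def transmitter_role(frame):
    """Return (transmitter MAC, 'ap' | 'client' | None) for one management frame."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != MGMT_TYPE:
        return None, None
    subtype = (frame[0] >> 4) & 0xF
    src = mac_str(frame[10:16])          # Address 2 is the transmitter
    if subtype in AP_SIDE:
        return src, "ap"
    if subtype == SUB_PROBE_REQ:
        return src, "client"
    if subtype == SUB_AUTH and len(frame) >= 30:
        # Authentication frames flow both ways; even sequence numbers are the responder's.
        _, seq, _ = struct.unpack_from("<HHH", frame, 24)
        return src, "ap" if seq % 2 == 0 else "client"
    return src, None


def find_soft_aps(frames, authorized_clients=frozenset()):
    """Map each suspicious transmitter MAC to the rule that fired."""
    roles = defaultdict(set)
    for frame in frames:
        src, role = transmitter_role(frame)
        if src is not None and role is not None:
            roles[src].add(role)
    findings = {}
    for mac, seen in roles.items():
        if seen == {"ap", "client"}:
            findings[mac] = "station both probing and answering probes/auth: suspected soft AP"
        elif "ap" in seen and mac in authorized_clients:
            findings[mac] = "authorized client transmitting AP-side frames: treat as rogue AP"
    return findings


# Constructed capture. LAPTOP is a Windows 7 machine with a hosted network running;
# it is assumed (not verified here) to beacon from the same MAC it uses as a client.
BCAST = "ff:ff:ff:ff:ff:ff"
CORP_AP = "00:0b:86:11:22:33"
LAPTOP = "00:1b:21:aa:bb:cc"
PHONE = "00:26:08:dd:ee:ff"
DESKTOP = "00:21:6a:01:02:03"     # enrolled client that is only ever seen beaconing
AUTHORIZED_CLIENTS = frozenset({LAPTOP, PHONE, DESKTOP})

SAMPLE_FRAMES = [
    build_mgmt(SUB_BEACON, BCAST, CORP_AP, CORP_AP),
    build_mgmt(SUB_PROBE_REQ, BCAST, LAPTOP, BCAST),        # laptop looking for the corporate SSID
    build_mgmt(SUB_PROBE_RESP, LAPTOP, CORP_AP, CORP_AP),
    build_mgmt(SUB_PROBE_REQ, BCAST, PHONE, BCAST),         # phone looking for the laptop's SSID
    build_mgmt(SUB_PROBE_RESP, PHONE, LAPTOP, LAPTOP),      # laptop answers like an AP
    build_mgmt(SUB_AUTH, LAPTOP, PHONE, LAPTOP, auth_body(1)),
    build_mgmt(SUB_AUTH, PHONE, LAPTOP, LAPTOP, auth_body(2)),
    build_mgmt(SUB_BEACON, BCAST, DESKTOP, DESKTOP),
]

if __name__ == "__main__":
    for mac, reason in sorted(find_soft_aps(SAMPLE_FRAMES, AUTHORIZED_CLIENTS).items()):
        print(f"{mac}  {reason}")
```

Run as-is it reports the laptop under the first rule and the desktop under the second, and stays silent on the corporate AP (AP-side frames only, not an enrolled client) and the phone (client-side frames only). Both rules work purely from what is heard in the air, which is the point Kim makes above: when the rogue's upstream link is the corporate Wi-Fi itself, a sensor that only scans the wire sees nothing, and neither rule needs to associate with the encrypted virtual AP.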

Blog Contributor

Chia-Chee Kuan is CTO and co-founder of AirMagnet. Chia-Chee will contribute his expertise on technology, security vulnerabilities, and future trends in the WLAN industry.

© 2006-2010 Fluke Corporation. All rights reserved.