What, if any, threat do these "soft APs" pose? And do the threats differ in any way from a typical, unauthorized hardware AP? If so, how?
Thanks in advance!
Good question Joanie. Windows 7 Virtual WiFi Adapter is a bigger threat than hardware-enabled rogue APs. Here you have a scenario hundreds of laptops can be turned into software-enabled rogue APs within minutes. While Microsoft has enabled this for ease of use to allow users to connect their personal devices (example: Smartphones) via laptop to get internet connectivity, this represents a significant threat to enterprise security. End-users have a good case of using this at home or while on the road but can cause significant breach to enterprise security if used at work.
Lastly, one shall note these software-enable APs can appear and disappear quickly and in large numbers as compared to hardware-enabled rogue APs. Thus integrated-WIDS systems which do part time scanning are not capable of quickly detecting these threats and dealing with them. You really do need dedicated overlay WIPS system for managing threats like these.
I agree with the Sri and Wade’s comments. "Soft APs" pose a bigger attack surface in the long run because there will eventually be far more Windows 7 type laptops than hardware rogue APs. Even enterprises that have used the argument that they have IEEE 802.1x based port lockdown which prevents their employees from connecting rogue APs to the wired network, now have to contend with authorized laptops that have "opened" the wired port and are simultaneously offering wireless access on their WLAN interface.
While WIPS can detect such "SoftAPs", relentlessly terminating them is not an effective long term strategy since that uses up wireless bandwidth. Eventually you will need to deploy a laptop agent such as AirDefense Personal that can centrally manage wireless profiles, disable simultaneous wireless/wired access scenarios and enforce wireless usage policies outside the monitored perimeter of sensors as well.
http://www.airdefense.net/products/adpersonal/
This is a great topic, and definitely one of those areas that underscores why WIDS/WIPS solutions that monitor traffic in the air are becoming mandatory for the enterprise. At its most reduced form, these virtualized soft APs allow any laptop in your environment to become a rogue AP that you can't see from the wire.
Virtualization is really at the heart of the matter, and its not an issue that is going away or limited to just one OS or technology. What we are seeing here is a WiFi adapter that can not only behave normally as a client, but can also simultaneously behave as an access point that other devices can connect to. This means that a laptop could be properly logged in and authenticated to the enterprise network, and then essentially bridge that connection to other unapproved devices. Wired only methods would miss this threat because the rogue AP is riding along on top of an approved wired connection, so it really does force you to be statefully monitoring all wireless connections over the air.