That being said, the landscape HAS changed. Windows 7's ability to run virtual APs is about to make the threat vector a WHOLE lot easier for hackers to make mince-meat of your network security. You're 802.1x authentication.... kiss it goodbye; your WPA2-AES encryption.... doesn't mean a thing.
Authorized network users will connect to your network using whatever security you have in-place, then virtualize, bridge and re-broadcast the connection. You thought rogue APs were tough to handle. You ain't seen nothin' yet!
The tools and resources for everyday users to turn your network against you are growing by the minute, and you had better be prepared to make some changes. Connectify has been around for a while, but requires specific adapters. Now this website makes it even simpler and configures Windows for you. For dedicated hackers, how about a whole web-based (cloud based SaaS) solution to manage a whole swarm of devices.
Things just got interesting, in a big way! I can see botnets of infected Windows 7 machines heading toward my network, eager to connect, virtualize, and bridge connections. They're coming, and chanting "virtualize, virtualize" while in lock-step formation like a platoon of soldiers ready to blow your network to pieces.
How will you prepare your wireless network? For starters:
- Don't let users have access to network credentials. How will they get on then? Transition away from PEAP user authentication to something based on the device or company asset, rather than user accounts. Try PEAP using machine accounts, or EAP-TLS using machine certificates.
- Secure the operating system. Hard drive encryption, anti-virus... you know the usual suspects.
- Remove local admin access from your users! If they can't configure virtual APs on company assets, they're stuck trying to bring in personal devices.
- Prevent personal devices from connecting. If you've implemented point #1, then you've gone a long way to making this a reality. Common everyday users won't know how to dig machine credentials or certificates out of a system. Dedicated hackers, well they're another story.
- Deploy a NAC/NAP solution to control access to internal network segments.
- Deploy WIPS/WIDS solutions to monitor your airspace and alert on virtualized hosts.
None of this is foolproof, but it's a start. Security ain't easy. The "Defense-in-Depth" strategy for this threat is going to take a lot of layers, get to building! After all, we don't want these virtual APs to make you look like a fool.
If you have other suggestions, please feel free to share!