Commentary
8/15/2011 03:00 PM
Kurt Marko

Public Hotspot Safety Hinges On VPNs

Virtual private networks prevent wireless snooping, alert you to man-in-the-middle attacks, and encrypt the network payload should you be diverted through such an attack.

Face it, a computer or tablet without Internet access is about as useful as a car without gas; it provides a nice environment to play around in, but you won't get very far. In fact, Internet access is so central to our lives that in a survey earlier this year, when asked what they could least live without, more people said they would give up eating (8%) than broadband Internet (6%). (Cable TV was first on the chopping block, at 49%.)

And in this mobile age, "Internet access" most often means "Wi-Fi access." As carriers throttle back unlimited data plans, Wi-Fi will be in demand for smartphone users, too. Fortunately, Wi-Fi is about as ubiquitous as 3G -- it's at coffee shops, fast-food chains, airports, hotels, hospitals, even the campground. Yet, as I've written before, public Wi-Fi networks are to security what an open gutter is to hygiene -- you just know there are nasty things lurking, even if you can't see them. It's trivially easy to snoop on unencrypted protocols and perform traffic analysis with Wireshark or a similar network protocol analyzer, or hijack browser sessions with a plug-in such as Firesheep. Public networks are also fertile ground for man-in-the-middle attacks, in which a rogue access point diverts all your traffic through a hacker's PC, where it can be captured, analyzed, and mined for passwords and other sensitive information. And don't think you're immune just because you're a security-savvy IT pro. Software such as KARMA and its Jasager port can turn cheap APs flashed with OpenWRT into instant honeypots. These exploit the auto-reconnect feature of most wireless devices by listening to 802.11 beacon frames and responding with the appropriate SSID.

Client: Hello, is Corp-WLAN-1 around?

Rogue AP: Why yes, this is Corp-WLAN-1. Would you like to connect?

Once hooked, every bit of your traffic goes through the rogue AP and hacker's PC, and since the perpetrator is almost certainly routing traffic out to the Internet through a second connection (like the location's legitimate AP or a 3G card), you'll never know the difference.

A wireless "abstinence-only" policy is hopelessly unrealistic and, thankfully, unnecessary. The usual Wi-Fi hygiene recommendations -- using a client-side firewall, disabling file-sharing protocols, and using Secure Sockets Layer connections whenever possible -- are helpful but insufficient. The firewall won't guard against sniffing on port 80, current exploits rarely use LAN file-sharing protocols to compromise devices, and software such as sslstrip means even SSL isn't immune from attack. So, besides taking all the standard security precautions, when connecting to a public Wi-Fi network, it's highly advisable to use a VPN. No, it's not foolproof, but a VPN prevents wireless snooping; provides a tripwire, alerting you to man-in-the-middle attacks (since your VPN connection will likely fail); and encrypts the network payload should you be diverted through such an attack.

Most large enterprises have deployed VPNs for their remote employees. For these IT teams, double-check whether all traffic is routed through the corporate VPN or whether your end-user device clients do split tunneling, in which only traffic bound for internal networks is encrypted and everything else goes straight out over the local network. Normally, you'd allow split tunneling on a secure network (such as a home broadband link); however, when on a public Wi-Fi network, it's more secure to turn it off and force all traffic over the encrypted link to the corporate network and then back out to the public Internet.
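One way to verify that setting from the client side, as an added example that is not code from the column: it parses Linux `ip route show` output and reports which probe destinations (a public host and a corporate host) would leave via the hotspot interface instead of the tunnel. The tunnel interface name tun0, the VPN server address 203.0.113.7 and both routing tables are constructed assumptions.

```python
import ipaddress
import re
import subprocess

# Constructed `ip route show` output with the VPN up but split tunnelling on:
# only corporate 10.0.0.0/8 goes via tun0; the default route still uses wlan0.
SAMPLE_SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""
# Same laptop with a full tunnel: 0.0.0.0/1 and 128.0.0.0/1 out-prefer the
# default route; the host route to the VPN server (203.0.113.7, constructed)
# stays on wlan0 so the tunnel does not try to run over itself.
SAMPLE_FULL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
203.0.113.7 via 192.168.1.1 dev wlan0
"""
ROUTE_RE = re.compile(r"^(\S+)\s.*?\bdev\s+(\S+)")

def parse_routes(text):
    """Return [(network, interface)] pairs from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dest, dev = m.groups()
            dest = "0.0.0.0/0" if dest == "default" else dest
            routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_interface(routes, addr):
    """Longest-prefix match: which interface carries traffic to addr?"""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def find_leaks(routes, vpn_dev, vpn_server, probes=("198.51.100.10", "10.1.2.3")):
    """Probes that would bypass vpn_dev, as (address, interface) pairs.
    The VPN server's own address is exempt: it must stay reachable directly."""
    return [(p, egress_interface(routes, p)) for p in probes
            if p != vpn_server and egress_interface(routes, p) != vpn_dev]

def live_leaks(vpn_dev, vpn_server):
    """Run the same check against this machine's own table (Linux only)."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout
    return find_leaks(parse_routes(out), vpn_dev, vpn_server)
```

An empty list from `find_leaks` means every probe leaves through the tunnel; any entry names a destination that the hotspot would see in the clear.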

Thankfully, there are plenty of options for individuals and small businesses as well. For SMEs, investigate whether your existing router or security appliance has an optional VPN module (it probably does). If so, upgrade. If not, consider the latest generation of surprisingly affordable unified threat management appliances, such as those from Cyberoam, Fortinet, SonicWall, and WatchGuard, that support IPSec, L2TP, and SSL VPNs. Since every PC and mobile client ships with support for one or more of these protocols, whether employees are carrying iPads, Windows PCs, or Macs, you'll have them covered.

Individuals aren't left out in the cold. The market for third-party VPN services is growing, fueled largely by people in oppressive countries seeking to bypass restrictive network controls. I've used WiTopia for a while. The price is reasonable at $70 a year for both SSL and PPTP/L2TP (which is necessary if you're using a mobile device since few, if any, ship with SSL clients), installation and setup are easy, performance degradation is minuscule to nonexistent (especially since you can connect to dozens of VPN servers scattered throughout the world, thus minimizing network latency between your local POP and its gateway), and reliability is great (I've never been affected by an outage). Of course, you should do some homework on the provider. Investigate the company's viability, privacy policies, and service levels, because tunneling traffic through a VPN equates to the same level of trust as you put in your broadband ISP, since the VPN provider will theoretically have the same access to do traffic snooping, logging, or shaping.

What you can't do is nothing. Until the Wi-Fi industry develops standards for encrypting and seamlessly authenticating users to public hotspots (see my earlier column for one innovative approach to this), your users are on their own when it comes to network security unless you intervene.

Comments
amalmorshedy
User Rank: Apprentice
7/4/2014 | 9:08:23 PM
best cheap VPN

VPN service is the most suitable solution to mask your IP address and overcome all website accessibility issues in many countries. Wasel Pro is one of the best VPN service providers; it is unlimited and the cheapest VPN I've ever used to open Facebook, YouTube, and any banned services I can't open.

dinaafifi
User Rank: Apprentice
6/27/2014 | 3:04:39 PM
VPN for iPhone
Get access to your favorite websites on your iPhone with a European IP address using VPN for iPhone in complete privacy and security through encrypted servers.