Published on August 18th, 2011 | by Alexis Argent0
Public Hotspot Safety Hinges On VPNs
Internet access is so central to our lives that in a survey earlier this year, when asked what they could least live without, more people said they would give up eating (8%) than broadband Internet (6%). (Cable TV was first on the chopping block, at 49%.)
And in this mobile age, “Internet access” most often means “Wi-Fi access.” As carriers throttle back unlimited data plans, Wi-Fi will be in demand for smartphone users, too. Fortunately, Wi-Fi is about as ubiquitous as 3G — it’s at coffee shops, fast-food chains, airports, hotels, hospitals, even the campground. Yet, as I’ve written before, public Wi-Fi networks are to security what an open gutter is to hygiene — you just know there are nasty things lurking, even if you can’t see them. It’s trivially easy to snoop on unencrypted protocols and perform traffic analysis with Wireshark or a similar network protocol analyzer, or hijack browser sessions with a plug-in such as Firesheep. Public networks are also fertile ground for man-in-the-middle attacks, in which a rogue access point diverts all your traffic through a hacker’s PC, where it can be captured, analyzed, and mined for passwords and other sensitive information. And don’t think you’re immune just because you’re a security-savvy IT pro. Software such as KARMA and its Jasager port can turn cheap APs flashed with OpenWRT into instant honeypots. These exploit the auto-reconnect feature of most wireless devices by listening to 802.11 beacon frames and responding with the appropriate SSID.
Client: Hello, is Corp-WLAN-1 around?
Rogue AP: Why yes, this is Corp-WLAN-1. Would you like to connect?
Once hooked, every bit of your traffic goes through the rogue AP and hacker’s PC, and since the perpetrator is almost certainly routing traffic out to the Internet through a second connection (like the location’s legitimate AP or a 3G card), you’ll never know the difference.
A wireless “abstinence-only” policy is hopelessly unrealistic and, thankfully, unnecessary. The usual Wi-Fi hygiene recommendations — using a client-side firewall, disabling file-sharing protocols, and using Secure Sockets Layer connections whenever possible — are helpful but insufficient. The firewall won’t guard against sniffing on port 80, current exploits rarely use LAN file-sharing protocols to compromise devices, and software such as sslstrip mean even SSL isn’t immune from attack. So, besides taking all the standard security precautions, when connecting to a public Wi-Fi network, it’s highly advisable to use a VPN. No, it’s not foolproof, but a VPN prevents wireless snooping; provides a tripwire, alerting you to man-in-the-middle attacks (since your VPN connection will likely fail); and encrypts the network payload should you be diverted through such an attack.
Most large enterprises have deployed VPNs for their remote employees. For these IT teams, double check whether all traffic is routed through the corporate VPN or if your end-user device clients do split tunneling, in which only traffic bound for internal networks is encrypted. Normally, you’d allow split tunneling on a secure network (such as a home broadband link); however, when on a public Wi-Fi network, it’s more secure to turn it off and force all traffic over the encrypted link to the corporate network and then back out to the public Internet.
Thankfully, there are plenty of options for individuals and small businesses as well. For SMEs, investigate whether your existing router or security appliance has an optional VPN module (it probably does). If so, upgrade. If not, consider the latest generation of surprisingly affordable unified threat management appliances, such as those from Cyberoam, Fortinet, SonicWall, and WatchGuard, that support IPSec, L2TP, and SSL VPNs. Since every PC and mobile client ships with support for one or more of these protocols, whether employees are carrying iPads, Windows PCs, or Macs, you’ll have them covered.
Individuals aren’t left out in the cold. The market for third-party VPN services is growing, fueled largely by people in oppressive countries seeking to bypass restrictive network controls. I’ve used WiTopia for a while. The price is reasonable at roughly £58 a year for both SSL and PPTP/L2TP (which is necessary if you’re using a mobile device since few, if any, ship with SSL clients), installation and setup are easy, performance degradation is minuscule to nonexistent (especially since you can connect to dozens of VPN servers scattered throughout the world, thus minimizing network latency between your local POP and its gateway), and reliability is great (I’ve never been affected by an outage). Of course, you should do some homework on the provider. Investigate the company’s viability, privacy policies, and service levels, because tunneling traffic through a VPN equates to the same level of trust as you put in your broadband ISP, since the VPN provider will theoretically have the same access to do traffic snooping, logging, or shaping.
What you can’t do is nothing. Until the Wi-Fi industry develops standards for encrypting and seamlessly authenticating users to public hotspots, without intervention, users are on their own when it comes to network security.
Kurt Marko, Via InformationWeek