Public Hotspot Safety Hinges On VPNs - InformationWeek


Kurt Marko

Public Hotspot Safety Hinges On VPNs

Virtual private networks prevent wireless snooping, alert you to man-in-the-middle attacks, and encrypt the network payload should you be diverted through such an attack.

Face it, a computer or tablet without Internet access is about as useful as a car without gas; it provides a nice environment to play around in, but you won't get very far. In fact, Internet access is so central to our lives that in a survey earlier this year, when asked what they could least live without, more people said they would give up eating (8%) than broadband Internet (6%). (Cable TV was first on the chopping block, at 49%.)

And in this mobile age, "Internet access" most often means "Wi-Fi access." As carriers throttle back unlimited data plans, Wi-Fi will be in demand for smartphone users, too. Fortunately, Wi-Fi is about as ubiquitous as 3G -- it's at coffee shops, fast-food chains, airports, hotels, hospitals, even the campground. Yet, as I've written before, public Wi-Fi networks are to security what an open gutter is to hygiene -- you just know there are nasty things lurking, even if you can't see them. It's trivially easy to snoop on unencrypted protocols and perform traffic analysis with Wireshark or a similar network protocol analyzer, or to hijack browser sessions with a plug-in such as Firesheep, which simply lifts unencrypted session cookies off the air and replays them. Public networks are also fertile ground for man-in-the-middle attacks, in which a rogue access point diverts all your traffic through a hacker's PC, where it can be captured, analyzed, and mined for passwords and other sensitive information. And don't think you're immune just because you're a security-savvy IT pro. Software such as KARMA and its Jasager port can turn cheap APs flashed with OpenWRT into instant honeypots. These exploit the auto-reconnect feature of most wireless devices: a client looking for a known network sends out 802.11 probe requests naming each SSID on its preferred-network list, and the rogue AP answers every one of them with a probe response claiming to be exactly that SSID.

Client: Hello, is Corp-WLAN-1 around?

Rogue AP: Why yes, this is Corp-WLAN-1. Would you like to connect?

Once hooked, every bit of your traffic goes through the rogue AP and the hacker's PC, and since the perpetrator is almost certainly routing it back out to the Internet through a second connection (the location's legitimate AP or a 3G card, for instance), everything works as usual and you'll never know the difference.
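The tell-tale signature of the exchange above is that one access point answers probes for many unrelated network names. The following is an added example, not code from the column or from the KARMA/Jasager projects: it builds a handful of 802.11 management frames by hand (bare frames, no radiotap header and no FCS, which is an assumption about the capture format), parses them, and flags any BSSID that has claimed to be three or more different SSIDs in its probe responses. The client, rogue and legitimate MAC addresses and the SSIDs are constructed sample data.

```python
"""KARMA detector over 802.11 management frames (added example, not the column's code).

A KARMA/Jasager access point answers every directed probe request with a probe
response claiming whatever SSID the client asked for, so a single BSSID ends up
advertising many unrelated networks. That is the signal checked here.

Frame layout assumed: bare 802.11 management frames with no radiotap header and
no FCS; the sample frames are constructed inline rather than captured.
"""
import struct
from collections import defaultdict

TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
TAG_SSID = 0


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype, addr1, addr2, addr3, ssid):
    """Construct a minimal management frame carrying one SSID tag (test data only)."""
    fc = (TYPE_MGMT << 2) | (subtype << 4)       # version 0, type 0, subtype, no flags
    header = struct.pack("<HH6s6s6sH", fc, 0, mac(addr1), mac(addr2), mac(addr3), 0)
    body = b""
    if subtype == SUBTYPE_PROBE_RESP:
        # fixed fields: timestamp, beacon interval, capability info
        body += struct.pack("<QHH", 0, 100, 0x0401)
    ssid_bytes = ssid.encode()
    body += bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    return header + body


def parse_mgmt_frame(frame):
    """Return (subtype, addr1, addr2, addr3, ssid) or None for non-management frames."""
    if len(frame) < 24:
        return None
    fc, _dur, a1, a2, a3, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc & 0x3) != 0 or ((fc >> 2) & 0x3) != TYPE_MGMT:
        return None
    subtype = (fc >> 4) & 0xF
    offset = 24
    if subtype == SUBTYPE_PROBE_RESP:
        offset += 12                              # skip the fixed fields
    ssid = None
    while offset + 2 <= len(frame):               # walk the tagged parameters
        tag, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + length]
        if len(value) < length:
            break                                 # truncated tag, stop parsing
        if tag == TAG_SSID:
            ssid = value.decode(errors="replace")
            break
        offset += 2 + length
    return subtype, mac_str(a1), mac_str(a2), mac_str(a3), ssid


def find_karma_aps(frames, threshold=3):
    """Return {bssid: [ssids]} for BSSIDs that answered probes for >= threshold SSIDs."""
    claimed = defaultdict(set)
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        subtype, _dst, _src, bssid, ssid = parsed
        if subtype == SUBTYPE_PROBE_RESP and ssid:
            claimed[bssid].add(ssid)
    return {b: sorted(s) for b, s in claimed.items() if len(s) >= threshold}


# Constructed sample: one client probing for three remembered networks, a rogue AP
# answering all three, and a legitimate AP answering only for its own SSID.
CLIENT, ROGUE_AP, LEGIT_AP = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = []
for _ssid in ("Corp-WLAN-1", "HomeNet", "CoffeeShop-Free"):
    SAMPLE_FRAMES.append(build_mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, _ssid))
    SAMPLE_FRAMES.append(build_mgmt_frame(SUBTYPE_PROBE_RESP, CLIENT, ROGUE_AP, ROGUE_AP, _ssid))
SAMPLE_FRAMES.append(build_mgmt_frame(SUBTYPE_PROBE_RESP, CLIENT, LEGIT_AP, LEGIT_AP, "CoffeeShop-Free"))

if __name__ == "__main__":
    for bssid, ssids in find_karma_aps(SAMPLE_FRAMES).items():
        print(f"suspect KARMA AP {bssid} answered probes for: {', '.join(ssids)}")
```

In a real deployment the frames would come from a monitor-mode interface, so the radiotap header has to be stripped before `parse_mgmt_frame` sees them, and the threshold should be tuned: a normal AP answers a wildcard probe with its own SSID only, so even a low threshold rarely trips on legitimate gear, but the detector says nothing about an attacker who simply clones a single hotspot name.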

A wireless "abstinence-only" policy is hopelessly unrealistic and, thankfully, unnecessary. The usual Wi-Fi hygiene recommendations -- using a client-side firewall, disabling file-sharing protocols, and using Secure Sockets Layer connections whenever possible -- are helpful but insufficient. The firewall won't guard against sniffing on port 80 (it controls what reaches your machine, not who can read what leaves it), current exploits rarely use LAN file-sharing protocols to compromise devices, and tools such as sslstrip, which rewrite HTTPS links to plain HTTP before your browser ever opens a secure connection, mean even SSL isn't immune from attack. So, besides taking all the standard security precautions, when connecting to a public Wi-Fi network, it's highly advisable to use a VPN. No, it's not foolproof, but a VPN prevents wireless snooping, since everything crossing the air is encrypted; provides a tripwire, alerting you to man-in-the-middle attacks (a VPN client that verifies its gateway's certificate will refuse to connect through an impostor, so a connection that suddenly fails or throws a certificate warning is your cue to disconnect, not to click through); and encrypts the network payload should you be diverted through such an attack.

Most large enterprises have deployed VPNs for their remote employees. If you're on one of these IT teams, double-check whether all traffic is routed through the corporate VPN or whether your end-user clients do split tunneling, in which only traffic bound for internal networks is encrypted and everything else goes straight out the local interface. Normally, you'd allow split tunneling on a trusted network (such as a home broadband link); however, when on a public Wi-Fi network, it's more secure to turn it off and force all traffic over the encrypted link to the corporate network and then back out to the public Internet. Remember that DNS lookups count as traffic, too: a split-tunnel client that still uses the hotspot's DNS server hands every hostname you visit to whoever runs that hotspot.
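"All traffic" versus "only internal traffic" is a question the routing table answers directly. The following is an added example, not code from the column or from any VPN vendor: it parses the output of Linux `ip route show` and reports whether a VPN interface carries everything, only some prefixes, or nothing. The two routing tables are constructed samples; `tun0` as the VPN interface, `10.8.0.1` as the VPN gateway, `10.0.0.0/8` as the corporate range and `203.0.113.10` as the VPN server are assumptions.

```python
"""Split-tunnel check from a Linux routing table (added example, not the column's code).

Given the text of `ip route show`, decide whether a VPN interface carries all
traffic (full tunnel), only some prefixes (split tunnel), or nothing. The two
routing tables below are constructed samples; tun0 as the VPN interface,
10.8.0.1 as the VPN gateway and 203.0.113.10 as the VPN server are assumptions.
"""
import ipaddress

# Full tunnel: the two /1 routes (what OpenVPN's "redirect-gateway def1" installs)
# beat the default route by prefix length, so everything except the route to the
# VPN server itself goes through tun0.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Split tunnel: only the corporate 10.0.0.0/8 goes through tun0; everything else
# still leaves through the hotspot in the clear.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_ip_route(text):
    """Parse `ip route show` output into a list of (network, interface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)     # a bare host becomes a /32
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def route_interface(routes, dst):
    """Longest-prefix match; route metrics are ignored, which is enough for this check."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


# Probe destinations: a public address (RFC 5737 TEST-NET-2) and an internal one.
PROBE_ADDRESSES = ("198.51.100.1", "10.1.2.3")


def classify_tunnel(routes, vpn_dev, probes=PROBE_ADDRESSES):
    """'full' if every probe exits via vpn_dev, 'split' if some do, 'none' otherwise."""
    via_vpn = [route_interface(routes, p) == vpn_dev for p in probes]
    if all(via_vpn):
        return "full"
    return "split" if any(via_vpn) else "none"


if __name__ == "__main__":
    for name, table in (("full-tunnel table", FULL_TUNNEL), ("split-tunnel table", SPLIT_TUNNEL)):
        routes = parse_ip_route(table)
        print(f"{name}: {classify_tunnel(routes, 'tun0')}; "
              f"198.51.100.1 exits via {route_interface(routes, '198.51.100.1')}")
```

The host route to the VPN server via `wlan0` is expected in both tables and is not a leak; without it the tunnel's own packets would try to go through the tunnel. Two things this check deliberately does not cover and a real audit must: the IPv6 table (`ip -6 route`), since a hotspot that hands out IPv6 can bypass an IPv4-only tunnel entirely, and which DNS server the client is actually using.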

Thankfully, there are plenty of options for individuals and small businesses as well. For SMEs, investigate whether your existing router or security appliance has an optional VPN module (it probably does). If so, upgrade. If not, consider the latest generation of surprisingly affordable unified threat management appliances, such as those from Cyberoam, Fortinet, SonicWall, and WatchGuard, that support IPsec, L2TP/IPsec, and SSL VPNs. Since every PC and mobile operating system ships with a client for at least one of these protocols, whether employees are carrying iPads, Windows PCs, or Macs, you'll have them covered.

Individuals aren't left out in the cold. The market for third-party VPN services is growing, fueled largely by people in oppressive countries seeking to bypass restrictive network controls. I've used WiTopia for a while. The price is reasonable at $70 a year for both SSL and PPTP/L2TP (which is necessary if you're using a mobile device since few, if any, ship with SSL clients; where you have the choice, prefer L2TP/IPsec over PPTP, whose MS-CHAPv2 authentication is breakable), installation and setup are easy, performance degradation is minuscule to nonexistent (especially since you can connect to dozens of VPN servers scattered throughout the world, thus minimizing network latency between your local POP and its gateway), and reliability is great (I've never been affected by an outage). Of course, you should do some homework on the provider. Investigate the company's viability, privacy policies, and service levels, because tunneling all your traffic through a VPN doesn't eliminate trust, it relocates it: the VPN provider sits in exactly the position your broadband ISP or the hotspot operator did, with the same ability to snoop on, log, or shape everything you send.

What you can't do is nothing. Until the Wi-Fi industry develops standards for encrypting and seamlessly authenticating users to public hotspots (see my earlier column for one innovative approach to this), your users are on their own when it comes to network security unless you intervene.
