Public Hotspot Safety Hinges On VPNs - InformationWeek

03:00 PM
Kurt Marko

Public Hotspot Safety Hinges On VPNs

Virtual private networks prevent wireless snooping, alert you to man-in-the-middle attacks, and encrypt the network payload should you be diverted through such an attack.

Face it, a computer or tablet without Internet access is about as useful as a car without gas; it provides a nice environment to play around in, but you won't get very far. In fact, Internet access is so central to our lives that in a survey earlier this year, when asked what they could least live without, more people said they would give up eating (8%) than broadband Internet (6%). (Cable TV was first on the chopping block, at 49%.)

And in this mobile age, "Internet access" most often means "Wi-Fi access." As carriers throttle back unlimited data plans, Wi-Fi will be in demand for smartphone users, too. Fortunately, Wi-Fi is about as ubiquitous as 3G -- it's at coffee shops, fast-food chains, airports, hotels, hospitals, even the campground. Yet, as I've written before, public Wi-Fi networks are to security what an open gutter is to hygiene -- you just know there are nasty things lurking, even if you can't see them. It's trivially easy to snoop on unencrypted protocols and perform traffic analysis with Wireshark or a similar network protocol analyzer, or hijack browser sessions with a plug-in such as Firesheep. Public networks are also fertile ground for man-in-the-middle attacks, in which a rogue access point diverts all your traffic through a hacker's PC, where it can be captured, analyzed, and mined for passwords and other sensitive information. And don't think you're immune just because you're a security-savvy IT pro. Software such as KARMA and its Jasager port can turn cheap APs flashed with OpenWRT into instant honeypots. These exploit the auto-reconnect feature of most wireless devices by listening to 802.11 beacon frames and responding with the appropriate SSID.

Client: Hello, is Corp-WLAN-1 around?

Rogue AP: Why yes, this is Corp-WLAN-1. Would you like to connect?

Once hooked, every bit of your traffic goes through the rogue AP and hacker's PC, and since the perpetrator is almost certainly routing traffic out to the Internet through a second connection (like the location's legitimate AP or a 3G card), you'll never know the difference.
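One defender-side way to spot the rogue AP in the exchange above, as an added example that is not part of Marko's column: a KARMA/Jasager AP answers probe requests for any name, so a single BSSID ends up claiming many unrelated SSIDs in its probe responses, which a legitimate AP does not. The capture records below are constructed, and the (frame_type, bssid, ssid) tuple layout is an assumption about how a monitor-mode tool would export them.

```python
from collections import defaultdict

# Constructed sample of monitor-mode capture records: (frame_type, bssid, ssid).
# Not from a real capture; the BSSIDs and network names are made up.
SAMPLE_FRAMES = [
    ("probe_resp", "00:11:22:33:44:55", "CoffeeShop-Guest"),
    ("probe_resp", "00:11:22:33:44:55", "CoffeeShop-Guest"),
    ("beacon",     "00:11:22:33:44:55", "CoffeeShop-Guest"),
    ("probe_resp", "de:ad:be:ef:00:01", "Corp-WLAN-1"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet"),
    ("probe_resp", "de:ad:be:ef:00:01", "attwifi"),
    ("probe_resp", "de:ad:be:ef:00:01", "xfinitywifi"),
]


def ssids_per_bssid(frames):
    """Map each BSSID to the set of SSIDs it has claimed in probe responses."""
    claimed = defaultdict(set)
    for frame_type, bssid, ssid in frames:
        # Beacons advertise what an AP really serves; only probe responses
        # reveal an AP answering for names it was merely asked about.
        if frame_type == "probe_resp" and ssid:
            claimed[bssid].add(ssid)
    return claimed


def suspected_karma_aps(frames, threshold=3):
    """Return {bssid: [ssids]} for APs answering probes for >= threshold names.

    A KARMA-style AP replies to probe requests for any SSID, so one BSSID
    ends up claiming many unrelated networks. Multi-SSID APs exist
    legitimately, so the threshold is a tunable heuristic, not proof.
    """
    return {
        bssid: sorted(ssids)
        for bssid, ssids in ssids_per_bssid(frames).items()
        if len(ssids) >= threshold
    }


if __name__ == "__main__":
    for bssid, names in suspected_karma_aps(SAMPLE_FRAMES).items():
        print(f"suspect {bssid}: answered probes as {', '.join(names)}")
```

A hit is a reason to stay off that network and investigate, not a conviction; a venue AP that legitimately hosts several SSIDs will also trip a low threshold.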

A wireless "abstinence-only" policy is hopelessly unrealistic and, thankfully, unnecessary. The usual Wi-Fi hygiene recommendations -- using a client-side firewall, disabling file-sharing protocols, and using Secure Sockets Layer connections whenever possible -- are helpful but insufficient. The firewall won't guard against sniffing on port 80, current exploits rarely use LAN file-sharing protocols to compromise devices, and tools such as sslstrip mean even SSL isn't immune from attack. So, besides taking all the standard security precautions, when connecting to a public Wi-Fi network, it's highly advisable to use a VPN. No, it's not foolproof, but a VPN prevents wireless snooping; provides a tripwire, alerting you to man-in-the-middle attacks (since your VPN connection will likely fail); and encrypts the network payload should you be diverted through such an attack.

Most large enterprises have deployed VPNs for their remote employees. If you're on one of those IT teams, double-check whether all traffic is routed through the corporate VPN or whether your end-user clients do split tunneling, in which only traffic bound for internal networks is encrypted. Normally, you'd allow split tunneling on a secure network (such as a home broadband link); however, on a public Wi-Fi network it's more secure to turn it off and force all traffic over the encrypted link to the corporate network and then back out to the public Internet.
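A way to answer the split-tunneling question above on a Linux client, as an added example that is not from the column: it parses `ip route show` output (the two samples are constructed; the interface names, addresses and the OpenVPN-style 0.0.0.0/1 + 128.0.0.0/1 override are assumptions) and reports which representative destinations would leave over the Wi-Fi instead of the tunnel.

```python
import ipaddress
# Constructed `ip route show` output (documentation addresses, not a real host):
# a laptop on public Wi-Fi whose VPN client only routes corporate 10.0.0.0/8.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
203.0.113.10 via 192.168.1.1 dev wlan0
"""
# Same laptop once the client sends everything over the VPN: the 0.0.0.0/1 +
# 128.0.0.0/1 pair outranks the DHCP default route by prefix length.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
203.0.113.10 via 192.168.1.1 dev wlan0
"""
# Representative Internet and intranet destinations (documentation ranges).
PROBES = ("192.0.2.8", "198.51.100.7", "203.0.113.99", "10.1.2.3")

def parse_routes(text):
    """Yield (network, device) per `ip route` line; 'default' means 0.0.0.0/0."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        yield ipaddress.ip_network(dest, strict=False), dev

def route_for(routes, addr):
    """Pick the outgoing device by longest-prefix match, as the kernel does."""
    addr = ipaddress.ip_address(addr)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=(None, None))
    return best[1]

def bypassing_vpn(route_text, vpn_dev="tun0", probes=PROBES):
    """Probe destinations whose traffic would leave via the Wi-Fi, not the VPN."""
    routes = list(parse_routes(route_text))
    return [p for p in probes if route_for(routes, p) != vpn_dev]

def tunnel_mode(route_text, vpn_dev="tun0"):
    """'full' when every probe goes over the VPN, otherwise 'split'."""
    return "split" if bypassing_vpn(route_text, vpn_dev) else "full"
```

The VPN gateway's own host route (203.0.113.10 via wlan0 here) must stay outside the tunnel, so the probes deliberately avoid it; the check samples destinations rather than proving total coverage.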

Thankfully, there are plenty of options for individuals and small businesses as well. For SMEs, investigate whether your existing router or security appliance has an optional VPN module (it probably does). If so, upgrade. If not, consider the latest generation of surprisingly affordable unified threat management appliances, such as those from Cyberoam, Fortinet, SonicWall, and WatchGuard, that support IPSec, L2TP, and SSL VPNs. Since every PC and mobile client ships with support for one or more of these protocols, whether employees are carrying iPads, Windows PCs, or Macs, you'll have them covered.

Individuals aren't left out in the cold. The market for third-party VPN services is growing, fueled largely by people in oppressive countries seeking to bypass restrictive network controls. I've used WiTopia for a while. The price is reasonable at $70 a year for both SSL and PPTP/L2TP (which is necessary if you're using a mobile device since few, if any, ship with SSL clients), installation and setup are easy, performance degradation is minuscule to nonexistent (especially since you can connect to dozens of VPN servers scattered throughout the world, thus minimizing network latency between your local POP and its gateway), and reliability is great (I've never been affected by an outage). Of course, you should do some homework on the provider. Investigate the company's viability, privacy policies, and service levels, because tunneling traffic through a VPN equates to the same level of trust as you put in your broadband ISP, since the VPN provider will theoretically have the same access to do traffic snooping, logging, or shaping.

What you can't do is nothing. Until the Wi-Fi industry develops standards for encrypting and seamlessly authenticating users to public hotspots (see my earlier column for one innovative approach to this), without intervention, your users are on their own when it comes to network security.

User Rank: Apprentice
7/4/2014 | 9:08:23 PM
best cheap VPN

VPN service is the most suitable solution to mask your IP address and overcome all website accessibility issues in many countries. Wasel Pro is one of the best VPN service providers, which is unlimited and the best, cheapest VPN I've ever used to open Facebook, YouTube, and any banned services I can't open.

User Rank: Apprentice
6/27/2014 | 3:04:39 PM
VPN for iPhone
Get access to your favorite websites on your iPhone with a European IP address using VPN for iPhone in complete privacy and security through encrypted servers.