Wi-Fi security is a popular topic these days, and the "best approach" is being vigorously debated on many forums, including TechRepublic's. One fact I discerned from reading the various forum posts is that there are many opinions as to what's required to securely associate with unknown and possibly hostile Wi-Fi networks.
With this in mind, I'd like to look at Wi-Fi security concerns from the viewpoint of the road warrior. Since road warriors deal with unknown and usually wide-open Wi-Fi environments, a solution that works for them will offer some benefit to everyone. Here are 10 security tips that should allow the road warrior to have a secure encounter -- of the best kind -- with unknown Wi-Fi networks.
Note: This information is also available as a PDF download.
#1: Turn off the Wi-Fi client adapter when you're not using it
The reasons for this are twofold. First, it conserves battery life -- always a concern for road warriors. Second, it's the simplest way to prevent penetration attacks using a procedure named "Microsoft Windows silent ad hoc network advertisement." Basically, the attack takes advantage of the fact that Microsoft Windows Zero Configuration is set by default to allow anonymous ad hoc connections. For more details, check out my blog post "How to prevent automatic association with ad hoc networks."
#2: Verify that the SSID actually represents the provider's Wi-Fi network
Verifying the SSID will help prevent associating with an evil twin. Evil twin is patterned after the man-in-the-middle attack where a hacker sets up equipment to falsely represent the facility's Wi-Fi network. In elegant simplicity, the user unknowingly associates with the fake network, allowing the hacker to obtain every byte of traffic that is sent or received.
#3: Make sure a software firewall is running on your notebook
Microsoft Windows XP and Vista already incorporate a firewall, but in both cases, it's inadequate. There are many good freeware firewall applications that are more competent, providing the additional protection a road warrior needs. I use Online-Armor, a somewhat new application that's been getting good reviews.
#4: Disable Window's file and printer sharing
By default, file and printer sharing is disabled, but many users enable this feature to share printers or files while on a work or home network. Having this feature enabled while on the road is just asking for trouble. It allows unauthorized access to your files by anyone who happens to be on that particular Wi-Fi network. The Microsoft Knowledge Base article "Disable File and Printer Sharing for Additional Security" explains how to determine whether file and printer sharing is enabled and outlines the required steps to disable the feature.
#5: Avoid sensitive online transactions when using open Wi-Fi networks
This is self-evident, but I felt it important enough to mention.
#6: Keep your notebook's operating system up to date
Along with your OS, make sure your antivirus, firewall, Web browser, and Wi-Fi client applications are current as well. By doing so, you'll eliminate many attack venues caused by application vulnerabilities.
#7: Secure any personal, banking, or credit card details
Allowing the Web browser to remember personal information is another avenue hackers can use to easily retrieve sensitive material if the notebook is lost or stolen. I've been using Bruce Schneier's Password Safe for many years. It requires you to remember only one access password, which is useful even if you are not a road warrior.
#8: Use secure and anonymous Web surfing techniques
This is very important if a VPN service is not available or the VPN will not set up correctly. There are various Web services that provide SSL VPN solutions by creating an encrypted tunnel from the notebook to their secure server. This eliminates a whole slew of possible issues. Some of the more preeminent services are Megaproxy and TOR. I use a slightly different approach based on USB flash drive technology. IronKey is a secure USB flash drive with FireFox and TOR technology pre-installed. If Internet access is available, the device automatically configures an SSL tunnel to secure IronKey servers. See "IronKey: Simple, safe, and secure surfing over Wi-Fi" for more details.
#9: If required, use VPN technology
The problem with the previous tip is that it applies only to Web-based applications. What about e-mail applications, like Outlook? This is where the full-blown VPN comes into play. Most business road warriors use this approach exclusively. The VPN tunnel allows the road warrior to remotely become part of the home or office network. Then, all the normal business applications, file sharing, and Internet access are handled by the company's network. There are many hardware and software VPN applications to choose from. My choice would be OpenVPN.
#10: Use remote access applications for security
Not having any sensitive data travel over questionable networks to your notebook is a unique solution. This is possible by using a service like LogMeIn, which allows the road warrior to remotely control a home or office computer through an SSL tunnel. Web surfing, e-mail, and other applications are active only on the remote computer. So no data is being transmitted to the road warrior's notebook, unless so desired.
Road warriors have to be creative. Besides their normal work, they are asked to maintain an almost continuous electronic presence while away from their office or home. These simple tips can help secure their computers and resident information no matter where they go.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.