I recently penned a "10 thing" post called "10 Wi-Fi security tips for the road warrior" and TechRepublic member DonnaKline responded with an excellent observation:
"The point of varying the level of security required by location might have been stressed more, especially for those of us who are less sophisticated about tech issues. For example, there may be more risk using the wifi in an airport lounge than in an upscale business traveler hotel, which hopefully will be more careful about security issues."
I appreciate DonnaKline's candor in pointing out certain ambiguities surrounding perceived versus real security when using public Wi-Fi networks. Let's see if we can clear some of them up.Defining public Wi-Fi
To make sure we're all on the same page, let's first define public Wi-Fi networks as those that allow unrestricted access. That's a simplistic definition, but what's typically available at venues like airports, hotels, and hotspots. Since unrestricted access eliminates the ability to encrypt Wi-Fi traffic, it also means there's no real security.Is there more risk at airports?
So, is there more risk to using public Wi-Fi access at an airport lounge when compared to an upscale hotel? I would say yes, but not for technical reasons. People who steal information and identities want to do so using the least amount of effort. That means airports, simply because there are more targets of opportunity. I certainly see this whenever I'm traveling. At any given airport, it's very easy to capture copious amounts of unencrypted digital traffic.
I hope that explanation made sense, but I'm concerned that many people share DonnaKline's viewpoint. With that in mind I would like to discuss some high level Wi-Fi security concepts. Theoretically, achieving information security and lowering risk is simple. If the information is undecipherable to everyone except the intended viewer, it's secure. In real life information security is anything but simple. That's why an informed Wi-Fi user is the most powerful security tool available.Three distinct security zones
I find it helps to divide the path that digital traffic travels along into distinct security zones. By doing so, attention is focused on the entire connection, not just the initial Wi-Fi portion. To keep it simple, I use the three following zones:Wi-Fi security zone: This zone is the one most people are aware of, as it is first step to gain access to the Internet. Wired security zone: This zone is the in house infrastructure that acts as a go between for the Wi-Fi network and the Internet. Internet security zone: This zone is the conglomeration of linked networks that can traverse significant geographical areas. OK, I should just say the Internet.
To many, realizing that all three zones are important for secure transmission of their information is a new concept. The following example clearly points this out. My financial adviser, who is near and dear to me, argues that Internet access at her favorite coffee shop is secure since she has to enter a new WPA passcode each time she visits. Using my security zone concept, we can see that the Wi-Fi security zone is covered, but how secure is my advisor's information as it traverses the wired and Internet security zones?
To explain, that particular coffee shop could be capturing customer's personal information as it passes through the wired security zone. I'm not saying that it's being done, but it could be. It's also possible for people who steal information and identities to setup capture equipment in the coffee shop without the owner's permission. Now that my financial adviser understands that there are different security zones, it's easier for her to make an informed decision about what security measures to use.Proper tool for the job
Good news for road warriors is the availability of security tools that will protect information traveling across all three security zones or any combination thereof. From a security expert's viewpoint, utopia would be everyone using an IPsec VPN (pdf) at all times. Nice, but let's get back to the real world. Security does not come free and it's the user that carries the additional burden created by increased security. Let's continue using my financial adviser in the two following examples, which depict situations where both security and convenience are considered:Highly sensitive traffic: My adviser needs to access the office database from the coffee shop. Since the data is very sensitive, the security tool used should produce the maximum amount of security. That would be some sort of VPN application. So she enables the computer's VPN client, creating a digital tunnel that traverses all three security zones connecting to the VPN server at the office. Once the VPN tunnel is setup, digital traffic is encrypted and sent through the tunnel. If any of this traffic was captured by an attacker it would be complete gibberish and virtually impossible to decipher. That's about as good as it gets and most security experts would be happy. Anonymity and local security: Next, my adviser wants to surf the Internet. Checking out some vacations spots, now that April 15 has past. She'd rather not use the VPN, since it's piped through the office's Internet access and may create an unnecessary bottleneck. Only thing, there's this rather odd looking guy using a notebook with a strange antenna attached to it sitting in the next booth. What if he's snooping? Does he know the encryption pass-code? Wait a minute, I convinced her to get an "IronKey" for safe portable file storage. Luckily, it's configured to connect to a SSL proxy server. Using that to access the Internet, my adviser has the Wi-Fi, wired, and a portion of the Internet security zones covered. No worries about that guy snooping and it's simpler than a VPN connection to use. Final thoughts
The two examples are only meant to show what's possible, not to advocate specific devices or methodology. That's unrealistic, since each encountered situation is unique. It is my goal to help enlighten and make it easier for road warriors to determine the best security option for a given situation. I hope that this post and the information in "10 Wi-Fi security tips for the road warrior" will be good additions to the road warrior's security tool kit.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.