Wi-Fi

Wi-Fi security for the road warrior; revisited

"Wi-Fi security for the road warrior; revisited" is a response to a TechRepublic member who pointed out the need to clear up certain ambiguities surrounding perceived versus real security when using public Wi-Fi networks.

I recently penned a "10 things" post called "10 Wi-Fi security tips for the road warrior," and TechRepublic member DonnaKline responded with an excellent observation:

"The point of varying the level of security required by location might have been stressed more, especially for those of us who are less sophisticated about tech issues. For example, there may be more risk using the wifi in an airport lounge than in an upscale business traveler hotel, which hopefully will be more careful about security issues."

I appreciate DonnaKline's candor in pointing out certain ambiguities surrounding perceived versus real security when using public Wi-Fi networks. Let's see if we can clear some of them up.

Defining public Wi-Fi

To make sure we're all on the same page, let's first define public Wi-Fi networks as those that allow unrestricted access. That's a simplistic definition, but it's what's typically available at venues like airports, hotels, and hotspots. Since unrestricted access means no shared key is in use, the Wi-Fi link itself can't be encrypted, and that means there's no real security at that layer.

Is there more risk at airports?

So, is there more risk to using public Wi-Fi access at an airport lounge when compared to an upscale hotel? I would say yes, but not for technical reasons. People who steal information and identities want to do so using the least amount of effort. That means airports, simply because there are more targets of opportunity. I certainly see this whenever I'm traveling. At any given airport, it's very easy to capture copious amounts of unencrypted digital traffic.

I hope that explanation made sense, but I'm concerned that many people share DonnaKline's viewpoint. With that in mind, I would like to discuss some high-level Wi-Fi security concepts. Theoretically, achieving information security and lowering risk is simple: if the information is undecipherable to everyone except the intended viewer, it's secure. In real life, information security is anything but simple. That's why an informed Wi-Fi user is the most powerful security tool available.

Three distinct security zones

I find it helps to divide the path that digital traffic travels along into distinct security zones. By doing so, attention is focused on the entire connection, not just the initial Wi-Fi portion. To keep it simple, I use the following three zones:

Wi-Fi security zone: This zone is the one most people are aware of, as it is the first step to gain access to the Internet.

Wired security zone: This zone is the in-house infrastructure that acts as a go-between for the Wi-Fi network and the Internet.

Internet security zone: This zone is the conglomeration of linked networks that can traverse significant geographical areas. OK, I should just say the Internet.

To many, realizing that all three zones are important for secure transmission of their information is a new concept. The following example clearly points this out. My financial adviser, who is near and dear to me, argues that Internet access at her favorite coffee shop is secure since she has to enter a new WPA passcode each time she visits. Using my security zone concept, we can see that the Wi-Fi security zone is covered, but how secure is my adviser's information as it traverses the wired and Internet security zones?

To explain, that particular coffee shop could be capturing customers' personal information as it passes through the wired security zone. I'm not saying that it's being done, but it could be. It's also possible for people who steal information and identities to set up capture equipment in the coffee shop without the owner's permission. Now that my financial adviser understands that there are different security zones, it's easier for her to make an informed decision about what security measures to use.

Proper tool for the job

The good news for road warriors is that security tools are available that will protect information traveling across all three security zones, or any combination thereof. From a security expert's viewpoint, utopia would be everyone using an IPsec VPN at all times. Nice, but let's get back to the real world. Security does not come free, and it's the user that carries the additional burden created by increased security. Let's continue using my financial adviser in the following two examples, which depict situations where both security and convenience are considered:

Highly sensitive traffic: My adviser needs to access the office database from the coffee shop. Since the data is very sensitive, the security tool used should provide the maximum amount of security. That would be some sort of VPN application. So she enables the computer's VPN client, creating a digital tunnel that traverses all three security zones and connects to the VPN server at the office. Once the VPN tunnel is set up, digital traffic is encrypted and sent through the tunnel. If any of this traffic were captured by an attacker, it would be complete gibberish and virtually impossible to decipher. That's about as good as it gets, and most security experts would be happy.

Anonymity and local security: Next, my adviser wants to surf the Internet, checking out some vacation spots now that April 15 has passed. She'd rather not use the VPN, since it's piped through the office's Internet access and may create an unnecessary bottleneck. The only thing is, there's this rather odd-looking guy using a notebook with a strange antenna attached to it, sitting in the next booth. What if he's snooping? Does he know the encryption passcode? Wait a minute, I convinced her to get an "IronKey" for safe portable file storage. Luckily, it's configured to connect to an SSL proxy server. Using that to access the Internet, my adviser has the Wi-Fi, wired, and a portion of the Internet security zones covered. No worries about that guy snooping, and it's simpler to use than a VPN connection.

Final thoughts

The two examples are only meant to show what's possible, not to advocate specific devices or methodology. That's unrealistic, since each encountered situation is unique. It is my goal to help enlighten and make it easier for road warriors to determine the best security option for a given situation. I hope that this post and the information in "10 Wi-Fi security tips for the road warrior" will be good additions to the road warrior's security tool kit.
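To make the three-zone model and the two scenarios above concrete, here is an added example (not code from the article) that walks one packet from the laptop, over the air, through the venue's wired network and out across the Internet, and reports at which zones an eavesdropper can read it. A WPA key is modelled as a layer that the access point strips off; a VPN or SSL-tunnel key as a layer that only the tunnel server strips. The eavesdropper may hold keys of their own, which is how the "customer who was given the shop's WPA key" case is expressed. The HMAC-based stream cipher is a toy stand-in for a real AEAD such as AES-GCM, used only so that the simulation moves real ciphertext; the keys and the HTTP request are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Toy stream cipher (assumption: stands in for AES-GCM / ChaCha20-Poly1305).
# keystream = HMAC-SHA256(key, nonce || counter), XORed with the data.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class Frame:
    body: bytes                                      # bytes actually on the wire
    layers: List[str] = field(default_factory=list)  # encryption layers, outermost last


def wrap(frame: Frame, layer: str, key: bytes) -> Frame:
    return Frame(seal(key, frame.body), frame.layers + [layer])


def unwrap(frame: Frame, keyring: Dict[str, bytes]) -> Frame:
    """Strip every outer layer whose key the holder of `keyring` possesses."""
    body, layers = frame.body, list(frame.layers)
    while layers and layers[-1] in keyring:
        body = unseal(keyring[layers.pop()], body)
    return Frame(body, layers)


def readable(frame: Frame, keyring: Dict[str, bytes], message: bytes) -> bool:
    """True if someone holding `keyring` recovers the original message from this frame."""
    stripped = unwrap(frame, keyring)
    return not stripped.layers and stripped.body == message


def simulate(message: bytes, link_key: Optional[bytes], tunnel_key: Optional[bytes],
             observer: Dict[str, bytes]) -> Dict[str, bool]:
    """Walk one packet across the three zones; report where `observer` can read it.

    link_key   : WPA key shared with the access point (None = open Wi-Fi)
    tunnel_key : VPN / SSL-tunnel key shared with a server in the Internet zone
    observer   : keys the eavesdropper holds, e.g. {"link": shop_wpa_key}
    """
    frame = Frame(message)
    if tunnel_key is not None:
        frame = wrap(frame, "tunnel", tunnel_key)   # inner layer: ends at the tunnel server
    if link_key is not None:
        frame = wrap(frame, "link", link_key)       # outer layer: ends at the access point

    seen: Dict[str, bool] = {}
    seen["wifi zone (on the air)"] = readable(frame, observer, message)
    frame = unwrap(frame, {"link": link_key} if link_key else {})      # AP removes WPA
    seen["wired zone (venue LAN)"] = readable(frame, observer, message)
    seen["internet zone, before tunnel server"] = readable(frame, observer, message)
    frame = unwrap(frame, {"tunnel": tunnel_key} if tunnel_key else {})  # tunnel server removes VPN
    seen["internet zone, beyond tunnel server"] = readable(frame, observer, message)
    return seen


if __name__ == "__main__":
    # Constructed sample values.
    msg, psk, vpn = b"GET /account HTTP/1.1", b"shop-wpa-key", b"office-vpn-key"
    for label, link, tunnel, eve in [
        ("open Wi-Fi, no tunnel", None, None, {}),
        ("WPA, stranger in the next booth", psk, None, {}),
        ("WPA, stranger who asked for the key", psk, None, {"link": psk}),
        ("WPA + VPN, stranger who has the key", psk, vpn, {"link": psk}),
    ]:
        print(label)
        for zone, exposed in simulate(msg, link, tunnel, eve).items():
            print(f"  {zone:40s} {'READABLE' if exposed else 'ciphertext'}")
```

The last scenario is the office-VPN case: the segment "beyond the tunnel server" is the office LAN, so the packet is only ever plaintext where the adviser intended it to be. For the SSL-proxy scenario that last segment is the public Internet between the proxy and the vacation website, which is exactly the "portion of the Internet zone" the article says is not covered.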

About

Information is my field...Writing is my passion...Coupling the two is my mission.

20 comments
BannerCap

Wi-Fi security is easy: don't use Wi-Fi. If you or your company is too cheap to pay for cellular data service (such as a dedicated cellular card for the laptop or tethering your cell phone / BlackBerry to the cellular network and your laptop), then you deserve to get attacked. By using the cellular network, the likelihood of someone nearby trying to capture your data packets drops to nil. And how much is that Wi-Fi hot spot at the airport going to cost you? At all of the airports I've been to, this service costs, so let's do the math: the unlimited data plan add-on for a BlackBerry is $15 - $20 per month, the airport charges you $6 - $10 per hour, so after 2 connections at the airport you have paid for the monthly data service on your BlackBerry. Then let's throw in those trips to the coffee shop: buy a cup and we'll give you an hour for free, so how much did you spend on the coffee? Did you forget about the cost of getting to the coffee shop? With gas pushing $4/gal, how much did that little trip cost you? Now let's look at the hotel: some give free Internet, but most charge $10 a day, so the charges can add up quick. Now start adding up these little expenses and getting data service on your cell phone is looking better and better. Sure, once you are out on the Internet all bets are off as to who is watching your data packets, but you have at least eliminated the threat of someone nearby sniffing your data packets or using a rogue peer-to-peer Wi-Fi connection to steal your passwords and data.

igofman77

VPN definitely is a great protection. But connecting to your office network through VPN usually means connecting with the same privileges as being in the office. And the VPN tunnel ends at your computer's network interface (simplifying). At the same time your laptop is connected to an insecure wireless access point. So if anybody is able to compromise your laptop OS, he/she may be able to get access to everything you have access to, including the office network through VPN.

ausside

"upscale business traveler hotel" more secure? Only if they are charging for the service, and only then to get payment before you get service. Security is only as good as "you" make it. Assuming a provider is "secure" is a hacker's dream.

jose.schmoe

Is there any freebie software for securing the Wi-Fi link for Vista and XP, short of IPsec VPN?

DonDassingerPhoenixZ

Yes, a very good article on real-life wireless security; there could be more tips for adjusting settings and more details about things to be aware of, but it's a very readable and good article. Thanks for describing the vulnerabilities in terms of several different zones.

Michael Kassner

Does the concept of dividing the path that digital traffic follows into security zones help at all?

Michael Kassner

I agree with your assessment. Being anal though, I like to have multiple options. I do have mobile wireless broadband and I use it extensively. There are times where it is nice to just quickly surf the Web using a faster connection. Using a TOR device like the IronKey affords simple, fast, and secure Internet access.

ebsfrmr

Thanks for your clear answer. It has been my suspicion that a Mobile Broadband account of my own could be one way to secure my personal identity information. The price of an account is small in comparison to what I understand people are spending in time and money to clear up identity theft incidents... Again, thanks for explaining how using a dedicated cellular account is preferable security-wise with regard to exposure to data sniffing--something I wondered about. Good point about the extra charges incurred when one does need to pay for access. Also, if you are out on the road for any length of time, you might need to do some internet banking. And, how convenient to be able to quickly show a customer something on the internet pertaining to our sales meeting. Rather than having to find a free computer, if I can just whip out my laptop and bring up some supporting information related to our meeting... I still haven't opened my wallet, but it seems viable and definitely the direction I plan to head toward for my business. I keep watching the prices and options available, hoping one of the carriers will see a way to bring pricing down just a bit more...

One more thought: I personally know of one of my sales managers who had her credit card information sniffed out at a coffee shop, where she had to pay for internet time. What a wreck it made of her business trip. When she tried to pay her restaurant bill that night, her card would not go through due to fraud being detected, shortly after her coffee shop visit that day, by her credit card company. They called her home, but she was out of town, so she didn't realize the predicament she was in. She had to ask another of the remaining attendees to pay for our very large company dinner bill... quite embarrassing and inconvenient for her, as this was the first day of her trip and she only had the one company credit card with her...

Michael Kassner

Your comment is spot on. I know many admins that are very concerned about that attack vector. I seem to remember that's how some MS servers were compromised a few years ago. I advise clients, especially those with Windows 2003 AD, to set up "Network Access Quarantine Control" as it eliminates some of the problem.

Michael Kassner

That was one of the crucial points I was trying to get across with this additional posting.

Michael Kassner

Hello Jose, Neon Samurai offered one good solution. I'd like to know more about your particular situation. Do you want secure access to the Internet or to a remote company network? That makes a difference as to what's available. If you are referring to open Wi-Fi access at a hotel or coffee shop and just wanting to access the Internet, there are a few free options:

TOR is a free and very secure service project that creates an encrypted tunnel from the computer to a series of TOR servers, through which the digital traffic passes and exits to the Internet. This application affords security as well as anonymity. http://www.torproject.org/

Using an SSL tunnel is one way to secure the Wi-Fi portion, but using SSL servers is normally a paid service. I have on occasion used LogMeIn to set up an SSL tunnel to a home computer and then surfed the Internet from that computer. You gain two things that way. No sensitive data is sent to your computer, and you have a free SSL tunnel that encrypts all traffic being sent over the Wi-Fi link. https://secure.logmein.com/home.asp?lang=en

There are other options, but as I mentioned I'm not sure what your requirements are. Please let me know as it will allow us to go into greater detail.

Neon Samurai

You should find it in Chad Perrin's articles. I think it was using PuTTY to create a tunnel proxy from your Windows or Vista to a computer at home. All your traffic then goes through the tunnel to your home computer before it goes out to the internet.

Michael Kassner

Hello Don, I am curious if you read the article linked in the post called "10 Wi-Fi security tips for the road warrior"? I went into more detail there. http://blogs.techrepublic.com.com/10things/?p=335 If that is not enough, please let me know. I would be more than happy to post about any of your concerns. Michael P. Kassner

Penguin_me

One thing which I don't think (please correct me if I'm wrong here) has been mentioned is public WiFi and keys. When you go to any public WiFi hotspot, as long as someone will give you the wireless key (say at a Starbucks), you need to consider that network to be an "unencrypted network". If I can walk into that Starbucks and get the WEP/WPA key, I can now decrypt all the wireless traffic that you send. Using a VPN (or other means of end-to-end security) *will* stop this being a problem. Just remember, if someone will give you the key, they'll give it to someone else, so you're not encrypted. (Techies, don't pick apart the simplistic analogy; it works for non-techies.)

Edit: Apart from that, good couple of articles.

ebsfrmr

Admittedly, I am not as technically knowledgeable as you all are. There is the area of encrypting my emails that I know I probably should look into and add to my arsenal of firewalls and such. Life is just so complicated, and I wonder how users/customers of mine could handle complications from encryption on our communications. Maybe it is not that hard or difficult, and is seamless... I am wondering if we will have to consider paying for our own mobile broadband connection for our laptops, or using internet-connected cell phones, to avoid the hotspot issues when sensitive data needs to be exchanged. Although nothing will be 100% safe, I am thinking that having your own broadband service, while expensive, could pay for itself in the convenience of having service with you almost all the time, and if you have your laptop or cell phone protected with various firewalls and such, wouldn't that be much like your home desktop computer? Perhaps I am mistaken... For instance, while I am traveling extensively, I find I need to order hotel rooms for my next day destinations. Ordering on the internet can often save money, but having to use a credit card is a concern in public hotspots. Right now, I can find a hotspot and search for hotel deals. Then call the 800 number to book, if available. How nice it would be to just research, order and confirm in one step like I can from home.

Michael Kassner

It can be confusing; that is why I referred to unrestricted access in the articles. There are too many options that can create confusion or a false sense of security. A required password does not necessarily mean that you are getting an encryption key. In many cases, it's just a password to access a portal. You certainly brought up an excellent point though. I should have at least pointed out that there is no increased security by obtaining a password from the public hot spot. So, it's best to consider every public Wi-Fi as totally not secure and use alternative methods to get adequate security through the Wi-Fi and wired zones at least.

Edit: I think you have helped me by pointing out a new topic for the road warrior series.
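Penguin_me's point about handed-out keys, and the distinction Michael draws between a portal password and an encryption key, can both be shown with the standard WPA/WPA2-Personal key mapping. The following is an added example, not code from the article or its comments. It derives the Pairwise Master Key the way 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 iterations, 256-bit output) and checks the result against the published 802.11i test vector for passphrase "password" on SSID "IEEE". The hotspot names and the captive-portal case are constructed for illustration.

```python
import hashlib
from typing import Optional

# Published IEEE 802.11i test vector: passphrase "password" on SSID "IEEE".
IEEE_TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2-Personal passphrase to the 256-bit Pairwise Master Key.

    Mapping: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Only the passphrase and the network name go in, so every device that is
    handed the same passphrase derives exactly the same master key.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def hotspot_link_key(ssid: str, wpa_passphrase: Optional[str]) -> Optional[bytes]:
    """Key protecting the Wi-Fi link, given what the venue handed the customer.

    A captive-portal login on an open SSID is not a WPA passphrase: no PMK
    exists, and frames cross the air unencrypted regardless of the portal.
    """
    if wpa_passphrase is None:
        return None
    return wpa_psk_pmk(wpa_passphrase, ssid)


if __name__ == "__main__":
    # Constructed venues (assumption: names and passphrase are illustrative).
    venues = [
        ("CoffeeShop-Guest", "latte4everyone"),   # WPA key printed on the receipt
        ("Airport-Free-WiFi", None),               # open SSID behind a web portal
    ]
    for ssid, passphrase in venues:
        key = hotspot_link_key(ssid, passphrase)
        print(ssid, "->", "no link encryption" if key is None else key.hex())
    print("802.11i vector matches:",
          wpa_psk_pmk("password", "IEEE").hex() == IEEE_TEST_PMK_HEX)
```

Two consequences follow from the derivation being deterministic: every customer who reads the key off the receipt holds the same PMK as you, and the per-session keys are then built from that PMK plus values exchanged in the clear during association, which is why the comment treats a shared-key hotspot as unencrypted for practical purposes. The portal case is worse still, since there is no link key at all. In both cases the remedy is the one the article and the comment give: an end-to-end layer (VPN or SSL tunnel) whose key the venue never sees.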

Michael Kassner

Sorry that I've been slow to respond. I do want to address some of your questions as they are important and are a concern to many people.

As for email encryption, it's a good idea, but as you alluded to, it's one of those things that requires both parties to be in agreement. If the receiving party does not encrypt using a compatible application, there is no way the process will work. I see that as the major obstacle for businesses. It's also painful to use and set up correctly. Most companies use encrypted attachments like the pdf format that can be as secure and require certificate authentication. It just requires an out-of-band method (phone call) to transfer the passcode to the receiving party.

I would be lost without my mobile wireless broadband, for all of the reasons you mentioned. The carriers realize they are in a struggle now, and mobile wireless broadband will get better and cheaper because of the competition, especially with LTE on the horizon. Free public Wi-Fi hot spots are not as available as most would suggest, and the free aspect is rapidly dwindling as well. Overall, I would be hard-pressed to be as efficient as I am now if I had to rely on Wi-Fi access only.

That said and done, I wanted to mention that having multiple access options is always a good idea. There are situations where you are not going to get a good wireless signal. I keep pushing a USB flash device (no affiliation) called the IronKey. It has secure storage and a secure access method that creates an SSL tunnel out to the Internet. It may be something to consider if Wi-Fi is available and you are just surfing the Web. If you are sending sensitive information, add another layer of security. Enable the mobile wireless connection and then use the IronKey browser. Doing so doubles the security and is my preferred approach while on the road. If you are interested, I wrote an article about it and a link to it is below. http://blogs.techrepublic.com.com/networking/?p=464

DM67

In my part of the world cost is the prohibitive factor with mobile broadband. Having said that, our more mobile and tech-savvy users make use of it. We use our Next G phones as modems to connect and initiate a VPN session, then connect to terminal servers for web, email etc. We operate in a very large MS environment so this is an easy solution for us, but for smaller organisations there are some VPN and terminal services solutions that would be a bit easier on the pocket.