Desktops & Notebooks - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Desktops & Notebooks


How to Avoid Security Risks for Mobile Computing on Public WLANs



 By: John Gates
2008-07-11
Article Rating:starstarstarstarstar / 15


There are 0 user comments on this Desktops & Notebooks story.


  Table of Contents:
  1. How to Avoid Security Risks for Mobile Computing on Public WLANs
  2. VPN Client with Integrated Personal Firewall

Rate This Article:
Poor Best
How to Avoid Security Risks for Mobile Computing on Public WLANs
( Page 1 of 2 )

The good news about public hotspots is that they're everywhere. The bad news is that they're not secure. John Gates explains how to get past their problems and still be able to conduct secure computing over an insecure hotspot.

Wireless broadband Internet access via hotspots is convenient for both the casual surfer and the Internet-dependent teleworker. Unfortunately, current security technologies integrated into wireless LAN products offer insufficient protection here, and mobile users must be wary when accessing the central company network via a hotspot.

What is necessary is a security solution that protects the teleworkers' place in all phases of connection construction on hotspotswithout risky, foreboding configurations and without the help of users or administrators. This article will illuminate the effectiveness of VPN security mechanisms, data encryption, strong authentication and personal firewalls. Plus, it will show how optimal protection can be achieved by dynamically integrating each of these technologies.

Risks in the WLAN

Resource Library:

Each user can access public WLANs with correspondingly equipped terminals. The terminals automatically obtain an IP address, in the sense that they recognize the SSID (service set identifier) of the WLAN. Thus, they put themselves within range of the access points and are able to gain access permission onto the WLAN. Data security, or protection of participating devices from attacks, is not guaranteed by the WLAN operator. Security is limited to monitoring authorized network access in order to eliminate misuse of the server administration. User identification serves solely for the acquisition and the accounting of time online.

However, how does it look regarding the protection of sensitive information during data transmission? How can the PC optimally seal itself off from attacks from the WLAN and the Internet? Because the actual security risk on the hotspot originates from having to register with the operator outside the protected area of a VPN, as a rule it has to take place by means of the browser. During this time frame, the terminal device is unprotected. This stands in opposition to a company security policy that prohibits direct surfing on the Internet and that only permits certain protocols.

Basically, VPN mechanisms and data encryption serve to protect confidentiality. The corresponding security standards are IP Security tunneling and AES (Advanced Encryption Standard) encryption for data, and X.509 v3 for access protection. Additional security mechanisms such as certificates in a PKI (public-key infrastructure) or onetime password tokens complement or replace the usual user ID and password. A personal firewall offers the required protective mechanisms against attacks from the Internet and from the public WLAN. Here, stateful packet inspection is critical. If this is not provided, it is not advised to use a hotspot for mobile computing.

VPN client and external personal firewall

For a VPN solution with a separately installed firewall, the ports for HTTP/HTTPS data traffic to the personal firewall must be activated during hotspot registration. This can take place in three different ways:

1. The firewall rules for HTTP/HTTPS are firmly preconfigured in order to guarantee the functionality with the desired hotspots.

2. The configuration allows that the ports are opened for HTTP/HTTPS as needed for a certain time window (such as 2 minutes).

3. The user has administration rights and independently changes the firewall rules.

In all three cases there exists the risk that the user may surf outside of the secure VPN tunnel on the Internet and encounter destructive software such as viruses, worms or Trojans. Temporarily opening the firewall creates the danger of deliberate misuse by the user on the basis of multiple actuations of the time window. If the personal firewall fundamentally permits no communication outside of the configuration, then the user has to activate the corresponding firewall rules for the duration of registration on the hotspot. This requirements-based opening of the personal firewall involves the greatest risk of misconfigurations. The user must have a firm grasp of the exact changes being made and the exact environment in which they are made. Employee security awareness and technical know-how determine the security level quality.

A large security risk also exists when user data (user ID and password) is spied out externally on the hotspot during the registration process. With the aid of a notebook computer, a hacker can simulate both the hotspot and the WLAN SSIDs. If a user then registers on a hotspot, he does not land at the access point of the provider but rather on the notebook of the hacker. Because of the previously mirrored access point Web pages, the user assumes that he is authenticated on the hotspot. However, in reality, he is on the notebook of the hacker and his personal registration data is now exposed.

Providers always attempt to protect the hotspot registration pages through SSL (Secure Sockets Layer) processing (HTTPS), but that does not always succeed. For example, a user who arrives at a manipulated hotspot obtains the following report from the browser: "A problem exists with the security certificate on the Web site." In the background of this report, the attacker has only recreated the hotspot registration page and does not use the original certificate. For the lay person, this may not be recognizable at first glance, and it is incumbent to him to decide whether or not he should trust the certificate. To avoid placing a user in the position of having to make this decision, the hotspot registration should flow transparently before construction of the VPN. A solution that has proven itself in practice is the so-called registration script that takes over the transmission of registration and the inspection of the certificate at the hotspot.

The requirements for the functionality of a personal firewall with mobile computing on WLANs are multilayered. They also apply to the critical phases during the registration and sign-off process on the hotspot. Requirements must be known at the earliest possible time and should be in place from system start. They also must remain when no VPN connection exists or when it has been deactivated. Furthermore, the user should be safeguarded against arbitrarily reconfiguring or completely shutting off the personal firewall.





  Reader Comments: How to Avoid Security Risks for Mobile Computing on Public WLANs
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Desktops & Notebooks Articles          >>> More By John Gates
 


xr㶲(;Z(g3kH푦dK%/K3Τ*EBc")ۚuϮO7^t!-2o&-`n4Qȅ=&1(ٟ:KLzI;_BiZF!C5[2D4 ga5۵Nm:q@n}FwD%x_@jO UG.PsAu|ӱnKG r(˚59heYnJXU+Q\(Us^r7mù,Ӟ?89L͇z\i_eCKo45Va(.'^O:Ow~q is,owD_<0QQ)i<ͧDNj,{/BKoVs7-B5#5Cvqna5= 3+i3,q)?[Z~k~:E,[3sA)U̠`W:㝩So9m<_sܴ;MvI}!+|v.!5 0\6euu_ZzLvO|SQ&ںa#U*Ūd#3?_ć>_OHF,7Myw53Q[h,: }>c-? ,_%?f k3 J a)"C N ^mCJZ孱J+҄jM9BA`ܼeNR49Vˠ8蟉$Wm4@r1)6B̄H )s7jp ~,.|i* bԸrݢ@PS>Χ\!BN3tы BDԑ?CzC7=aDWT\U9ֆmǞ!|Аd6md-k$ ,70}HO!¤pV835fuӹgA {>0}sJY-VD4i-Dv<@9HhQ0\s︷0ܙ[S˂5ۀ JCˋF0Px@e^~6a|xuܣP{r`@=S9·;ʹiǀԘЇKw2F}gn ȥs-.B$(ZȻ!Al~ [wXxl++~'yuyGBJE6Os@PG҅3vJP,̈́’=*%nqR%f 930Y4lń(VFN!t(0Vn)4EW,==Т܃,`"[{akSS)4ٜi8:S@0>A̞P,[HB9Xv,_zt҇1 4fכ Wsj`>7nRgN@/p|WY 3EDVhdF!zC0{PlTKbnw{Jj ?%†pxfK͸oz"3hqNSЙBG9zQI$H5MۏR5p@r6y6+mmg2@H\͉/a 5D"b jw90,C l,.h/00Td6nSsdR6qoaQT9ȹ4 ȔeFyt~՜Z>RjR(y<-,D0(2n@ҿҲMVRej>uOMKױ("[fln: 6 8y8!6$38^D&&V +xRQ S=#kQb悊}OE30cŠ%lDw1c*ttfj²읶ה]ӐohNVp fctxF3FԑiQP3E\m6Hy5?Άb.(qڏ9&_G5 k^˥Wȱ,>2躢ƍ X:Ĕ"44hM©9f1|J 0"B(Vz٩yRlQм=궍xN='\sW["LJmwYдJ喺8sE% W*(r8+x%\Ag^vQet 57:trFg}m190;S}`1gs:7_u>8J[0;|d,l |/D<1=˰"Ursf=JZY?_HV:6ʼnG =q?@TEetXܚ 0(E{耰⢉!h{ӟ4 ^ƙl)*B~NK~hnJwԻE Xۡe=QeW_!BQe[p;xz跸2g@^5{5Č؇^cm/kJ\ʚ5^]hDAh`!ѝv;#ؐCKAm2)& 8UoF'Y[#WX tV ЛiQdS3Ud kCƮfPHrX!jz~RT2_]\xT͛#UPΗb.^ͳ!n3Fv`i&h9LltD<9[E 1ķʨTI+Gs;"ʌg b<r{q>'F{lj6cWՄθF'p0͎򗹵u8N4+1q]w3M">Ҁh k0>0Riʊ +> 2"J^R*Ϣs{@LpZ] {ߋ uRݥGTT7=5g>A"wS[=h^%5͇R*mX.e'04 O ʃR< KYdAj%(6@ EE@jϱ?% ?/E ?s c(mǥLGO7fUM}e!2`^==W^vy01Vf+kKxfq7i~=$#gݏԾl`WC,tΪ2e'A)p,w1]2}R*l;g56xv:72Cw4xw/Y#,}ҽ^C|GiIq#xxL#{R}9dQ&atոF>m48& RMF< {T75Cҝa+vHM()o/f3 \D]s>V\z8*\3`n,J~؍W{o#( Bfͮ3ۿ|CArNx 5 IG4۽0{mE-@؀:%e~ERiIMQhYuҽnp+l}AFJN^VZ-,ӷo@W蘧Y;GD{_q+=?EUnh'5۟H‐׉ NAvhq_Ǡ# Ab(A-Xnu zsH&aP;DN[3pu*hhw<)~[ħ{, /䎑)Bz*r[I;``eQfIlx8eRX)OF04H PV'q^VⲾlVI2 KhŃDb"A+,GRowlOpVHp._xvIl%dcgKu r [4.נE0V#[vx~/)m1>b%Ƶh0-sI^4@ R̅2O4YyVf =êJZuwju@ڶ% GNp7؆#^@)s^XL2k- ~-ܳ,:];wOv6g>&k?d@T']훣zlm D{O,Aik8n;e?=/P:V-s-h*113XufcԚl3,LjܵBpicHK:>i\[פ?5L[0c,H~$KoA4yY#s6yO>4dkwX7f8#gM[_ڭZn9O_۽eNie[nUZyB J=~l/t:D(Y[f[{C֫Ȋ̅S:=9 GG#pZp>2M#}ݺJf86hјAhnl}WoC]j`l_#et@^mI.%~W(TRn ﯼbOk(J馇\W%(|U-^TRJ>^_D˫Uj@,@{.=اH?6!bi8V3[Tf5'|Ȟ}Բ؁Ex82 /Cdؖrd"Ld<J;mmVpN Ϧv_ O%FJL-a-َ)!e_PRZ0i aj}Z$\y5 ߊ;bE#Ɠtǟ-ۊc򽵢zp:ip*9ߘP?=3q  ZЕqi+"@ыO-1j͟}ޏ;d<:5mXY?˚Բ*j)Wx L9<؆wHzڈB5³ СO{Oęn'M-\$cw `3:t5қ:"A`u=!A+~yHp8_PM?`%'gyMgwkşorq~FH5׉E5|uAtњk:u|*_߾+8c 'Lr\%=lBI/ԷtɎoS._=c ]<i~<~!M2G{igUuxS51$%*PZG{1Hvɬ1 1LexPcIȊ )pk>3`^.W3,Bǝ"(}͗xNg S_B8çAW):&8ϝ{﬷MiM4qo؜BpӔ׆9PLGvcYfi5O֩zZ[ybVGqIm^bS~RK^?xD ^\Eω)bG607߶yIJB;=='`bZ4)ϒ&"!1s[.t@s42xtTgd͢?0dz3{%57& \8aʹ3blB6hֿbca=,6k;@-66,5*OlHMߟ^&]+J9oYb-F-g2~2Rd rH0uո1$qR,$X L^I,ԟhD Z,!X {c4v8S$i{:_pdSͥJOA /_) y%Ep nK_I2u%Hpf(mtr/sܴO?`wYIH+0`F඲F:r 6D$/ {UeKKӘ 5%a9C_Ԥ8 ' RD"~K"8IjTM{> ~@HqbIP/NNϤMy?QK2j5 $GNE3R[f$ iPv]EdyM0:y~ַ>)n'ŗWhꏩJ]S6Ojב` +q-.]9G8֒|JpnA\V pwG+N [yK ?Fw\ ŜŊ!7gL} ǃx'soQcLկ3?vo]uKNP_oAXUGr^BC$ovYt`YJFC I=/Nz6/hK~|1'55$MӃ9@>I/`p79 `A4 E@|IB(]hS[Z᥷~m͓.R۠TR%eթ|M.p;s{rASmZ“;R|y1K-wL4xqҝ &a JǽP+RkcLSME+pXy#\rߎ6xAZ(琧|[2]!˨='@] +x2|7"|%6Cc5|F{IxyKz1l*b2qOBh=QE,kކ)&Kz@:L6H@V!@vX5j^?>M!N?U)W*o͟GB?ÉKAd둀|E`;xɐ;v0>E կB{䲳+Ҧn93ͲѾ%⛽O(74#ķzn7pr`6^ l߼7BSjԈdu#l(M#ۀձև͹xQ|j &=˺tѵ,{oJY9VCM}_MYyYfz>(^f`hI/3$I1Ʊ|i05T2l,9dn{=ӾHy3Zl`{2179(S/5oBuK /k_AG-//U;{U&_@gf`l=ː4ݴoQ'Jbn RzAS@a]$o,Swx7y_]Tmqʒ[%ZdYem `[ Zp b(gy+L]1+dB"@Րfo w{\o1;C}A:Eo]6(V ]4?Z v;Ľ MmA a=m9a'va]Q f6Ra\jg'n@к|F:1cGB(7YHS*kם^a$u~C:gM^<-ql9Șh MQ 6HxHɹy~1&V3&bqB4b #JلR7χ9IEvki>G sawQx ns6#Ƣw GcT+&(?p D bBKi6%_AYΣo@!pn@Q:EU T-G,(?B57{)%@w67p> ]-<9 lx sG\G RQXo[hّ_`\ϳ Sǘ_&1.ycq ظWyN4X'ƷJtoǰ:{S0(-Ō湊R'I]A.=XQFy<׸േ)h?H+ʲB^TF< fȈmxijQxu1bXz39^9nHq}7[.qڀ[02>NwOWO۝uOMFR慶XQ)lwYӸl1;eNq(ڃq&cWþHW.}QX\m,hIPJTَU1oLl+O=fԊjm9Gj:7sFN#EEu_ЦoJa2eNMoSH^u'N+SLjV}QqxR?忥_CurI8RޅnJ9rz? 4hRO$sB3,P1LL))I))ez)埡srH]2e|.)i)\KLONJ;SJ9忤_BeJ9o'e|; ?uRƯ wS.n~J+x*kA{)A{)S+\c }OiпO)B(I+Ih&࿛u2Ay#EWpz~;9N)/f)R,H{ VKiJySY))+z7_KJs)3%_/EK@~dnle־:6 aq)+ ]a%5L+p-/R}:c|M$X2of!)Hneb^ ydcB bye?=K}tȄq>pp̕ʹ]!&<ߔ[nNJ>J9.~ђ;Z9r,˹-;M:!5== 0 "Xp|aR1'ť,e*osqj%@ @9ξ tap qLdK5iP{[~|ydVҫ+cp'k͠~%sȓh! `v2x3?pq}o*6V WXv-J\[}ea tCW3mr3n~m=wk`;Ui->Y¯)hc/L{[ug@``礷Lx D|2gi+-$Og(0v$]5w :-ɡ+viOLԣ sEUאU,&J {@ul3!d9vMch$`(;O j,aaN-|m)۾b,ӧK"䴯 vbM)PD(N@Umk`sfX |LAR ~Qs^͂[#r/Rgg4b ]'pMDfΪRR˙afm% 1oxcSumɺ=Y= N!Oh|:fsπ Wsn!ߚR TDOV*v]tK=|Mɳdv/+ 0bŽOm=HiU5Y⏄ѤS)!؋&'!_S ak5.lvY }Jm='.}N5˟H' "@*dԴ5[Pŗ4) m'#8<ԸlQ޺5qm$xW}°ҀA0e]:γ@\W ܚ,~޴M9]I|n4~Uf2{N{:x  j6J݀)0t5wռr:ﯲAsl+Сa߂bcZimKEӢC ~9sߚ-rN稕K&VWvm:yDxt YD ~]xa붣2-ӛl~H׶VI &`: +ʕbA4\C 7tl#NgsZŮYHvt*4gX^c 0У,&09GYM.nD<˜g^n1n,D9@~a Yͽv)E=bIF.E]khT[Kvщzyww=v{ xQigNb cb@8f{%W=?5^2e;3F_{0^5OpN}\ȏ,ޙː6 /O BhXz=E"`ŌCa 0Ac:p 19.O)xI1%h3l䣈mAb?iʱL}aG? ę-X)j$aF!%իrX%Wx3H>Y;D5R7LP.9͒0fP\3z7tZ3qixı`]<üpf#S9 {ׄ izG4.<'Ȳ(`,VtA &M\CCĚ >e뇎܌aBEV Z<)טJpZsZ?a=q"6L^ cyx MSf}')VSL_Xћ_,P>R+O %ƕ)@X1^*7/Z8M@e;oByeu *`'΃gGoXoubaYXM}v?P|ҽ^.]F;47N>]w?vRPBYZP$Du Aecfsb`w r9F˳}G`bhP7gQSԒZGv-b$- U.ä+T[]vۙxovmJPQ&s)C+Mm7\^)M}jS9V/k7 *|Fp -α{3N_ ?#!h.