David Szpunar: Owner, Servant 42 and Servant Voice

David's Church Information Technology

May 31st, 2008 at 11:23 pm

Using Free Wireless and VPNs

I read Tony Dye’s post on Wireless Safety: The VPN Question and wanted to share a comment. It turned into a post of its own, so I’ve moved it into one :-) Read his post first so this makes sense.

If a laptop user establishes a VPN connection to your corporate VPN server without split tunneling (in other words, from the moment they’re connected, all traffic goes through the VPN as the default gateway, no matter what), and the VPN client verifies the identity of the server (rather than blindly trusting DNS, which is easily spoofed on a wireless network), then the user moves from the realm of insecurity into a much more secure environment, similar to being plugged into your wired network at the office. Of course, your office WAN connection then has to carry everything they do, including web browsing!
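One way to verify the "no split tunneling" condition above on a connected laptop, as an added example that is not code from the original post or from any VPN vendor: it parses Linux `ip route show` output (a constructed sample is embedded; the VPN interface-name prefixes are an assumption) and reports whether the default route, or OpenVPN's pair of /1 override routes, leaves through the tunnel.

```python
# Added example for this post (not code from the page or any VPN vendor).
# Assumptions: Linux `ip route show` output, and VPN interfaces named tun*/tap*/ppp*/wg*.
from typing import Dict, List
VPN_IFACE_PREFIXES = ("tun", "tap", "ppp", "wg")   # assumption: typical VPN interface names
def parse_ip_route(text: str) -> List[Dict[str, object]]:
    """Parse `ip route show` lines into {dest, via, dev, metric} records."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        r = {"dest": parts[0], "via": None, "dev": None, "metric": 0}
        for i, tok in enumerate(parts[:-1]):        # keyword/value pairs
            if tok in ("via", "dev"):
                r[tok] = parts[i + 1]
            elif tok == "metric":
                r[tok] = int(parts[i + 1])
        if r["dev"]:
            routes.append(r)
    return routes
def is_vpn(r) -> bool:
    return str(r["dev"]).startswith(VPN_IFACE_PREFIXES)
def tunnel_mode(routes) -> str:
    """'none' = no VPN up; 'full' = all traffic defaults to the VPN;
    'split' = VPN up, but the default route still leaves via the local network."""
    if not any(is_vpn(r) for r in routes):
        return "none"
    # OpenVPN's redirect-gateway def1 covers all of IPv4 with two /1 routes via the
    # tunnel; they beat the original default route without removing it.
    halves = {r["dest"] for r in routes if is_vpn(r) and r["dest"] in ("0.0.0.0/1", "128.0.0.0/1")}
    if len(halves) == 2:
        return "full"
    defaults = [r for r in routes if r["dest"] in ("default", "0.0.0.0/0")]
    if not defaults:
        return "split"
    best = min(defaults, key=lambda r: r["metric"])   # lowest metric wins
    return "full" if is_vpn(best) else "split"
# Constructed samples: a full tunnel (default via tun0 wins on metric) and a split tunnel.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev wlan0 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.16.0.0/16 via 10.8.0.1 dev tun0
"""
```

Run it against the live table with `tunnel_mode(parse_ip_route(subprocess.check_output(["ip", "route", "show"], text=True)))`; anything other than "full" means the laptop is still sending some traffic straight out over the wireless.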

However, a free or paid “VPN” service from a company that simply turns your wireless connection into a VPN-tunneled “wired” connection only helps thwart unencrypted wifi sniffing and similar attacks. Unless you also use SSL and other encryption technologies, such a service gives you the equivalent of a wired internet connection like your home connection, rather than the easier-to-sniff unencrypted wireless; once your traffic leaves the provider’s VPN endpoint it travels exactly as it would from home. It’s better than nothing, but it’s not an encrypted pipe into your own network.

Don’t discount unencrypted wireless attacks. It’s never happened to me, but if you hop over and read some of Security Monkey’s case files at you’ll discover that there’s a lot of bad stuff going on in the world on computers :-) Those case files are slightly modified true stories from this guy’s career! His old 2005-2007 podcast episodes are worth listening to for some cool security tips and tools as well, to digress for a moment!

I don’t have a good answer: VPN connections to the office make internet access very slow unless you have the WAN bandwidth to support fast throughput to and from all your remote users, web browsing included. But it is a much more secure way to operate. The number of ways wireless can be hijacked, sniffed, spoofed, and hacked, especially if it’s unencrypted to begin with, is downright scary! At the very least, use SSL with verified certificates for anything of any importance (or anything that transmits passwords) on an encrypted wireless connection. As an IT guy, I can tell whether a particular session (POP3, IMAP, RPC over HTTP, HTTPS, etc.) is happening over an encrypted connection and be careful accordingly. The average user, however, is obviously not going to know, or necessarily care, whether Outlook is using unencrypted POP3 or POP3 over SSL, or RPC over HTTPS securely. And if they log into Gmail, they’re not likely to know that although their password is always encrypted on login, their email is transmitted in the clear unless they start the session over SSL from the beginning (by using https://mail.google.com rather than http://mail.google.com), even if that email contains passwords and confirmations for other accounts!

Stuart mentioned WiTopia in his comment on Tony’s original post. I’d never heard of them before, but I’ve seen services similar to their personalVPN product. That service appears to be, as I mentioned above, just a way to get a “wired quality” connection to the internet over unsecured wireless. An admirable service and a worthy goal even with its limitations, but what caught my eye even more was their SecureMyWifi service. It’s still about wireless, but it concerns your own on-campus wireless access: it lets you move away from WPA with a Pre-Shared Key (PSK), also known as WPA-Personal, and use their RADIUS service to authenticate users individually to your encrypted wireless access points. It seems a bit pricey to me (currently a $99 setup fee, $99/year for one access point, and $14.95/year for each additional access point), but we have the same thing set up in-house using Microsoft’s free IAS RADIUS server (built into Windows Server 2003). If you aren’t familiar with how to set it all up, the WiTopia service could be quite beneficial!

They charge per access point, but at Lakeview we have a centrally-managed access point system with one controller that takes care of authentication. I assume the WiTopia service is based on a unique RADIUS shared secret (key) for each access point client; since the central controller (currently running 12 access points) acts as a single RADIUS client, it should look like “one” access point to the service. Whether their terms of service allow this I have no idea; we are not likely to use the service since I already do this in-house for free, but I would recommend reading the terms and/or contacting them if you plan on doing something similar, to remain in the spirit of their offering.

  • 1

    Anchor Free the operators of Hotspot Shield and Witopia are a giant data mining and marketing company. Of course they want you to do away with your nice secure WPA with pre-shared keys and let all of your users authenticate through them.

    A quote from their standard press release:

    About AnchorFree

    AnchorFree, the largest Hotspot media network, is a new marketing channel for brand and direct response marketers to deliver interactive, timely and targeted advertisements to laptop and mobile device users when they are away from the home or office. The AnchorFree network connects advertisers with millions of consumers in a captive, persistent manner that is highly measurable and geo-targeted to these users’ exact locations.

    Great stuff if you don’t care about your privacy.

    Karl on June 1st, 2008
  • 2

    While I disagree with WPA-PSK being more secure than WPA-Enterprise at an organizational level (home is fine but it doesn’t scale), thanks for the comment! Good to know about WiTopia and company. Their personal VPN service is likely still more secure than unencrypted wireless in public locations (having marketing stats collected about you is better than some wifi attacks in my opinion!), but there are other providers out there as well. I do think I’ll keep my low-cost (although a bit complex) WPA-Enterprise setup that’s done all in-house! I do see the draw for outsourcing it though; it’s not the easiest stuff to set up if you don’t already know how.

    David Szpunar on June 1st, 2008
  • 3

    There’s a Firefox Plugin called Customize Google that keeps your GMail session over SSL the whole time. http://www.customizegoogle.com/

    Jack on June 3rd, 2008
  • 4

    I tell my clients that anything they do online where there isn’t a padlock ($browser_specific_padlock_location) that whatever they are doing could be intercepted, spoofed, etc. This is not just the case with public WiFi, even though that is a big place for it to happen.

    With the new wireless configuration at http://UBCafe.com, we employ NoCat Splash to display a warning (http://wireless.ubcafe.org/splash.html) to all of our users letting them know that this is an unencrypted connection and that their traffic can be seen by anyone on the system.

    Personally, I’d recommend the following to anyone who uses the internet a lot (in general):

    Install patches
    Get Identity Theft Protection
    Use a Firewall
    Watch the Address Bar

    Other than that, don’t worry about it too much…

    Alex Conner on June 3rd, 2008
  • 5

    @Karl

    Dude, the whole point of witopia’s (https://www.witopia.net) VPN service is to mask your IP address and encrypt your traffic so you have online privacy. Beyond it being listed on their terms, I know it’s been mentioned in the press how they keep no info on your browsing, etc. They don’t market anything or look at/sell your info. Again, that’s the whole point!

    AnchorFree likely does skim your info on some level because they target ads (like you mention) to pay for service, where witopia serves no ads, but charges like 40 ducats a year. I’ll pay the money for witopia and total privacy, but I see where anchorfree is a good solution for many too. That’s personal preference, but they are very different approaches.

    The Guy on June 14th, 2008