David Szpunar: Owner, PC Help Services & indeedIT

David's Church Information Technology

May 31st, 2008 at 11:23 pm Print This Post Print This Post

Using Free Wireless and VPNs

I read Tony Dye’s post on Wireless Safety: The VPN Question and wanted to share a comment. It turned into a post of its own, so I’ve moved it into one :-) Read his post first so this makes sense.

If a laptop user establishes a VPN connection to your corporate VPN server, and doesn’t use split tunneling (in other words, from the time they’re connected, all traffic goes through the VPN as its default gateway no matter what), assuming that you’re using a VPN client that verifies the identity of the server (rather than blindly trusting DNS, which is easily spoofable on a wireless network), the user moves from the realm of insecurity into a much more secure environment, similar to being plugged into your wired network at the office. Of course, then your office WAN connection has to support everything they do, including web browsing!

However, using a free or paid “VPN” service from a company that just turns your wireless connection into a VPN-enabled “wired” connection is only going to help thwart unencrypted wifi sniffing and other such attacks. Unless you also use SSL and other encryption technologies, those services are just giving you a wired internet connection just like your home connection rather than the easier-to-sniff unencrypted wireless. It’s better than nothing, but it’s not like an encrypted pipe into your own network.

Don’t discount unencrypted wireless attacks. It’s never happened to me, but if you hop over and read some of Security Monkey’s case files at you’ll discover that there’s a lot of bad stuff going on in the world on computers :-) Those case files are slightly modified true stories from this guy’s career! His old 2005-2007 podcast episodes are worth listening to for some cool security tips and tools as well, to digress for a moment!

I don’t have a good answer; VPN connections to the office make internet run very slowly unless you have the WAN bandwidth to support fast throughput to and from all your remote users including web browsing! But that’s a much more secure way to operate. The number of ways wireless can be hijacked, sniffed, spoofed, and hacked, especially if it’s unencrypted to begin with, is downright scary! At the very least use SSL with verified certificates for anything you do of any importance (or if passwords are transmitted) on an encrypted wireless connection. As an IT guy, I can tell you (or myself) whether a particular session (POP3, IMAP, RPC over HTTP, HTTPS, etc.) is happening over an encrypted connection or not and can be careful. However, the average user is, obviously, not going to know or even care necessarily if Outlook is using POP3 unencrypted or via SSL, or using RPC over HTTPS securely. And if they log into Gmail, they’re not likely to know that although their password is always encrypted on login, their email is transmitted in the clear unless they initiate the session using SSL from the start (using https://mail.google.com rather than http://mail.google.com). Even if their email contains passwords and confirmations for other accounts!

Stuart mentioned WiTopia on his comment to Tony’s original post. I’d never heard of them before, but I’ve seen similar services to their personalVPN product. That service appears to be, like I mentioned above, just a way to get a “wired quality” connection to the internet over unsecured wireless. An admirable service and a worthy goal even with its limitations, but what caught my eye even more was their SecureMyWifi service. It’s still a wireless service but it has to do with your own on-campus wireless access. It lets you move away from using WPA with a Pre-Shared Key (PSK), also known as WPA-Personal, and use their RADIUS services to authenticate users individually to your encrypted wireless access points. It seems a bit pricey (to me–it’s currently a $99 setup fee, $99/year for one access point, and $14.95/year for each additional access point), but we have the same thing set up using Microsoft’s free (built-in on Windows Server 2003) IAS RADIUS server in-house. If you aren’t familiar with how to set it all up, the WiTopia service could be quite beneficial! They charge per access point, but at Lakeview we have a centrally-managed access points system with one controller that takes care of authentication. I assume that the WiTopia service is based on unique RADIUS keys for each access point client; since the central controller (currently running 12 access points) acts as a single client, it should look like “one” access point to the service. Whether or not this is allowed with their terms of service I have no idea; we are not likely going to use the service since I already do this in-house for free, but I would recommend reading the terms and/or contacting them if you plan on doing something similar to remain in the spirit of their offering.