Ask The Networking Expert: Questions & Answers

Will using a VPN protect me against fake wireless hotspots?

EXPERT RESPONSE FROM: Lisa Phifer

QUESTION POSED ON: 31 August 2009

Any 802.11 access point (AP) or Ad Hoc can advertise an interesting SSID to lure unsuspecting clients. For example, in major airports and conference centers, you're likely to find Ad Hoc(s) advertising the "Free Public WiFi" SSID. Most are other clients that at some point in the past tried to connect to "Free Public WiFi" and are now returning that favor – usually without user awareness or malicious intent. Nonetheless, it is never safe to assume those Ad Hocs – or APs that advertise hotspot SSIDs – are legitimate or harmless. Always protect your traffic against man-in-the-middle attacks that can be performed by wireless imposters.

VPNs can certainly help, and I highly recommend their use in Wi-Fi hotspots. However, VPNs are not necessarily the only or best answer. Why? The real culprit that makes your Wi-Fi client vulnerable to a fake hotspot is weak or absent server authentication. Anytime your Wi-Fi client launches a session, verify that it has in fact reached the intended server.

Before logging into any Wi-Fi hotspot, try to check the hotspot's credentials. If WPA/WPA2-protected access is available (e.g., tmobile1x), configure your Wi-Fi client to validate the server's certificate. If you frequent hotspots which use a connection manager (e.g., Boingo), those programs provide server validation on your behalf. Otherwise, eyeball the hotspot login page before entering your password or credit card number. Check for SSL protection (that is, a URL starting with https) and look for browser warnings about the SSL server's certificate. If a hotspot login page triggers browser warnings (or mental alarm bells), don't ignore them.

Once connected to a Wi-Fi hotspot, try to use only mutually-authenticated, end-to-end encrypted sessions. If you're only browsing public websites, you might opt to go skinny-dipping – but keep in mind that the websites you visit could be faked by a phony hotspot which returns a copy of the real deal, modified to contain malicious scripts or phishing URLs. For this reason, it's safer to send all hotspot traffic – sensitive or not – over secure sessions.

For example, when checking email, try to configure your email client to send POP and SMTP over TLS. Today, many email servers support or require TLS to prevent disclosure of email logins, passwords, and message content. Email clients configured to require TLS will validate the email server's certificate and either refuse a session to a phony server or alert you to a problem with the server's certificate. Here again, don't simply ignore email client warnings or make TLS optional.
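What "require TLS" means for a mail client, as an added example that is not part of the original answer: the login is attempted only after STARTTLS succeeds with certificate and hostname validation, and a server that does not offer STARTTLS gets no credentials. SMTP is used here; the names `send_login_over_tls` and `TLSRequired`, the host names, and the local test server are assumptions made for the illustration.

```python
import smtplib, socket, ssl, threading

class TLSRequired(Exception):
    """The server did not offer STARTTLS, so no credentials were sent."""

def send_login_over_tls(host, port, user, password, context=None):
    # Default context: CERT_REQUIRED plus hostname checking against system CAs.
    context = context or ssl.create_default_context()
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=5) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TLSRequired(f"{host}:{port} did not offer STARTTLS")
        smtp.starttls(context=context)  # ssl.SSLCertVerificationError on a bad cert
        smtp.ehlo()                     # re-read capabilities inside the tunnel
        smtp.login(user, password)

def plaintext_only_server(seen):
    """Constructed local server that never advertises STARTTLS; records commands."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rwb") as f:
            f.write(b"220 mail.example ESMTP\r\n")
            f.flush()
            for line in f:
                seen.append(line.strip().decode())
                cmd = line[:4].upper()
                if cmd == b"EHLO":
                    f.write(b"250-mail.example\r\n250 AUTH PLAIN LOGIN\r\n")
                elif cmd == b"QUIT":
                    f.write(b"221 bye\r\n")
                    f.flush()
                    break
                else:
                    f.write(b"250 ok\r\n")
                f.flush()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Returns (refused, commands_the_server_saw) for the plaintext-only server."""
    seen = []
    port = plaintext_only_server(seen)
    try:
        send_login_over_tls("127.0.0.1", port, "alice", "s3cret")
        return False, seen
    except TLSRequired:
        return True, seen
```

A client with TLS set to "optional" would have continued to `login()` at this point and sent the password in the clear.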

For more complete protection, use a VPN tunnel to secure ALL of the traffic sent and received at a Wi-Fi hotspot. However, keep in mind that VPNs are not always immune to man-in-the-middle attacks. To be safe, use a VPN with strong mutual authentication – for example, IKE Phase 1 certificate authentication, followed by XAUTH user authentication. Avoid VPNs that use weak pre-shared keys or provide no server authentication at all. Furthermore, understand the traffic actually tunneled by your VPN – "split tunnels" secure only selected ports or destinations, letting other traffic bypass the VPN.
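One way to see which traffic a VPN actually tunnels, as an added example that is not part of the original answer: apply longest-prefix matching to the client's routing table and list the destinations that leave by the Wi-Fi interface instead of the tunnel. Both routing tables are constructed samples in the style of Linux `ip route show`; the interface names `tun0` and `wlan0` and all addresses are assumptions.

```python
import ipaddress

# Constructed samples: tun0 is the VPN interface, wlan0 the hotspot Wi-Fi
# interface, 203.0.113.10 the VPN gateway reached over Wi-Fi.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 dev tun0
192.168.1.0/24 dev wlan0
203.0.113.10 via 192.168.1.1 dev wlan0
"""
FULL_TUNNEL = """\
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0
203.0.113.10 via 192.168.1.1 dev wlan0
"""

def parse_routes(text):
    """Return [(network, device)] for every route line that names a device."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        device = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix), device))
    return routes

def egress_interface(routes, dest):
    """Pick the device of the most specific route covering dest (None if none)."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def bypassing(routes, destinations, vpn_dev="tun0"):
    """Destinations whose traffic would NOT enter the VPN tunnel."""
    return [d for d in destinations if egress_interface(routes, d) != vpn_dev]

# Constructed destinations: corporate host, public web server, hotspot neighbour.
DESTS = ["10.1.2.3", "198.51.100.7", "192.168.1.50"]
```

With the split-tunnel table, `bypassing` reports both the public web server and the hotspot neighbour; with the full-tunnel table only the directly connected hotspot subnet remains outside the tunnel.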

Finally, combine SSL/TLS or VPN tunneling with a host firewall that prevents unwanted traffic from leaking in or out of your Wi-Fi client. In Wi-Fi hotspots, a common mistake is to leak LAN broadcast traffic – especially NetBIOS file/printer sharing messages. Today, many commercial hotspots block inter-client traffic to neutralize this risk. However, if you've connected to a fake AP or Ad Hoc, you can't depend on the hotspot to protect you. If you take these basic steps to defend yourself, then you won't have to worry about the possibility of encountering a fake hotspot AP.




All Rights Reserved, Copyright 2000 - 2009, TechTarget