The rise of ever more powerful mobile devices has freed us from our desks. Our Internet-enabled smartphones and tablets allow us to remain constantly connected even while on the move.
People now spend more than half their time on mobile devices – much of it working.
Over the same period, Wi-Fi hotspots have sprung up in public spaces. From coffee shops, restaurants, shopping malls, hotels and exhibition halls, to trains, airports and even airplanes, they are everywhere.
Busy workers are frequently tempted to use public Wi-Fi hotspots to help them make productive use of idle time while out of the office. In doing so, they inadvertently put their devices and their employers at risk.
Many popular providers do not automatically encrypt Wi-Fi hotspots.
There are thought to be over 100,000 unsecured public Wi-Fi hotspots around the world.
To stay safe, organizations need to ensure employees are using mobile client VPN software on their devices.
Types of Threats
Open, unsecured public hotspots are easy targets for cybercriminals trawling for logins, passwords and other personally identifiable information such as credit card details with which to commit fraud.
The four basic types of hotspot threats are:
Snooping – Where a hacker uses a tool such as a packet analyser to gather personal data or confidential website logins.
Man-in-the-Middle attack – Where the attacker eavesdrops on people’s communications and tries to intercept personal data or exploit transactions in real-time.
Malware – Where malicious code is injected into devices in order to gain access to files, images or even control device features such as the microphone or camera.
Fake Networks – These are rogue Wi-Fi access points set up by cybercriminals close to a genuine hotspot to fool users into connecting with them and exposing the device to snooping or attack.
The organization’s first line of defense against hidden threats at public hotspots is to make sure a VPN and personal firewall are installed on every mobile client.
VPN client software encrypts data traffic passing between the mobile device and corporate network to ensure it stays private.
A personal firewall uses Stateful Packet Inspection technology to detect anomalous data packets and shield the device from malicious attack. It also restricts network communication at public Wi-Fi access points so that only VPN traffic is permitted.
Together, they form the minimum level of protection for an organization whose employees will be regularly using public Wi-Fi hotspots to carry out work-related tasks.
Answer the Secure or Insecure Question
An important second step is to optimize the user experience.
The best personal firewalls should automatically be able to tell the difference between a safe network such as the office, data center or secure home Wi-Fi and an unsecured public network that needs VPN connectivity (Friendly Net Detection).
It also helps the organization to avoid relying on non-IT staff to switch manually between settings every time they are in a public place. Conversely, they should not have to submit to VPN latency if they are working in a perfectly secure environment.
Instead, rules and policies governing appropriate security for each type of network are determined by the IT department.
Turn Public Logons into Private Ones
A public Wi-Fi network typically asks the user to open a browser window, fill out a form and agree to the provider’s terms and conditions.
Properly configured personal firewalls can detect an unsecure network and automatically open a restricted browser window that establishes a VPN connection before any interlopers can intervene.
If the hotspot requires the user to log on via a browser, the client firewall restricts user access to a single specific browser. It establishes a VPN connection and blocks all other network traffic.
Perform Security Checks
The underlying security of the mobile client operating system should be checked and scanned for viruses before network access is permitted.
If the scan finds anything unusual, the client will restrict VPN access. If, for example, the anti-virus needs updating, the client should first establish a secure connection with the anti-virus update server to download the update before proceeding with anything else.
In the event of malware or some other threat being detected, the mobile client immediately disables the VPN connection, thereby stopping the infection spreading from the device to other parts of the corporate network.
Clear Any Obstacles to Native VPN
Some Wi-Fi hotspots try to block the ports used by native VPN protocols such as IPSec and L2TP in an attempt to force browsers onto the public network.
This can be corrected by using a VPN that detects this and automatically switches to HTTPS emulation in order to set up an encrypted tunnel to the corporate network.
It basically implements the organization’s security policy by automatically establishing an encrypted end-to-end IPSec tunnel. No end user involvement is required.
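The client behaviour described in the sections above (Friendly Net Detection, hotspot logon, security checks and the fallback to HTTPS emulation) can be written out as one decision function. This is an added example, not part of the original article or of any vendor's client; the mode names, the rule format, the order of the checks and the use of TCP 443 for the update server are assumptions made for illustration.

```python
from dataclasses import dataclass

NATIVE_VPN_UDP = frozenset({500, 4500})  # IKE and IPsec NAT-T

@dataclass(frozen=True)
class ClientState:
    friendly_net: bool            # Friendly Net Detection verdict
    malware_found: bool           # endpoint scan result
    av_up_to_date: bool
    portal_pending: bool = False  # hotspot still wants a browser logon
    blocked_udp: frozenset = frozenset()  # UDP ports the hotspot filters

def vpn_mode(s: ClientState) -> str:
    """Apply the checks in priority order and name the resulting mode."""
    if s.malware_found:
        return "disabled"           # keep the infection off the corporate network
    if not s.friendly_net and s.portal_pending:
        return "waiting-for-logon"  # only the restricted browser may talk
    if not s.av_up_to_date:
        return "update-only"        # fetch the update before anything else
    if s.friendly_net:
        return "not-required"       # trusted network, no VPN latency
    if s.blocked_udp & NATIVE_VPN_UDP:
        return "https-emulation"    # hotspot filters native VPN ports
    return "ipsec"

def firewall_allow(s: ClientState, gateway: str, av_server: str) -> list:
    """Outbound allow-list as (app, destination, protocol, port) tuples.
    Anything not listed is dropped (default deny)."""
    rules = {
        "disabled": [],
        "waiting-for-logon": [("restricted-browser", "*", "tcp", 80),
                              ("restricted-browser", "*", "tcp", 443)],
        "update-only": [("av-updater", av_server, "tcp", 443)],
        "not-required": [("*", "*", "*", None)],
        "https-emulation": [("vpn-client", gateway, "tcp", 443)],
        "ipsec": [("vpn-client", gateway, "udp", 500),
                  ("vpn-client", gateway, "udp", 4500),
                  ("vpn-client", gateway, "esp", None)],
    }
    return rules[vpn_mode(s)]

if __name__ == "__main__":
    # Constructed sample: clean device on a hotspot that filters UDP 500.
    hotspot = ClientState(False, False, True, blocked_udp=frozenset({500}))
    print(vpn_mode(hotspot), firewall_allow(hotspot, "192.0.2.10", "192.0.2.20"))
```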
In summary, it’s only natural that organizations should want their employees to be able to make the most of the flexibility and efficiency mobile technology gives them to carry on working while in public spaces.
At the same time, it’s important they fully understand the risks of public Wi-Fi networks before they try using them to connect to the corporate network.
They should know to check the network name and access steps before logging in to a hotspot and make sure their personal firewall is actively preventing hotspot access over anything other than a VPN connection.
Above all, their VPN client software should make logging in to a hotspot easy and secure, provide robust endpoint protection, and automatically switch to HTTPS emulation if the hotspot tries to block native VPN protocols.