Safety on the Open Web
We recently highlighted an interesting article, Online Traveler: Safe Surfing While on the Road by Fritz Faerber. He shares some security tips for surfing the Internet while on vacation. I wanted to add some additional thoughts from a VPN viewpoint.
Accessing the Internet via hotspots is convenient for the casual surfer and the remote worker. Unfortunately, the security built into wireless LAN (WLAN) products protects, at best, the radio hop between the device and the access point; it says nothing about who else is on the hotspot or what sits between the hotspot and the company network. Network administrators must therefore be wary when allowing remote workers onto the company network through a hotspot. VPN security mechanisms, data encryption, strong authentication and personal firewalls are each effective on their own; the best protection comes from integrating them so that they react to each other dynamically.
Risks Posed by WLAN Access
The biggest risk comes from establishing the connection between the individual’s device and the hotspot, because everything at this stage happens before any VPN exists. The user turns on the device, clicks ‘find network’, associates with the hotspot by its SSID (Service Set Identifier), receives an IP address from the hotspot, and is then redirected to the hotspot’s registration page over plain http. None of this is protected by the VPN. Since the device is exchanging data with whatever answers to that SSID, an attacker can interpose (your classic man-in-the-middle, for example a rogue access point broadcasting the same SSID). The registration and the accounting of time online serve solely so the provider can get paid for use of its hotspot, yet they are the part of the session that is least protected. All of this takes place before a VPN tunnel can be established.
Doesn’t the Firewall Protect the Network?
No and yes (the latter we’ll get to in a minute). For independent personal firewalls (those that sit on the user’s laptop or PDA or smart phone and do not integrate with the VPN client), outbound http/https must be opened during hotspot registration so the registration page can be reached at all. This can happen in three different ways:
- The firewall rules for http/https are permanently preconfigured in order to guarantee that the desired hotspots work
- The configuration opens the http/https ports on demand for a limited time window (e.g. two minutes)
- The user has administration rights and changes the firewall rules independently
In all three cases, there is a period during which the device is outside the secure VPN tunnel with ports open to an untrusted network, and in that period it can be reached by destructive software such as viruses, worms or Trojans from other hotspot clients or from the network itself. Temporarily opening the firewall creates danger, and a permanent opening is worse. If the personal firewall does not communicate with the VPN client, the burden falls on the user to know which rules to open, when to open them and when to close them again.
Integrating the Personal Firewall with the VPN Client
By integrating the personal firewall with the VPN client, the two components can talk to each other and enforce one established policy, with neither open to tampering by the user. Network administrators can pre-configure every remote device with a different rule set for each situation: on a known (friendly) network, on an unknown network, or inside the VPN tunnel.
Automatic recognition of the network takes place by validating several network characteristics rather than the SSID alone, since an SSID is trivial to copy. On friendly networks, permissive firewall rules apply; in public environments like the hotspot, restrictive rules apply. The integrated personal firewall must work with intelligent mechanisms that guarantee a secure activation of network access via the web browser, limited to what registration on the hotspot actually requires, as well as a secure registration on the hotspot.
By integrating these technologies, the trust relationship is turned around: the hotspot is treated purely as untrusted transport, and the only party that must prove its identity to the user’s device is the VPN gateway, which authenticates itself during tunnel setup. The firewall allows just enough traffic to register on the hotspot and bring up the tunnel, closes that opening as soon as the tunnel is established, and from then on accepts no data that does not arrive through the secure VPN tunnel.
A prerequisite for secure remote access in WLANs is end-to-end security, with dynamically interlocking security technology. The use of a VPN client with an integrated personal firewall and strong user authentication is necessary in this situation. The firewall rules must adapt automatically to registering on and logging off the hotspot, and they must be re-evaluated on every connection within the framework of an integrated endpoint security system. Only in this way can administrators and users be sure they are securely sealing off terminal devices and data.
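As an added example (not code from the original post, from the article it cites, or from any VPN product), the Python below models the policy engine the last two sections describe: recognition of the network the device is on, the time-limited http/https opening for hotspot registration from the earlier list of firewall options, and the switch to tunnel-only rules once the VPN client reports the tunnel is up. The SSID, gateway MAC, VPN gateway address, IKE ports and the two-minute window are assumptions chosen for illustration; a real product would key recognition on more characteristics than these.

```python
"""Personal firewall whose rules are driven by the VPN client (illustrative model).

Added example; not code from the original post or from any vendor.
All names, addresses and ports below are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Location(Enum):
    TRUSTED = "trusted"   # e.g. the corporate LAN: permissive rules
    HOTSPOT = "hotspot"   # public WLAN: restrictive rules
    UNKNOWN = "unknown"   # no usable network yet: deny everything


@dataclass(frozen=True)
class Flow:
    dst: str
    dport: int
    proto: str = "tcp"


# Assumed profiles for network recognition: SSID plus the gateway MAC the
# client expects. Checking more than the SSID is what defeats a rogue access
# point that merely copies the corporate network name.
TRUSTED_PROFILES = {"corp-wifi": "00:11:22:33:44:55"}

VPN_GATEWAY = "203.0.113.10"                  # assumption (TEST-NET-3 address)
VPN_CONTROL_PORTS = {("udp", 500), ("udp", 4500)}  # IKE and NAT-T for an IPsec client
REGISTRATION_PORTS = {80, 443}                # only http/https, only during the window
REGISTRATION_WINDOW_SECONDS = 120             # the "two minutes" from the text


class PolicyEngine:
    """Decides, per flow, whether the firewall lets it out."""

    def __init__(self) -> None:
        self.location = Location.UNKNOWN
        self.vpn_up = False
        self.registration_deadline: Optional[float] = None

    def classify(self, ssid: str, gateway_mac: str) -> Location:
        """Recognise the network; any change of network resets VPN state."""
        if TRUSTED_PROFILES.get(ssid) == gateway_mac:
            self.location = Location.TRUSTED
        elif ssid:
            self.location = Location.HOTSPOT
        else:
            self.location = Location.UNKNOWN
        self.vpn_up = False
        self.registration_deadline = None
        return self.location

    def begin_registration(self, now: float) -> None:
        """Open http/https for a bounded window so the hotspot page can be reached."""
        if self.location != Location.HOTSPOT:
            raise RuntimeError("registration window is only meaningful on a hotspot")
        self.registration_deadline = now + REGISTRATION_WINDOW_SECONDS

    def tunnel_established(self) -> None:
        """VPN client reports the gateway authenticated and the tunnel is up."""
        self.vpn_up = True
        self.registration_deadline = None   # close the opening immediately

    def tunnel_lost(self) -> None:
        self.vpn_up = False

    def allow(self, flow: Flow, now: float, via_tunnel: bool = False) -> bool:
        if self.location == Location.TRUSTED:
            return True
        if self.location == Location.UNKNOWN:
            return False
        # Tunnel setup traffic to the gateway is always permitted on a hotspot.
        if flow.dst == VPN_GATEWAY and (flow.proto, flow.dport) in VPN_CONTROL_PORTS:
            return True
        if self.vpn_up:
            return via_tunnel                # everything else must ride the tunnel
        if self.registration_deadline is not None and now < self.registration_deadline:
            return flow.proto == "tcp" and flow.dport in REGISTRATION_PORTS
        return False


def demo() -> List[bool]:
    """Walk through one hotspot session; returns the sequence of decisions."""
    engine = PolicyEngine()
    web = Flow("198.51.100.7", 80)           # constructed destination
    engine.classify("Free_Airport_WiFi", "aa:bb:cc:dd:ee:ff")
    decisions = [engine.allow(web, now=0.0)]          # before registration: denied
    engine.begin_registration(now=0.0)
    decisions.append(engine.allow(web, now=10.0))     # inside window: allowed
    decisions.append(engine.allow(Flow("198.51.100.7", 22), now=10.0))  # ssh: denied
    decisions.append(engine.allow(web, now=130.0))    # window expired: denied
    engine.tunnel_established()
    decisions.append(engine.allow(web, now=10.0))     # outside tunnel: denied
    decisions.append(engine.allow(web, now=10.0, via_tunnel=True))  # in tunnel: allowed
    return decisions


if __name__ == "__main__":
    print(demo())
```

The decisive detail is in `tunnel_established`: the registration window is closed by the VPN client, not by a timer the user has to watch, and `classify` resets everything whenever the network changes, so a rogue access point with the corporate SSID but a different gateway is handled as a hotspot rather than a friendly network.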