TechRepublic Resource Guide

Transcription

1 TechRepublic Resource Guide Wi-Fi Security for Road Warriors Contents 10 Wi-Fi security tips for road warriors.2 Road warriors have to be creative. Besides their normal work, they are asked to maintain an almost continuous electronic presence while away from their office or home -- and that can mean dealing with unknown and possibly hostile Wi-Fi networks. Michael Kassner offers some simple tips to help mobile workers secure their computers and information no matter where they go. Wi-Fi security for the road warrior; revisited...4 Learn about the differences between perceived and real security issues surrounding the use of puclic Wi-Fi. Wi-Fi security for road warriors: AirDefense style.6 Discover how to effectively monitor applications to ensure security while using public Wi-Fi. Sponsored by: Page 1 of 7

2 10 Wi-Fi security tips for road warriors Road warriors have to be creative. Besides their normal work, they are asked to maintain an almost continuous electronic presence while away from their office or home -- and that can mean dealing with unknown and possibly hostile Wi-Fi networks. Michael Kassner offers some simple tips to help mobile workers secure their computers and information no matter where they go. Wi-Fi security is a popular topic these days, and the "best approach" is being vigorously debated on many forums, including TechRepublic's. One fact I discerned from reading the various forum posts is that there are many opinions as to what's required to securely associate with unknown and possibly hostile Wi-Fi networks. With this in mind, I'd like to look at Wi-Fi security concerns from the viewpoint of the road warrior. Since road warriors deal with unknown and usually wide-open Wi-Fi environments, a solution that works for them will offer some benefit to everyone. Here are 10 security tips that should allow the road warrior to have a secure encounter of the best kind with unknown Wi-Fi networks. 1. Turn off the Wi-Fi client adapter when you're not using it The reasons for this are twofold. First, it conserves battery life always a concern for road warriors. Second, it's the simplest way to prevent penetration attacks using a procedure named "Microsoft Windows silent ad hoc network advertisement." Basically, the attack takes advantage of the fact that Microsoft Windows Zero Configuration is set by default to allow anonymous ad hoc connections. For more details, check out my blog post "How to prevent automatic association with ad hoc networks." 2. Verify that the SSID actually represents the provider's Wi-Fi network Verifying the SSID will help prevent associating with an evil twin. Evil twin is patterned after the man-in-the-middle attack where a hacker sets up equipment to falsely represent the facility's Wi- Fi network. In elegant simplicity, the user unknowingly associates with the fake network, allowing the hacker to obtain every byte of traffic that is sent or received. 3. Make sure a software firewall is running on your notebook Microsoft Windows XP and Vista already incorporate a firewall, but in both cases, it's inadequate. There are many good freeware firewall applications that are more competent, providing the additional protection a road warrior needs. I use Online-Armor, a somewhat new application that's been getting good reviews. 4. Disable Window's file and printer sharing By default, file and printer sharing is disabled, but many users enable this feature to share printers or files while on a work or home network. Having this feature enabled while on the road is just asking for trouble. It allows unauthorized access to your files by anyone who happens to be on that particular Wi-Fi network. The Microsoft Knowledge Base article "Disable File and Printer Sharing for Additional Security" explains how to determine whether file and printer sharing is enabled and outlines the required steps to disable the feature. 5. Avoid sensitive online transactions when using open Wi-Fi networks This is self-evident, but I felt it important enough to mention. 6. Keep your notebook's operating system up to date Along with your OS, make sure your antivirus, firewall, Web browser, and Wi-Fi client applications are current as well. By doing so, you'll eliminate many attack venues caused by application vulnerabilities. Page 2 of 7

3 7. Secure any personal, banking, or credit card details Allowing the Web browser to remember personal information is another avenue hackers can use to easily retrieve sensitive material if the notebook is lost or stolen. I've been using Bruce Schneier's Password Safe for many years. It requires you to remember only one access password, which is useful even if you are not a road warrior. 8. Use secure and anonymous Web surfing techniques This is very important if a VPN service is not available or the VPN will not set up correctly. There are various Web services that provide SSL VPN solutions by creating an encrypted tunnel from the notebook to their secure server. This eliminates a whole slew of possible issues. Some of the more preeminent services are Megaproxy and TOR. I use a slightly different approach based on USB flash drive technology. IronKey is a secure USB flash drive with FireFox and TOR technology pre-installed. If Internet access is available, the device automatically configures an SSL tunnel to secure IronKey servers. See "IronKey: Simple, safe, and secure surfing over Wi-Fi" for more details. 9. If required, use VPN technology The problem with the previous tip is that it applies only to Web-based applications. What about e- mail applications, like Outlook? This is where the full-blown VPN comes into play. Most business road warriors use this approach exclusively. The VPN tunnel allows the road warrior to remotely become part of the home or office network. Then, all the normal business applications, file sharing, and Internet access are handled by the company's network. There are many hardware and software VPN applications to choose from. My choice would be OpenVPN. 10. Use remote access applications for security Not having any sensitive data travel over questionable networks to your notebook is a unique solution. This is possible by using a service like LogMeIn, which allows the road warrior to remotely control a home or office computer through an SSL tunnel. Web surfing, , and other applications are active only on the remote computer. So no data is being transmitted to the road warrior's notebook, unless so desired. Final thoughts Road warriors have to be creative. Besides their normal work, they are asked to maintain an almost continuous electronic presence while away from their office or home. These simple tips can help secure their computers and resident information no matter where they go. Page 3 of 7

4 Wi-Fi security for the road warrior; revisited Learn about the differences between perceived and real security issues surrounding the use of puclic Wi-Fi. I recently penned a 10 thing post called 10 Wi-Fi security tips for the road warrior and TechRepublic member DonnaKline responded with an excellent observation: The point of varying the level of security required by location might have been stressed more, especially for those of us who are less sophisticated about tech issues. For example, there may be more risk using the wifi in an airport lounge than in an upscale business traveler hotel, which hopefully will be more careful about security issues. I appreciate DonnaKline s candor in pointing out certain ambiguities surrounding perceived versus real security when using public Wi-Fi networks. Let s see if we can clear some of them up. Defining public Wi-Fi To make sure we re all on the same page, let s first define public Wi-Fi networks as those that allow unrestricted access. That s a simplistic definition, but what s typically available at venues like airports, hotels, and hotspots. Since unrestricted access eliminates the ability to encrypt Wi-Fi traffic, it also means there s no real security. Is there more risk at airports? So, is there more risk to using public Wi-Fi access at an airport lounge when compared to an upscale hotel? I would say yes, but not for technical reasons. People who steal information and identities want to do so using the least amount of effort. That means airports, simply because there are more targets of opportunity. I certainly see this whenever I m traveling. At any given airport, it s very easy to capture copious amounts of unencrypted digital traffic. I hope that explanation made sense, but I m concerned that many people share DonnaKline s viewpoint. With that in mind I would like to discuss some high level Wi-Fi security concepts. Theoretically, achieving information security and lowering risk is simple. If the information is undecipherable to everyone except the intended viewer, it s secure. In real life information security is anything but simple. That s why an informed Wi-Fi user is the most powerful security tool available. Three distinct security zones I find it helps to divide the path that digital traffic travels along into distinct security zones. By doing so, attention is focused on the entire connection, not just the initial Wi-Fi portion. To keep it simple, I use the three following zones: Wi-Fi security zone: This zone is the one most people are aware of, as it is first step to gain access to the Internet. Wired security zone: This zone is the in house infrastructure that acts as a go between for the Wi-Fi network and the Internet. Internet security zone: This zone is the conglomeration of linked networks that can traverse significant geographical areas. OK, I should just say the Internet. To many, realizing that all three zones are important for secure transmission of their information is a new concept. The following example clearly points this out. My financial adviser, who is near and dear to me, argues that Internet access at her favorite coffee shop is secure since she has to Page 4 of 7

5 enter a new WPA passcode each time she visits. Using my security zone concept, we can see that the Wi-Fi security zone is covered, but how secure is my advisor s information as it traverses the wired and Internet security zones? To explain, that particular coffee shop could be capturing customer s personal information as it passes through the wired security zone. I m not saying that it s being done, but it could be. It s also possible for people who steal information and identities to setup capture equipment in the coffee shop without the owner s permission. Now that my financial adviser understands that there are different security zones, it s easier for her to make an informed decision about what security measures to use. Proper tool for the job Good news for road warriors is the availability of security tools that will protect information traveling across all three security zones or any combination thereof. From a security expert s viewpoint, utopia would be everyone using an IPsec VPN (pdf) at all times. Nice, but let s get back to the real world. Security does not come free and it s the user that carries the additional burden created by increased security. Let s continue using my financial adviser in the two following examples, which depict situations where both security and convenience are considered: Highly sensitive traffic: My adviser needs to access the office database from the coffee shop. Since the data is very sensitive, the security tool used should produce the maximum amount of security. That would be some sort of VPN application. So she enables the computer s VPN client, creating a digital tunnel that traverses all three security zones connecting to the VPN server at the office. Once the VPN tunnel is setup, digital traffic is encrypted and sent through the tunnel. If any of this traffic was captured by an attacker it would be complete gibberish and virtually impossible to decipher. That s about as good as it gets and most security experts would be happy. Anonymity and local security: Next, my adviser wants to surf the Internet. Checking out some vacations spots, now that April 15 has past. She d rather not use the VPN, since it s piped through the office s Internet access and may create an unnecessary bottleneck. Only thing, there s this rather odd looking guy using a notebook with a strange antenna attached to it sitting in the next booth. What if he s snooping? Does he know the encryption pass-code? Wait a minute, I convinced her to get an IronKey for safe portable file storage. Luckily, it s configured to connect to a SSL proxy server. Using that to access the Internet, my adviser has the Wi-Fi, wired, and a portion of the Internet security zones covered. No worries about that guy snooping and it s simpler than a VPN connection to use. Final thoughts The two examples are only meant to show what s possible, not to advocate specific devices or methodology. That s unrealistic, since each encountered situation is unique. It is my goal to help enlighten and make it easier for road warriors to determine the best security option for a given situation. I hope that this post and the information in 10 Wi-Fi security tips for the road warrior will be good additions to the road warrior s security tool kit. Page 5 of 7

6 Wi-Fi security for road warriors: AirDefense style Discover how to effectively monitor applications to ensure security while using public Wi-Fi. For the past few months, I ve been working on an informal series about the trials and tribulations of using public Wi-Fi networks. From the positive responses, it appears that the security tips have been helpful. With TechRepublic road warriors now savvy about Wi-Fi security, I should be happy. Well almost, there s one essential element left to take care of. Everything in the series thus far has been concerned about implementing security. What s still needed is a very alert monitoring application that sits in the background making sure everything is working properly. Road warriors have enough to deal with, so let s put this particular concern in the very capable hands of AirDefense and their free application called AirDefense Personal Lite. How does it work? AirDefense Personal Lite runs on Wi-Fi enabled computers, monitoring for malevolent activity (hacker pen tests), inadvertent wireless activity (ad hoc association), and Wi-Fi device and application misconfiguration (security lapses or noncorporate policies). If Personal Lite detects an anomaly, it immediately notifies the user that something is amiss. The following image depicts an alert notifying the user that encryption is disabled. The application can also be configured to automatically disable the Wi-Fi connection if a certain predefined condition is encountered. This really helps mitigate user-invoked security problems and, even more importantly, attack vectors being explored by hackers. The following image depicts some of the many configuration settings that are available. Page 6 of 7

7 The myriad of configurable parameters available is not what I would consider normal for freeware but is to be expected from AirDefense. AirDefense Enterprise AirDefense also has an enterprise version that allows integration and is controlled by AirDefense s Personal Central Manager. By using the enterprise version, several additional benefits become apparent: Extends the wireless security perimeter to mobile users: 24 7 protection inside the enterprise and on the road. Ability to define and enforce wireless security policy (corporate or regulatory) on laptops. Detection and enforcement of Windows Zero Configuration Client settings. Final thoughts I use Personal Lite on all my notebooks and recommend it to anyone who uses Wi-Fi. Being able to detect erroneous configurations, malicious threats, and effectively stopping them gives a certain peace of mind that road warriors will appreciate. Page 7 of 7