Security and Public Access Points

Increasingly, I find that when I travel, my internet access is wireless.
Such access is a new thing for me, and it has me concerned about security.

At home, I have a small wired network behind a firewall (a LinkSys
BEFSR41). The machines on the network run antiviral software, but no
software firewall. I don't offer any open ports, and I'm very careful
about opening email attachments, etc. Behind the hardware firewall, I
don't worry.

When I travel and connect wirelessly to networks at hotels and convention
centers, etc., I worry about two things. The first is the security of the
data that flows from my laptop to the wireless access point. It's my
understanding that if I'm using a secure connection to a web site, my
browser encrypts the data it sends, so I'm covered there, but when I
connect to my ISP to get my mail from its POP server, I'm sending my
password as plainttext. This can't be good. Since it appears that only
the access point can enable WEP (and my very limited experience is that
public access points don't seem to), and since WEP isn't really very
secure, anyway, that doesn't offer much protection. I work with computer
professionals, so if I'm at, say, a convention, it is highly likely that
I'm surrounded by people with the skills to sniff our passwords and other
private data as it floats by. Is there some way for me to secure the
transmission between me and the public access point? It seems like a VPN
might be relevant here, but I don't really know much about them, and at any
rate my ISP doesn't have a VPN server. (I asked.)

My second concern is people attempting to get into my computer when I'm
wireless, because at that point, I'm no longer behind my hardware firewall.
What I currently do is visit grc.com and run ShieldsUp when I wirelessly
connect at a new site. If ShieldsUp shows that I'm behind a firewall, I
relax. If ShieldsUp shows that I'm not behind a firewall, I basically keep
my online sessions as short as possible. The proper solution here is
probably to run a software firewall, but I'm reluctant to do that given the
bad experience I had with one a few months ago. (The one I tried--Norton
Internet Security or some such--slowed my machine way down and led to other
problems, so I uninstalled it.) Should I bite the bullet and run one
anyway? For the record, my OS is Windows 2000 (SP 4).

Thanks for your insights and advice as I tiptoe into this brave new world.

Scott

Scott Meyers wrote:

> Increasingly, I find that when I travel, my internet access is wireless.
> Such access is a new thing for me, and it has me concerned about security.
>
> At home, I have a small wired network behind a firewall (a LinkSys
> BEFSR41). The machines on the network run antiviral software, but no
> software firewall. I don't offer any open ports, and I'm very careful
> about opening email attachments, etc. Behind the hardware firewall, I
> don't worry.
>
> When I travel and connect wirelessly to networks at hotels and convention
> centers, etc., I worry about two things. The first is the security of the
> data that flows from my laptop to the wireless access point. It's my
> understanding that if I'm using a secure connection to a web site, my
> browser encrypts the data it sends, so I'm covered there, but when I
> connect to my ISP to get my mail from its POP server, I'm sending my
> password as plainttext. This can't be good. Since it appears that only
> the access point can enable WEP (and my very limited experience is that
> public access points don't seem to), and since WEP isn't really very
> secure, anyway, that doesn't offer much protection. I work with computer
> professionals, so if I'm at, say, a convention, it is highly likely that
> I'm surrounded by people with the skills to sniff our passwords and other
> private data as it floats by. Is there some way for me to secure the
> transmission between me and the public access point? It seems like a VPN
> might be relevant here, but I don't really know much about them, and at any
> rate my ISP doesn't have a VPN server. (I asked.)
>
> My second concern is people attempting to get into my computer when I'm
> wireless, because at that point, I'm no longer behind my hardware firewall.
> What I currently do is visit grc.com and run ShieldsUp when I wirelessly
> connect at a new site. If ShieldsUp shows that I'm behind a firewall, I
> relax. If ShieldsUp shows that I'm not behind a firewall, I basically keep
> my online sessions as short as possible. The proper solution here is
> probably to run a software firewall, but I'm reluctant to do that given the
> bad experience I had with one a few months ago. (The one I tried--Norton
> Internet Security or some such--slowed my machine way down and led to other
> problems, so I uninstalled it.) Should I bite the bullet and run one
> anyway? For the record, my OS is Windows 2000 (SP 4).
>
> Thanks for your insights and advice as I tiptoe into this brave new world.
>
> Scott
I wouldn't feel too good at being behind a firewall (even if you really
are). At a public access point, there may be many others behind the
firewall with you.

I don't leave any shares enabled when I travel. Think that helps.

A software firewall would probably be a good addition, but after having
ZoneAlarm destroy the TCP/IP subsystems of two systems at my work, I'm
somwhat afraid of software firewalls ...

I run XP and it has a built in software firewall, but I trust
Microsoft's firewall technology about as much as I trust its security
efforts with anything else it does -- that is to say, not at all.

If you use ad-hoc networks while traveling, it certainly won't hurt to use
WEP. You can make up a new key for each session, and that really should be
adequate protection. You should be able to share files and so on without
worrying about firewalls. Ad-hoc networks don't live too long, and if you
change the key each time the risk is minimal.

If you need to use the Internet, then of course you're connected to an AP in
infrastructure mode. As you noticed, they don't enable WEP or WPA at
conventions, because they'd have to distribute the shared key, which would
defeat the purpose. They *could* use VPN, and probably will do so more and
more often, but it's not that common. If it's available, use it.

A convention of nerds is a more dangerous place to use an open hotspot,
because a higher concentration of technically savvy people also means a
higher concentration of technically savvy thieves. I would avoid
transmitting userid/password data in the clear - if it's on an https secure
page, okay, but otherwise no. I'd check my email over a wired Ethernet
connection if possible.

I would also disable shares. There are wifi firewalls. I have PC-cillin on
my XP home edition notebook system, with the wifi firewall enabled at all
times. I have never had any problems whatsoever with the firewall, except
that it needs to be disabled to do certain things, such as running tracert.
YMMV, and I have been unable to find out exactly how the wifi firewall
differs from the Ethernet firewall (if at all), but I feel better knowing
it's there. Maybe just a placebo effect :-).

"Scott Meyers" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Increasingly, I find that when I travel, my internet access is wireless.
> Such access is a new thing for me, and it has me concerned about security.
>
> At home, I have a small wired network behind a firewall (a LinkSys
> BEFSR41). The machines on the network run antiviral software, but no
> software firewall. I don't offer any open ports, and I'm very careful
> about opening email attachments, etc. Behind the hardware firewall, I
> don't worry.
>
> When I travel and connect wirelessly to networks at hotels and convention
> centers, etc., I worry about two things. The first is the security of the
> data that flows from my laptop to the wireless access point. It's my
> understanding that if I'm using a secure connection to a web site, my
> browser encrypts the data it sends, so I'm covered there, but when I
> connect to my ISP to get my mail from its POP server, I'm sending my
> password as plainttext. This can't be good. Since it appears that only
> the access point can enable WEP (and my very limited experience is that
> public access points don't seem to), and since WEP isn't really very
> secure, anyway, that doesn't offer much protection. I work with computer
> professionals, so if I'm at, say, a convention, it is highly likely that
> I'm surrounded by people with the skills to sniff our passwords and other
> private data as it floats by. Is there some way for me to secure the
> transmission between me and the public access point? It seems like a VPN
> might be relevant here, but I don't really know much about them, and at
any
> rate my ISP doesn't have a VPN server. (I asked.)
>
> My second concern is people attempting to get into my computer when I'm
> wireless, because at that point, I'm no longer behind my hardware
firewall.
> What I currently do is visit grc.com and run ShieldsUp when I wirelessly
> connect at a new site. If ShieldsUp shows that I'm behind a firewall, I
> relax. If ShieldsUp shows that I'm not behind a firewall, I basically
keep
> my online sessions as short as possible. The proper solution here is
> probably to run a software firewall, but I'm reluctant to do that given
the
> bad experience I had with one a few months ago. (The one I tried--Norton
> Internet Security or some such--slowed my machine way down and led to
other
> problems, so I uninstalled it.) Should I bite the bullet and run one
> anyway? For the record, my OS is Windows 2000 (SP 4).
>
> Thanks for your insights and advice as I tiptoe into this brave new world.
>
> Scott

Jerry Park <(E-Mail Removed)> wrote:
> I wouldn't feel too good at being behind a firewall (even if you really
> are). At a public access point, there may be many others behind the
> firewall with you.

> A software firewall would probably be a good addition, but after having
> ZoneAlarm destroy the TCP/IP subsystems of two systems at my work, I'm
> somwhat afraid of software firewalls ...

I run ZoneLabs Integrity Client, the "paid" version of ZoneAlarm, but I
have had no system troubles with either ZoneAlarm or ZoneLabs on several
systems, running Win2000, WinME, and WinXP. The biggest trouble is that
things don't work because they are being blocked, and that takes a while to
sort out, and still pops up for applications I thought I had fixed.

I thought Norton Personal Firewall was easier to configure, but our
corporate license is for ZoneLabs now.

Connecting to the network (wired or wireless) at Embassy Suites in Denver,
I was offered "firewall" or "open". With a warning that VPN wouldn't work
with their firewall. I chose open. My VPN worked just fine, and I had a
constant log of all sorts of probes from the internet.

I always use either VPN, ssh, or https when connecting to the internet
except for pop3 from home, which does expose the traffic. I don't pop3 on
public access points. On the road, I use an https-based mail reader that
is offered by my ISP.

Boingo.com and sonic.net both offer VPN back to their servers from
hotspots. I don't know if those can be used while connected via other
hotspots or not. And of course that's only VPN back to that point, where
you go from there is a different story.

--
---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8-122.5

Can you setup a VPN back to your office? There are alos a few wireless VPN
services out there that cost $5-8 per month.

Frank

--
-----------------------------
Pasadena Networks, LLC http://www.pasadena.net
Wireless News and Hotspot Search: http://www.pasadena.net/wifi/



"Scott Meyers" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

>Thanks for the info. Alas, my ISP offers no encrypted mail access.



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.614 / Virus Database: 393 - Release Date: 3/5/2004