Unusual VPN requirement

 
 
nobody@nowhere2222.za
04-14-2005, 03:55 PM
Hi

I can set up a VPN from a laptop connected over 802.11 wireless, to my
office.

What I would like is a way to be able to walk into an internet cafe
(many of which don't offer 802.11 wireless), plug a CD into a CD drive
in one of their PCs, and software on the CD will set up the VPN. So
even if there was a keylogger on the PC in the cafe, they wouldn't get
the login details because I would not be typing anything in.
Everything would run off the CD, leaving nothing in the PC (except
some stuff in RAM and possibly the swapfile, but those are easy enough
to superficially clean up, with a reboot etc.).

Is there such a product? It, or something like it, ought to exist because
otherwise anyone using a public wireless access point to access their
business email is taking a risk.

Obviously it would have to avoid using Windows' VPN function.

 
Alex Heney
04-14-2005, 04:16 PM
On Thu, 14 Apr 2005 16:55:13 +0100, (E-Mail Removed) wrote:

>Hi
>
>I can set up a VPN from a laptop connected over 802.11 wireless, to my
>office.
>
>What I would like is a way to be able to walk into an internet cafe
>(many of which don't offer 802.11 wireless), plug a CD into a CD drive
>in one of their PCs, and software on the CD will set up the VPN. So
>even if there was a keylogger on the PC in the cafe, they wouldn't get
>the login details because I would not be typing anything in.
>Everything would run off the CD, leaving nothing in the PC (except
>some stuff in RAM and possibly the swapfile, but those are easy enough
>to superficially clean up, with a reboot etc.).
>
>Is there such a product? It, or something like it, ought to exist because
>otherwise anyone using a public wireless access point to access their
>business email is taking a risk.
>
>Obviously it would have to avoid using Windows' VPN function.


I'm sure there is such a product available, but I'm also sure you
won't find any significant number of internet cafes willing to allow
you to put external CDs into their PCs.

You have a much better chance of getting an internet cafe to allow you
to connect your own laptop, whether by ethernet or wireless.

--
Alex Heney, Global Villager
I'm not dead. I'm electroencephalographically challenged.

To reply by email, my address is alexATheneyDOTplusDOTcom
 

Ian
04-14-2005, 04:37 PM

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi
>
> I can set up a VPN from a laptop connected over 802.11 wireless, to my
> office.
>
> What I would like is a way to be able to walk into an internet cafe
> (many of which don't offer 802.11 wireless), plug a CD into a CD drive
> in one of their PCs, and software on the CD will set up the VPN. So
> even if there was a keylogger on the PC in the cafe, they wouldn't get
> the login details because I would not be typing anything in.
> Everything would run off the CD, leaving nothing in the PC (except
> some stuff in RAM and possibly the swapfile, but those are easy enough
> to superficially clean up, with a reboot etc.).
>
> Is there such a product? It, or something like it, ought to exist because
> otherwise anyone using a public wireless access point to access their
> business email is taking a risk.
>
> Obviously it would have to avoid using Windows' VPN function.
>

What needs to happen is that your company IT dept introduce a decent security
system, one that uses dynamic passwords via a fob or the like.

Ian


 

ian
04-14-2005, 06:28 PM
(E-Mail Removed) wrote:

> Hi
>
> I can set up a VPN from a laptop connected over 802.11 wireless, to my
> office.
>
> What I would like is a way to be able to walk into an internet cafe
> (many of which don't offer 802.11 wireless), plug a CD into a CD drive
> in one of their PCs, and software on the CD will set up the VPN. So
> even if there was a keylogger on the PC in the cafe, they wouldn't get
> the login details because I would not be typing anything in.
> Everything would run off the CD, leaving nothing in the PC (except
> some stuff in RAM and possibly the swapfile, but those are easy enough
> to superficially clean up, with a reboot etc.).
>
> Is there such a product? It, or something like it, ought to exist because
> otherwise anyone using a public wireless access point to access their
> business email is taking a risk.
>
> Obviously it would have to avoid using Windows' VPN function.


Implement HTTPS web mail with a key fob for a password if you must use
Windows.

There are a few Linux distros that run directly from a CD: Knoppix, SUSE and
Mandrake, to name but three.

What about GSM or GPRS and an IPsec VPN client like Cisco's, for instance?
--
Output certified Microsoft free
Checked with Suse 9.2
 

Chris
04-14-2005, 08:18 PM
(E-Mail Removed) wrote:
> Is there such a product? It, or something like it, ought to exist because
> otherwise anyone using a public wireless access point to access their
> business email is taking a risk.


Using only a username and password is very insecure. If your company was
security conscious they would implement a two-factor system, for example
using a smart card or RSA SecurID. The next best thing would be to ask
your company to issue you with a certificate.
 

nobody@nowhere2222.za
04-15-2005, 10:01 AM
Thank you all for good suggestions

ian <(E-Mail Removed)> wrote:

>Implement HTTPS web mail with a key fob for a password if you must use
>Windows.


Where would one insert the key fob, or some other token? I know about
USB ones or the "smartdisk" concept that was around a few years ago (a
secure 3.5"-disk-sized device).

>There are a few Linux distros that run directly from a CD: Knoppix, SUSE and
>Mandrake, to name but three.
>
>What about GSM or GPRS and an IPsec VPN client like Cisco's, for instance?


Well here we go...

Apart from normal stuff like POP/SMTP email ops, I run pcAnywhere
over this link.

The VPN isn't an issue; I already run IPsec over a VPN.

GPRS is a great solution. I have this too, and I can run the VPN over
that. And yes, a decent VPN over GPRS should be "totally" secure. The
problem is that with pcAnywhere, each screenful costs a couple of
quid in GPRS costs! I know one can get cheap GPRS (hundreds of MB
free, plus 50p/MB after that) if one pays 50-100 quid/month on a
contract, but this is for sporadic usage only and contracts are a right
rip-off for that. Also it's painfully slow. Also GPRS is very sensitive
to dropouts caused by less than great reception; this is OK most of
the time but not OK on a secure protocol which just immediately drops
out.

That's why I was looking for a reasonably secure way of using an
internet cafe. Similar issues arise with a public wireless access
point, but at least there one has control over the machine used for
the access, so a VPN alone ought to do.

My travelling is a very long way from London and other places with
wifi in cafes


 

Alex Heney
04-15-2005, 01:05 PM
On Fri, 15 Apr 2005 11:01:51 +0100, (E-Mail Removed) wrote:

>Thank you all for good suggestions
>
> ian <(E-Mail Removed)> wrote:
>
>>Implement HTTPS web mail with a key fob for a password if you must use
>>Windows.

>
>Where would one insert the key fob, or some other token? I know about
>USB ones or the "smartdisk" concept that was around a few years ago (a
>secure 3.5"-disk-sized device).


You don't insert it anywhere.

The fob has a number (usually 8-10 digits) displayed in a small
window, that changes every 60 seconds (I think it is possible to get
them with different periods, but all the ones I have used have been 60
seconds).

When you attempt to log in, as well as your own username and password,
you have to enter the number *currently* showing in that window.

The server will have a record of which fob you have (they all show
different numbers), and will have an algorithm that generates the same
set of numbers, based on a "seed" that is different for each fob.


--
Alex Heney, Global Villager
Put on your seatbelt. I'm gonna try something new.

To reply by email, my address is alexATheneyDOTplusDOTcom
 

Killa
04-15-2005, 02:59 PM
On Fri, 15 Apr 2005 11:01:51 +0100, (E-Mail Removed)
<(E-Mail Removed)> wrote:

> The VPN isn't an issue; I already run IPsec over a VPN.


Why? If the VPN is secure, what do you gain by running IPsec over
it? If the VPN is not secure, then it's not really a VPN, it's just
a tunnel ;-)

> That's why I was looking for a reasonably secure way of using an
> internet cafe.


VPNs work on the foundation that both sides of the connection are
trusted. Public clients, e.g. Internet Cafe computers, are, by
definition, untrusted. Therefore any communications you set up
from an Internet Cafe computer will not be secure - period.

By setting up such a connection to your office, you will, almost
certainly, compromise the security of your office system as well
(since your office system presumably trusts your login details to
some extent).

> Similar issues arise with a public wireless access
> point, but at least there one has control over the machine used for
> the access so a VPN alone ought to do.


Actually the issues that arise with a public WLAN are not at all
similar. As you say, in this case you control the client machine,
and since you presumably trust that machine, the situation is very
different. In fact it's more or less a complete opposite, i.e. in
the case of the cafe, it is not possible to establish secure
communications with your office, in the case of the public WLAN,
it is.
 

Vin McLellan
04-16-2005, 01:28 AM
Nob wrote:

>> Where would one insert the key fob, or some other
>> token? I know about USB ones or the "smartdisk"
>> concept that was around a few years ago (a
>> secure 3.5"-disk-sized device).


Alex responded:

> You don't insert it anywhere.
>
> The fob has a number (usually 8-10 digits) displayed
> in a small window, that changes every 60 seconds (I
> think it is possible to get them with different
> periods, but all the ones I have used have been 60
> seconds).


RSA's SecurID is obviously the key "fob" you are referring to, since it
is still the only one-time password (OTP) token which is time-based.
For more info, look to: <http://tinyurl.com/apdyf>.

The SecurID has been around for almost 20 years, so a lot of folks
think of it as the classic OTP token: a sealed, hand-held, personal
authentication device -- for which the user at the keyboard is the
only network interface. The OTP "output" is constantly changing, and
the whole system is designed to produce an OTP that is both
unpredictable and resistant to replay.

The SecurID security paradigm is, of course, two-factor authentication
(2FA): the token-code is evidence of "something held;" a memorized
password or PIN is evidence of "something known." RSA's SecurID uses
(AES) crypto to mash a binary mark for Current Time, a 128-bit token-
specific secret "seed" or key, and a couple of other numbers, to
continuously generate and display a series of 6-8 character OTP
token-codes which change every 50 seconds.

(The newest SecurID design, btw, has both a LCD display and a
retractable USB plug -- so indeed, it _can_ be inserted somewhere. It
can be used as either a stand-alone OTP token or a PKI-enabled
smartcard -- depending on local options and the security services
required.)

I've been a consultant to RSA for many years, but I've been a traveller
much longer. My experience, like Alex's, is that most Internet cafes
will not permit a visitor to plug anything into their local
workstation. YMMV, depending on your personal charm, the money you
flash, the trusting nature of the cafe manager, and how far off the
beaten path you venture. (You might have more luck plugging in a USB
pen drive, perhaps with an SSH client.)

You don't say anything about what sort of host you are trying to reach
back to contact at home, but I presume it's an ISP. If it is an ISP,
there may be some additional security measures (SSH?) that you can draw
upon by pre-arrangement, if you bring an SSH client with you. It might be
hard to find an ISP that offers 2FA, however, since strong
authentication is more often used in access controls for corporate
enterprise systems.

(Having an OTP token alone is useless. OTP tokens are part of a 2FA
system that requires a specialized authentication server, agents, and
probably integration into a web server, firewall, mail server, or other
apps. (In the US, for a small monthly fee, AOL offers SecurIDs for
account access: <http://tinyurl.com/8uxk6>. AOL-UK -- to judge by its
-- doesn't seem to have this option available yet, but you'll probably
see OTP tokens offered by more big ISPs later this year. Anyone know of
one in the UK now?)

More likely the best you can manage may be an SSL connection between
your cafe PC and your home mail server. Whatever arrangements you
manage, you should be modest in your security assumptions. As Killa
warned: with one end of the connection presumptively untrustworthy,
all claims of security must be relative and conditional. Key-loggers
are the only risk if you are relying on a PC that could be controlled
by a hostile party.

Have a great trip;-)

Good luck,
_Vin

 