Staying safe in Wi-Fi hot spots


Lisa Phifer
02.16.2006

According to a recent In-Stat survey, half of US business professionals now use Wi-Fi hot spots in hotels, airports, and other public venues -- one fourth at least once a week. Many hot spot users are concerned about security, and for good reason. Hot spots are an ideal venue for eavesdropping, sharing viruses, or simply taking advantage of those whose defenses are weak.

On the flip side, Wi-Fi hot spots can make business travel far more productive. It's never been easier for travelers to stay in touch with the office and home. Occasional travelers can pay as they go, using hourly or day passes, generally under $10. Frequent travelers can open all-you-can-eat hot spot accounts, starting at $20 per month (e.g., Boingo). Those who prefer free services can search JWire or Wi-Fi free hot spot, although some travel may be required to reach even the closest free hot spot.

Getting started
Fortunately, you don't need to avoid hot spots to avoid wireless intruders. Start by taking just a few simple steps to harden your station's defenses.

  1. Disable Sharing: File and printer sharing may be common in business and home networks, but should be avoided in public networks where strangers can easily browse, read, and perhaps even write to exposed shares. To prevent this on Windows hosts, open your wireless connection's Properties panel and make sure that "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" are both unchecked.

  2. Firewall Your Laptop: By default, Windows hosts listen to many TCP and UDP ports, and each open port represents a potential attack vector. If you're a Windows XP user, close those holes by enabling the firewall built into Service Pack 2, making sure that no exceptions are defined for your wireless connection. If you run another operating system, install a third-party personal firewall. Individuals can download free firewall programs from ZoneAlarm, Comodo, or Kerio. Larger companies should consider centrally-managed desktop firewalls like Symantec Sygate Enterprise Protection or InfoExpress CyberArmor Personal Firewall.

  3. Control Your Connection: Many wireless client programs -- including the XP Wireless Zero Config service -- automatically connect to any available wireless Access Point (AP) or Ad Hoc peer. This can be handy at the office, but it is simply bad practice in public networks. To regain control, configure your wireless client to associate ONLY at your request. For example, use the XP Wireless Networks panel Advanced button to uncheck "Automatically connect to non-preferred networks" and check "Access point (infrastructure) networks only." If using SP2, configure every "Preferred Network" to disable auto-connection. Finally, disable those connections when not in use!

In mid-January, the Nomad Mobile Research Centre warned that many XP devices are accidentally associating with Ad Hoc peers using common Service Set Identifiers (SSIDs). In one field test, of 56 clients lured into connecting this way, 11 were vulnerable to remote file access or compromise. The three steps outlined above are basic and simple, but would have been enough to completely elude this attack.
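To see why the step 3 settings matter against the Ad Hoc association problem described above, the following added example (not part of the original tip and not any vendor's code) models a wireless client's auto-connect decision and audits a scan list for networks the client would join without being asked. The policy fields are a simplified, assumed model of the settings named in step 3, and the scan entries are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:                      # one entry from a wireless scan
    ssid: str
    mode: str                       # "infrastructure" or "adhoc"
    encrypted: bool

@dataclass(frozen=True)
class ClientPolicy:                 # simplified model of the client settings in step 3
    preferred: frozenset            # SSIDs on the preferred-network list
    auto_connect_preferred: bool
    auto_connect_non_preferred: bool
    infrastructure_only: bool

def would_auto_associate(policy, net):
    """True if the client would join `net` without the user asking."""
    if policy.infrastructure_only and net.mode == "adhoc":
        return False
    if net.ssid in policy.preferred:
        return policy.auto_connect_preferred
    # Assumption: an unknown network can only be joined silently if it is open.
    return policy.auto_connect_non_preferred and not net.encrypted

def audit(policy, scan):
    """Return (ssid, reason) for every network the client would silently join."""
    findings = []
    for net in scan:
        if not would_auto_associate(policy, net):
            continue
        known = net.ssid in policy.preferred
        if net.mode == "adhoc":
            reason = "ad hoc peer reusing a preferred SSID" if known else "unknown ad hoc peer"
        else:
            reason = "preferred network joined automatically" if known else "unknown open access point"
        findings.append((net.ssid, reason))
    return findings

# Constructed sample scan, not captured data.
SCAN = [
    Network("linksys", "adhoc", False),
    Network("HotelGuest", "infrastructure", True),
    Network("Free Public WiFi", "adhoc", False),
    Network("CoffeeShop", "infrastructure", False),
]
PERMISSIVE = ClientPolicy(frozenset({"linksys", "HotelGuest"}), True, True, False)
HARDENED = ClientPolicy(frozenset({"linksys", "HotelGuest"}), False, False, True)

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, audit(policy, SCAN))
```

With the permissive policy every entry in the scan is flagged, including the Ad Hoc peer that reuses a preferred SSID; with the hardened policy nothing is joined until the user asks.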

Going further
These simple steps are a good start, but more is required to prevent eavesdropping on wireless data and man-in-the-middle attacks.

  1. Secure Your Login: Many commercial hot spots use SSL to encrypt the subscriber login process: entering a username/password, passcode, or credit card number on a web page. But when was the last time that you checked to see whether your login was really encrypted? At minimum, use your browser to verify that SSL is enabled before you log in. Never log into a hot spot portal that presents an invalid certificate, or asks for a login without encryption. Larger companies may want to consider securing authentication end-to-end using a roaming client like iPass or Fiberlink.

  2. Secure Your Data: Operators usually encrypt logins, but encrypting data is an entirely different matter. T-Mobile and iBAHN support WPA data encryption in US hot spots. Everywhere else, you're on your own to prevent eavesdropping. Corporate users running IPsec or SSL VPN clients should create "connection manager" rules that ensure the VPN is up whenever wireless is active. Those who use secure applications like web mail should be careful about leaking other data. If you don't have a VPN, consider using a SOHO encryption service like Witopia Personal VPN, JWire SpotLock, or Citrix Online GoToMyPC.

  3. Avoid Evil Twins: Look-alike "Evil Twin" APs can trick hot spot users into connecting with them instead of legitimate APs. They can then launch man-in-the-middle attacks like presenting phony web pages or intercepting SSL or SSH sessions. Using a WPA-capable hot spot can help you avoid connecting to an Evil Twin by letting you verify the 802.1X Authentication Server's certificate. T-Mobile's Connection Manager checks that certificate automatically. When using another client, be sure to enable certificate verification.

  4. Monitor Your Connection: Wireless clients usually indicate connection status, but don't provide detailed connection logging, alert you to improper or suspicious wireless activity, or take preventative action when such events occur. To keep a closer eye on your wireless connection, run a host-resident wireless IDS agent like AirDefense Personal, AirTight SpectraGuard SAFE, or Network Chemistry RFprotect Endpoint. Individuals can use host WIDS to become more aware of unsafe conditions -- for example, bridging between wired and wireless connections. Larger companies can use host WIDS as part of a broader endpoint security initiative, enforcing policies that keep remote workers safe, no matter how they connect to the Internet.

These four steps do require at least some ongoing security awareness and effort. But everyone concerned with hot spot security should give them a try. Whether you're an individual, a small business, or a large enterprise, security measures like these can help you to more safely reap the benefits of Wi-Fi hot spots.


About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
