Securing your Wi-Fi Connection on the Road

By Steven J. Vaughan-Nichols

November 07, 2003

You think your data is safe when you're sitting at that hotspot? Think again. There's a myriad of steps you should take to be secure, from using personal firewalls to VPNs -- even if your company doesn't offer them.

One of the great delights of being a Wi-Fi user on the road is that no matter where you are there's a decent chance that you can get a high-speed Internet connection. If you're lucky, you can even get a free connection. What's not to like? Well, for one thing, at most public hotspots you have minimal, if any, security.

Doesn't sound like a big deal? Think again. Anyone with a sniffer can look over your virtual shoulder at your mail, your passwords, and your work. This isn't a paranoid worry. No one may be out to get you in particular, but with sniffers being almost as common as Wi-Fi cards, there is a real chance that on any given trip your passwords or credit-card numbers will appear on someone else's screen.

So what can you do? Well, you should always try to use your standard security measures such as Wi-Fi Protected Access (WPA) and that old stand-by Wired Equivalent Privacy (WEP) to protect yourself. But, when you're a Wi-Fi road warrior, you may not be able to use even WEP.

You see, your hotspot provider needs to give you the settings for any degree of Wi-Fi protection, and many don't. Indeed, most public Wi-Fi providers, as I found in recent business trips to Wi-Fi equipped convention centers and hotels in Washington DC and Boston, haven't the faintest idea of how to turn on security in the first place. For them, usually in the person of a clerk, Wi-Fi is a service that they provide and they can no more help you deploy even WEP than they can repair your cable TV when it goes on the fritz.

So what can you do? Well, for starters, install a personal firewall. Zone Labs' basic ZoneAlarm is free and works well, but McAfee's Personal Firewall Plus and Norton Personal Firewall 2004 also do a good job and you can buy them in packages with other useful programs such as spam and virus killers for a complete protection suite.

What these programs will do, though, is stop the vast majority of common network attacks. None, however, will keep your outgoing traffic from being watched like goldfish in a fish bowl by a hungry cat.

In my experience, you can expect about an attack every five minutes on most public hotspots. Many of the assaults won't be from any nearby users, but an attack is an attack. Once you've done what you can to prevent your machine itself from being raided, then you're ready to start protecting your traffic.

If you haven't already, you should turn off your Wi-Fi card's ad-hoc, aka peer-to-peer, mode. If you don't, it's possible for someone to piggyback off your net connection to the Internet. That's fine, if that's what you wanted, but usually it's not.

The closest thing to a universal way of protecting all your traffic, instead of just using, say, PGP or S/MIME for your e-mail and going only to sites that are protected by Secure Sockets Layer (SSL), is to use a virtual private network (VPN).

If you work for a business that uses a VPN, the first thing you should do is use your VPN client to hook into the corporate network. This way the secure tunnel protects your traffic, even traffic that isn't bound for your company, as it goes from your laptop to the corporate VPN gateway and from there to the Internet at large.

But, what if you don't have a business VPN? Well, you can get one from many ISPs. This used to be a very uncommon service, but it's becoming a standard for business-grade ISPs. For the most complete listing I know of, see Web Host Industry Review's FindVPN site.

Unfortunately, most of the listed Internet providers are interested in corporate work, not a lone user or a few small company employees on the road. A few ISPs, notably Earthlink, offer VPN services for individual users. However, you can't use its VPN when running Earthlink Accelerator, a data compression program that speeds up Internet connectivity. The same would be true of any other ISP's accelerator programs. VPNs and accelerators don't mix. Some Wi-Fi hotspot providers, such as Boingo, also offer a VPN client as part of their services.

If your ISP or W/ISP doesn't provide a VPN service, don't give up hope. WiFiConsulting's HotSpotVPN service may be what you need. With this service, which costs $8.88 a month after a free week's trial, you can run on a Wi-Fi net in the security of a VPN tunnel.

HotSpotVPN will work on many operating systems including Apple Mac OS X, Microsoft Windows XP, W2K, and NT, Pocket PC, Linux and the BSDs. I tested it on XP and W2K and I found it to work flawlessly.

Like any VPN, there was a bit of a performance hit, about 5 to 10% of normal traffic speed, but it was nothing that anyone will notice except on the slowest of 802.11b connections. Frankly, I'd take the security over the speed any day of the week.

Installing the program is mindlessly simple for XP and Windows users. The Web site walks you through the procedure. It's more complex for Linux and BSD users, but there's nothing here that will stop an experienced Linux or BSD user.

Follow these steps, and your hotspot Wi-Fi use will be as safe as when you're back home in the office. Of course, make sure no one is looking over your shoulder when you type in passwords and that you don't leave your laptop on the table when you go to the restroom. Properly used technology goes a long way to protecting you, but good old human stupidity will still trump it every time.
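A pre-flight check for the two laptop-side steps above (ad-hoc mode off, default route through the VPN tunnel), added here as an example that is not part of the original article. It assumes a Linux laptop with iwconfig and ip; the function names, the tunnel-interface prefixes and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example. Functions take command output as text; on a live Linux laptop
# pass "$(iwconfig 2>/dev/null)" and "$(ip route)". Samples below are constructed.

# Print the names of wireless interfaces that are in ad-hoc (peer-to-peer) mode.
adhoc_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/     { iface = $1 }   # an unindented line starts an interface stanza
        /Mode:Ad-Hoc/ { print iface }'
}

# Print the device that carries default-route traffic. A 0.0.0.0/1 entry, which
# some VPN clients add to override the default route, wins over "default".
default_dev() {
    printf '%s\n' "$1" | awk '
        function dev(   i) { for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1); return "" }
        $1 == "0.0.0.0/1" { vpn = dev() }
        $1 == "default"   { dflt = dev() }
        END { print (vpn != "" ? vpn : dflt) }'
}

# Return 0 only when no interface is ad-hoc and default traffic uses a tunnel.
# $1 = iwconfig text, $2 = ip route text. The prefix list is an assumption.
hotspot_ready() {
    adhoc=$(adhoc_ifaces "$1"); dev=$(default_dev "$2"); status=0
    if [ -n "$adhoc" ]; then echo "FAIL: ad-hoc mode on $adhoc"; status=1; fi
    case "$dev" in
        tun*|tap*|ppp*|wg*|ipsec*) echo "OK: default route via $dev" ;;
        *) echo "FAIL: default route via ${dev:-nothing}, not a tunnel"; status=1 ;;
    esac
    return "$status"
}

IW_ADHOC='wlan0     IEEE 802.11b  ESSID:"hotel-lobby"
          Mode:Ad-Hoc  Frequency:2.412 GHz  Cell: 02:11:22:33:44:55'
IW_MANAGED='wlan0     IEEE 802.11b  ESSID:"hotel-lobby"
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:11:22:33:44:55'
ROUTE_PLAIN='default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50'
ROUTE_VPN='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
128.0.0.0/1 via 10.8.0.1 dev tun0'

hotspot_ready "$IW_ADHOC" "$ROUTE_PLAIN" || echo "not ready: fix the above first"
hotspot_ready "$IW_MANAGED" "$ROUTE_VPN" && echo "ready to use the hotspot"
```

A passing check only shows that the default route leaves through a tunnel device; it does not verify who operates the far end of that tunnel.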


