My new job often has me staying in hotels for extended periods of time and requires me to send in sensitive information over the hotel's network. What would my options to improve security be? VPN tunnel to my home network?

Edit: I should have proofread the title...

Doesn't your company provide vpn access?

And this info you're sending over the net is in clear text? I would have to hope you're using an SSL/TLS connection to send this info?

"Doesn't your company provide vpn access?

And this info you're sending over the net is in clear text? I would have to hope you're using an SSL/TLS connection to send this info?"

I work on short-term projects with various companies for short durations (two to six weeks). Nobody provides secure methods of doing anything. On top of that, I still have to do all my personal stuff online over completely open hotel networks. So far, I've just been having my wife take care of it all. Most of what I'm protecting is my personal information. I'd like to be able to do this all in a more secure setting than completely-wide-open-hotel-network.

Again how are you sending this info?

Email, ftp, posting on neowin over http? Twitter?

I highly doubt you're accessing your bank via just http for example.

Yes in "theory" it would be possible on the same wifi network to sniff your traffic. But I find it unlikely in this day and age that you're sending personal info over a non secured connection like http?

So while yes it might be possible for them to sniff your dns traffic, and that you're surfing neowin, etc. I am not clear on what personal info you're concerned is in the open?

Are you worried about them running a man in the middle attack on you and presenting your box with invalid SSL certs so that they can view your traffic in the clear?

Would a 3/4G dongle not be an option ?

If I ever upgrade from a dumb-phone (but I need battery life more than I need internet access on my phone).

"Again how are you sending this info?

Email, ftp, posting on neowin over http? Twitter?

I highly doubt you're accessing your bank via just http for example."

A lot is done by e-mail.

"If I ever upgrade from a dumb-phone (but I need battery life more than I need internet access on my phone)."

I was meaning a separate USB dongle to plug into the laptop rather than your phone, not sure if you have pre-pay 3/4G dongles over there

Or are you using wifi on your phone?

"A lot is done by e-mail."

And you're sending email over just HTTP? You're sending directly to some box using smtp? Not inside a TLS connection?

Who do you use for email? Google provides https for your email, etc.

Even if you run a vpn to your home.. Where is the email server.. That traffic is going to be in the clear from your home network or wherever the vpn end point is to the email server. And then when that email gets sent to dest, it's going to be in the clear as it gets sent to the recv server.

Email is sent all over the internet in clear.. Not sure why you would be worried about the traffic between you and the server, when from that server to where you're sending is open ;) You could always encrypt your email if you're worried about the security of email. But a vpn does not really solve that issue in general.

To correctly secure what you're worried about, we need to understand what it is you're worried about. Sure a vpn would hide the traffic from the local network you're on to where the vpn endpoint is. But what are you moving over the local network that would be of concern.. Most anything that would be of concern should already be inside an endpoint to endpoint encryption method. HTTPS for example. This secures your traffic from your client to the endpoint. So a VPN does not really provide any more security for that sort of connection.

What I do when I have to use an open hotel network is:

- I have a Cisco PIX 515 that was picked up for cheap, running the latest software and it supports IPSec VPN clients

- I tunnel into my home network via the Pix and since I do not enable split-tunneling, all vpn internet traffic is hairpinned back out the outside interface of the PIX. Thus it's like I'm surfing from home.

Alternatively, you can set up an RDP server at your home, with SSL and NLAuthentication that you surf/send your email with at your home network. I know how you feel surfing on a public wifi network... Even the neowin login page is not encrypted...

"Even the neowin login page is not encrypted..."

Very valid point!! But then again it's not encrypted when you log in from your house either ;) So anyone between your house and neowin could in theory see that traffic. Which is an issue I will be posting about in a few minutes to be sure.

If that sort of thing is his concern, then yes a vpn would keep people on that local wifi network from sniffing his traffic and seeing his neowin login. Last I checked neowin wasn't a bank ;) Is someone going to login as you and make some bad posts? All kidding aside that is a valid example.

But you don't need a pix at home to secure his traffic from local wifi - simple ssh tunnel to something outside, home, vps, etc.. would secure such traffic.

Ways to secure your communication without a ton of effort.

If you have a home machine that is on all the time, set up either RDP (if it's an XP Pro / Win7 Pro / Win8 Pro or higher machine) or set up a VPN or SSH tunnel.

If all you're doing is e-mail, set up SSL or some other encryption that your e-mail server has for your in-bound and outbound servers.

"But you don't need a pix at home to secure his traffic from local wifi - simple ssh tunnel to something outside, home, vps, etc.. would secure such traffic."

Of course not, it's a convenient leftover from my ccnp heh. The thing I am concerned with is not once you leave the local net but packet sniffers on the same subnet sharing the free open wifi at the hotel... There if you surf to and log in to sites like neowin is where passwords get compromised.

I hear you - and just posted about the login being in the clear on the site issue section. That needs to be corrected!!! That is BAD PRACTICE for something like that to be in the clear.

You would hope most sites would not be setup as such - but you make a valid point! And yes the way to secure such things from the local wifi sniffers (guy next room maybe) Or at an airport would be with a vpn or tunnel to something outside that location.

Problem is that solution does not actually fix the root of the problem - that the username and password would be sent in the clear is the root of the problem. And I am hoping that is just an oversight on neowin's part. Most sites should not have such info in the clear -- does not mean they can not intercept your cookies if that is not encrypted as well and get logged in as you, etc..

So again you make a valid point -- what I was fishing for was the OP to state such concerns. As I stated before you have to understand what you're worried about or the details of the security problem to make sure you secure it correctly.

Oh, oh oh! I just thought of another secure system while out and about ... Dial up! ... lol sorry, couldn't resist. I think AOL still has some dialup ... somewhere ... haha.

"Oh, oh oh! I just thought of another secure system while out and about ... Dial up! ... lol sorry, couldn't resist. I think AOL still has some dialup ... somewhere ... haha."

Long distance phone charges on the hotel bill! :wacko:

Hello,

As a slight modification of the suggestion to use a 3G/4G USB dongle, I would suggest a 3G/4G "Mi-Fi" personal hotspot. These are little (about the size of a couple of business card case holders stacked together) battery-powered routers which bridge an 802.11b/g/n connection to a 3G/4G radio. Advantage of using a hotspot over a USB dongle is that multiple devices (typically up to five) can connect at once (tablet, smartphone, laptop) which is useful if you are traveling with co-workers, a spouse and so forth. There are a few pay-as-you-go ones, as well as with services from the normal carriers. I have used devices from Novatel Wireless and Samsung on AT&T and Verizon and found that on 4G they typically outperform hotel and coffeeshop wireless connections. Disadvantage is, of course, that it requires the purchase of additional hardware plus a monthly recurring cost for billing, but as a business expense you would at least be able to deduct it.

Regards,

Aryeh Goretsky

I don't really see the reason to bring your own connection to the party? Sure if the OP has issues with getting a connection then that is one option, and would be more secure than open wifi from the standpoint of other users of the wifi sniffing his traffic for stuff in the clear.

So to clarify the issue - is other open wifi users sniffing traffic and gleaning information from stuff sent in the clear. Be it a misconfigured website that does not https the login (sad to say like neowin). Or snagging the cookies and hijacking a logged in session, etc.

So to mitigate this specific problem, then yes a vpn to a location off the wifi network would be a simple, easy solution. This could be as simple as ssh session to a location outside the hotel and tunneling your browser traffic through that session. This takes 2 seconds to set up with putty and any ssh connection you might have. School, webhost server, vps, home, etc.

Or you could run actual vpn. Be it your home router supports it or you run a server on your network for it, etc. Now my router is pfsense - which has multiple vpn solutions built in. So I run openvpn on 443 tcp and the standard 1194 udp port.. You never know where you might not get udp ports outbound, this is why I like the 443 option. If you have internet access, it's a pretty good shot that 443 is open. The suggested ipsec vpn to a pix while that is a great solution - not all locations are going to allow an ipsec vpn which requires protocols 50 and 51 and some ports outbound that are not really standard - quite often you need static source port nat on the udp 500 port for passthrough, etc. I have been to some hotels where you have to ask for a special connection to be able to use that sort of vpn.

Whereas an ssl based vpn normally can bounce off a proxy even.. So it's a more robust option in my opinion.

If you don't have a location you can run your own vpn connection - then sure you could sign up for a service. Not a real fan, because now you're routing all your traffic through a 3rd party that may or may not be reputable. Then there is also Tor as an option - it is free, and would protect you from local wifi sniffing, etc.

If you can not run the vpn/ssh connection at home - or if you want a safety net for if your home connection is down. I would suggest you find a lowend server for such duty. I have one that cost only $15 a year - now it only allows for 500GB of traffic a month. But hey my home comcast is supposed to have a 250GB cap, so doesn't seem like an issue. Works out great as a vpn/ssh endpoint - I mostly use it for testing and you just can not beat the price.

http://www.lowendbox.com/

http://lowendstock.com/

etc..

BTW for those tablet users - openvpn has released an official client for ios

https://itunes.apple...ect/id590379981

There have been options for openvpn for android for quite some time, but it was nice to see them finally offer something for ios that did not require jailbreak/root access. And here is the official android openvpn client https://play.google....openvpn.openvpn

Openvpn server can be as simple to set up as launching a VM for your fav vm host, be it virtualbox, vmware, hyper-v, etc. If your router does not support it.
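The fallback described in the post above (standard UDP 1194 first, TCP 443 where UDP is blocked), with all traffic sent through the tunnel rather than split, looks like this as an OpenVPN client profile. This is an added example, not the poster's own configuration; the host name `vpn.example.net` and the certificate file names are placeholders.

```conf
# OpenVPN client profile (added example; host and file names are placeholders)
client
dev tun
nobind
persist-key
persist-tun
resolv-retry infinite

# Connection profiles are tried in order: UDP 1194 first,
# then TCP 443 for networks that only let web ports out.
<connection>
remote vpn.example.net 1194 udp
</connection>
<connection>
remote vpn.example.net 443 tcp
</connection>

# Full tunnel: route all internet traffic through the VPN so nothing
# is left on the hotel network in the clear (no split tunneling).
redirect-gateway def1

# Only accept a peer that presents a server certificate signed by our CA.
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key

verb 3
```

The server side needs one listener per transport, since a single OpenVPN server instance listens on one port and protocol.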

Hello,

I still use a VPN connection to get into work (actually several, but that's another story), but I was thinking in terms of getting off of the hotel's network (wireless or wired) in its entirety. It really depends on what your needs are and, of course, your budget. One nice thing about providing your own hotspot is the ability to use it in places where you have cellular coverage, but no or poor network connectivity.

Regards,

Aryeh Goretsky
