Back to municipal Wi-Fi security again (I'll get onto other topics as soon as I get all of this out, I swear). There are two important things left to cover though: transmission security and device security. If you're new to this topic of muni Wi-Fi security, please have a look at some of my previous posts first, in order to catch up (Part I, Part II, and Part III).
I'll start with transmission security, which generally gets a lot of discussion. Transmission security really covers everything that you send or receive over the wireless network after you're "connected". Now, remember that because Wi-Fi is a broadcast radio signal, anyone can receive it. This means anyone who wants to can see whatever you're sending or receiving. If you don't want them to do that, your transmissions need to be encrypted in some way. For encryption you basically have two choices: either you can use one of the Wi-Fi encryption technologies, or you can use a virtual private network (VPN). Using something like WEP requires that the network support it. Since most municipal networks won't support this, it's not really an option. Also, some of the standards used in WEP are fairly weak and easily broken.
A second choice is to use some type of VPN service. Many companies provide VPN services for their roaming employees and there are some open/free services for consumers. Unfortunately, I think most of these services are pretty hard for the average consumer to use and install. I have seen a couple of examples of municipal networks where they suggest downloading a VPN-like tool. The ones I've tried have been simplified for consumer use, but I still don't think they are easy enough to use. As a matter of fact, I talked with one muni Wi-Fi user who thought that by clicking the link to download the tool, they were then "secure". The user honestly didn't realize that they had to install and run the tool for it to protect them. This example demonstrates that we should be concerned about the security skill level of users in the muni Wi-Fi environments.
So, what can you do? Well, if you're able to do it and you understand the technology, using a VPN is the best solution. If that's too much, then your best bet is simply to not send or receive any sensitive information. If you must give out a password or something similar, make sure you're connected to a secure (SSL-enabled) Web site. While it’s not often that an entire Web site will be encrypted, if you can at least avoid sending the password “in the clear”, it's an improvement.
Lastly, we come to device security. This receives almost no coverage, but in my opinion, it is really critical. People don't seem to get that when you are on a public network, anyone else on that network can see you (well, your laptop). You're not behind your home or office firewall anymore. A bad guy scanning the network can pretty easily see your laptop, scan it for vulnerabilities, and attempt to attack it (installing malware or back doors, stealing data, etc.). Fortunately, this risk is easily remedied. Anyone using a public wireless network should make sure they have a local (resident on the laptop, I mean) security package that provides things like a firewall and intrusion prevention. If you don't have these, please make the effort to tighten down whatever firewall is built into your operating system. While many operating systems include firewall functionality, the default policy is often not very secure.
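To see what the rest of a public network could reach on your own laptop, you can list the services that are listening on a non-loopback address. The script below is an added example, not part of the original post. It assumes a Linux laptop (it reads the `/proc/net/tcp` table, IPv4 only), and the sample table and function names are constructed for illustration.

```python
import socket
import struct

LISTEN = "0A"  # state code the kernel uses for a listening TCP socket

# Constructed sample in /proc/net/tcp format (not captured from a real machine).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 0A01A8C0:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003 1
   3: 0A01A8C0:C350 010200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20004 1
"""


def decode_addr(field):
    """Turn a field such as '0100007F:0277' into ('127.0.0.1', 631)."""
    ip_hex, port_hex = field.split(":")
    # Assumption: little-endian host (x86/ARM laptops), so the IP bytes are reversed.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def exposed_listeners(proc_net_tcp_text):
    """Return (ip, port) pairs, sorted by port, that listen on a non-loopback address."""
    exposed = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # established connections and other states are not listeners
        ip, port = decode_addr(fields[1])
        if not ip.startswith("127."):  # loopback-only services are not reachable
            exposed.append((ip, port))
    return sorted(exposed, key=lambda pair: pair[1])


if __name__ == "__main__":
    # Use the live table on Linux; fall back to the constructed sample elsewhere.
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE
    for ip, port in exposed_listeners(text):
        print(f"listening and reachable unless the firewall blocks it: {ip}:{port}")
```

Anything this prints is a port your firewall policy needs to cover before you join a public network; IPv6 listeners live in `/proc/net/tcp6` and are not checked here.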
So, where does that leave us? We've talked about a number of different risks and some ways to mitigate them. Some of these don't have great solutions yet, but with some care and a little effort, you should be able to make the most of these municipal Wi-Fi networks. Overall, I think these networks are promising and potentially pretty useful. It's going to be interesting to watch as the networks go live and to see just how much security factors into the picture. Maybe I'll check back in a few months and comment on how things are going.