Muni Wi-Fi Tunneling
As municipal Wi-Fi networks begin to roll out, I've begun to notice a trend that isn't surprising, but is still a bit worrisome. Business users are beginning to use the muni Wi-Fi in the office. While the signal doesn't often penetrate too deeply into buildings, conference rooms and window offices seem to get a sufficient signal in many cases. The problem is that I see people using the muni Wi-Fi signal instead of the office IT-supported network. Sometimes they just use it because it's more convenient: the office IT network is "secure" and requires extra work, such as entering keys or using a VPN. Sometimes they do it because they explicitly want to avoid the local IT policy controls (access to restricted sites, use of restricted applications, etc.).
So, why is this a problem? First, it exposes the user's computer to the Internet without the normal protection of the office IT security safeguards (like a firewall). While it's quite possible to secure the computer sufficiently on its own, it's all too common for such computers to be lightly secured and to rely on the network infrastructure instead. When that computer is exposed on its own, it's at risk of being targeted by remote attackers, malware, etc. At a minimum the exposed computer can be compromised. Worse, it can carry something malicious back into the business network when the user reconnects locally. A second type of risk is present if the user is simultaneously connected to both the muni Wi-Fi and the local wired network. Depending on how the networks are configured, it is possible for them to be "bridged" (connected). This could allow a remote attacker to enter the local office network through the unsecured wireless interface and gain access to internal network resources. While gaining such access through the "front door" might normally be very hard for an attacker, using such a "back door" is likely to be much easier.
So, what to do? First, IT departments should develop and implement a clear policy about using "Mu-Fi" networks (preferably banning their use outright). Ideally, they could enforce this ban, but that's fairly difficult. Most operating systems don't include such a capability, though there are some third-party applications available that can provide it. Second, IT departments should secure all of their computers (laptops, desktops, servers, etc.) so that they are sufficiently "secure" even when outside the network. The use of local firewalls, antivirus, and intrusion prevention is good practice because laptops may roam on other networks when outside the office. Finally, there should always be policies governing (banning) the circumvention of network controls and bridging.
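The two conditions the post warns about, a machine sitting on the muni Wi-Fi with no corporate connection at all, and a dual-homed machine that could bridge the two networks, are both visible from the host's own interface table. The following is an added example (not code from the post) of a small endpoint check an IT department could run as part of enforcing such a policy: it parses the brief address listing in the format produced by `ip -br addr` on Linux, classifies each interface as corporate or external, and reports the risky combinations. The corporate subnet, the approved SSID name, the SSID-to-interface mapping, and the sample interface listing are all constructed assumptions for the example.

```python
"""Dual-homing / bridging check for a workstation (added example).

Flags a host that is (a) connected only to a non-corporate network, so it
lacks the office safeguards, or (b) attached to both a non-corporate Wi-Fi
network and the corporate LAN at once, which becomes a bridge if IP
forwarding is enabled.  All sample data below is constructed.
"""
import ipaddress

# Assumed values for the example: the corporate address range and the
# IT-managed SSID.  A real deployment would take these from policy config.
CORPORATE_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
APPROVED_SSIDS = {"CorpWLAN"}


def parse_ip_brief(text, ssids=None):
    """Parse lines in the `ip -br addr` layout: NAME STATE ADDR/PREFIX ...

    `ssids` maps a wireless interface name to the SSID it is joined to;
    that association comes from a separate tool, so it is passed in.
    """
    ssids = ssids or {}
    interfaces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, state = parts[0], parts[1]
        # First IPv4 address; IPv6 entries contain ':' and are skipped here.
        ipv4 = next((p.split("/")[0] for p in parts[2:] if ":" not in p), None)
        interfaces.append({
            "name": name,
            "up": state == "UP",
            "ip": ipv4,
            "ssid": ssids.get(name),
        })
    return interfaces


def classify_interface(iface, corporate_subnets=CORPORATE_SUBNETS,
                       approved_ssids=APPROVED_SSIDS):
    """Return 'corporate', 'external', or 'down' for one interface."""
    if not iface["up"] or not iface["ip"]:
        return "down"
    addr = ipaddress.ip_address(iface["ip"])
    if addr.is_loopback:
        return "down"
    if any(addr in net for net in corporate_subnets):
        return "corporate"
    if iface["ssid"] in approved_ssids:
        return "corporate"
    return "external"


def assess_host(interfaces, ip_forwarding):
    """Return the list of findings for a host.

    ip_forwarding is the value of net.ipv4.ip_forward (or the equivalent
    routing setting); a dual-homed host with forwarding on can relay
    traffic between the external and corporate networks.
    """
    classes = {i["name"]: classify_interface(i) for i in interfaces}
    corporate = [n for n, c in classes.items() if c == "corporate"]
    external = [n for n, c in classes.items() if c == "external"]
    findings = []
    if external and not corporate:
        findings.append("external-only")      # exposed without office safeguards
    if external and corporate:
        findings.append("dual-homed")         # policy violation on its own
        if ip_forwarding:
            findings.append("forwarding-enabled")  # the bridge is live
    return findings


# Constructed sample: wired link on the corporate LAN plus a muni Wi-Fi link.
SAMPLE_LISTING = """\
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             10.20.5.17/24 fe80::1/64
wlan0            UP             192.168.41.9/24 fe80::2/64
"""
SAMPLE_SSIDS = {"wlan0": "MuniFreeWiFi"}

if __name__ == "__main__":
    ifaces = parse_ip_brief(SAMPLE_LISTING, SAMPLE_SSIDS)
    print(assess_host(ifaces, ip_forwarding=True))
```

On a real host the listing would come from running `ip -br addr` and the forwarding flag from `/proc/sys/net/ipv4/ip_forward`; the check is deliberately conservative, so an interface on an approved SSID but outside the corporate range is still treated as corporate rather than flagged.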