Swen Baumann

According to a report from the Wireless Broadband Alliance and analyst firm Informa Telecoms & Media, the number of public Wi-Fi hotspots globally is exploding. The 1.3 million currently available is expected to increase to 5.8 million by 2015 — and this figure doesn't even account for community hotspots, or the sharing of Wi-Fi access points by users.

Unfortunately, with the number of public Wi-Fi hotspots growing more than fourfold over the next couple of years, so will the security risks for end-users and enterprises.

For instance, via public hotspots, it's relatively easy to listen in on and read data traffic and communication, as data transfer typically occurs over unprotected, unencrypted networks. As such, companies tend to only allow their employees to access the company network via encrypted VPNs, and prevent them from using their web browsers to connect directly to the internet.

But even with corporate guidelines in place, many scenarios can leave end-users and enterprises vulnerable. One example is user complacency. The Wi-Fi Alliance and Wakefield Research found that although users know what measures they should take to ensure public Wi-Fi hotspot security, only a few are actually putting them into practice. Only 18 percent of users who connect to public hotspots use VPN software, the study found.

Another example involves both the technical know-how of network administrators and user awareness. Take an employee who, in order to log in to a public hotspot, has to register via a web browser outside the secured area of their VPN connection. For the network administrator, this means either setting the firewall rules for HTTP or HTTPS so that this feature is available at any hotspot, or configuring the firewall so that the HTTP or HTTPS ports are only opened when required.

In the latter case, the employee is allowed to open the ports for a certain time span (e.g. two minutes). Both approaches pose a security risk, because the employee can surf the web without the protection of a VPN tunnel, and at that point malicious code may install itself on the employee's device. If the firewall is opened temporarily, the employee can exploit this feature by triggering the time span several times in a row, or they might be able to change the firewall rules. Either can cause misconfigurations and leave the device and corporate network open to attack. So the employee has to know exactly which security changes have to be made, and where.

To ensure that public Wi-Fi hotspot security doesn't get the best of employees and enterprises like this, the following is recommended.

First, initiate hotspot logon from within the VPN client, provided it has an integrated personal firewall. This will allow the administrator to define the standard web browser or any downgraded web browser for VPN logon. So, when the user selects "hotspot logon" at the VPN client, the integrated firewall is temporarily opened for the duration of the procedure, and the hotspot logon website will still be displayed.

Depending on the hotspot provider, it might be necessary to display several websites during the logon procedure. For this reason, the firewall of a VPN client should only allow a certain, pre-defined number of target IP addresses for each hotspot logon. This restriction is in place to keep users from surfing unprotected after successfully connecting. Likewise, it is important to restrict the time span for opening the firewall during hotspot logon to, for example, 60 seconds.
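The policy described in the last two paragraphs (a firewall window that is open only briefly, only to a handful of destinations, and that cannot be re-triggered to stretch into unprotected browsing, the failure mode noted earlier) can be written down as a small state machine. The following is an added example, not code from the article or from any VPN client product; the class, its defaults, the clock injection and the IP addresses are constructed for illustration, and a real personal firewall would apply the same decisions to live packets.

```python
"""Model of a time- and destination-limited firewall window for hotspot logon.

Added example, not code from the article or from any VPN product. The class,
its defaults and the addresses used below are constructed for illustration.
"""
import ipaddress
import time


class HotspotLogonWindow:
    """One temporary opening of the personal firewall for captive-portal logon.

    Policy enforced:
      * the window closes after ``max_seconds`` (the text suggests 60 s);
      * at most ``max_targets`` distinct destination IPs may be contacted,
        so a finished logon cannot turn into unprotected browsing;
      * only ``allowed_ports`` (HTTP/HTTPS by default) are opened;
      * after a window ends, a new one is refused for ``cooldown_seconds``,
        so the time span cannot be triggered several times in a row.
    """

    def __init__(self, max_seconds=60, max_targets=3, cooldown_seconds=300,
                 allowed_ports=frozenset({80, 443}), clock=time.monotonic):
        self.max_seconds = max_seconds
        self.max_targets = max_targets
        self.cooldown_seconds = cooldown_seconds
        self.allowed_ports = frozenset(allowed_ports)
        self._clock = clock            # injectable so the scenario below is deterministic
        self._opened_at = None         # None while the window is closed
        self._closed_at = None         # when the last window ended
        self._targets = set()

    def _expire_if_due(self, now):
        """Close the window once its time span has run out."""
        if self._opened_at is not None and now - self._opened_at >= self.max_seconds:
            self._closed_at = self._opened_at + self.max_seconds
            self._opened_at = None
            self._targets = set()

    def is_open(self):
        self._expire_if_due(self._clock())
        return self._opened_at is not None

    def open(self):
        """User selected 'hotspot logon'. Returns True if the window was opened."""
        now = self._clock()
        self._expire_if_due(now)
        if self._opened_at is not None:
            return False               # already open; never extend the span
        if self._closed_at is not None and now - self._closed_at < self.cooldown_seconds:
            return False               # re-triggering refused during cooldown
        self._opened_at = now
        self._targets = set()
        return True

    def close(self):
        """Logon finished or aborted: close the window immediately."""
        if self._opened_at is not None:
            self._closed_at = self._clock()
            self._opened_at = None
            self._targets = set()

    def allow(self, dst_ip, dst_port):
        """Decide whether an outbound packet may bypass the VPN tunnel right now."""
        now = self._clock()
        self._expire_if_due(now)
        if self._opened_at is None or dst_port not in self.allowed_ports:
            return False
        addr = ipaddress.ip_address(dst_ip)
        if addr in self._targets:
            return True                # a portal host already on the short list
        if len(self._targets) >= self.max_targets:
            return False               # one destination more than the logon needs
        self._targets.add(addr)
        return True


class FakeClock:
    """Constructed clock so the scenario runs without real waiting."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Logon to two portal hosts, refuse a third, expire, refuse a re-trigger."""
    clk = FakeClock()
    win = HotspotLogonWindow(max_targets=2, clock=clk)
    steps = [("open", win.open()),
             ("portal 443", win.allow("203.0.113.10", 443)),
             ("redirect 80", win.allow("203.0.113.11", 80)),
             ("third host", win.allow("198.51.100.5", 443))]
    clk.t += 61                        # past the 60 s span
    steps.append(("after 61 s", win.allow("203.0.113.10", 443)))
    steps.append(("re-trigger", win.open()))
    return steps


if __name__ == "__main__":
    for label, decision in demo():
        print("%-12s %s" % (label, "allowed" if decision else "refused"))
```

The cooldown is the part most implementations forget: without it, the user (or malware on the device) can simply press "hotspot logon" again as soon as the window closes, which is exactly the repeated triggering the text warns about.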

Another way to secure hotspot logon is the integration of the Wireless Internet Service Provider Roaming (WISPr) protocol into the VPN client. This will eliminate the need for a web browser altogether. Logon is carried out directly from within the VPN client via the XML data stream and based on saved logon data. The user only starts the connection setup at the client and is then able to securely access the company network and exchange data.
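What the browser-less logon looks like on the wire, as an added example that is not code from the article or from any vendor's VPN client: the captive portal embeds a WISPr XML block in an HTML comment, the client parses it, POSTs its saved logon data to the LoginURL and reads the XML reply. The element names and numeric codes follow the WISPr 1.0 specification as recalled by the author of this example; the portal page, URLs and account are constructed, and the HTTPS transport is replaced by a callable so the flow runs offline. The one check a practitioner should insist on is in `parse_redirect`: saved credentials are only ever sent to an HTTPS LoginURL.

```python
"""Browser-less hotspot logon with WISPr 1.0, modelled offline.

Added example, not code from the article or any VPN client. XML layout and
codes per WISPr 1.0 as recalled; sample pages, URLs and credentials constructed.
"""
import re
import urllib.parse
import xml.etree.ElementTree as ET

# WISPr 1.0 ResponseCode values this example cares about
LOGIN_SUCCEEDED = 50
LOGIN_FAILED = 100
AUTH_PENDING = 201

_WISPR_BLOCK = re.compile(r"<\?xml.*?</WISPAccessGatewayParam>", re.DOTALL)


def extract_wispr_xml(html):
    """Return the WISPr XML the portal hides in an HTML comment, or None."""
    m = _WISPR_BLOCK.search(html)
    return m.group(0) if m else None


def _fields(xml_text, container):
    """Map child tag -> text for the given container element."""
    node = ET.fromstring(xml_text).find(container)
    if node is None:
        raise ValueError("missing <%s> element" % container)
    return {child.tag: (child.text or "").strip() for child in node}


def parse_redirect(xml_text):
    """Parse the initial <Redirect>; refuse a LoginURL that is not HTTPS.

    Saved logon data must only leave the client over TLS; a plain-HTTP
    LoginURL would expose the credentials to anyone on the hotspot.
    """
    f = _fields(xml_text, "Redirect")
    login_url = f.get("LoginURL", "")
    if urllib.parse.urlsplit(login_url).scheme != "https":
        raise ValueError("refusing non-HTTPS LoginURL: %r" % login_url)
    return {"message_type": int(f.get("MessageType", "0")),
            "response_code": int(f.get("ResponseCode", "0")),
            "login_url": login_url,
            "abort_url": f.get("AbortLoginURL", ""),
            "location": f.get("LocationName", "")}


def build_login_body(username, password):
    """Form body for the login POST; UserName/Password are the WISPr field names."""
    return urllib.parse.urlencode({"UserName": username, "Password": password})


def parse_auth_reply(xml_text):
    """Return (response_code, logoff_url) from an <AuthenticationReply>."""
    f = _fields(xml_text, "AuthenticationReply")
    return int(f["ResponseCode"]), f.get("LogoffURL", "")


def wispr_logon(portal_html, username, password, post):
    """Client flow: parse redirect, POST saved credentials, evaluate the reply.

    ``post(url, body)`` is the transport and returns the reply body as text.
    """
    xml_text = extract_wispr_xml(portal_html)
    if xml_text is None:
        return {"ok": False, "reason": "portal does not support WISPr"}
    redirect = parse_redirect(xml_text)
    reply = post(redirect["login_url"], build_login_body(username, password))
    code, logoff_url = parse_auth_reply(reply)
    return {"ok": code == LOGIN_SUCCEEDED, "code": code, "logoff_url": logoff_url}


# --- constructed sample data (not captured from any real portal) ------------
PORTAL_HTML = """<html><head><title>Wi-Fi Login</title>
<!--
<?xml version="1.0" encoding="UTF-8"?>
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Redirect>
<MessageType>100</MessageType>
<ResponseCode>0</ResponseCode>
<AccessProcedure>1.0</AccessProcedure>
<LocationName>Example Hotel Lobby</LocationName>
<LoginURL>https://portal.example.net/login</LoginURL>
<AbortLoginURL>https://portal.example.net/abort</AbortLoginURL>
</Redirect>
</WISPAccessGatewayParam>
-->
</head><body>Please log in</body></html>"""

AUTH_REPLY_OK = """<?xml version="1.0" encoding="UTF-8"?>
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<AuthenticationReply>
<MessageType>120</MessageType>
<ResponseCode>50</ResponseCode>
<LogoffURL>https://portal.example.net/logoff</LogoffURL>
</AuthenticationReply>
</WISPAccessGatewayParam>"""


def fake_post(url, body):
    """Constructed stand-in for the HTTPS POST; accepts one known account."""
    params = urllib.parse.parse_qs(body)
    if params.get("UserName") == ["alice"] and params.get("Password") == ["s3cret"]:
        return AUTH_REPLY_OK
    return AUTH_REPLY_OK.replace("<ResponseCode>50", "<ResponseCode>100")


if __name__ == "__main__":
    print(wispr_logon(PORTAL_HTML, "alice", "s3cret", fake_post))
```

Because the whole exchange is XML over HTTPS driven by the client, the firewall window from the previous paragraphs needs to admit only the portal's LoginURL host, and the user never sees a page on which they could start browsing.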

It is also important to ensure that the VPN client contains security mechanisms that can detect whether the user is in a secure network, versus an insecure one. As soon as the VPN client detects a secure network, the integrated firewall should activate the rules that have been configured.

Administrators usually define stricter firewall rules for unknown or insecure networks. For this to hold, the VPN client should not identify a secure network solely by recognizing IP address ranges or the IP addresses of certain server services; it should also use certificate-based authentication for the purpose. Unlike IP address range detection, this "friendly network detection" rules out spoofing by manipulating IP address ranges.

Users in unfamiliar public Wi-Fi hotspots, such as those in hotels, may be unable to reach the corporate network over a standard IPsec connection. For them, look for VPN technologies that can recognize when their VPN gateways cannot be reached: the VPN client software should automatically switch to a modified IPsec protocol mode that emulates HTTPS in order to set up a secure VPN tunnel.

Users considering SSL instead should think again: IPsec connections put little load on the resources of VPN gateways, and all IPsec security mechanisms, such as the concurrent use of certificates, remain available in this modified mode.

Public Wi-Fi hotspot security doesn't have to be a cause for concern. If enterprises can ensure that gaps during the logon and connection set-up processes are closed, and if they strictly enforce firewall rules and user awareness, and go with the right encrypted VPN technology, connecting via an airport, hotel or coffee shop network can be just as safe as doing so via their own LANs.