Wireless Security with VPNThe danger of using public 802.11b wireless Ethernet hotspots is that other people can listen in on your networking traffic. When you check your mail or have instant-message chats with your Aunt Gretchen, everybody else in the coffee shop can listen to your network packets and see what you're up to. Sniffing packets is a common hacking practice to grab people's passwords, credit card numbers, and emails. You can protect yourself by using a Virtual Private Network. VPNs are a connection from you to someplace secure, like your home or office. When you request something from the Internet (like www.hal-pc.org), the request is encrypted and sent to your secure location, and the returned results are also sent back to you encrypted. When people listen in on your network packets in the coffee shop, all they see is encrypted data, so they can't hear you telling Aunt Gretchen how much you miss her PB&J sandwiches. VPNs require a specialized VPN server to do all the encrypting. For years, telecommuters and branch-office staff have used VPNs to connect up to their main office - the VPN server would be placed at their office, so they could call into the server from anywhere and access their file servers and printer servers. Now, wireless Ethernet users are starting to pick up on VPNs, because the traffic between you and the VPN server is encrypted. You can sit in the coffee shop, surf the 'Net, check your email, and all of your Internet traffic is encrypted. Wireless users don't really care to access a specific location - they just want all of their traffic encrypted so that fellow wireless users can't listen in. For years, VPNs have been expensive, complex systems that took a lot of knowledge to set up. Over the past few months, I've been testing three systems that take away the expense - but unfortunately, the complexity remains. The Pay-By-The-Month Solution: HotSpotVPN.comHotSpotVPN.com runs publicly accessible virtual private networks that you can use for $8.88 per month. Setup is fast and easy: computers running Windows 2000 and Windows XP don't have to install a single thing, because HotSpotVPN uses the Windows PPTP VPN client. In theory, in a matter of five minutes you can be up and running without a single bit of VPN knowledge. As they say - in theory, in theory and in practice are the same. But in practice, they're different. HotSpotVPN.com was among the worst customer experiences I've had. It took four tries and three emails before they would send my username and password - and this was after they'd charged my credit card twice. Their web site does not have a way of retrieving your username and password, checking your account status, or checking their system status. They don't even have a forum for users to discuss problems. When I finally got my login information, I hit the next roadblock: I got ridiculously slow bandwidth. While connected to HotSpotVPN, I found that I was actually getting slower download speeds than the people next to me - who were using dialup modems. Disconnect from HotSpotVPN, and my download speeds would skyrocket to full T1 speeds again. I spoke with company staff on several occasions, and they were more harmful than helpful: they expected their users to know intimate details of TCP/IP settings, manually changing Windows registry settings, and more. I wanted to recommend HotSpotVPN.com as the easy way for networking novices to get a secure wireless connection, but with the bad service, slow turnaround, and weak web site, I simply can't recommend it to anyone. The Hardware Solution: Your Own VPN RouterIf you have broadband at home, you can set up your own VPN router. No, wait; don't run away - it's actually a lot easier than you think. You can protect your wireless traffic, get access to your home network from anywhere, and protect your home PCs as well, all for under $250. You don't even have to have a static IP address at home: today's routers have built-in support for Dynamic DNS, so they'll always be accessible via the same IP address. The major drawback of using your own VPN router is that when you're in the coffee shop, your Internet traffic is going from the coffee shop, home to the router through your broadband connection, and then back out through your broadband connection. For those of us with high-speed 1.5mbps links, that's not an issue, but if you've got the basic level of DSL or RoadRunner, you may find the speed a little restricting. First, I started with the Linksys BEFVP41 VPN router, an IPsec solution that also requires an IPsec VPN client on your laptop. (It won't work with the PPTP VPN client included with Microsoft Windows 2000 and XP.) The router goes for around $150, but the software client will run another $100. I used SSH Sentinel from www.ssh.com because they have configuration information specifically for the Linksys router: www.ssh.com/documents/31/ssh_sentinel_14_linksys.pdf The Linksys was a mild success: I was able to successfully set up a VPN connection from coffee shops, have a secured wireless Internet connection, and access my home computers from wherever. However, the setup is far from straightforward, and the prospect of spending $100 per VPN client adds up quick. Plus, the Linksys BEFVP41 isn't a wireless router: if you're using it at home, you'll still probably want a separate wireless access point so you can use your laptop all over the house. Enter the SMC Barricade SMC7004WFW. This $230 device functions as both a wireless router and a VPN end point, so this is an all-in-one solution that protects your home network, allows you to use your laptop anywhere in the house, and even allows you to secure your wireless connections at the coffee shop! Even better, it works with PPTP VPNs, meaning you don't have to add any software on Windows 2000 and XP. The Barricade easily won my approval - especially after hassling with the above two "solutions" first. The Next Step: Connecting OfficesIf you have a small office at work (2-20 people), you might well consider using the SMC Barricade SMC7004WFW as your tool to share the Internet connection among all of your PCs. For one low price, it allows your employees to work remotely, over secured connections - from home, from the coffee shop, or from branch offices. If you have several people that need to work from home, you can put one of these SMC Barricades at each house, and all of the users will be on the same network for a much lower cost than conventional VPN products. One thing to keep in mind is that each of the networks will need a unique set of IP addresses. If two of the houses are set up as 192.168.1.x, for example, they'll have IP address conflict problems. In summary, setting up VPNs is still no easy task, but it's getting easier and certainly less expensive. You can get a quality solution for under $250, and with help from sites like www.PracticallyNetworked.com and fellow HAL-PC members, you can get up and running with a secure network in a matter of minutes |
2003 Brent Ozar is a HAL-PC member, web developer and network admin. He lives with his girlfriend, two turtles, and the sad knowledge that he will never kick his coffee habit. He can be contacted at brento@brentozar.com.
|