Securing my PC at a Wireless Hotspot?


Securing my PC at a Wireless Hotspot?

Panarchy
Hello

You've probably been to a café before that offered WiFi via a Wireless
Hotspot. Or maybe you've been to an airport that had some hotspots?
Well whatever the case, I'm sure you've seen a Public Wireless
Hotspot. Or, at the very least, heard of them.

So my question to you is, NOT on how to secure the Wireless Hotspot,
but rather on how to secure the connection on my end, to the Hotspot.

So, how do I secure my PC at a Wireless Hotspot?

Would there be a way to have 256-bit AES or 256-bit Camellia
encryption on all outgoing traffic?

Or would you recommend a different method?

If this is of any use, I will be using the following laptop: Dell
Inspiron 700m.

Can I please have some recommendations on what I need in order to
secure my connection to the
Wireless Hotspot?

Thanks in advance,

Chip D. Panarchy


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: Securing my PC at a Wireless Hotspot?

Dmitry Nedospasov
You could use a VPN after connecting. This is one way you can have  
encrypted traffic at an open hotspot.

D.

On Feb 8, 2009, at 09:56 , Chip Panarchy wrote:

> Hello
>
> You've probably been to a café before that offered WiFi via a Wireless
> Hotspot. Or maybe you've been to an airport that had some hotspots?
> Well whatever the case, I'm sure you've seen a Public Wireless
> Hotspot. Or, at the very least, heard of them.
>
> So my question to you is, NOT on how to secure the Wireless Hotspot,
> but rather on how to secure the connection on my end, to the Hotspot.
>
> So, how do I secure my PC at a Wireless Hotspot?
>
> Would there be a way to have 256-bit AES or 256-bit Camellia
> encryption on all outgoing traffic?
>
> Or would you recommend a different method?
>
> If this is of any use, I will be using the following laptop: Dell
> Inspiron 700m.
>
> Can I please have some recommendations on what I need in order to
> secure my connection to the
> Wireless Hotspot?
>
> Thanks in advance,
>
> Chip D. Panarchy
>
>
> --
> To UNSUBSCRIBE, email to [hidden email]
> with a subject of "unsubscribe". Trouble? Contact [hidden email]
>



Re: Securing my PC at a Wireless Hotspot?

John Keimel
In reply to this post by Panarchy
On Sun, Feb 8, 2009 at 3:56 AM, Chip Panarchy <[hidden email]> wrote:

> So, how do I secure my PC at a Wireless Hotspot?
>

This is on the borderline of debian-user and debian-security. People
will argue both ways on that.

Use a VPN or an SSH tunnel to a trusted source.

I use one of my servers, either a VPS I rent for about $10/mo or a
server I own and maintain that's on the Internet in a data center.

My trust level of those servers is much higher than any other method.

I know that my traffic is secure from my point to my server, then off
to the internet.

As far as securing my own laptop while on the hotspot, I will make
sure I do not have unnecessary ports open.



Re: Securing my PC at a Wireless Hotspot?

Bernd Eckenfels
In article <[hidden email]> you wrote:
> Use a VPN or an SSH tunnel to a trusted source.

A very neat trick is using dynamic port forwarding of SSH (-D 1080). You only need to
login to any SSH Server and enable the auto forwarding. Then you can enter
the SSH client as a SOCKS proxy server and you are done (for surfing).

Gruss
Bernd



Re: Securing my PC at a Wireless Hotspot?

Johan Marklund
Bernd Eckenfels skrev:

> In article <[hidden email]> you wrote:
>  
>> Use a VPN or an SSH tunnel to a trusted source.
>>    
>
> A very neat trick is using dynamic port forwarding of SSH (-D 1080). You only need to
> login to any SSH Server and enable the auto forwarding. Then you can enter
> the SSH client as a SOCKS proxy server and you are done (for surfing).
>
> Gruss
> Bernd
>
>
>  
You could use the -w option in newer ssh server versions to tunnel
through virtual tun devices =)

ssh -w 0:1 [hidden email]

0 is tun0 @ localhost
1 is tun1 @ example.com


and enable ip forwarding on the remote host

-- snip from ssh manpage --

     -w local_tun[:remote_tun]
             Requests tunnel device forwarding with the specified tun(4) devices
             between the client (local_tun) and the server (remote_tun).

             The devices may be specified by numerical ID or the keyword “any”,
             which uses the next available tunnel device.  If remote_tun is not
             specified, it defaults to “any”.  See also the Tunnel and TunnelDevice
             directives in ssh_config(5).  If the Tunnel directive is unset, it is
             set to the default tunnel mode, which is “point-to-point”.


/yosh
(sorry for the lack of precision, I r tired)



Re: Securing my PC at a Wireless Hotspot?

Wade Richards-2
On Tue, Feb 10, 2009 at 11:50:05AM +0100, Johan 'yosh' Marklund wrote:

> Bernd Eckenfels skrev:
> > In article <[hidden email]> you wrote:
> >> Use a VPN or an SSH tunnel to a trusted source.
> >
> > A very neat trick is using dynamic port forwarding of SSH (-D 1080). You only need to
> > login to any SSH Server and enable the auto forwarding. Then you can enter
> > the SSH client as a SOCKS proxy server and you are done (for surfing).
> >
> You could use the -w option in newer ssh server versions to tunnel
> through virtual tun devices =)

One problem with tunnels is that you can accidentally not use the tunnel.

E.g. I have eth0 which is connected to the insecure network, and
my encrypted tunnel to a secure network.

Although the tunnel is available, the unsecure eth0 is still also
available.  I need to correctly set up the SOCKS proxy or set up the
routing tables, or do something to be sure that all my network traffic
is going through the tunnel and not just directly to the unsecure eth0.
There's no easy way to tell if you're doing it right, either, since the
web looks basically the same from the unsecure network as from the secure
one.

The Cisco VPN I use on my employer's Windows machine has an interesting
feature: it completely hides the unencrypted network.  Once I create the
VPN tunnel, my machine releases its local IP address and there is no
way for any network connections (other than the tunnel, of course) to go
over the unencrypted device.  It is as if that device is disabled.

This makes it idiotproof, which is an important but often overlooked
aspect of security.

So, is it possible to do that sort of thing with a Linux laptop?

    --- Wade


--
  ___   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 /   \  Plain text e-mail   | Wade Richards --- [hidden email]
| RIP |    c1970 ~ c2000    | You can never tell which way the train went
|ASCII|  Killed by HTML/RTF | by looking at the tracks.
|     |  in e-mail          |



Re: Securing my PC at a Wireless Hotspot?

Vladislav Kurz
On Tuesday 10 of February 2009, Wade Richards wrote:
> On Tue, Feb 10, 2009 at 11:50:05AM +0100, Johan 'yosh' Marklund wrote:
> > Bernd Eckenfels skrev:
> > > In article <[hidden email]> you wrote:
> > >> Use a VPN or an SSH tunnel to a trusted source.
> > >
> > > A very neat trick is using dynamic port forwarding of SSH (-D 1080).
> > > You only need to login to any SSH Server and enable the auto
> > > forwarding. Then you can enter the SSH client as a SOCKS proxy server
> > > and you are done (for surfing).
> >
> > You could use the -w option in newer ssh server versions to tunnel
> > through virtual tun devices =)
>
> One problem with tunnels is that you can accidentally not use the tunnel.
>
> E.g. I have eth0 which is connected to the insecure network, and
> my encrypted tunnel to a secure network.
>
> Although the tunnel is available, the unsecure eth0 is still also
> available.  I need to correctly set up the SOCKS proxy or set up the
> routing tables, or do something to be sure that all my network traffic
> is going through the tunnel and not just directly to the unsecure eth0.
> There's no easy way to tell if you're doing it right, either, since the
> web looks basically the same from the unsecure network as from the secure
> one.

You can tell by checking routing tables, or visiting a web page that shows
your IP. And you should know the IP of your tunnel server.

> The Cisco VPN I use on my employer's Windows machine has an interesting
> feature: it completely hides the unencrypted network.  Once I create the
> VPN tunnel, my machine releases its local IP address and there is no
> way for any network connections (other than the tunnel, of course) to go
> over the unencrypted device.  It is as if that device is disabled.
>
> This makes it idiotproof, which is an important but often overlooked
> aspect of security.
>
> So, is it possible to do that sort of thing with a Linux laptop?

OpenVPN can do that as well - look for option --redirect-gateway

--
regards
        Vladislav Kurz
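
Added example, not part of the thread: the routing-table check mentioned in the message above, written as a shell function that reads `ip route show` output and reports whether internet-bound traffic actually enters the tunnel. The device names (tun0, eth0), the addresses and the function name are assumptions; the 0.0.0.0/1 plus 128.0.0.0/1 pair is the form OpenVPN's `redirect-gateway def1` installs.

```shell
#!/bin/sh
# Added example: decide from `ip route show` text whether internet-bound
# traffic is routed into the tunnel device. Device names and addresses in
# the samples are assumptions.

# tunnel_covers_default TUN_DEV   (routing table on stdin)
# Returns 0 when the only default route points at TUN_DEV, or when the two
# half-default routes 0.0.0.0/1 and 128.0.0.0/1 (more specific than
# "default", so they win) both point at TUN_DEV. Returns 1 otherwise.
tunnel_covers_default() {
    awk -v tun="$1" '
        function dev_of(   i) {
            for (i = 2; i < NF; i++) if ($i == "dev") return $(i + 1)
            return ""
        }
        $1 == "default"     { if (dev_of() == tun) def_tun = 1; else def_other = 1 }
        $1 == "0.0.0.0/1"   { if (dev_of() == tun) lo = 1 }
        $1 == "128.0.0.0/1" { if (dev_of() == tun) hi = 1 }
        END {
            if (lo && hi) exit 0               # both halves override any default
            if (def_tun && !def_other) exit 0  # the only default is the tunnel
            exit 1                             # something still leaves directly
        }'
}

# Constructed sample tables (not captured from a real host).
# Tunnel is up, but the default route still points at the hotspot gateway.
LEAKY='default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Gateway redirected into the tunnel; only the tunnel server (203.0.113.10)
# is still reached directly over eth0, which is required to carry the tunnel.
REDIRECTED='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0
128.0.0.0/1 via 10.8.0.5 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0'

for name in LEAKY REDIRECTED; do
    eval "table=\$$name"
    if printf '%s\n' "$table" | tunnel_covers_default tun0; then
        echo "$name: default traffic goes through tun0"
    else
        echo "$name: default traffic bypasses tun0"
    fi
done
```

On a live system, feed it with `ip route show | tunnel_covers_default tun0`; it looks at the IPv4 table only, so IPv6 routes and the DNS resolver need their own check.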



Re: Securing my PC at a Wireless Hotspot?

celejar
In reply to this post by Wade Richards-2
On Tue, 10 Feb 2009 10:51:16 -0800
Wade Richards <[hidden email]> wrote:

...

> This makes it idiotproof, which is an important but often overlooked
> aspect of security.

As Tom Eastep, the Shorewall dev, notes in this email signature

"Nothing is foolproof to a sufficiently talented fool"

http://www.shorewall.net/shoreline.htm

:)

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator



Re: Securing my PC at a Wireless Hotspot?

Michael Pobega
In reply to this post by Panarchy
On Sun, Feb 08, 2009 at 07:56:10PM +1100, Chip Panarchy wrote:

> Hello
>
> You've probably been to a café before that offered WiFi via a Wireless
> Hotspot. Or maybe you've been to an airport that had some hotspots?
> Well whatever the case, I'm sure you've seen a Public Wireless
> Hotspot. Or, at the very least, heard of them.
>
> So my question to you is, NOT on how to secure the Wireless Hotspot,
> but rather on how to secure the connection on my end, to the Hotspot.
>
> So, how do I secure my PC at a Wireless Hotspot?
>
> Would there be a way to have 256-bit AES or 256-bit Camellia
> encryption on all outgoing traffic?
>
> Or would you recommend a different method?
>
> If this is of any use, I will be using the following laptop: Dell
> Inspiron 700m.
>
> Can I please have some recommendations on what I need in order to
> secure my connection to the
> Wireless Hotspot?
>
> Thanks in advance,
>
> Chip D. Panarchy
>
If you have a secure server to SSH into, you can just use tsocks to
forward and SSL-encrypt your traffic.

http://pobega.wordpress.com/2009/02/01/tunneling-a-connection-through-ssh/

--
                  http://pobega.wordpress.com
                    http://identica/pobega
