
I spent several hours during yesterday’s NewTeeVee Live conference at San Francisco’s Mission Bay Conference Center sitting at the press table with tech writers from various publications who were connecting to the open Wi-Fi network. Before I connected to the center’s hotspot, I loaded a VPN (virtual private network) application, which provides a secure, encrypted tunnel within which I use public Wi-Fi. The one I use happens to be custom and proprietary, and takes about 15 seconds to establish a connection that will keep me completely secure on an open network.

I noticed, though, that while some of the writers at the conference were probably using firewalls, hardly any of them used VPNs to keep their Wi-Fi sessions completely secure. And these were tech writers. That’s a shame, because there are a lot of good, completely free VPN applications available.

One of the best choices out there is OpenVPN, an open-source, cross-platform VPN solution. The freeware world, too, includes many VPN applications that users swear by, such as iPig from iOpus and the free version of LogMeIn’s Hamachi. Cisco’s cross-platform VPN client is also widely used, although note that it’s incompatible with some firewalls. Hotspot Shield is also well-liked by many Windows and Mac users.

Windows 7 actually comes with a built-in Agile VPN client, but it is said to be less easy to use than many of the free, time-tested clients. Snow Leopard Server also offers VPN functionality, and previous versions of the Mac OS have included it. For many users, though, especially ones who don’t have access to help from an IT department, simple, free downloadable VPN solutions–which usually have intuitive interfaces–are great choices.

VPN applications couldn’t be easier to use. Once installed, you simply sign in to them, and your online communications are routed through encrypted tunnels. Problems with particular VPN clients are typically the result of firewall-related conflicts, but you can easily find an app that works for you.

As is always true with security software solutions, user apathy is the biggest problem of all. So the next time you use public Wi-Fi, make sure you hop into a secure VPN tunnel first.

Do you use a VPN application that you like?


  1. Excellent observation about VPNs being a great way to keep secure on public networks. The problem is that you missed the other half of the equation. You should have a VPN server to connect to once you have one of the widely-used VPN applications. I set my router up with custom firmware to do it for me, which is fantastic; however, I don’t think everyone would have the savvy to do that. Thanks for mentioning Hamachi, as it is a great way to do it for free, and simply.

  2. Charles Godfrey Friday, November 13, 2009

    I have to say OpenVPN is one of the slickest VPN solutions to come along yet. It is very well engineered. Clients are available for Windows (http://openvpn.se/), Mac (http://www.macupdate.com/info.php/id/16969), and Linux. http://www.openvpn.net/index.php/open-source.html

    One of the easiest implementations of an OpenVPN server I have seen is from ClearOS (www.clearfoundation.com). Two factor authenticated OpenVPN with a slick interface so your users can get their own keys and configuration files.

  3. Sebastian Rupley Friday, November 13, 2009

    @A.J.–Good points, and I too use a custom VPN setup. However, you don’t have to implement the server of your own to connect with (although you can, especially with tools like OpenVPN). Here’s a blurb from Hotspot Shield’s home page, for example:

    “Hotspot Shield creates a virtual private network (VPN) between your laptop or iPhone and our Internet gateway.”

    With many of the apps out there, you can create your connection with a remote server that you don’t manage.

    Best,
    Sebastian

    1. VPNs can be a good thing, though one that I rarely use. My computer spends most of its day on an open network (with a public IP address no less). I use SSL encryption for my email and HTTPS/SSL for most websites that I will be posting/reading non-public information. Strongish passwords, up-to-date OS and reasonable firewall settings round out the package. I’d recommend these steps even with a VPN.

      In the end, I don’t think that a solution like the Hotspot Shield offers me much extra protection.

    2. @Sebastian,

      Using the HotSpot Shield may protect you from other Wi-Fi users in that hotspot, but it does not protect your data the rest of the way across the Internet.

      Nortel also provides easy to use VPN clients and gateways, for both IPSec and SSL VPNs, that will secure your data end-to-end.

      Regards,
      Jon

      1. Jon – problem with Nortel product is that the company went Chapter 11, so getting it and supporting it will be a problem going forward unless it is purchased and rebranded.

  4. Anybody could use a VPN if it is well explained and easy to use. How much would someone pay for having it set up for him or for the generated traffic?

  5. While the recommendation is good, it fails to ignore some basic critical elements.
    Where do you connect back to? Is it hub and spoke topology? Route all?

    1. VPN is using cryptography, so certified, vendor based products have strong advantage.

    2. There is a big difference between SSL based VPNs and IPsec based VPNs.
    Unfortunately the differences are not that trivial for regular users.

    3. Firewall traversal, NAT Traversal and “office mode” IPs are important features that have been around for years. If your VPN client works in one place, it does not mean it will work in any place.
    Moreover, you’ll be surprised when things start working when you have overlapping IPs without office private address space.

    4. Unfortunately, most big vendors (Cisco, Check Point, Juniper, Microsoft) have stopped investing development efforts in this area 5 years ago. It seems people don’t really care about encryption and SSL is “good enough” in most cases.

  6. Sebastian, you don’t need to use any third party software at all to make a VPN connection. Every computer sold today comes with the ability to use PPTP (Point-to-Point Tunneling Protocol), which is secure so long as one uses a strong password. There’s no need for a “certified” product or one that uses a proprietary protocol. And most operating systems (though not Windows) also come with an SSH client, which allows extremely secure tunneling of e-mail. (Free third party SSH clients are readily available for Windows, though.)

    In most cases, you’ll have the option of doing “split tunneling” (in which only certain traffic goes through the VPN) or complete tunneling (in which everything, even your browsing, goes through the VPN). The latter is a bit more secure, but so inefficient and slow that it probably isn’t worth it. (If you do anything on the Net that requires security, you will likely be using SSL/HTTPS anyway.)

    The only problem you’ll find with VPNs is that some cellular providers (Alltel in particular) limit the lengths of all TCP sessions and will cut off a VPN connection after a certain amount of time. Thus, they can be awkward to use with datacards. But this does not tend to be an issue on public Wi-Fi networks.

  7. Sebastian Rupley Sunday, November 15, 2009

    @ Brett– excellent input, thanks Brett. Yep, the methods you describe work and there is increased OS support for VPNs. For lots of people, though, I think some of the third-party tools have easy GUIs and make the process simple. One thing I notice from the comments thread here is that some potential VPN users are still under the impression that one needs to be managing some remote server that is being pinged by the VPN client–not so. That’s how it worked years ago, but definitely not now.

    Best,
    Sebastian

    1. Yes, some third party products make the setup process simple. But the “network setup wizard” in Windows is just as simple. Just tell it that you want to connect to the network at your workplace, and it will set up PPTP in a few clicks.

      I wish I could say the same for the Mac. The Mac used to have a utility called “Internet Connect” which likewise set up a VPN connection in a few clicks. But now you have to go through the main Network Preferences control panel, whose strange interface (unique even to the Mac) is very complex and confusing and has gotten more so in “Snow Leopard.” (It’s a shame to see that the Mac is going backwards on ease of use and ease of learning.) I regularly help customers to set up Mac VPNs over the phone, though.

  8. Pardon my rookie question–> I’ve heard that if I log-in on an https:// website (like for my bank, gmail, etc.) on public wi-fi, that I don’t need a VPN. Is this true?

    1. Hi, HTTPS is safe, however Man in the Middle attacks are still possible, there is also a new vulnerability in SSL, however this vulnerability applies mostly to self signed certificates. Most e-banks have trusted certificates from authorities like verisign etc. The best way to avoid all problems is to use VPN!

      1. Man-in-the-Middle attacks aren’t an issue if you pay attention to the certificate that comes with the HTTPS web page. If it is signed from a public source (Verisign, etc) and the server name, company name, etc matches the site you are visiting, you are good to go. Most modern browsers will give you a warning when the info doesn’t match.

        I argue that a well managed machine, use of HTTPS/SSL and common sense offer as much or more protection than many of the VPN solutions being discussed here. Don’t get me wrong, VPN can be a great thing, but often people assume that because they are using a VPN that they don’t need to worry about the other stuff.

  9. Hi, this is great advice and a subject that is often overlooked. I agree with the comment regarding the only true security is to port through a secure server – effectively creating a secure tunnel. iPig does this, but from no techie point, all we want is a simple download and run service with nothing to set up and ongoing server costs! The blog http://securif.wordpress.com has more Q&As relating to this!

  10. I agree with the well put points Dave, however, the majority of users out there still are getting to grips with email – let alone well managed machines ;-) Certainly some of my colleagues struggle with the concept of, don’t leave your machine in the pub!! As with most security issues, it’s about reducing the risk. Antivirus, firewall etc. VPN software just falls into the mix.
