There is no doubt that, as a user of a hotspot, you are vulnerable to many types of attack. At minimum, your data can be intercepted and read. In the worst scenario, people can get into your computer and copy, delete, or modify files or even plant a virus. The wireless traffic in a hotspot is generally not encrypted. However, even if it were, the link between the access point and the hotspot controller is unprotected and then the data is probably going on to the public Internet anyway. Given that the data is going over the Internet, you may accept that it is not private; however, the prospect of someone accessing your computer should be taken very seriously.
The biggest danger comes from shared file systems. Many popular operating systems allow your files to appear as a shared directory to other computers on the network. This is the most popular method of networking for small businesses and home users. However, if you have a shared directory and forget to "unshare" it before entering the hotspot, there is a real danger that it will be noticed by a stranger and investigated. A level of protection can be gained by always using a password for shared directories. All but the most motivated attackers will probably give up and move on.
A second danger comes from Trojan viruses. Like the mythical Trojan horse, a Trojan virus is carried into your computer on an infected executable file. Once there, it quietly sends out messages while connected to the network, notifying an enemy where you are and opening a portal for them to connect to your computer. Good virus protection should always be used to avoid such viruses, and personal firewall software, covered in the next section, usually blocks the port that Trojan viruses use.
Personal Firewall Software
If you need real protection, you are advised to install personal firewall software. This will not provide privacy for your data but will also protect against attacks on your computer. Such software is available from a number of companies and is now built into some operating systems. The software monitors all data going in or out of your computer. It blocks any suspicious attempts to access your computer and generally provides a single simple software switch that blocks all network sharing in one go.
When you are operating in a hotspot, you should allow only TCP/IP packets to come in and go out of your computer. This protocol is all that is needed for Internet access. Other protocols are sometimes used for computer-to-computer communication on a local network, which is just what you want to prevent. The firewall can block all non TCP/IP traffic. Most TCP/IP data is connection oriented. For example, when you want to access a Web site or an e-mail server, your computer establishes a connection to the server and then sends and receives data. Once the connection is established, data can pass both ways. You want the firewall to allow connections that you initiate but to reject connections coming in from somewhere else. This stops other people from connecting to your computer.
Unfortunately, if you block all incoming connections, some functions won't work. For example, an FTP file transfer may require that the sending server is able to make a connection to your computer. Good firewall software has the ability to allow certain incoming connections based on knowledge of what you are trying to do. Some applications do not use connection-oriented TCP but use an IP datagram service (UDP). The use of such applications will be limited if firewall protections are in place. However, such applications videoconferencing or voice-over IP, for example are usually quite specialized. If you are using such applications, you may want to consider the further protection of a virtual private network (VPN).
Virtual Private Network (VPN)
VPN is a much used and often misunderstood term. It tends to be used to describe some sort of general security system operating at the TCP/IP layer. The concept of VPN is to superimpose a private network on top of a public network so you can get the advantages of a dedicated network and the low cost of a shared network. Security is a key component of implementing a VPN. Most VPNs create point-to-point connections between two users or a user and a server. If two people want to talk to each other across a crowded room, they know that anyone in the middle can hear their conversation. In the days before telephones, people used devices called speaking tubes: By putting their ears to one end, they could hear the person speaking into the other end. These were used to communicate between the bridge of a ship and the engine room, for example. In a similar way, a VPN creates a tunnel through the shared network medium so only the two parties at each end of the tunnel can read messages sent at the other end. Various security techniques are used to wrap the data being sent across the network so it is quite impenetrable to anyone in the middle. These tunnels are like independent virtual connections, hence the name VPN.
A typical use for a VPN tunnel is to connect an employee to their company's intranet. This type of connection is particularly useful when the employee is out of the office and using the Internet. One end of the tunnel resides on the employee's laptop computer and the other end in a server at the company's premises. Once such a connection is established, the employee's communication is as secure as if she were in the office, regardless of the fact that the tunnel passes over the Internet or Wi-Fi LANs or any other type of insecure network.
The concept of the tunnel is both a strength and a weakness. It is ideal if you want to communicate to only one other destination. However, it is a problem if you want to communicate with several locations at once. If you want to communicate with two or three servers, you would have to have multiple tunnels in operation. And if you want to browse Web sites, you need to turn VPN off because public Web sites do not support VPN attachment. Some companies solve this problem by requiring that all communications from a company laptop go to the company VPN server. If you want to browse the Internet, your data must first go to the company VPN server, then to the company intranet, and finally back out onto the Internet via the company firewall. This requirement ensures ultimate control and security, but it can hardly be considered efficient. Typically, it is available only to larger corporate users.
The technical details of VPN are extensive and books that focus on VPN are available. Here we just mention a few points. VPN operates at quite a high level in the protocol stack, well above the layers where RSN security operates. You need to install special client software onto your computer before you can operate a VPN. In the future, client software will probably be built into the operating system, thus simplifying management. The most popular VPN system is based on IPsec, which is defined by the IETF. There are other approaches, including some that are proprietary; but it seems likely that IPsec will eventually become universal for use with TCP/IP based systems.
IPsec provides for two parties to negotiate and authenticate the information needed to encrypt data into a tunnel. The original IP frames are encrypted and encapsulated inside new IP frames that are then sent to the other end of the pipe. This can create problems if the original IP address is not valid at the destination network, such as when address translation is being used along the route because the encapsulated (and hidden) addresses will not be translated. This was a major problem in the early days, although many servers now have the ability to correct for the problem.
The computational overhead of encryption usually falls on the processor in the PC rather than on special hardware. This overhead can limit transfer rates, although the high speed of modern processors greatly reduces the effect of this overhead.
Regardless of the security offered by the hotspot, VPN is the most secure way to operate in a wireless hotspot. VPN eliminates all the problems of security that have been mentioned, including the weakness of the wiring plant connecting APs and the danger of network sharing with other users in the area.
If you do not have access to a VPN server, you should certainly consider the installation of a personal firewall. There are also "anonymity services" that can provide a VPN-like function for a monthly fee. These services act as a sort of forwarding device. All your Web accesses get sent to a server on the Internet and then are forwarded on to the Internet again by the server. Typically, the data between your computer and the server can be encrypted; it is decrypted by the server and then forwarded on to the Internet. This is ideal for use in a hotspot because it means that your data sent over the wireless link is encrypted. If you are interested in such services, type "anonymity" into a Web search engines and you will find various links to companies that can do this. For example, www.anonymizer.com.