Which FW solution for a WiFi protection ?

Hi there,

I'm still searching for a good firewall that would fit my needs

As I'm going to use a Laptop and be very mobile, I'll only connect through wireless connection. I've already heard about VPN tunnels, but still, adding up a software firewall can't be bad idea

I didn't really check profoundly, but I know that Outpost provides a good wireless protection, at least, according to their website. I didn't read anything about Wifi on Comodo's website, Sygate (might be too outdated), and I'd rather avoid using ZA, which was a really bad experience for me in the past !

I also know that KIS could be a good pick, especially because I'm already using KAV, and I'm ready to extend my licence to the full security suite.

Anyways I need your opinions !

Thanks!

 

WiFi or wired...no difference as far as hiding your machine. Windows firewall all locked down, or something like Comodo.

 

No, not really ...
Wifi exploits are being undiscovered more and more each days ...

A well known example here : http://news.com.com/8301-10784_3-9754204-7.html

It is also "easy", or should I say, not impossible, to hack your WEP/WPA2 key using packet sniffer, and steal all your datas ...

 

For WEP I agree. Have you some proof for WPA2 ?

 

The poster is talking about being "mobile" though...the typical "road warrior" use of the laptop. That would mean, connecting to open "hot spots"..such as coffee shops, libraries, business hotels or airports, etc etc. Those would be open, unsecured networks....so WEP/WPA/WPA2 are irrelevant...locking down his home router/access point isn't the issue here.

The issue isn't securing a network..it's keeping his PC secure when using open networks. Solutions involved *Securing the PC, and *Securing his traffic. Securing the PC is easy enough, don't leave the Administrator password blank. Many of us know it's easy enough to tank a machine if we know the Admin password is left blank...though hitting it with the old \\ip address\C$ avenue. Also having a firewall that blocks incoming from the outside world, so shutting down F&P exceptions would be smart, not allowing your laptop to respond to ICMP would be another.

Securing your traffic when at a public hot spot is also easy...simply VPN to another source..using it as your remote gateway, all your traffic is encrypted in the tunnel. If you don't have access to your own VPN setup, there are MANY services that road warriors use for this..such as AnchorFree.

Many business grade wireless setups even utilize VPN security for their wireless setups. Such as Sonicwall, with their SonicPoint access points that utilize "WiFiSec". The Sonicpoint is setup wide open, effectively in another "zone", or subnet, of the main network. Sort of like an "orange zone" for those familiar with linux router distros. You connect to the Sonicpoint...it can be left wide open if you like...but you can't get anywhere until you use their IPSec Global VPN client to connect to the central router...then..and only then..are you granted access to their network.

 

That's not an exploit, its just collecting packets and viewing the contents. If you are using any shared connection that multiple people can connect to, it is more then likely that they will be able to sniff all the data coming from your computer to the router/gateway. This means that anything sent in the clear is able to be read, such as myspace or even your wilders password. However, if it is a site securing transmissions with ssl, then you don't have to worry since all of the information is encrypted between your computer and the website.

WEP would be very easy if you are well educated in the matter (should take at max 15 minutes to discover the key), but for WPA/WPA2, it currently is only vulnerable to brute force attacks which would take several (and I mean hundreds) of years to decrypt as long as you use a sufficiently long passphrase. Again, the only proper protection is ensuring that all of the data is encrypted so others can't read it, and the best way is to establish a vpn/ssh connection to a trusted place (like your home), and then channel all connections through it.

As for firewalls, as long as it works filtering inbound and is properly setup, you will have sufficient protection from the firewall area. For an example, the windows firewall set to no exceptions is sufficient.

Cheers,

Alphalutra1

 

Thank you both for your very deep & complete answers.

As I said, I already thought about VPN tunnels, but what about the price ? Is it difficult to set up ?

And to remain on-topic, I'm currently hesitating between those software fws : KIS / Comodo / Outpost / Online Armor / ZA.
In your point of view, which would fit my needs ?

 

Would Linux users have the same issues to consider when connecting to an open WiFi network?

 

would it be enough to have kis7.0 firewall set on low secuirty mode with the wireless card set to internet with stealth mode on?
low secuirty mode so there isnt any prompts.
lodore

 

PPTP VPN is free..built into Windows, it's a matter of is you want to take the time to set it up and use it. Rather easy to do, works with dynamic IPs even.

Hamachi is another free, and easier to use, VPN package.

As for AnchorFree....if you don't have the resources at home or the office to setup your own VPN, check out their website.
http://anchorfree.com/hotspot-shield/

 

Thanks YeOldeStonecat, I'll take a look at this

I hope this thread will keep going alive, as some questions are still unanswered

 

Which questions? Software firewall? If XP, the inbound protection for part time connections is just fine. If Vista..even more robust. For a freebie..Comodo is great...not many good free ones out there left which are still updated...an important consideration in my opinion. Since you're already using Kaspersky..I'd say stick with that..it's an excellent product.

 

Well I'm using KAV, not KIS
At this time I'm not using any firewall (just some hardware firewall at home).
But I'm gonna get my laptop soon, and want to be secure on Wifi hotspots (& wifi at home), that's why I definitely need something more advanced than Windows Firewall.
For example, windows firewall doesn't prevent ARP spoofing attacks !
That's why I need some suggestion. I've read some thread on wilders lately, some folks were saying Outbound provides the best 'ouf of the box' protection for Wifi networks, what's your point of view ?

 

Yes of course, why wouldn't they?

The firewall issue may not be as big of a deal as long as no vulnerable daemons are running, but besides that, you still have to worry about traffic being intercepted and such.

Cheers,

Alphalutra1

 

hello,
can people in the UK use hotpoint shield?
is it fast?
how do i set up a vpn at home?
i think hotpoint shield will be a better option since my be home hub router is very very unreliable.
lodore

 

Good day to all.

Interesting thread.

Regarding the issue of securing internet traffic when at an open hotspot, I seem to understand that the main possibilities are:

- Establishing a VPN (or ssh) connection with a safe location (ex: home), and direct your encrypted traffic through that safe location.
The software which does this must be installed on both ends of the tunnel, i.e, your laptop at the hotpspot and your PC at home.
Also, one must be sure that the internet connection at home (or whatever end of the VPN defined) is on when one goes out with the laptop planning to use this feature.
Hamachi and OpenVPN are known options to do this, with Hamachi sometimes reported as easier to setup.
Does anyone know of more alternatives to these two ? Open-source preferably ?

- Using something like Hotspot Shield from anchorfree.com.
This has the advantage of not having to configure a VPN connection on multiple PCs. The shield is something that you simply install on the laptop.
Being free, it´s bound to have ads (ok, web-blocking software, adblockplus extension for firefox and so on can take care of it) and possibly call home. I have read rumors on other forums about this, but I have no proof as I do not use the software. Does anyone have any evidence about this ?
YeOldeStonecat mentioned that there are alternatives to this hotspot shield.
Can anyone name a few ? Open-source?

- Using anonymizing networks such as Tor or JAP. One would of course have to worry about who is operating the nodes, but to which extent is this really a concern ?
On this line of thought there are also things like XB browser and so on.
The VPN connection may not take care of the anonimization part (I guess it would depend if your PC at home has some kind of connection to Tor, JAP etc... Am I right ?) , so this solution has that added advantage.

- Subscribing to a paid service that, when you are at an open hotspot and access this service´s webpage (SSL of course), offers the possibility of directing (encrypted) your traffic through them.
This is my mind cooking, so I´m not really sure such services exist. Can anyone name a few examples ?

And some more questions. Does any firewall exist that offers some plugin/mechanism with a function comparable to anchorfree´s Hotspot Shield ? Is it even possible to do such thing with a firewall ?

Are there any alternatives to the methods above ?

Sorry for the long and probably confusing post. I´m trying to get the big picture on this data interception security thing. Seems using your laptop at a public hotspot is no trivial matter...

Wishing all a good thursday,

Jomsviking

 

PPTP VPN is built right into Windows...
Also there are many business grade routers out there which have built in PPTP VPN servers. (Linksys/Cisco RV0 series for example) And...many linux distro routers that have VPN servers built into them. Run of of those at home, even if on a dynamic IP, they work fine with dynamic dns services such as dyndns.

 

For the VPN issue, I just installed openvpn on my netbsd box and it has been amazingly easy. Before, I had just used sshd, but since that didn't tunnel all of my data, I wanted to try something a bit more complicated

Setup using the static key mini-howto which allows for a server at home and one client to connect to was a breeze. They also tell you how to force the client to move all the traffic through the tunnel in the main howto. Don't be afraid of config files just because they are text only, and dive right in. It is really very easy.

Cheers,

Alphalutra1

 

If your using Tor or JAP your traffic will be encrypted so you dont really need to VPN, however your network speed will be slower using this method. Supposedly, Xerobank would speed this up but I'am not a user.

There are many personal VPN services available, such as hotspotVPN, witopia, publicVPN, etc... they can work using PPTP, SSL, etc

 

And to remain on topic ... about the firewall.. does it matter to pick an advanced fw like those I've mentioned above, or is windows fw good enough ?

Outpost definitely seems to be my choice, with the Wifi protection it automatically provides but I may be wrong !

 

Windows FW set to not allow exceptions is all you need. It is actually quite advanced since it uses SPI. I am not aware as to how good the SPI is in regards to weird packets and such, but it is sufficient for a workstation. (I love pf's scrub for getting rid of all those weird packets )

Cheers,

Alphalutra1

 

Wow, I didn't know that windows fw featured SPI, thanks !

But still, it wouldn't protect me from ARP spoofing (which most of the advanced firewalls do), is it a problem ?

 

YeOldeStonecat, Alphalutra1 and acknsyn, many thanks for your ideas, I will look further into them.

Good day,

Jomsviking

 

Is it worth losing sleep over the possibility of ARP spoofing, if you're using a VPN tunnel at a hotspot anyways?

 

Of course, but let's say I don't/can't use a VPN tunnel ..