I will be visiting a large hotel complex soon, and taking a Netbook (small laptop) computer just to stay in touch with everything. I will be using it to remotely administer some computers and read/write email, so I will have to transmit sensitive login info.
What precautions should I take to avoid revealing this info to the wrong people? I’m not worried about viruses, worms, etc., as I won’t be visiting any sites that I don’t already know. And I’ll have the software firewall turned on. But what about sending login info – I can’t encrypt it if the recipient isn’t expecting that. Can someone with a sniffer pick out critical components of packets as cleartext?
And if file & print sharing are turned off, no one can read or write data in my computer, right?
FYI, it’s a 10" Asus Netbook running Win 7 Starter, nothing fancy, just minimal configuration and WiFi connections to the Internet thru the hotel’s system.
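The question above ("can someone with a sniffer pick out login info as cleartext?") has a concrete answer that depends on which protocol each client uses, and the quickest way to find out is to capture your own netbook's traffic at home and scan it. The following script is an added example, not part of the original thread: it assumes you have exported flows from a capture as (destination port, payload bytes) pairs, and the `SAMPLE_FLOWS` list is constructed for illustration.

```python
"""Audit your own netbook's captured traffic for credentials that cross
the wire readable. Added example, not from the original thread: it assumes
you exported flows from a capture as (destination port, payload bytes)
pairs; the SAMPLE_FLOWS below are constructed for illustration."""
import base64
import re

# Each rule: a label and a pattern whose first group captures the username.
# Hypothetical rule set covering the common legacy mail/admin protocols.
CLEARTEXT_AUTH_RULES = [
    ("POP3/FTP USER+PASS", re.compile(rb"^USER (\S+)\r?\n(?:.*\r?\n)*?PASS \S+", re.M)),
    ("IMAP LOGIN", re.compile(rb"^\S+ LOGIN (\S+) \S+", re.M)),
    ("HTTP Basic", re.compile(rb"^Authorization: Basic (\S+)", re.M)),
]

# Constructed sample flows: what a sniffer on the hotel network would hold.
SAMPLE_FLOWS = [
    (110, b"USER alice\r\nPASS hunter2\r\n"),                       # plain POP3
    (80, b"GET /admin/ HTTP/1.1\r\nHost: example.test\r\n"
         b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),      # plain HTTP
    (993, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"),          # IMAPS: TLS ClientHello, opaque
    (22, b"SSH-2.0-OpenSSH_7.9\r\n"),                                 # SSH banner, no secrets
]


def username_from(label, match):
    """Recover the username a rule matched, decoding HTTP Basic's base64."""
    raw = match.group(1)
    if label == "HTTP Basic":
        try:
            raw = base64.b64decode(raw, validate=True).split(b":", 1)[0]
        except (ValueError, IndexError):
            return "<undecodable>"
    return raw.decode("ascii", "replace")


def audit(flows):
    """Return (port, rule label, username) for every flow carrying a
    cleartext credential. TLS-wrapped sessions (POP3S 995, IMAPS 993,
    HTTPS 443) and SSH never match because their payloads are ciphertext."""
    findings = []
    for port, payload in flows:
        for label, pattern in CLEARTEXT_AUTH_RULES:
            match = pattern.search(payload)
            if match:
                findings.append((port, label, username_from(label, match)))
    return findings


if __name__ == "__main__":
    for port, label, user in audit(SAMPLE_FLOWS):
        print(f"port {port}: {label} sends '{user}' and the password in the clear")
```

Any flow the audit flags is one that a VPN, an SSH tunnel, or switching the client to its TLS port (POP3S, IMAPS, HTTPS) needs to cover before you use the hotel's WiFi; a software firewall and disabling file sharing do nothing for traffic you send out yourself.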
VPN is the easiest and most reliable way to accomplish this. If the computers you’re administering are on your employer’s network, you should be able to set up a VPN connection. That gives you an encrypted tunnel to your employer’s network, so somebody sniffing packets at the hotel won’t be able to get any useful information. It should be as simple as going to your IT department and installing a VPN client.
You can also set up a VPN host on your home network, if that’s what you’re trying to connect to. I’ve never done this, but it shouldn’t be too hard, especially for someone that’s already remotely administering a few computers.
The question isn’t how to administer stuff remotely (I do that all the time), but how to be sure that existing administration is not compromised by going thru a public connection.
I can’t set up VPN on a specialty server or an email server for shared accounts, anyway.
If you don’t have a VPN server to connect to, but you do have an SSH server, then there’s also a pretty cool way you can set up a SOCKS proxy that causes all of your browser’s traffic to be encrypted between your PC and your SSH server, and then it goes unencrypted to the internet from there. This is perfect for an untrusted local network if you don’t want to go full-blown VPN, which is a lot more work to set up. The ‘PuTTY’ SSH client has this functionality on Windows.
If you have access to an SSH server and want to try setting this up, let me know and I’ll post more info.
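As an added illustration of what the SSH SOCKS setup above does on the local hop (this is example code, not from the thread and not PuTTY's own): in PuTTY the listener is created under Connection > SSH > Tunnels by adding a source port with the "Dynamic" option; the OpenSSH equivalent is `ssh -D 1080 -N user@sshserver`. The browser then speaks SOCKS5 (RFC 1928) to that listener, and the code below builds and parses both sides of that exchange. The listener port 1080 and the destination `mail.example.test:143` are constructed placeholders.

```python
"""The SOCKS5 exchange (RFC 1928) between a browser and the local listener
that PuTTY's "Dynamic" tunnel (or OpenSSH's ssh -D) opens. Added example,
not code from the thread or from PuTTY; the listener port 1080 and the
destination mail.example.test:143 are constructed placeholders."""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x00: "succeeded", 0x01: "general failure", 0x02: "not allowed by ruleset",
              0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused"}


def client_greeting():
    """Browser -> listener: version, method count, methods offered.
    The SSH session already authenticated you, so the local hop needs none."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_selection(data):
    """Listener -> browser: the chosen method (2 bytes)."""
    version, method = struct.unpack("!BB", data[:2])
    if version != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 reply: version {version}")
    if method == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy rejected every offered auth method")
    return method


def connect_request(host, port):
    """Browser -> listener: CONNECT to host:port. ATYP 0x03 carries the
    hostname itself, so the SSH server resolves it. Passing an IPv4 literal
    instead would mean the name was looked up locally through the hotel's
    DNS, which is the leak that browsers' "proxy DNS" setting closes."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_reply(data):
    """Listener -> browser: (reply code, bound address, bound port)."""
    version, reply, _reserved, atyp = struct.unpack("!BBBB", data[:4])
    if version != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 reply: version {version}")
    if atyp == ATYP_IPV4:
        addr, rest = ".".join(str(b) for b in data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, bytes(data[4:20])), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    (port,) = struct.unpack("!H", rest[:2])
    return reply, addr, port


def open_through_proxy(dest_host, dest_port, proxy=("127.0.0.1", 1080)):
    """Run the whole exchange against a live listener and return the
    connected socket; everything written to it now leaves your netbook
    inside the SSH session and emerges in the clear at the SSH server."""
    s = socket.create_connection(proxy)
    s.sendall(client_greeting())
    parse_method_selection(s.recv(2))
    s.sendall(connect_request(dest_host, dest_port))
    reply, _addr, _port = parse_connect_reply(s.recv(262))
    if reply != 0x00:
        s.close()
        raise ConnectionError(REPLY_TEXT.get(reply, f"reply code {reply}"))
    return s
```

The point to take from the CONNECT request is the address type: only traffic from applications configured to use the SOCKS proxy (and to let the proxy resolve names) is protected, so a mail client or RDP session that is not pointed at the listener still goes out over the hotel network directly.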
I think you misunderstand the suggestion. He’s not suggesting you use the VPN to connect directly to the server you want to administer, he’s suggesting you use VPN to connect to a network you trust, and then remotely administer the email/whatever server the normal way, as if you were physically sitting on the trusted network (e.g. the network back at the office). You’d use all the same potentially-unencrypted protocols, but the traffic is first sent to the trusted network over an encrypted tunnel, then from there to the server, it’s regular unencrypted traffic.
Well, I get what you are saying, but that seems like an extra layer of complexity and data forwarding to slow things down. Surely that’s not what everyone does just to connect to email while traveling?
No, most people probably just do it insecurely. The VPN is the right solution, and in my experience, the lousy speed on hotel networks is a much bigger hindrance than the overhead of VPN.
You won’t see a noticeable performance hit with a VPN connection. It uses a bit of processor time, and adds a bit of data overhead, but it’s a pretty trivial difference. I often use a VPN on this very computer, a not-very-powerful netbook like yours, and I never notice a performance hit. The bottleneck will be your internet connection, even if it’s a really fast connection.
In my case, I often VPN from one academic institution’s network to my “home” academic network, so that I can transfer large files from my lab’s file server as if I were on the same LAN. Both institutions are connected via the amazingly fast Internet2 network, so the bottleneck is the 100mbit ethernet connection on this computer. Even at that speed, the VPN doesn’t cause a big performance hit.
If your employer can give you a client, setting it up is really easy. They should simply give you a VPN client to install. Then, when you want to connect to the VPN, you just run the client and give sign-in information. Presto, all the data moving between you and your employer’s network is now secure. You can now do anything that you’d be willing to do with a wired connection to your employer’s network.
We use an SSH connection for email, and VPN for anything else, such as browsing our intranet or getting to files. My new company has web-based mail also, but I have to VPN to get to that. If you are only as secure as Yahoo you are asking for trouble - remember Sarah Palin.
You can also use a tool like GoToMyPC, which sets up a secure connection to your desktop. This link is encrypted and otherwise protected, so it doesn’t compromise your network, and all that travels over the connection are screen images, keystrokes, and mouse movements.
Basically, it is secure remote control of your workstation. Works like a charm for me.
I have one question. In order to set up a VPN connection to my host, I have to enter a UID and password. Can these be intercepted? Also, the host claims (or used to) that the number of simultaneous VPN connections they can host is limited and want us to limit our usage. Is this an outdated problem?
I suspect that is exactly how most business travelers get their business email while on travel. It is how things are done at my company and a lot of others.
It doesn’t really sound like the author of that article knows what he’s talking about. Some of the solutions he mentions are VPN services you need to subscribe to, and he mentions OpenVPN, which is free and allows you to set up the server end of the VPN yourself (I have done this – it’s not for the faint of heart), but some of the things he mentions don’t make any sense. There’s no way plugging an IronKey USB drive into your computer magically encrypts all your network traffic unless there’s a corresponding service you’re connecting to, as you mentioned.
Hari, a secure channel will be negotiated before your username and password are sent, so that is safe. Otherwise the whole system would fail to work. And regarding the number of connections, it’s possible that’s just a software licensing issue, like the VPN server software they bought only allows them a certain number of connections at once and they have to pay for more, so they only want you using it when necessary.
It sure looks like those VPNs in the article allow you to connect to that company’s computer securely, then they send encrypted traffic to your PC. One is ad-supported; the others have a monthly or yearly fee.
The token card is for authentication, not encryption. Encryption is set up with some sort of public key exchange. A VPN that sends passwords in the clear is so poorly implemented that most right-thinking people would consider the software basically fraudulent if it sends anything in the clear after the public key exchange.
If they’re doing real work then they should be using a VPN. My company’s security policy says that even if I just want to do some casual browsing I’m required to VPN into the corporate network to do so.