
VPN info for travellers and users of wireless networks

In computer networks, data is divided into smaller packets so that it can be transported. From these packets it is possible to tell where a packet is coming from and where it is going. The information is very often carried in plain text, and anyone along the path will be able to see the data as it is. Sometimes the information in the packets is encrypted, but in some cases the encryption can be broken, especially when the user ignores the warnings from the browser or other software about incorrect identification information and continues with the connection despite them.

In particular, users of wireless local area networks (Wi-Fi) are easy targets for eavesdropping. If your wireless network does not use any encryption (encryption methods are for example WEP and nowadays WPA1/2), all packets transferred in the vicinity of a wireless access point can be captured. The eavesdropper can also sit behind the access point in the fixed network, or the wireless access point may be a so-called “rogue access point”, a base station set up without authorization. In this case, the eavesdropper has given the unauthorized base station either a credible-looking network name or the same network name (BSSID) as the legitimate one in order to fool users.

Fully unencrypted Wi-Fi networks are very common in Finland and abroad. For example, PanOulu is an unencrypted wireless network.

The idea of a VPN connection is to encrypt all packets to be transported and to carry that encrypted traffic inside another packet. The packets are sent to the VPN server, which decrypts them and then forwards the traffic.

A VPN allows you to:

  • Access the organization’s information systems remotely, authenticated and securely
  • Use your own devices on unknown networks fairly safely
  • Improve the protection of your privacy

Different ways in which (remote) users of unprotected connections are being cheated:

  1. You are travelling in Finland by train and it seems that the train is offering free internet access. The base station may be an access point installed by VR and named “VR” etc., or another passenger may be using the same “official name” for a base station to attract more passengers to use the internet connection. Users of that unauthorized base station are now at risk, because the information passing through it is stored.
  2. You are enjoying a cool beer in summer at the marketplace and using the PanOulu network. On a patio nearby, someone collects the plaintext traffic between your phone and the PanOulu base station.
  3. You are using the PanOulu network in your office with a laptop or phone. In a classroom nearby a student has built an unauthorized base station with the same name, and your laptop/phone has associated with that (false) base station.
  4. You are visiting London and using Heathrow airport’s free Wi-Fi network. In the same departure lounge there are cyber criminals who collect all plaintext traffic for later use.
  5. You are visiting a French partner university and sign in to their highly secure WPA2 wireless local area network using the username of the person hosting the event. Behind the wireless local area network, in the fixed network, there is a security breach or some other third party who sees the base station’s traffic unencrypted.
  6. Same as number 5, but you are at a hotel or bed & breakfast and the traffic behind the wireless network is recorded.
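As an added illustration of scenarios 1 and 3 above (example code written for this page, not part of the original bulletin): a small Python check, of the kind a network operator could run over scan results, that compares observed beacon frames against a hypothetical inventory of legitimate base stations and flags access points announcing a monitored network name that are not in it. The beacon list and the inventory are constructed sample data.

```python
# Constructed sample scan results: (network name, BSSID, channel, signal dBm).
# Not a real capture; the names and addresses are made up for this example.
OBSERVED_BEACONS = [
    ("panoulu", "00:11:22:33:44:01", 1, -60),
    ("panoulu", "00:11:22:33:44:02", 6, -65),
    ("panoulu", "dc:ad:be:ef:00:01", 6, -35),   # same name, unknown address, very strong signal
    ("VR", "a8:bb:cc:00:00:10", 11, -70),
    ("VR", "a8:bb:cc:00:00:10", 11, -68),       # the same access point seen twice
    ("VR", "02:ab:cd:ef:01:02", 11, -40),       # same name, locally administered address
]

# Hypothetical operator inventory: which BSSIDs legitimately announce each network name.
KNOWN_BSSIDS = {
    "panoulu": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "VR": {"a8:bb:cc:00:00:10"},
}


def is_locally_administered(bssid):
    """True if the U/L bit of the first octet is set, i.e. the MAC address was chosen by
    software rather than assigned by the manufacturer (common for ad hoc base stations)."""
    first_octet = int(bssid.split(":")[0], 16)
    return bool(first_octet & 0x02)


def find_rogue_candidates(beacons, known):
    """Return one finding per distinct (name, BSSID) pair that announces a monitored
    network name but is not in the inventory, with the reasons it was flagged."""
    findings = []
    seen = set()
    for ssid, bssid, channel, rssi in beacons:
        bssid = bssid.lower()
        if ssid not in known or (ssid, bssid) in seen:
            continue                      # not a name we monitor, or already reported
        seen.add((ssid, bssid))
        reasons = []
        if bssid not in {b.lower() for b in known[ssid]}:
            reasons.append("bssid not in inventory")
        if is_locally_administered(bssid):
            reasons.append("locally administered mac")
        if reasons:
            findings.append({"ssid": ssid, "bssid": bssid, "channel": channel,
                             "rssi": rssi, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_rogue_candidates(OBSERVED_BEACONS, KNOWN_BSSIDS):
        print(f"possible rogue AP for '{f['ssid']}': {f['bssid']} ch{f['channel']} "
              f"{f['rssi']} dBm ({', '.join(f['reasons'])})")
```

A real deployment would take the beacon list from a wireless scanner and the inventory from the access point controller; the logic stays the same.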

Eavesdropping and capturing network traffic is virtually always automated and does not require real-time human guidance.

Even the maximum protection of a wireless access point does not necessarily mean the connection is safe, because there is no certainty about who owns the base station, and the user typically does not know what is happening in the network behind it. A working VPN connection encrypts all transmitted traffic, and there is no significant damage even if an outside party sees those encrypted packets. Note that you can use VPN connections over both mobile and local area network connections.

How to create a VPN connection

IT Services has drafted guidelines for setting up VPN connections, see: VPN instructions for students and VPN instructions for staff. In wireless networks, a guest user must first turn the VPN connection on and only after that use other network services.

Please note that in all relevant OUAS services, all communication is protected. For example, OUAS e-mail, the intranets and Moodle use secure communication (TLS, for example HTTPS). The browser notifies you if the service is not using an established certificate: in this case the user must decide whether to continue to the service or not, being aware that one of the intervening parties may be presenting a false certificate with a scam in mind. In such circumstances you can check with the helpdesk whether the service is safe to use, for example if a certificate has just expired and its renewal is still pending. The same problem may also affect the VPN service. Furthermore, you must take into account that versions older than TLS 1.2 are vulnerable to a couple of attacks, of which at least the “BEAST” attack and its variants are well-known methods proven to work.
Most commonly used services currently use secure connections, so a VPN is to be seen mainly as good additional protection on top of other security methods. A VPN also works against internet name service (DNS) forgery. Some system software does not use encrypted connections at all when checking for or retrieving updates. More information about this can be found, for example, by searching for “evilgrade”.
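To make the certificate warning and TLS version points above concrete, here is an added Python example (written for this page, not from the original bulletin or from OUAS IT Services) that contrasts the hardened client settings a browser or VPN client should use with what “continuing despite the warning” amounts to, and audits either context against those points. It uses only the standard ssl module and needs no network connection.

```python
import ssl


def make_client_context():
    """Hardened client context: verify the certificate chain against the system CA store,
    check that the certificate name matches the host, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_legacy_context():
    """What clicking through a certificate warning amounts to: the server's certificate
    is accepted without any verification, so a forged certificate is accepted as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be changed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of weaknesses found in a client SSLContext (empty list = acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()), ("legacy", make_legacy_context())):
        print(name, "->", audit_context(ctx) or "no findings")
```

With the hardened context a forged or expired certificate makes the connection fail instead of silently succeeding, which is the behaviour the helpdesk check above relies on.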

(This post was written by the OUAS Security Officer and I have translated it for the it.oamk.fi page. J.K.)
