Automatic Hotspot Logon

Transcription

1 WHITE PAPER: for VPN Setup Features of the integrated, dynamic NCP Personal Firewall Solution

2 Table of Contents 1. Insecure mobile computing via Wi-Fi networks (hotspots) Basic hotspot functionality Risks and problems Alternative approaches with residual risks The NCP solution automatic hotspot logon Dynamic adaption of firewall rules for hotspot logon Operating the automatic hotspot logon Additional information about the NCP Personal Firewall Outline - all features of the integrated NCP Personal Firewall Scenarios and comparison dedicated Personal Firewall and the integrated universal NCP solution...8

3 1. Insecure mobile computing via Wi-Fi networks (hotspots) Today mobile business is an established working method in modern enterprises. The use of notebooks and handhelds increases the productivity and flexibility of mobile employees and this contributes to the success of the business. Particularly public networks (GSM, 3G) and broadband wireless networks like wireless LANs (Wi-Fi networks) are used in addition to communication mediums like ISDN, the analog telephone network and xdsl. Hotspots, i.e. Wi-Fi networks that are installed in public places, like railway stations, airports, trade show facilities and hotels, provide access to the Internet. Like all wireless networks, Wi-Fi networks particularly threaten security, since the air interface provides an easy target. For this reason, mobile teleworkers find themselves in an extremely insecure environment where they have to deal with security issues on their own. The teleworker does not only have to protect an existing data connection to the corporate network, but also prevent security gaps before and during connection set-up. 1.1 Basic hotspot functionality Providers operate hotspots, i.e. Wi-Fi networks, make them available to the general public and charge a fee for the use of this network. Public Wi-Fi networks serve as broadband access networks to the Internet or to the corporate network. If a mobile employee wants to establish a connection to the corporate network, he has to logon to the hotspot, first. This is usually done via a web browser where the user enters his user ID. Based on this ID, the user gains access to the network. Furthermore, payment is made or invoicing arrangements are specified on the basis of this ID. 1.2 Risks and problems Basically any user with an appropriately configured PC can access public Wi-Fi networks. In order to do so, he usually gets an IP address, provided he knows the SSID (Service Set Identifier) of the Wi-Fi network. Data security or a safeguard protecting the end device against attacks is not provided for by the Wi-Fi operator, i.e. every user has to take care of security measures himself. Specifically the following security issues are involved: 1. Safeguarding confidentiality Sensitive information should not be accessible to third parties during transmission. 2. Safeguarding the PC at the hotspot At all times, the PC workstation has to be shielded against attacks from within the Wi-Fi network, (i.e. other Wi-Fi participants) and against attacks from the Internet. 1

4 Proven security mechanisms protect confidentiality: VPN tunneling and data encryption. In addition, the PC is protected by a personal firewall with Stateful Packet Inspection. If this function is not available, the user should refrain from mobile computing. The actual security risk is due to the fact that logon at the hotspot operator has to be executed via browser outside of the protected area of a VPN. This means: During logon, the end device is not protected. Normally this does not comply with the corporate policy, which usually forbids direct surfing on the Internet and only allows certain protocols. For this reason, a firewall solution on the end device that really offers comprehensive protection has to secure the critical phases during logon and logoff at the hotspot. 1.3 Alternative approaches with residual risks In order to ensure full functionality at any hotspot, firewall rules for http or https are set by the administrator. Alternatively a rule can be configured in a way that opens the ports for http or https for only a certain time window (e.g. 2 minutes). In both cases, the security risk is due to the fact that the user surfs the Internet without the protection of a VPN tunnel and the end device might become infected. During the temporary opening of the firewall there is danger of intentional misuse on behalf of the user, who could trigger the time window several times. In another scenario, the user changes the firewall rules himself. This need-dependent opening of the personal firewall, however, carries the risk of incorrect configurations. In this case, the user has to know precisely which changes have to be made at the respective location. This means that the quality of the applied security level is only determined by two factors: the security consciousness of the user and his technical expertise. 2. The NCP solution automatic hotspot logon NCP has integrated the personal firewall into the Secure Client software, in order to protect the remote client against any kinds of attack in all phases of the connection set-up in Wi-Fi networks and hotspots. Throughout the whole process of connection set-up, the user does not need to interfere. Intelligent automated processes provide secure hotspot logon. Administrators and users can rely on the security of their end devices and data at all times. There are two approaches: Dynamic adaption of firewall rules for hotspot logon Script-based hotspot logon 2

5 Only the first approach is outlined in this document. The second approach, the script-based hotspot logon is explained in the NCP Secure Client s manual. 2.1 Dynamic adaption of firewall rules for hotspot logon If a user is within receiving range of a public Wi-Fi, he selects the menu option Hotspot logon. The NCP Secure Client then automatically searches for the hotspot and opens the website for the logon procedure in the standard browser. If the standard browser has a set proxy server, the user has to deactivate it in some cases. The following alternative, however, is recommended: For protection against manipulation an alternative browser and its HASH value can be defined in the Secure Client s hotspot settings (Figure 1). Additional measures (operating system file rights) further increase security. Figure 1: Hotspot configuration This browser can be modified to suit the requirements of a hotspot; e.g. no proxy server, no address bar, as well as Java and Java Script being deactivated so that hotspot logon is the only possibility. Figure 3 shows such a modified browser, which in this case is based on Firefox portable. After successfully entering the access data and activation by the operator, the VPN connection to the corporate headquarters for example can be established, and the user can communicate with the same security he has at an office workstation. To keep the PC invulnerable at all times, the firewall dynamically releases the ports for http or https for hotspot logon or logoff. 3

6 Invulnerability is secured since an HTTP request is initiated to a specified home page. Depending on the necessary communication, the required firewall rules are created dynamically. This is true for the first eight addresses that are addressed by the hotspot logon application within the first 60 seconds. This is necessary because hotspot logon servers frequently download graphic files from various other servers. The dynamic rejects data packets that have not been requested. In this manner the system guarantees that a public Wi-Fi network is only used for the VPN connection to the central data network and that there is no direct Internet access. Automatic firewall rules in detail After clicking the menu item Hotspot Logon, the monitor dynamically generates the following rules for IP addresses. These rules remain in effect until the user either clicks hotspot logon once more or the system is restarted (necessary for logoff). At hotspots with redirect support: IP address of the NCP web server or the URL that has been entered at the hotspot logon menu item (necessary for the Internet online test) (source port: ; destination port: ) Server IP address from the redirect (source port: ; destination port: ) The first 8 IP addresses that are addressed within the first 60 seconds of the application (source port ; destination port: ) At hotspots without redirect support: IP address of the NCP web server or the URL that has been entered at the hotspot logon menu item (necessary for the Internet online test) (source port: ; destination port: ) The first 8 IP addresses that are addressed within the first 60 seconds of the application (source port: ; destination port: ) Configuration of the home page Example: If no website has been entered the default setting is for German and for English. If you wish to configure a home page, the following automatism is applied: 4

7 Configured home page modified home page for autom. http request no modification 2.2 Operating the automatic hotspot logon If the user is within range of a hotspot, he opens the menu option Hotspot Logon in the Connection menu of the NCP Secure Client Monitor and starts hotspot logon by clicking the left mouse button (Figure 2). Then the system automatically calls the configured browser and opens the logon page of the hotspot operator (Figure 3). Figure 3: Browser with the logo page of the hotspot operator Figure 2: Select hotspot logon For public access with web logon, it is a prerequisite that the accessing system uses a redirect to the logon site of the hotspot provider. This redirect emulates the logon site. Now the user can enter his access information and after a successful logon, he can establish a VPN connection to his corporate headquarters using the NCP Secure Client. Direct communication with the Internet, which means bypassing the VPN tunnel, is impossible due to the previously described dynamic firewall rules. As explained before, the integrated Personal Firewall of the NCP Secure Client defines the rules according to the specific situation. Please note that proxy settings that may have been entered have to be adapted or deactivated for logon via the standard browser at the hotspot. If hotspot logon has not been executed by the NCP Secure Client, a corresponding message is 5

8 displayed (Figure 4). In such a case, please determine whether there is a general problem with this hotspot operator and the mechanisms implemented. Please contact the NCP support (info-2@ncp.de) if necessary. Figure 4: Hotspot logon not possible 3. Additional information about the NCP Personal Firewall The personal firewall is a fixed component of the NCP Secure Client. All firewall mechanisms are optimized for Remote Access applications and are activated when the computer boots. This means that in contrast to VPN solutions with autonomous firewall the teleworkstation is already protected against attacks before the user actually accesses the VPN. The personal firewall also offers complete protection of the end device even if the client software is deactivated. All firewall rules can be centrally specified by the administrator and compliance with these rules can be forced. In this case, the prerequisite is the central NCP Secure Enterprise Management system, which is used to configure the Secure Enterprise Client. All configurations can be locked, which means the user cannot modify them. 3.1 Outline - all features of the integrated NCP Personal Firewall IP Network Address Translation (IP-NAT) IP-NAT hides the internal client address so that it is not vulnerable from outside. Stateful Packet Inspection Rules for data transfer are specified, i.e. all outgoing and incoming data packets have to correspond to filter rules that have been previously determined. Each incoming data packet is checked, based on the defined characteristics, and is rejected in the event of non-compliance. This means: The computer is shielded according to the rules that have been created and the set-up of undesired connections is prevented. Application-dependent filter rules It is possible to define filter rules that can only be used in connection with a certain application. A typical example is a filter rule that is only used by the Internet Explorer and only allows surfing via port 80. 6

9 Filter rules based on protocol, port and address As a default, filter rules are defined via ports and IP addresses. However, it is possible to set an additional filter for protocols. Friendly net detection Defined filter rules are automatically activated depending on the network environment, where the teleworker is located, e.g. LAN of the company or Wi-Fi at hotspots. Public, unfriendly networks call for different rules than friendly networks. The software automatically identifies the type of network by analyzing one or several of the following factors: Current network address IP address of the DHCP server MAC address of the DHCP server Automatically according to the FND server (see FND whitepaper) Automatic hotspot logon Automatic hotspot logon is an intelligent mechanism for secure activation of network access via the browser to public Wi-Fi networks. The system blocks any additional data transfer, i.e. the user protected in this phase of the connection set-up. Connection-dependent filter rules Extensive logging options e.g. Protocol on/off Rejected data traffic Permitted data traffic 7

10 4. Scenarios and comparison dedicated Personal Firewall and the integrated universal NCP solution Scenario 1 Scenario 2 Scenario 3 Scenario 4 VPN Client installed installed installed installed Personal Firewall not installed installed (only outgoing connections are permitted) installed (only communication in the VPN tunnel) integrated Competition Competition Competition NCP Secure Client Activities Hotspot logon yes yes no yes Surfing in the Internet yes yes no yes VPN connection to corporate headquarters Protection against attacks from within the Wi-Fi Protection against attacks from the Internet Protection from viruses, worms, external dialers Firewall rules adapt themselves dynamically to the target network yes yes no yes no yes yes yes no yes yes yes no no yes yes no no no yes Firewall is protected from user manipulation no no no yes even in spite of administrator rights users may have Firewall starts when booting Firewall remains active after deactivation of the VPN service no no no yes no no no yes NCP engineering GmbH Dombuehler Strasse Nuremberg Phone: Fax: NCP engineering, Inc. 444 Castro Street, Suite 711 Mountain View, CA Phone: +1 (650) Fax: +1 (650) Copyright 2010 NCP engineering, All rights reserved Copyright 2011 NCP February engineering 2011