Risks in the WLAN
Each user can access public WLANs with correspondingly equipped terminals. They automatically obtain an IP address in the sense that they recognize the SSID (service set identifier) of the WLAN, thus putting themselves within range of the access points, and able to access permission onto the WLAN. Data security or protection of participating devices from attacks is not guaranteed by the WLAN operator. Security is limited to monitoring authorized network access in order to eliminate misuse of the server administration. User identification serves solely for the acquisition and the accounting of time online. However, how does it look regarding the protection of sensitive information during data transmission? How can the PC optimally seal itself off from attacks from the WLAN and the Internet? Because the actual security risk on the hotspot originates from having to register with the operator outside the protected area of a VPN, as a rule it has to take place by means of the browser. During this timeframe, the terminal device is unprotected. This stands in opposition to the company’s security policy that prohibits direct surfing on the Internet and that only permits certain protocols.
Basically, VPN mechanisms and data encryption serve to protect confidentiality. The corresponding security standards are IPSec tunneling and AES encryption for data, and X.509 v3 for access protection. Additional security mechanisms, such as certificates in a PKI (public key infrastructure) or onetime password tokens complement/replace the usual user-ID and password. A personal firewall offers the required protective mechanisms against attacks from the Internet and from the public WLAN. Here, stateful packet inspection is critical. If this is not provided, it is not advised to use a hotspot for mobile computing.
VPN client and external personal firewall
For a VPN solution with a separately installed firewall, the ports for http/https data traffic to the personal firewall must be activated during hotspot registration. This can take place in three different ways:
1. The firewall rules for http/https are firmly preconfigured in order to guarantee the functionality with the desired hotspots.
2. The configuration allows that the ports are opened for http/https as needed for a certain time window (e.g. two minutes).
3. The user has administration rights and independently changes the firewall rules.