Personal VPN

As I left on vacation last week, I still wanted to surf safely while on the road. Unencrypted wi-fi connections, such as those found at hotels and most coffeehouses, are just not secure. They don’t even have the same security in place that most people have at their homes. Anyone within wireless distance could be trying to polish their hacking skills. With the release of Firesheep, it is now even easier to steal sessions.

At first I thought about tethering the iPhone. But that phone was provided by work, and they have drastically scaled back who can get the tethering “benefit”. Next I thought about a MiFi or an EVO. But who really wants to have one more device to charge and carry around? I settled on Personal VPN from Witopia.

VPNs create encrypted tunnels between points. My work VPN doesn’t tunnel all traffic by default. Even if it did, who wants to VPN into work when you’ve sworn not to do work while on vacation? At some companies that type of personal use would be against the rules.

There are a number of personal VPN providers. I went with Witopia because they have many methods of connecting. They have SSL VPN support, which is the preferred method. PPTP is available for devices that cannot do SSL VPNs, such as some phones. They have also added the Cisco IPsec VPN; that is the easiest way to connect with the iPhone. They have multiple points of presence with choices of encryption strength and, in some cases, alternate ports.

I was referred to Witopia by people I trust, and the company looked decent from what I read in their blog. I was a bit confused by the multiple websites, some of which don’t look professional (witopia.net redirected to personalvpn.com for the purchase). I also had issues because the store only supported SSL3. I had configured my browser to only use TLS 1.0 or later while performing some tests, and had forgotten to turn SSL3 back on. It seems a bit weird for an SSL VPN company to not support the newer TLS.

Using with the iPhone

Because the iPhone had a 3G connection where I was, I didn’t find it necessary to use the public wifi all that much.

The iPhone presents some issues when using the personal VPN. The main issue is that you must set the wireless connection not to reconnect automatically. The default will reconnect. So the phone autolocks. The wireless is disconnected. The VPN session dies. You reopen the phone. It auto-connects to wireless, and all your bits are flowing over the clear wifi network. It would be nice if there were a way to say always start the VPN when bringing up unencrypted wifi (or at least THIS wifi). By setting this wireless network to not start automatically, the phone will stay on 3G, which is much more secure. You should always do this with untrusted unencrypted wifi connections on any device.

Using with the laptop

I had issues using Witopia on my laptop. We use Symantec Endpoint Protection’s Device Control capability to disable the wireless card when ethernet devices are present. SEP saw both the SSL and PPTP connections as an additional ethernet connection and consequently disabled the wireless connection. At that point, I was connected to nothing. I tried to deal with this by using the Cisco VPN instead, but I found that configuration is only supported on the iPhone. I would have thought I had enough information from the iPhone configuration instructions to make it work on Windows, but I couldn’t get it done. For my trip I ended up using Norton Internet Security instead. Most people wouldn’t have this issue, but it was a big one for me.

The SSL VPN client is using OpenVPN. Unfortunately you must be an administrator to run OpenVPN. This means that on Windows 7 you will need to elevate each time you start the VPN solution. Not cool. I’m guessing they would have to run it as a service to alleviate this, and they wanted to stay more lightweight and only run when needed.

At the hotel I did have issues with getting disconnected. This did not occur at home on my own, presumably more stable, network, so I don’t hold that against them. To fix it, I had to open the VPN client and select reconnect. When it failed, rather than falling back to an insecure connection, I had no internet connection. I don’t know if they did that on purpose or not, but it is more secure.

The SSL VPN client is built on the website and contains your individual authentication credentials. You type anything in to authenticate the VPN.

What it isn’t for

Be aware that if you spend the money in order to bypass IP-based content restrictions, you may find yourself in an arms race. I see in news articles that Hulu blocked Witopia because it was used to access content not available in the host country. This could happen with any proxy or VPN provider.

It isn’t to get around restrictions at work. Is it worth looking for a new job just to put one over on the man?

It isn’t for illegal things. It isn’t an anonymizer. While it does change the source IP, if you do something illegal, records are kept and will be given to law enforcement with a proper warrant. Additionally, you may give away your identity via pre-existing cookies or other traffic analysis.

I see a personal VPN as protecting that first, most dangerous wireless hop.

Conclusion

I’m glad I had this on my trip. I wouldn’t use any public connections without a personal VPN product.

I’m not sure the SSL client is the easiest thing to use. PPTP is familiar to anyone who has used dial-up networking. These products aren’t transparent to the end user, which makes me think this is for moderate to advanced users worried about session theft, password theft and other sniffing on the local unprotected network.

2 Comments

  1. Roger, I work on Symantec’s endpoint security team, and can try to help you avoid the unusual problem you experienced with SEP’s Device Control. The best way to do this in SEP is to use the firewall to block wireless access when the Ethernet is connected. However, for me to know for sure, I would need to see the policy from the client. If you would like to connect, just shoot me an email.
