Surfing Securely on Campus Wireless

Primary Disclaimer: I am not in contact with IT services and I don't know how right or wrong I am about how things are managed. I assume some 3rd party is involved (Aruba Networks) and I have no idea how much credit/blame to give to them in the security choices made. --litui

Preface
The campus wireless network allows all students who have WiFi-capable devices to connect to the internet. It would seem, however, that there is no cryptographic standard employed on the network once past the login page.

This, unfortunately, opens up everything you do on the internet to anyone who knows a thing or two about the technology. Simply speaking, that means a third party with malicious intent can passively monitor everything you do. What's more, this requires no special hardware for them. All they need is the same kind of wireless device you're using and software which places their wireless devices into a promiscuous mode and displays the content of the messages flying through the air.

In this way, we are not only trusting IT Services with our information (who I'm not really very worried about), but anyone else physically on campus. It's important also to note that these random people intercepting your communications need not be students. The campus wireless login is only presented after one is already connected to the wireless network.

Unfortunately, it seems little effort has been made to make students aware of these issues or to solve these problems at the time of implementation. You may call me paranoid, but in all modesty about my own ability (I'm really fairly new to actual use of wireless), I know for a fact that people with less networking and IT experience than I have are capable of doing these things.

Unsecured wireless is not inherently a bad thing, but if the infrastructure is not secured, the user should take steps to secure his own use. That's what I hope for this document to be about.

Edit: I did notice that the signs in various places telling how to use the wireless network do warn of the lack of security in fairly small type.

Legalities
Disclaimer: I am not a lawyer.

Because only passive monitoring is required to intercept wireless transmissions, and because WiFi frequencies fall into ranges which are subject to interference by federal regulations, it's hard to say whether such monitoring can be considered illegal (I'm not aware of any precedent-setting legal rulings off the top of my head). In essence, when you transmit or request information from a server over a wireless network, you are broadcasting a radio signal over a frequency that is legally unprotected (WiFi cards are sometimes called wireless radios). Once it leaves your card, it's arguable that you have (wittingly or not) made your message public. It probably still remains your intellectual property, but I find it hard to imagine being able to seek legal recourse for someone's possession of information you have broadcast over open airwaves.

Add encryption to the mix, however, and you have made an active move to protect your transmission. For a third party to decrypt such a message would involve active effort and it is no longer simple interception of radio waves.

Edit: I know there are laws about unauthorized access to a network, but I'm not sure to what extent those apply when passively receiving packets. They certainly do if you actively poll the systems for any purpose or make use of any of the systems without authorization.

Options
So, now that you know what could very well be occurring, what can you do about it?

Wired-Only
An option that's not very favourable might be to avoid use of the campus wireless network. A switched wired network (which is what most if not all of the U of C labs and offices are making use of) is inherently more secure. A man-in-the-middle attack can still occur, but typically requires a specific hardware configuration and physical access to the cables linking computers to switches (boxes with many ports that intelligently route network traffic from computer to computer). This would be much more difficult to set up without knowledge of the IT staff. It also requires active effort to accomplish. Wired is not 100% secure, but a far more secure choice than completely unencrypted wireless.

Proxy via secure tunnel
This is an effective technique for encrypting your network access if you have access to a computer at home connected to broadband internet. It is not easy to set up and it requires some configuration every time you need to access the internet. There are many possibilities and many pieces of software that can accomplish the task, but the following is a run-down of what is required.


 * Effective proxy software. It needn't be big and it needn't cache files (though this is advantageous if speed is a concern).
 * The proxy will be configured on your home machine to only allow connections from localhost (127.0.0.1). The actual connection will be made using other software that encrypts the connection such as the following.
 * Stunnel: This software is run as a service on the home machine, configured to allow secure connections from an external port to the proxy port on your home machine. The client (your laptop?) then runs another copy of stunnel configured to receive connections on a port on localhost and forward them securely to the stunnel on your home machine. With this method, it is a good idea to set up HTTP authentication or some form of key-based authentication.
 * OpenSSH: This is secure remote terminal software (like telnet) that also allows secure port forwarding. If you are already running an SSH server on your home machine, it only requires one command-line parameter from the client machine to configure a local port on the client to connect to the remote proxy's port on your home machine. All traffic sent via the SSH tunnel will be encrypted. An additional plus is that SSH requires you to log in to the home machine, so by default every connection is authenticated.
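
The OpenSSH variant above, as an added example that is not part of the original page: it builds the single forwarding command for the laptop and checks, from `ss -ltn`-style output on the home machine, that the proxy listens on loopback only. The host name, both port numbers and the sample listener tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Host name, ports and sample listener tables are constructed.
HOME_HOST="home.example.org"   # assumed name of the home machine
PROXY_PORT=3128                # assumed port of the proxy on the home machine
LOCAL_PORT=8080                # assumed local port the browser is pointed at

# Build the ssh command that forwards a loopback port on the laptop to the
# proxy listening on the home machine's loopback interface.
#   -N  run no remote command, forward only
#   -L  bind_address:port:host:hostport (host is resolved on the home machine)
#   ExitOnForwardFailure=yes  exit rather than run without the tunnel
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$LOCAL_PORT" "$PROXY_PORT" "$1"
}

# Read `ss -ltn`-style lines on stdin. Succeed only if the given port has at
# least one listener and every listener for it is bound to a loopback address.
loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]          # port is the last field
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p != port) next
            seen = 1
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit !(seen && !bad) }'
}

# Constructed listener tables: a correctly bound proxy and an exposed one.
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:3128     0.0.0.0:*'
SAMPLE_BAD='LISTEN 0      128    0.0.0.0:3128       0.0.0.0:*'

tunnel_cmd "user@$HOME_HOST"
printf '%s\n' "$SAMPLE_GOOD" | loopback_only "$PROXY_PORT" \
    && echo "proxy is reachable through the tunnel only"
printf '%s\n' "$SAMPLE_BAD" | loopback_only "$PROXY_PORT" \
    || echo "proxy is exposed: bind it to 127.0.0.1"
```

On the home machine the real check is `ss -ltn | loopback_only 3128`; on the laptop, the browser's HTTP proxy is then set to 127.0.0.1 and the local port.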

VPN
I won't detail the configuration process as there is a great deal of variation, but if you have access to a corporate VPN or knowledge of how to set up a VPN server on your home computer, a laptop can be configured to act as a VPN road warrior and routing can then be configured to allow the road warrior laptop to access the internet through the remote machine.

Safe unsecured browsing
So, you're unable to surf the net securely. What can you do about it?


 * If you're ever sending personal information, do so only over encrypted connections. In a web browser, these will be prefaced by "https://" and not "http://".
 * Delete your browser cookies before surfing, and try not to use websites that rely entirely on cookies to maintain logged-in status. These cookies are transmitted in plain text over wireless and are as easily copied as any other information.

Suggestions for Improvement of the Network Security
The below has not been submitted to IT Services. Rather, it serves as a work-in-progress formulation of ideas. Please feel free to add or modify. These are things that could be implemented by the school to assist in securing the campus wireless.

WEP/WPA
I'm sure this has been considered, and depends entirely on the hardware being used by both clients and access points. Scalability may be a concern. If someone knows any details on the decision not to use WEP or WPA, I invite you to add that info here.

Custom tunnel
This would require custom software for multiple platforms. The idea is similar to the stunnel method suggested above under Options, but would secure the connection from a user's laptop or other wireless device to a proxy (or scalable array of proxies) on the University's wired network. This would serve the same purpose and through branded client software, would allow ease of configuration for the end-user.

IPsec
Support for a layered cryptographic standard such as IPsec over wireless between client and router would serve the same purpose as WEP or WPA and could even be more effective.

Addendum / That Which Would Be A Conclusion
Sorry if this is over the head of many people. The problem with WiFi since its inception has been a quick acceptance by the consumer with little information on security provided by the manufacturers and retailers. This has had the benefit of widespread acceptance of WiFi, but in my opinion the technology was rushed to market before the security standards were fixed. WEP (Wired Equivalent Privacy) was cracked shortly after its release with the early generations of wireless cards, and took a long time to be replaced by WPA, a far better security standard. Most users weren't even bothering with WEP when it was considered secure because, quite simply, they had no idea how to use it.

Users should know how to secure their networks, but users are not usually pro-active about security. If the manufacturer, retailer, or tech guy does not enlighten them at the time of purchase or configuration, they will not typically be aware that there is a concern.

Then the question arises as to whether it should be the responsibility of the manufacturers or a case of 'buyer beware'. I'm divided. I don't think anyone should hold the user's hand, but the user should be made aware of the issues. If he still wants to be apathetic knowing open wireless is a running leap on the path to all sorts of nasty things (identity theft comes to mind) then it's in his hands.

Fortunately, this is improving slowly as time marches on. Companies are securing their wireless networks, and like the U of C, are passing (and enforcing) Wireless Usage Policies.

Request for Further Options
Anyone who has suggestions (multi-platform preferred) for how to secure your access while using U of C campus wireless or any other open WiFi networks, please edit this page and add them. My suggestions are by no means complete, and are only the result of my own decisions thus far.