[Originally published for searchSecurity.com .]
I remember the first time I walked into a hotel room and found an Ethernet drop. It was at TISC (tisc.corecom.com) Fall 1999 in Boston, at the Seaport Hotel. Now, it's almost commonplace to find high-speed access to the Internet. But does it present any new or different vulnerabilities? Perhaps. I'd like to take a look at the potential trouble spots and offer some suggestions for mitigating them.
I remember well the expectation with which I connected up to that Ethernet port. After I found that I could indeed access the Internet, my e-mail and so on, I had a thought. I clicked on "Network Neighborhood." I clicked on "Entire Network." And there I found names of workgroups. First on the list was my own, "Avolio." But there were also others. Among them, I remember "Workgroup" and "Raptor." Raptor was the name of one of our competitors in the firewall market. Can you imagine what I did next?
Nothing. But I could have...
These vulnerabilities are very much the same as for someone using a cable modem from home. The problem is, people are used to using telephone dial-ups from hotels, so even if they are careful at home (if they even have a broadband connection), the security-mindedness does not carry over. A dial-up connection in the hotel is not easily exploited. Hotel broadband is much different. For one thing, there's the "network neighborhood" problem I mentioned above. Windows boxes are constantly begging any device that will listen to talk SMB (server message block). If the road warrior's laptop is set up to normally work at home or in an office without password restrictions in the "shares," the information is vulnerable to theft. For another thing, a person is more likely to leave his computer connected all the time to such a connection (unlike on a telephone connection).
It's so convenient (there's a word that should send shivers up the spines of security folks). It's just like at home! Now, while asleep, the kid in the room next door (or the industrial spy -- it does happen, you know) has all night to find the PC and exploit any holes that might exist.
If the hotel broadband system is set up for "instant use" -- so the user may leave the PC configured with the same settings, as at home or the office -- the situation is only slightly better. The "network neighborhood" will probably not show any other computers, but the data communication is still vulnerable to packet sniffing. And the PC may still be vulnerable to connection-based attacks.
First, your security policy covering remote access should cover remote access from hotels with broadband Internet access. If you have a policy about connecting to and from other people's networks (from clients' sites, Internet cafe, etc.), you can expand it to include this.
Next, if you are going to allow such access (and, of course you are), the traveler needs to be equipped with extra protection. Antivirus software should go without saying. So I won't say any more on that. But consider the following defensive mechanisms to protect notebook PCs on hotel networks.
A personal firewall is an inexpensive first line of defense. It should keep the PC from inviting attack from "neighbors," as well as making sure no unauthorized services are running on the PC (really, there should be none). Many travelers would have already heard of and considered these in relation to their home broadband use. They not only make sure that only policy-sanctioned services are allowed to run on the PC and be accessible from outside, they also act as host intrusion-detection systems. It would be most useful if 1) your policy stated that the user may not tamper with the PC firewall configuration and 2) that the software detected the inevitable user tampering.
Encrypted connections will keep the traffic from being snooped. Grabbing packets off of the Internet backbone is a formidable task. Sniffing them off of a hotel network is easy. You can go the VPN route, encrypting everything between the remote PC and the enterprise network and remote PC. The VPN solution used should ensure that when the PC is connected to the enterprise, no connection to the rest of the Internet is allowed, so there is no chance of IP packets being forwarded between the Internet and the enterprise network.
If a VPN is not feasible, an SSL-encrypted Web-based connection to minimal services, such as e-mail, might be an acceptable next choice. In this case, a username and password is often used to authenticate access. Though the connection is encrypted, this is susceptible to a guessing attack. Though you will get pushback from the "bean counters," marrying this kind of access to strong user authentication -- via hardware- or software-based token, or browser-based certificates, for example -- is a security win.
One final thought: I have discussed broadband access from hotels. I hope it is obvious that similar concerns, and so safeguards, should be employed from home or Internet cafe
Lisa Phifer of Core Competence, Inc. (www.corecom.com) addressed the challenges of VPN access over broadband connections in hotels in the Feb. 8, 2001 issue of ISP-Planet. You can read it at: http://isp-planet.com/technology/remote_access_conundrum-3-1.html