
Automatic Hotspot Logon Copyright © 2011 NCP engineering

WHITE PAPER:

Automatic Hotspot Logon

Automatic Hotspot Logon for VPN Setup

Features of the integrated, dynamic NCP Personal Firewall Solution


Table of Contents

1. Insecure mobile computing via Wi-Fi networks (hotspots)

1.1 Basic hotspot functionality

1.2 Risks and problems

1.3 Alternative approaches with residual risks

2. The NCP solution – automatic hotspot logon

2.1 Dynamic adaption of firewall rules for hotspot logon

2.2 Operating the automatic hotspot logon

3. Additional information about the NCP Personal Firewall

3.1 Outline - all features of the integrated NCP Personal Firewall

4. Scenarios and comparison – dedicated Personal Firewall and the integrated universal NCP solution


1. Insecure mobile computing via Wi-Fi networks (hotspots)

Today mobile business is an established working method in modern enterprises. The use of notebooks and handhelds increases the productivity and flexibility of mobile employees, and this contributes to the success of the business.

In addition to communication media like ISDN, the analog telephone network and xDSL, public mobile networks (GSM, 3G) and broadband wireless networks like wireless LANs (Wi-Fi networks) are used. Hotspots, i.e. Wi-Fi networks installed in public places like railway stations, airports, trade show facilities and hotels, provide access to the Internet.

Like all wireless networks, Wi-Fi networks are particularly exposed, since the “air interface” provides an easy target for anyone within radio range. For this reason, mobile teleworkers find themselves in an extremely insecure environment where they have to deal with security issues on their own. The teleworker not only has to protect an existing data connection to the corporate network, but also has to close security gaps before and during connection set-up.

1.1 Basic hotspot functionality

Providers operate hotspots, i.e. Wi-Fi networks, make them available to the general public and charge a fee for the use of this network. Public Wi-Fi networks serve as broadband access networks to the Internet or, via a VPN, to the corporate network.

If a mobile employee wants to establish a connection to the corporate network, he first has to log on to the hotspot. This is usually done via a web browser where the user enters his user ID. Based on this ID, the user gains access to the network. Furthermore, payment is made or invoicing arrangements are specified on the basis of this ID.

1.2 Risks and problems

Basically any user with an appropriately configured PC can access public Wi-Fi networks. In order to do so, he usually gets an IP address, provided he knows the SSID (Service Set Identifier) of the Wi-Fi network. Data security or a safeguard protecting the end device against attacks is not provided by the Wi-Fi operator, i.e. every user has to take care of security measures himself.

Specifically, the following security issues are involved:

1. Safeguarding confidentiality

Sensitive information should not be accessible to third parties during transmission.

2. Safeguarding the PC at the hotspot

At all times, the PC workstation has to be shielded against attacks from within the Wi-Fi network (i.e. from other Wi-Fi participants) and against attacks from the Internet.


Proven security mechanisms protect confidentiality: VPN tunneling and data encryption. In addition, the PC is protected by a personal firewall with “Stateful Packet Inspection”. If this function is not available, the user should refrain from mobile computing.

The remaining security risk lies in the fact that logon at the hotspot operator has to be carried out via browser before the VPN tunnel exists, i.e. outside the protected area of the VPN. This means: during logon, the end device is not protected by the tunnel.

Normally this does not comply with the corporate policy, which usually forbids direct surfing on the Internet and only allows certain protocols. For this reason, a firewall solution on the end device that really offers comprehensive protection has to secure the critical phases during logon and logoff at the hotspot.

1.3 Alternative approaches with residual risks

In order to ensure full functionality at any hotspot, the administrator sets firewall rules that permit http or https. Alternatively a rule can be configured in a way that opens the ports for http or https only for a certain time window (e.g. 2 minutes).

In both cases, the security risk is due to the fact that the user surfs the Internet without the protection of a VPN tunnel and the end device might become infected. During the temporary opening of the firewall there is also the danger of intentional misuse by the user, who could trigger the time window several times.

In another scenario, the user changes the firewall rules himself. This need-dependent opening of the personal firewall, however, carries the risk of incorrect configurations. In this case, the user has to know precisely which changes have to be made at the respective location.

This means that the quality of the applied security level is determined by only two factors: the security consciousness of the user and his technical expertise.

2. The NCP solution – automatic hotspot logon

NCP has integrated the personal firewall into the Secure Client software in order to protect the remote client against any kind of attack in all phases of the connection set-up in Wi-Fi networks and hotspots. Throughout the whole process of connection set-up, the user does not need to intervene.

Intelligent automated processes provide secure hotspot logon. Administrators and users can rely on the security of their end devices and data at all times.

There are two approaches:

• Dynamic adaption of firewall rules for hotspot logon

• Script-based hotspot logon


Only the first approach is outlined in this document. The second approach, the script-based hotspot logon, is explained in the NCP Secure Client’s manual.

2.1 Dynamic adaption of fi rewall rules for hotspot logon

If a user is within receiving range of a public Wi-Fi, he selects the menu option “Hotspot logon”. The NCP Secure Client then automatically searches for the hotspot and opens the website for the logon procedure in the standard browser. If the standard browser has a proxy server set, the user has to deactivate it in some cases. The following alternative, however, is recommended:

For protection against manipulation, an alternative browser and the hash value of its executable can be defined in the Secure Client’s hotspot settings (Figure 1), so that a replaced or modified browser binary can be detected before it is used for logon. Additional measures (operating system file rights that restrict who may write to the browser’s files) further increase security.

This browser can be modified to suit the requirements of a hotspot: e.g. no proxy server, no address bar, and “Java” and “JavaScript” deactivated, so that hotspot logon is the only thing it can be used for.

Figure 3 shows such a modified browser, which in this case is based on Firefox Portable.
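The hash check on the dedicated logon browser, as an added example that is not NCP's code: the client is configured with the browser's path and the hash of its executable, and the browser is only launched on the logon page if the file on disk still matches. The file names, the stand-in "browser" file, the use of SHA-256 and the policy of aborting logon on a mismatch (rather than falling back to the standard browser) are assumptions made for this example.

```python
"""Added example, not NCP code: verify a hotspot browser binary against its
configured hash before launching it, as section 2.1 describes for the
alternative browser. Paths, the mismatch policy and the sample file are
assumptions made for this example."""
import hashlib
import hmac
import os
import subprocess
import tempfile
from typing import List


def sha256_of_file(path: str) -> str:
    """Hash the file in chunks so a large browser binary need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def browser_matches(path: str, expected_sha256: str) -> bool:
    """True only if the file on disk hashes to the configured value.
    A missing or unreadable file counts as a mismatch; compare_digest keeps the
    comparison independent of where the first differing byte is."""
    try:
        actual = sha256_of_file(path)
    except OSError:
        return False
    return hmac.compare_digest(actual.lower(), expected_sha256.lower())


def hotspot_browser_command(path: str, expected_sha256: str, url: str) -> List[str]:
    """Build the launch command for the dedicated logon browser, or refuse.
    Assumed policy: a mismatch aborts hotspot logon instead of silently falling
    back to the standard browser (our choice, not documented NCP behaviour)."""
    if not browser_matches(path, expected_sha256):
        raise PermissionError(f"hotspot browser does not match its configured hash: {path}")
    return [path, url]


def launch_hotspot_browser(path: str, expected_sha256: str, url: str) -> subprocess.Popen:
    """Verify, then start the browser on the logon page."""
    return subprocess.Popen(hotspot_browser_command(path, expected_sha256, url))


def self_check() -> dict:
    """Stand-in for a real browser: a constructed file in a temp directory,
    once untouched and once after an attacker-style modification."""
    logon_page = "http://www.ncp.de/hotspot/hotspot_en.html"
    with tempfile.TemporaryDirectory() as tmp:
        fake_browser = os.path.join(tmp, "portable-browser.bin")
        with open(fake_browser, "wb") as fh:
            fh.write(b"constructed stand-in for a portable browser executable\n")
        configured_hash = sha256_of_file(fake_browser)  # what the admin enters (Figure 1)
        result = {
            "untouched_ok": browser_matches(fake_browser, configured_hash),
            "command": hotspot_browser_command(fake_browser, configured_hash, logon_page),
        }
        with open(fake_browser, "ab") as fh:
            fh.write(b"\x90")  # one appended byte is enough to change the digest
        result["modified_ok"] = browser_matches(fake_browser, configured_hash)
        try:
            hotspot_browser_command(fake_browser, configured_hash, logon_page)
            result["modified_refused"] = False
        except PermissionError:
            result["modified_refused"] = True
        result["missing_ok"] = browser_matches(os.path.join(tmp, "absent.exe"), configured_hash)
    return result


if __name__ == "__main__":
    print(self_check())
```

The check only helps if the configured hash and the file rights are outside the user's control; a user who can edit the hotspot settings or overwrite the browser files can defeat it, which is why the document pairs the hash with operating system file rights.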

After successfully entering the access data and activation by the operator, the VPN connection to the corporate headquarters for example can be established, and the user can communicate with the same security he has at an offi ce workstation.

To keep the PC shielded at all times, the firewall releases the ports for http or https dynamically and only for hotspot logon or logoff.

Figure 1: Hotspot configuration

Exposure during logon is limited because the Secure Client itself initiates an HTTP request to a specified home page. Depending on the communication that this request triggers, the required firewall rules are created dynamically. This applies to the first eight addresses that the hotspot logon application contacts within the first 60 seconds.

This is necessary because hotspot logon servers frequently load graphics files from various other servers. The dynamic rule set rejects all data packets that have not been requested, i.e. inbound traffic that is not a reply to one of these outbound connections. Note that the rules for these hosts are created only inside the 60-second window, so the user cannot extend the list afterwards.

In this manner the system ensures that, apart from the few hosts needed for logon, a public Wi-Fi network is used only for the VPN connection to the central data network and that there is no general direct Internet access.

Automatic fi rewall rules in detail

After clicking the menu item “Hotspot Logon”, the Secure Client Monitor dynamically generates the following rules for IP addresses. These rules remain in effect until the user either clicks “Hotspot Logon” once more or the system is restarted (one of the two is necessary for logoff).

At hotspots with redirect support:

• IP address of the NCP web server or of the URL that has been entered at the hotspot logon menu item (necessary for the Internet online test); source port: 1024-65535; destination port: 0-65535

• Server IP address from the redirect; source port: 1024-65535; destination port: 0-65535

• The first 8 IP addresses that are addressed within the first 60 seconds of the application; source port: 1024-65535; destination port: 0-65535

At hotspots without redirect support:

• IP address of the NCP web server or of the URL that has been entered at the hotspot logon menu item (necessary for the Internet online test); source port: 1024-65535; destination port: 0-65535

• The first 8 IP addresses that are addressed within the first 60 seconds of the application; source port: 1024-65535; destination port: 0-65535

Configuration of the home page (example):

If no website has been entered, the default setting is “http://www.ncp.de/hotspot/hotspot_de.html” for German and “http://www.ncp.de/hotspot/hotspot_en.html” for English.

If you wish to configure a home page, the following automatism is applied:

Configured home page               Modified home page for the automatic HTTP request
“http://www.ncp.de”                “http://www.ncp.de/hotspot_en.html”
“http://www.ncp.de/”               “http://www.ncp.de/hotspot_en.html”
“http://www.ncp.de/hotspot.de”     no modification
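The rule generation described under “Automatic firewall rules in detail” and the home page automatism above, as an added model that is not NCP's implementation: a rule set that is opened by the “Hotspot Logon” click, allows the home page host, the redirect target and the first eight hosts contacted within 60 seconds (source ports 1024-65535, any destination port), passes inbound packets only as replies to those connections, and drops everything on a second click or reboot. The IP addresses, the event sequence, the stateful table and the decision that the home page and redirect hosts do not use up the eight learned slots are assumptions made for this example.

```python
"""Added example, not NCP's implementation: a model of the dynamic hotspot-logon
rule set from section 2.1 (home page rule, redirect rule, first 8 hosts within
60 s, source ports 1024-65535, unsolicited packets rejected) together with the
home page automatism. Addresses and events are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

DEFAULT_HOME = {
    "de": "http://www.ncp.de/hotspot/hotspot_de.html",
    "en": "http://www.ncp.de/hotspot/hotspot_en.html",
}


def home_page_url(configured: Optional[str], lang: str = "en") -> str:
    """Home page automatism from the document: no entry -> language default;
    a bare host or host/ -> host/hotspot_<lang>.html; any other URL unchanged."""
    if not configured:
        return DEFAULT_HOME[lang]
    parts = urlsplit(configured)
    if parts.path in ("", "/") and not parts.query:
        return f"{parts.scheme}://{parts.netloc}/hotspot_{lang}.html"
    return configured


@dataclass
class HotspotRuleSet:
    home_ip: str                       # resolved address of the home page (online test)
    window_s: float = 60.0             # learning window after the click
    max_learned: int = 8               # cap on dynamically learned hosts
    started_at: Optional[float] = None
    redirect_ip: Optional[str] = None
    learned: List[str] = field(default_factory=list)
    established: Set[Tuple[str, int, int]] = field(default_factory=set)

    def _reset(self) -> None:
        self.redirect_ip = None
        self.learned.clear()
        self.established.clear()

    def start(self, now: float) -> None:
        """User clicks "Hotspot Logon": fresh rule set, learning window opens."""
        self.started_at = now
        self._reset()

    def stop(self) -> None:
        """Second click or reboot: every dynamic rule disappears."""
        self.started_at = None
        self._reset()

    def note_redirect(self, ip: str) -> None:
        """The server address taken from the portal redirect gets its own rule."""
        self.redirect_ip = ip

    def outbound(self, now: float, dst_ip: str, dst_port: int, src_port: int) -> bool:
        """Decide on a packet the logon application sends. Destination port is
        unrestricted (0-65535), source port must be 1024-65535. Unknown hosts
        are learned only inside the window and only up to max_learned; the
        home and redirect hosts do not use up those slots (our assumption)."""
        if self.started_at is None or not 1024 <= src_port <= 65535:
            return False
        known = dst_ip in (self.home_ip, self.redirect_ip) or dst_ip in self.learned
        if not known:
            if now - self.started_at > self.window_s or len(self.learned) >= self.max_learned:
                return False
            self.learned.append(dst_ip)
        self.established.add((dst_ip, dst_port, src_port))
        return True

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> bool:
        """Stateful check: only a reply to a connection we opened passes; any
        other packet from the Wi-Fi or the Internet is rejected."""
        return (src_ip, src_port, dst_port) in self.established


def simulate() -> List[Tuple[str, bool]]:
    """Replay a constructed logon (not a captured trace); returns (label, allowed)."""
    fw = HotspotRuleSet(home_ip="203.0.113.10")
    fw.start(now=0.0)
    log = [("home page", fw.outbound(0.1, "203.0.113.10", 80, 49152)),
           ("unsolicited inbound", fw.inbound("198.51.100.99", 80, 49152)),
           ("low source port", fw.outbound(0.2, "203.0.113.10", 80, 80))]
    fw.note_redirect("192.0.2.1")                      # portal answered with a redirect
    log += [("portal", fw.outbound(0.5, "192.0.2.1", 443, 49153)),
            ("portal reply", fw.inbound("192.0.2.1", 443, 49153))]
    for i in range(8):                                  # graphics pulled from 8 other servers
        log.append((f"cdn{i}", fw.outbound(5.0 + i, f"198.51.100.{i + 1}", 443, 50000 + i)))
    log += [("9th host", fw.outbound(20.0, "198.51.100.200", 443, 50100)),
            ("late host", fw.outbound(61.0, "198.51.100.201", 443, 50101)),
            ("cdn3 after window", fw.outbound(120.0, "198.51.100.4", 443, 50102))]
    fw.stop()                                           # second click / reboot
    log.append(("after stop", fw.outbound(130.0, "192.0.2.1", 443, 50103)))
    return log


if __name__ == "__main__":
    for label, allowed in simulate():
        print(f"{label:22s} {'allow' if allowed else 'reject'}")
```

The replay shows the two properties a practitioner cares about: a ninth host, or any host first seen after the window, is rejected, while a host learned inside the window stays reachable until the rule set is torn down, and nothing inbound passes unless it answers one of those connections.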

2.2 Operating the automatic hotspot logon

If the user is within range of a hotspot, he opens the menu option “Hotspot Logon” in the “Connection” menu of the NCP Secure Client Monitor and starts hotspot logon by clicking the left mouse button (Figure 2). The system then automatically calls the configured browser and opens the logon page of the hotspot operator (Figure 3).

For public access with web logon, it is a prerequisite that the hotspot’s access system redirects the client’s initial HTTP request to the logon site of the hotspot provider. The Secure Client follows this redirect to reach the logon site.

Now the user can enter his access information and, after a successful logon, he can establish a VPN connection to his corporate headquarters using the NCP Secure Client. Direct communication with the Internet, i.e. bypassing the VPN tunnel, is impossible due to the previously described dynamic firewall rules. As explained before, the integrated Personal Firewall of the NCP Secure Client defines the rules according to the specific situation.

Please note that proxy settings that may have been entered have to be adapted or deactivated for logon via the standard browser at the hotspot.

If hotspot logon could not be executed by the NCP Secure Client, a corresponding message is displayed (Figure 4). In such a case, please determine whether there is a general problem with this hotspot operator and the mechanisms implemented. Please contact the NCP support ([email protected]) if necessary.

Figure 2: Select “Hotspot Logon”

Figure 3: Browser with the logon page of the hotspot operator

3. Additional information about the NCP Personal Firewall

The personal firewall is a fixed component of the NCP Secure Client. All firewall mechanisms are optimized for Remote Access applications and are activated when the computer boots. This means that, in contrast to VPN solutions with an autonomous firewall, the teleworkstation is already protected against attacks before the user actually accesses the VPN. The personal firewall also offers complete protection of the end device even if the client software is deactivated. All firewall rules can be centrally specified by the administrator and compliance with these rules can be enforced. In this case, the prerequisite is the central NCP Secure Enterprise Management system, which is used to configure the Secure Enterprise Client. All configurations can be locked, which means the user cannot modify them.

3.1 Outline - all features of the integrated NCP Personal Firewall

IP Network Address Translation (IP-NAT)

IP-NAT hides the internal client address so that it cannot be addressed directly from outside.

Stateful Packet Inspection

Rules for data transfer are specified, i.e. all outgoing and incoming data packets have to correspond to filter rules that have been previously determined. Each incoming data packet is checked against the defined characteristics and is rejected in the event of non-compliance. This means: the computer is shielded according to the rules that have been created and the set-up of undesired connections is prevented.

Application-dependent fi lter rules

It is possible to define filter rules that can only be used in connection with a certain application. A typical example is a filter rule that is only used by Internet Explorer and only allows surfing via port 80.

Figure 4: Hotspot logon not possible


Filter rules based on protocol, port and address

As a default, filter rules are defined via ports and IP addresses. However, it is possible to set an additional filter for protocols.

Friendly net detection

Defined filter rules are automatically activated depending on the network environment where the teleworker is located, e.g. the LAN of the company or Wi-Fi at hotspots. Public, unfriendly networks call for different rules than friendly networks. The software automatically identifies the type of network by analyzing one or several of the following factors:

• Current network address

• IP address of the DHCP server

• MAC address of the DHCP server

• Automatically according to the FND server (see FND whitepaper)

Automatic hotspot logon

Automatic hotspot logon is an intelligent mechanism for secure activation of network access to public Wi-Fi networks via the browser. The system blocks any additional data transfer, i.e. the user is protected in this phase of the connection set-up.

Connection-dependent filter rules

Extensive logging options, e.g.:

• Protocol on/off

• Rejected data traffic

• Permitted data traffic
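Friendly net detection from the outline above, as an added example that is not NCP's implementation: the observed network is matched against configured profiles on the three address criteria the outline lists (client address, DHCP server IP, DHCP server MAC), and the matching profile selects the rule set; anything that matches no profile is treated as unfriendly and gets the hotspot rule set, which permits nothing but the tunnel. The profiles, addresses, rule sets and the VPN gateway are constructed. Matching on addresses is only as strong as the addresses are unique, which is why the outline also lists the FND server as a further criterion; that check is not modelled here.

```python
"""Added example, not NCP's implementation: friendly net detection as outlined
in section 3.1, matching the observed network against configured profiles on
client address, DHCP server IP and DHCP server MAC. Profiles, addresses and
rule sets are constructed; the FND server check is not modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def norm_mac(mac: Optional[str]) -> Optional[str]:
    """Compare MACs case-insensitively and regardless of ':' or '-' separators."""
    return mac.lower().replace("-", ":") if mac else None


@dataclass(frozen=True)
class FriendlyNet:
    name: str
    network: str                          # the client address must lie in this prefix
    dhcp_server_ip: Optional[str] = None  # optional extra criteria
    dhcp_server_mac: Optional[str] = None

    def matches(self, client_ip: str, dhcp_ip: Optional[str], dhcp_mac: Optional[str]) -> bool:
        """Every configured criterion must hold; an unset criterion is not checked."""
        if ip_address(client_ip) not in ip_network(self.network, strict=False):
            return False
        if self.dhcp_server_ip and dhcp_ip != self.dhcp_server_ip:
            return False
        if self.dhcp_server_mac and norm_mac(dhcp_mac) != norm_mac(self.dhcp_server_mac):
            return False
        return True


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "esp" or "any"
    dst: str               # destination prefix
    port: Optional[int] = None


VPN_GATEWAY = "198.51.100.5/32"  # constructed address of the corporate VPN gateway

# Unfriendly network (hotspot): nothing but the tunnel to headquarters.
PUBLIC_RULES = [
    Rule("allow", "udp", VPN_GATEWAY, 500),     # IKE
    Rule("allow", "udp", VPN_GATEWAY, 4500),    # NAT-T
    Rule("allow", "esp", VPN_GATEWAY),
    Rule("deny", "any", "0.0.0.0/0"),
]

# Friendly network (company LAN): internal services reachable without the tunnel.
FRIENDLY_RULES = [
    Rule("allow", "tcp", "10.20.0.0/16", 445),   # file servers
    Rule("allow", "tcp", "10.20.0.0/16", 443),   # intranet
    Rule("allow", "udp", "10.20.0.53/32", 53),   # internal DNS
    Rule("deny", "any", "0.0.0.0/0"),
]

PROFILES = [
    FriendlyNet("corporate-lan", "10.20.0.0/16", "10.20.0.1", "00-1A-2B-3C-4D-5E"),
    FriendlyNet("home-office", "192.168.178.0/24", dhcp_server_mac="ac:de:48:00:11:22"),
]


def select_rules(client_ip: str, dhcp_ip: Optional[str], dhcp_mac: Optional[str],
                 profiles: List[FriendlyNet] = PROFILES) -> Tuple[str, List[Rule]]:
    """Return (network name, rule set). Anything that matches no profile is
    unfriendly: a hotspot must never be able to fall into the friendly branch."""
    for profile in profiles:
        if profile.matches(client_ip, dhcp_ip, dhcp_mac):
            return profile.name, FRIENDLY_RULES
    return "unfriendly", PUBLIC_RULES


def demo() -> dict:
    """Constructed observations: the office, a hotspot, a network that reuses the
    office address range but has another DHCP server, and the home office."""
    return {
        "office": select_rules("10.20.4.17", "10.20.0.1", "00:1a:2b:3c:4d:5e")[0],
        "hotspot": select_rules("172.16.9.44", "172.16.0.1", "f4:f2:6d:aa:bb:cc")[0],
        "lookalike": select_rules("10.20.4.17", "10.20.0.1", "f4:f2:6d:aa:bb:cc")[0],
        "home": select_rules("192.168.178.30", "192.168.178.1", "AC-DE-48-00-11-22")[0],
    }


if __name__ == "__main__":
    for where, verdict in demo().items():
        print(f"{where:10s} -> {verdict}")
```

The "lookalike" case is the one worth keeping in mind: a network that hands out the same address range as the office is still classified as unfriendly because every configured criterion has to agree, so the more criteria a profile sets, the harder it is for a foreign network to be mistaken for a friendly one.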


4. Scenarios and comparison – dedicated Personal Firewall and the integrated universal NCP solution

Scenario 1: VPN Client installed; Personal Firewall not installed (competition)

Scenario 2: VPN Client installed; Personal Firewall installed, only outgoing connections are permitted (competition)

Scenario 3: VPN Client installed; Personal Firewall installed, only communication in the VPN tunnel (competition)

Scenario 4: VPN Client installed with integrated Personal Firewall (NCP Secure Client)

Activities                                                            Scenario 1  Scenario 2  Scenario 3  Scenario 4
Hotspot logon                                                         yes         yes         no          yes
Surfing in the Internet                                               yes         yes         no          yes
VPN connection to corporate headquarters                              yes         yes         no          yes
Protection against attacks from within the Wi-Fi                      no          yes         yes         yes
Protection against attacks from the Internet                          no          yes         yes         yes
Protection from viruses, worms, external dialers                      no          no          yes         yes
Firewall rules adapt themselves dynamically to the target network     no          no          no          yes
Firewall is protected from user manipulation, even if the user
has administrator rights                                              no          no          no          yes
Firewall starts when booting                                          no          no          no          yes
Firewall remains active after deactivation of the VPN service         no          no          no          yes

NCP engineering GmbH Dombuehler Strasse 2 90449 Nuremberg Phone: +49 911 99 68-0 Fax: +49 911 99 68-299

NCP engineering, Inc.

444 Castro Street, Suite 711 Mountain View, CA 94041 Phone: +1 (650) 316-6273 Fax: +1 (650) 251-4155
