Untrusted, or “open”, Wi-Fi is available practically everywhere—cafes and coffee shops, libraries, pubs and bars, entertainment venues—name any place where people gather and one can likely find open, free Wi-Fi there.
Open Wi-Fi is generally defined as a wireless network that provides free, unencrypted access without requiring you to identify yourself, and without the access point identifying itself to you (no authentication in either direction). The first property means anyone within radio range can read the frames; the second means anyone can stand up an access point carrying the same network name. Providing open Wi-Fi is considered a value-added service or feature of many consumer-oriented businesses today. Combined with sometimes unacceptable cellular bandwidth or signal strength, and data plan limits, it is difficult to resist the lure of open, free Wi-Fi. But cause and effect is a reality virtually everyone acknowledges. The convenience of open Wi-Fi (cause) introduces security threats (effect), and places the responsibility for using these services safely on the end user (another effect).
The principal threat to users of open Wi-Fi is traffic sniffing, or eavesdropping, whereby an attacker "listens" in on wireless traffic that is not encrypted, potentially gaining access to sensitive data. Probably the best public display of the consequences of using unencrypted, open Wi-Fi is the "Wall of Sheep", a staple at the DefCon security conference in Las Vegas for more than fifteen years. The Wall of Sheep tracks people (sheep) at the conference who use open, unencrypted Wi-Fi to send email, log in to websites, message their friends, etc. These sheeple (Riverside's term, not ours) are publicly shamed by having redacted login details for each of their infractions posted on the "wall of sheep". What lands on the wall is only what was sent in the clear (an HTTP login form, a POP3 or IMAP password, an FTP session); traffic that the application itself encrypts with TLS crosses the same open network unreadable. In virtually every case, these conference attendees connected to either DefCon-Open, the purpose-built open Wi-Fi network hosted at DefCon for catching unsafe Internet users, or a researcher's or attacker's "rogue" open Wi-Fi. DefCon attendees can connect securely to the official, encrypted DefCon Wi-Fi network by downloading its certificate.
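To make the Wall of Sheep's mechanics concrete, here is an added example (not code from the original post, and not the Wall of Sheep project's own tooling) that does what the wall does at its simplest: it looks at captured plaintext application payloads from an open network, pulls credentials out of the protocols that send them in the clear (HTTP Basic auth, HTTP form posts, IMAP LOGIN, FTP USER/PASS), and posts the user name with a partially redacted password. The flows, hosts and credentials are constructed for this example; the redaction scheme (first character kept) is our own, not the wall's exact format. The TLS flow on port 443 is included to show that encrypted sessions yield nothing, even on the same open network.

```python
"""Wall-of-Sheep-style plaintext credential detector (added example).

Assumption: a sniffer on the open Wi-Fi has already reassembled each
TCP conversation into a per-flow payload. The sample flows below are
constructed for this example; nothing here is real captured traffic.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

USER_KEYS = {"user", "username", "login", "email", "uid"}
PASS_KEYS = {"pass", "password", "passwd", "pwd"}


@dataclass(frozen=True)
class Flow:
    src: str          # client address as seen on the wireless segment
    dst_port: int     # server port; used to pick the protocol parser
    payload: bytes    # client-to-server application data


@dataclass(frozen=True)
class Sighting:
    src: str
    protocol: str
    user: str
    password_redacted: str


# Constructed sample traffic as it would appear on open, unencrypted Wi-Fi.
SAMPLE_FLOWS = [
    Flow("10.0.0.12", 80, b"GET /inbox HTTP/1.1\r\nHost: webmail.example\r\n"
                          b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    Flow("10.0.0.23", 80, b"POST /login HTTP/1.1\r\nHost: forum.example\r\n"
                          b"Content-Type: application/x-www-form-urlencoded\r\n"
                          b"Content-Length: 29\r\n\r\nusername=bob&password=letmein"),
    Flow("10.0.0.31", 143, b"a001 LOGIN carol secret99\r\n"),
    Flow("10.0.0.44", 21, b"USER dave\r\nPASS pa55word\r\n"),
    # TLS ClientHello: the session is encrypted, so nothing readable is captured.
    Flow("10.0.0.50", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
]


def redact(secret: str) -> str:
    """Keep the first character only, so the wall shames without disclosing."""
    return secret[:1] + "*" * max(len(secret) - 1, 0)


def _http_creds(text: str) -> Optional[tuple]:
    m = re.search(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", text, re.I)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:          # malformed base64 (binascii.Error is a ValueError)
            decoded = ""
        if ":" in decoded:
            user, pw = decoded.split(":", 1)
            return "HTTP Basic", user, pw
    head, _, body = text.partition("\r\n\r\n")
    if head.startswith("POST") and "application/x-www-form-urlencoded" in head:
        fields = {k.lower(): v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        user = next((fields[k] for k in USER_KEYS if k in fields), None)
        pw = next((fields[k] for k in PASS_KEYS if k in fields), None)
        if user is not None and pw is not None:
            return "HTTP form", user, pw
    return None


def _imap_creds(text: str) -> Optional[tuple]:
    m = re.search(r'^\S+\s+LOGIN\s+"?([^\s"]+)"?\s+"?([^\s"]+)"?', text, re.I | re.M)
    return ("IMAP", m.group(1), m.group(2)) if m else None


def _user_pass_creds(text: str, label: str) -> Optional[tuple]:
    u = re.search(r"^USER\s+(\S+)", text, re.I | re.M)
    p = re.search(r"^PASS\s+(\S+)", text, re.I | re.M)
    return (label, u.group(1), p.group(1)) if u and p else None


def inspect_flow(flow: Flow) -> Optional[Sighting]:
    text = flow.payload.decode("latin-1")   # lossless; TLS bytes just become noise
    if flow.dst_port in (80, 8080):
        found = _http_creds(text)
    elif flow.dst_port == 143:
        found = _imap_creds(text)
    elif flow.dst_port == 21:
        found = _user_pass_creds(text, "FTP")
    elif flow.dst_port == 110:
        found = _user_pass_creds(text, "POP3")
    else:
        found = None                         # 443/993/995 etc.: TLS-wrapped, unreadable
    if not found:
        return None
    proto, user, pw = found
    return Sighting(flow.src, proto, user, redact(pw))


def wall_of_sheep(flows) -> list:
    """Return one Sighting per flow that leaked a credential in the clear."""
    return [s for s in (inspect_flow(f) for f in flows) if s is not None]


if __name__ == "__main__":
    for s in wall_of_sheep(SAMPLE_FLOWS):
        print(f"{s.src:<12} {s.protocol:<10} {s.user:<8} {s.password_redacted}")
```

Four of the five constructed flows end up on the wall; the HTTPS client does not, because the only thing readable in its flow is the TLS handshake. The same code run against traffic from a device whose every packet goes through a VPN tunnel would see nothing at all, which is the point of the solutions discussed further down.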
There are additional threats surrounding the use of open Wi-Fi as well, such as the failure to authenticate users or access points. The latter is solved at the DefCon security conference by providing the required certificate ahead of the event, but the network becomes "trusted" Wi-Fi at that point, not untrusted. Known or unknown vulnerabilities in hardware, typically wireless network cards or access points, are also a possible threat. The focus of this post, however, is the protection of the information users send over the wireless network.
Citrix has educated customers about wireless security since at least 2010. Today, customers have several options available to help secure end users' Wi-Fi use when outside the office. One of the easiest and best-known solutions is utilizing NetScaler Gateway to provide network protection via Full VPN access to users. Configured properly (in particular, with split tunneling disabled so that no traffic is allowed to bypass the tunnel), the solution routes all network traffic from a mobile device or laptop through the organization's NetScaler, then on to the Internet. In addition to encrypting traffic between the remote device and the NetScaler, access profiles can be configured to forward (proxy) traffic to a content filtering system or other security infrastructure for inspection.
So, why not just use NetScaler Gateway as a proxy server for remote users and call it a day? Because there's more to networking than HTTP and HTTPS ("HTTP/S"). A proxy only protects the traffic an application chooses to send through it; DNS lookups, non-HTTP protocols, and apps that ignore the system proxy settings still cross the open network directly. In fact, some mobile applications don't use HTTP/S at all. Since you'll never know all of the apps a user has installed unless a full device management solution is deployed, encrypting all traffic with Full VPN is the more sensible choice.
XenMobile provides solutions that are specific to mobile phones and tablets. First, Citrix Secure Web provides secure access to internal and external sites over a dedicated VPN tunnel, and can be provisioned as an enterprise app or from public app stores. Per-app VPN, or microVPN, is also a supported option. XenMobile MDX apps can leverage per-app VPN connectivity, enabling administrators to allow access to internal systems without exposing that traffic to eavesdropping on the local wireless network.
One of the newest solutions available to address the pitfall of information disclosure due to accessing applications over open Wi-Fi is the Citrix Cloud Secure Browser service. Users cannot visit any web pages that have not been explicitly published by a company administrator. Although the Secure Browser service is not necessarily the silver bullet for solving this use case, it is amazing at solving several others—have a look!
Finally, in the event the reader is a consumer, or not yet a Citrix customer, this author highly recommends a personal VPN service. Discussing these services can turn ugly quickly, so rather than offending someone by taking sides, suffice it to say there are plenty of reviews of these services available; take the time to research possible solutions, and try to use one that has been around a while. As a final note, I do, in fact, use a personal VPN service on all my devices. It is very affordable at about $50 USD per year, and the performance, security, and customer service have been exceptional for several years. Good luck!