Thursday, July 19, 2012

Securing Your Public WiFi Usage with pfSense IPsec Tunnels

Coffee shops, airports, and other public areas are dangerous places, as far as using their wireless Internet hotspots is concerned. This article mixes two things: some of the philosophy I apply toward using public wireless networks, and some actual technical references for setting up the particular solution that I have implemented to address the problem. Pick whichever pieces you are interested in and skip through the rest of it.

Most of us have heard at least a little bit about the potential for random folks being hooked into the same WiFi network as ourselves at the coffee shop, and intercepting our devices' communication with the rest of the world. If the network sessions established by the individual apps and web browser on my laptop or smartphone are not properly secured, those folks might be able to read my email, intercept the password my banking app sends to my online bank, or make me think that I'm talking to the server I intended to reach while it's really the attacker on the couch across the room that I am handing my personal information to.

A prominent example of this is Firesheep, which was created in order to demonstrate how easy it is for someone else connected to the same WiFi network to hijack unprotected HTTP sessions between your web browser and, say, Facebook. Granted, many of the larger service providers have addressed this problem by now, but as an end-user you don't really know that every app you use implements proper encryption (and server authentication) technology, in particular when we are talking about mobile devices like my iPhone. Unless you are geeky enough to hook up a network sniffer and know how to figure it out on a technical level, you are dependent on the app developer doing the right thing, which doesn't always happen.

This is less of a problem for my network at home, where I likely have the local loop between my Internet Service Provider and my wireless router to myself, making it harder (but of course not impossible) for somebody to get into the middle of things. It's easier to sit in a coffee shop and fish for random network connections of interest, rather than getting close to my home and hooking into a "properly secured" wireless network or my DSL wires.

My remedy? I have a separate firewall device sitting between my DSL router and my home network. For one, it allows for more control of the network traffic that's happening between my home network and the Internet. But in the context of this article, it also allows me to set up VPN connections from my mobile devices (phone, tablet, laptop, ...) to the firewall, and from there not just into my home network (if I wanted), but also back into the Internet. The trick is to configure my mobile devices in a fashion that ensures that all traffic originating from the device is routed through the encrypted VPN tunnel to my firewall, and only from there enters the Internet. All that the attacker sitting in the coffee shop then gets to see is an encrypted connection between my device and my firewall, with no opportunity to get into the middle of it.

[Figure: The purple connection can be intercepted by the bad guy. The blue one is encrypted by an IPsec tunnel to my firewall, and then forwarded from there (without the IPsec encryption) to the App / Web Servers. The bad guy can't read it.]

Technically, this works for me as follows: A while ago, I came across the open source firewall software pfSense, based on the FreeBSD operating system. In order to install it, you need dedicated computer hardware, not just your WiFi or cable/DSL/whatever router. Fortunately, there is an extremely slick solution to this, if you are willing to invest about $200. ALIX systems are micro boards with AMD CPUs designed in Switzerland to run network devices, like wireless routers. I ordered mine from Mini-Box.com, which also sells aluminum enclosures for the boards. All you then need is a CF card (remember, those big cards used in early digital cameras?) to store your operating system on, which you can get from Amazon or the like.

[Figure: My ALIX box, housing my pfSense firewall. CD-ROM for scale.]

I'll spare us all the basics of setting up a pfSense firewall. There is plenty of information out there on the Internet, and I have to admit that you should have a basic idea of what it is that I am talking about before you commit to setting up your own firewall. The remaining question that I had to piece together was how to set up a VPN server on the pfSense box that would forward all the traffic from my mobile devices (which, shockingly, are all Apple devices - an iPhone and iPad, and a MacBook Pro) to the firewall and from there to the Internet, and how to configure VPN clients on said mobile devices.

I chose to look at IPsec, one of several VPN technologies that pfSense supports, because there seems to be widespread, built-in support in many client operating systems. In particular, it appears that pfSense will work with Cisco IPsec clients, and everything that emulates such clients. There is a great how-to on the pfSense website, which includes instructions both for setting up an IPsec server on your pfSense firewall and for configuring the client side of things. What it doesn't tell you is that when defining the Phase 2 of the IPsec tunnel, you need to select "none" for the local network in order to force the client to route all traffic through the VPN server, and that you need to disable the advertising of available networks to clients. (Otherwise, the client will connect to the VPN server on the firewall, but will only route traffic to it that is destined for the local home network, rather than all traffic that is originating from the client.) At least those were the configuration settings that I was initially missing for success.
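
To check which of the two behaviours a connected client actually ended up with, you can reason about its routing table. The following is an added example, not part of the original post or of pfSense: it does a longest-prefix match over two constructed routing tables (split tunnel vs. full tunnel) and lists the destinations that would bypass the tunnel. The interface names `en0` and `ipsec0` and all addresses are assumptions made up for the illustration.

```python
import ipaddress

# Constructed routing tables (destination prefix, interface). The interface
# names "en0" (WiFi) and "ipsec0" (tunnel) and all addresses are assumptions.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "en0"),          # default route stays on the hotspot
    ("192.168.1.0/24", "ipsec0"),  # only the home LAN goes through the tunnel
    ("203.0.113.10/32", "en0"),    # host route to the firewall's public address
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "ipsec0"),       # default route goes through the tunnel
    ("203.0.113.10/32", "en0"),    # the IPsec packets themselves still use WiFi
    ("10.20.30.0/24", "en0"),      # the hotspot's own subnet stays directly attached
]

def egress_interface(routes, dest):
    """Longest-prefix match: return the interface a packet to dest leaves on."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def leaks(routes, tunnel_if, vpn_server, probes):
    """Return the probe destinations that would bypass the tunnel.

    The VPN server itself is excluded: the encrypted packets have to reach
    it over the untrusted network.
    """
    return [d for d in probes
            if d != vpn_server and egress_interface(routes, d) != tunnel_if]

# Constructed probe set: two Internet hosts, one home LAN host, the firewall.
PROBES = ["198.51.100.25", "192.0.2.80", "192.168.1.5", "203.0.113.10"]

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, "tunnel leaks:", leaks(table, "ipsec0", "203.0.113.10", PROBES))
```

With the split-tunnel table, both Internet probes leave on the WiFi interface; with the full-tunnel table nothing but the IPsec traffic to the firewall does.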

Now, whenever I'm using a wireless network that I don't trust (which is most of them ;-)), I'll use the native iOS or OS X client to establish an IPsec connection to my firewall at home, and can care a little less about who else is connected to the same hotspot. (Somebody should comment here on how to set up clients on other operating systems, like Windows and Android...)

Other side effects? Circumventing filtering mechanisms of whoever is controlling the part of the Internet that I'm currently connected to. As long as I can establish the VPN tunnel to my home firewall, all traffic channeled through it is (only) subject to the filtering that my home network is exposed to. Which, in the US, is to date rightfully not much.

There are, of course, some unknowns remaining. If my mobile device isn't protected properly against active attacks from the network I'm connected to, establishing a VPN tunnel won't help me with that. A personal firewall (on full-fledged devices) or faith (in the case of mobile devices) may. And attackers can still get to me in other ways. And of course, if somebody is motivated enough to actually infiltrate more central parts of the Internet in order to get to my networking sessions, this won't help either. My IPsec tunnels are just addressing one particular risk out of many.