Charming road warrior seeks smart and sassy net protection software for fulfilling relationship.
October 27, 2006 11:22 PM Subscribe
Help this desktop power user protect his new laptop from evil internet demons while using public Wifi hotspots.
I am utterly thrilled at the prospect of being able to surf the internet in locations other than my home, but there's one glaring problem to which I don't have a comprehensive solution. You see, my desktop Windows system has been fairly well taken of. Up-to-date antivirus and anti-malware packages and the presence of a hardware firewall have kept my system free of viruses, worms and spyware (yes, it is indeed possible!). I'd like to keep my laptop similarly free of such ailments.
Unfortunately, I can't rely on a hardware firewall when I use public hotspots. I may not know or trust the owners of the open hotspots, for one, and even if I do (thank goodness for the volunteer-based Wireless Toronto!) I can't necessarily trust other wireless users on the same hotspot. And I'm not fooling myself; I know a big reason why my desktop continues to have a clean bill of health is because of that hardware firewall, far more so than the antiviral and anti-malware software.
My experience with software firewalls have led me to believe they are clunky and annoying; an earlier AskMe question also indicates they are unreliable at best. So what should I do to protect my vulnerable laptop from the dangers that await it in the outside world? Are there any firewalls that are at least somewhat effective, and what can I do to patch the holes that remain in my security regimen?
(Please, no "get a Mac" snarks, I already weighed the pros and cons when I bought my laptop and I'm quite happy with my decision despite the superiority of the Mac with regards to internet security.)
I am utterly thrilled at the prospect of being able to surf the internet in locations other than my home, but there's one glaring problem to which I don't have a comprehensive solution. You see, my desktop Windows system has been fairly well taken of. Up-to-date antivirus and anti-malware packages and the presence of a hardware firewall have kept my system free of viruses, worms and spyware (yes, it is indeed possible!). I'd like to keep my laptop similarly free of such ailments.
Unfortunately, I can't rely on a hardware firewall when I use public hotspots. I may not know or trust the owners of the open hotspots, for one, and even if I do (thank goodness for the volunteer-based Wireless Toronto!) I can't necessarily trust other wireless users on the same hotspot. And I'm not fooling myself; I know a big reason why my desktop continues to have a clean bill of health is because of that hardware firewall, far more so than the antiviral and anti-malware software.
My experience with software firewalls have led me to believe they are clunky and annoying; an earlier AskMe question also indicates they are unreliable at best. So what should I do to protect my vulnerable laptop from the dangers that await it in the outside world? Are there any firewalls that are at least somewhat effective, and what can I do to patch the holes that remain in my security regimen?
(Please, no "get a Mac" snarks, I already weighed the pros and cons when I bought my laptop and I'm quite happy with my decision despite the superiority of the Mac with regards to internet security.)
Sorry....last line should read "...but it's NOT too large to keep a backup"
posted by Cog at 11:49 PM on October 27, 2006
posted by Cog at 11:49 PM on October 27, 2006
Best answer: Hmm. Seems a correctly configured software firewall should work fine. Once you're pwned, it will be easier for a malicious process to shut it down and open a listen port, but by then the ship has sailed.
Other than occasional remote 'sploits, I'd say a vast majority of malware is due to bad software on the end system (I'm looking at you, Internet Explorer,) or bad security practices on the part of the user.
Second the suggestion you have some way to quickly reimage/reinstall your laptop's world if things go south.
Other things I would worry about on a wireless network (which a firewall, hardware or otherwise, wouldn't help with) would be snooping and man-in-the-middle type attacks.
Dunno.. if I were doing a lot of promiscuous wireless internetery, and I were a super-paranoid person, I'd look into some kind of VPN secure tunnel-back-to-the-mothership kind of thing. This would also provide you a nice safe path back to your desktop files.
posted by blenderfish at 12:07 AM on October 28, 2006
Other than occasional remote 'sploits, I'd say a vast majority of malware is due to bad software on the end system (I'm looking at you, Internet Explorer,) or bad security practices on the part of the user.
Second the suggestion you have some way to quickly reimage/reinstall your laptop's world if things go south.
Other things I would worry about on a wireless network (which a firewall, hardware or otherwise, wouldn't help with) would be snooping and man-in-the-middle type attacks.
Dunno.. if I were doing a lot of promiscuous wireless internetery, and I were a super-paranoid person, I'd look into some kind of VPN secure tunnel-back-to-the-mothership kind of thing. This would also provide you a nice safe path back to your desktop files.
posted by blenderfish at 12:07 AM on October 28, 2006
"...Unfortunately, I can't rely on a hardware firewall when I use public hotspots. ..."
Why not, if you bring one you trust with you? Seriously, with a copy of OpenWRT installed on a $40 Linksys WiFi router, and a cable for connecting your laptop, you can have a fully featured, packet inspecting hardware router in front of your WinXP machine, and no exposure at all to other WiFi sources directly to your WinXP machine. It's quite portable, too.
Just configure your Wifi "router" as a repeater/bridge for the WiFi access point you want to use, plug your laptop into your trusted, firewalled router, and you're golden.
But I'd also question how paranoid you need to be, if you have WindowsXP SP2 firewall enabled, and don't do a lot of stupid things in user space to enable worms and trojans to infect your machine. Many hotspots now enable their access points to establish individual VLANs for each connection, which stops the majority of nearby user exploits, anyway, and you can check for the presence of this as you connect. Unless you're doing something for the NSA, I doubt you'll have problems Web surfing and doing basic email functions from IMAP servers with SSL encryption, or using SSH tunnels.
posted by paulsc at 12:17 AM on October 28, 2006
Why not, if you bring one you trust with you? Seriously, with a copy of OpenWRT installed on a $40 Linksys WiFi router, and a cable for connecting your laptop, you can have a fully featured, packet inspecting hardware router in front of your WinXP machine, and no exposure at all to other WiFi sources directly to your WinXP machine. It's quite portable, too.
Just configure your Wifi "router" as a repeater/bridge for the WiFi access point you want to use, plug your laptop into your trusted, firewalled router, and you're golden.
But I'd also question how paranoid you need to be, if you have WindowsXP SP2 firewall enabled, and don't do a lot of stupid things in user space to enable worms and trojans to infect your machine. Many hotspots now enable their access points to establish individual VLANs for each connection, which stops the majority of nearby user exploits, anyway, and you can check for the presence of this as you connect. Unless you're doing something for the NSA, I doubt you'll have problems Web surfing and doing basic email functions from IMAP servers with SSL encryption, or using SSH tunnels.
posted by paulsc at 12:17 AM on October 28, 2006
Best answer: Not sure what the fear is of software firewalls is for your situation. Hardware firewalls are typically a required feature only when you don't control everything that is put on your machine, or you have security deficient users on your network. In other words, hardware firewalls are mostly needed for corporate or school or an "I must endure idiots on my network" type of stuff.
The XP firewall by itself should be fine in conjunction with a decent anti-virus and nonstupid behavior when on a personal network, as sounds like your setup. It safely protects many a machine. Myself, I'm partial to using the "bought out by Symantec and discontinued but still available as a download on the Internet" Sygate personal firewall because with third-party firewalls you can catch vendor applications trying to phone home. That's not critical, but it can be a really nice feature to have. Sygate's firewall has always caused me the least amount of conflicts as a third-party firewall. I also use Sunbelt's Kerio free version, with just a couple reboot-to-fix conflicts the past year -- nothing terribly annoying. My wife use(d) TrendMicro's firewall on one of her machines, it's...okay. A few conflicts over time, and not the smallest footprint, but it did the job. I trashed all Symantec products out of here two or three years ago because they had become terrible resource pigs and frequently caused compatibility conflicts. Thumbs down on Symantec products.
Anyway, for several years, I've run two machines with static IPs that direct connect to the Internet with only a software firewall as protection. There has never been a successful intrusion via that path. Well, I take that back, I've had a successful intrusion when I had to bring up a new machine which didn't have suitable protection, but needed net access to get proper updates. Happened in less than five minutes, though the subsequent install cleared out the crap post-scan. I'd guess hack attempts are being made several times an hour here 24/7/365, which actually is strong evidence that software firewalls are effective on a personally-controlled network.
The two machines have also on occasion been connected wirelessly using software firewalls without problems. Frankly, were I you, in a public wireless access situation I would be far more concerned about having personal data sniffed and misused by a miscreant. As you have probably heard, wireless security is notoriously weak and only now getting better. Better firewalls are not your solution there -- better protocols are what's needed.
posted by mdevore at 12:37 AM on October 28, 2006
The XP firewall by itself should be fine in conjunction with a decent anti-virus and nonstupid behavior when on a personal network, as sounds like your setup. It safely protects many a machine. Myself, I'm partial to using the "bought out by Symantec and discontinued but still available as a download on the Internet" Sygate personal firewall because with third-party firewalls you can catch vendor applications trying to phone home. That's not critical, but it can be a really nice feature to have. Sygate's firewall has always caused me the least amount of conflicts as a third-party firewall. I also use Sunbelt's Kerio free version, with just a couple reboot-to-fix conflicts the past year -- nothing terribly annoying. My wife use(d) TrendMicro's firewall on one of her machines, it's...okay. A few conflicts over time, and not the smallest footprint, but it did the job. I trashed all Symantec products out of here two or three years ago because they had become terrible resource pigs and frequently caused compatibility conflicts. Thumbs down on Symantec products.
Anyway, for several years, I've run two machines with static IPs that direct connect to the Internet with only a software firewall as protection. There has never been a successful intrusion via that path. Well, I take that back, I've had a successful intrusion when I had to bring up a new machine which didn't have suitable protection, but needed net access to get proper updates. Happened in less than five minutes, though the subsequent install cleared out the crap post-scan. I'd guess hack attempts are being made several times an hour here 24/7/365, which actually is strong evidence that software firewalls are effective on a personally-controlled network.
The two machines have also on occasion been connected wirelessly using software firewalls without problems. Frankly, were I you, in a public wireless access situation I would be far more concerned about having personal data sniffed and misused by a miscreant. As you have probably heard, wireless security is notoriously weak and only now getting better. Better firewalls are not your solution there -- better protocols are what's needed.
posted by mdevore at 12:37 AM on October 28, 2006
Log on with an account that has no administrator rights, with a software firewall. I'm not sure if it will make a difference, I'm just supersticious.
posted by Tixylix at 2:33 AM on October 28, 2006
posted by Tixylix at 2:33 AM on October 28, 2006
Response by poster: About the portable hardware router idea: I'd actually considered this, but I'm not good enough with basic electronic hackery to put together a portable power supply, plus I would prefer to keep the number of gadgets in my bag to a minimum. Since I'm apparently being more paranoid than I need to be, I might skip it, but it's nice to have an idea of how the system would work (and perhaps this is an arena where some enterprising engineer could make a laptop-friendly solution...).
About the private data interception: don't need to tell me twice. I'm currently dealing with the fallout from having my credit card number pwned. I don't plan on doing anything more secretive than typing in my Metafilter password. Maybe my e-mail password (but probably not). VPN's a good idea if I can get one set up at home base.
About VLANs: how would I go about detecting that sort of thing? Along the same lines, are there general tools I should have to survey Wifi hotspots for similar stuff, take a look at what I'm connecting to?
About software firewalls: Good to know. I'll check out Kerio and Sygate post-haste, as I'm not too keen on the Windows firewall—I find it hard to trust anything with the words "Microsoft" and "security" in close proximity to one another.
About the virtual machine idea: this is why I love AskMe. I'd honestly never thought of that before.
Thanks for all the tips, guys! Keep 'em coming. I'll be back to do the "best answer" rounds later on.
posted by chrominance at 2:40 AM on October 28, 2006
About the private data interception: don't need to tell me twice. I'm currently dealing with the fallout from having my credit card number pwned. I don't plan on doing anything more secretive than typing in my Metafilter password. Maybe my e-mail password (but probably not). VPN's a good idea if I can get one set up at home base.
About VLANs: how would I go about detecting that sort of thing? Along the same lines, are there general tools I should have to survey Wifi hotspots for similar stuff, take a look at what I'm connecting to?
About software firewalls: Good to know. I'll check out Kerio and Sygate post-haste, as I'm not too keen on the Windows firewall—I find it hard to trust anything with the words "Microsoft" and "security" in close proximity to one another.
About the virtual machine idea: this is why I love AskMe. I'd honestly never thought of that before.
Thanks for all the tips, guys! Keep 'em coming. I'll be back to do the "best answer" rounds later on.
posted by chrominance at 2:40 AM on October 28, 2006
"... but I'm not good enough with basic electronic hackery to put together a portable power supply, plus I would prefer to keep the number of gadgets in my bag to a minimum. ..."
The "portable power supply" you fear to create is a common wall wart (common modular DC brick), shipped with every Linksys and DLink type router. You take an outlet strip with you, and plug in, like 90% of laptop users do anyway. Reading your responses, I have a feeling you're not as serious about security as you'd have us believe, from your original question. Just as well, as configuring everything you need to configure to "secure" a machine in a public setting for various tasks is inconvenient, and probably approaches overkill for casual surfers at public hotspots.
"...About VLANs: how would I go about detecting that sort of thing? Along the same lines, are there general tools I should have to survey Wifi hotspots for similar stuff, take a look at what I'm connecting to? ..."
Here's an overview of the process from a Windows perspective. Panera Bread and other commercial hotspot operators use something like this in providing access controlled hotspots at their store locations. You could look for the presence of temporary and persistent alternate SSID's in the hotspot zone. You could run a sniffer, and examine your traffic stream for alternate broadcast addresses. But, a couple of caveats, since it appears you're new to the game. You're free to log any traffic you sniff in a hot spot if you like, but if I caught you probing my machine in a WiFi hotspot setting, I'd play with you. Don't send invitations for a party in public, unless you plan to dance. It's not a great way for a n00b to learn about IP networking, and few mistakes that run afoul of trip wires on a monitored network hot spot can quickly have you answering questions you'd rather not. And if you're ever tempted to use something you sniff, don't. Just don't.
posted by paulsc at 7:59 AM on October 28, 2006
The "portable power supply" you fear to create is a common wall wart (common modular DC brick), shipped with every Linksys and DLink type router. You take an outlet strip with you, and plug in, like 90% of laptop users do anyway. Reading your responses, I have a feeling you're not as serious about security as you'd have us believe, from your original question. Just as well, as configuring everything you need to configure to "secure" a machine in a public setting for various tasks is inconvenient, and probably approaches overkill for casual surfers at public hotspots.
"...About VLANs: how would I go about detecting that sort of thing? Along the same lines, are there general tools I should have to survey Wifi hotspots for similar stuff, take a look at what I'm connecting to? ..."
Here's an overview of the process from a Windows perspective. Panera Bread and other commercial hotspot operators use something like this in providing access controlled hotspots at their store locations. You could look for the presence of temporary and persistent alternate SSID's in the hotspot zone. You could run a sniffer, and examine your traffic stream for alternate broadcast addresses. But, a couple of caveats, since it appears you're new to the game. You're free to log any traffic you sniff in a hot spot if you like, but if I caught you probing my machine in a WiFi hotspot setting, I'd play with you. Don't send invitations for a party in public, unless you plan to dance. It's not a great way for a n00b to learn about IP networking, and few mistakes that run afoul of trip wires on a monitored network hot spot can quickly have you answering questions you'd rather not. And if you're ever tempted to use something you sniff, don't. Just don't.
posted by paulsc at 7:59 AM on October 28, 2006
I would say that your biggest concern should be getting your traffic intercepted. Most Wifi hotspots you'll be using will be sending your traffic into the clear. You'll want to implement a VPN through your home computer network so that anything you send and receive will be encrypted.
posted by fcain at 8:13 AM on October 28, 2006
posted by fcain at 8:13 AM on October 28, 2006
I'd suggest getting Kerio Personal Firewall and using it. I wouldn't suggest getting Sygate, as I've had unreliable results with it, and their support completely failed to answer my questions when it stopped working. Anything else is probably overkill.
posted by limeonaire at 8:55 AM on October 28, 2006
posted by limeonaire at 8:55 AM on October 28, 2006
I just assume that my traffic in a public hotspot is possibly being seen by others, so I don't do much more than Google around, read the news, check email (I change my email password often). No banking, no eBay, no Amazon. You can also create a disposable profile in Firefox to firewall your cookies, though I don't usually do that. When you're done, run your anti-spyware programs to cleanse the laptop and stop worrying. Just how many hackers are out there lurking around in coffee shops trying to force their way into other people's machines? It just seems unlikely to me.
posted by _sirmissalot_ at 10:58 AM on October 28, 2006
posted by _sirmissalot_ at 10:58 AM on October 28, 2006
No banking, no eBay, no Amazon.
Wrong. Your sessions are encrypted between your browser and the server at the bank if you use an internet browser that supports SSL. Considering you can't access your account details from an non-SSL browser from any bank, eBay, Amazon or legit ecommerce engine, you're safe.
What would go in the clear is your email, IM, and other non-encrypted traffic like metafilter. Someone could commandeer your email and other accounts since they could see when you send the account/password. Of course, if you use SSL encryption on your email app [or use https:// webmail] the stuff will be encrypted. Without encryption, people could read your email and your IM conversations. Someone could see what you're posting as an anonymous Ask Metafilter question, etc.
Like fcain said, you can do a VPN to your home system or, more convenient, but at a price, you can use VPN like hotspot VPN which would make all of the traffic between your system and the VPN server secure.
I have a Mac so I'll defer to others on the best firewall for XP.
posted by birdherder at 11:38 AM on October 28, 2006
Wrong. Your sessions are encrypted between your browser and the server at the bank if you use an internet browser that supports SSL. Considering you can't access your account details from an non-SSL browser from any bank, eBay, Amazon or legit ecommerce engine, you're safe.
What would go in the clear is your email, IM, and other non-encrypted traffic like metafilter. Someone could commandeer your email and other accounts since they could see when you send the account/password. Of course, if you use SSL encryption on your email app [or use https:// webmail] the stuff will be encrypted. Without encryption, people could read your email and your IM conversations. Someone could see what you're posting as an anonymous Ask Metafilter question, etc.
Like fcain said, you can do a VPN to your home system or, more convenient, but at a price, you can use VPN like hotspot VPN which would make all of the traffic between your system and the VPN server secure.
I have a Mac so I'll defer to others on the best firewall for XP.
posted by birdherder at 11:38 AM on October 28, 2006
First off, theres no such thing as a hardware firewall. Are firewalls are software. A vulnerability in your routers firmware is exactly as dangerous as a vulnerability in Microsoft's firewall software. Dismissing software firewalls is this context isnt fair.
Wireless is surprisingly secure considering the risks. Usually a threat doesnt come from the outside via wireless but through your email or from your P2P application. As long as you are mindful about which wireless access points you connect to you'll be fine.
If you want to encrypt all your traffic on your laptop then some kind of VPN solution would work. You could setup ssh on windows on your desktop (google for it) and run putty on your laptop to create a socks5 tunnel that will encrypt all your web traffic using your home broadband desktop as a proxy.
posted by damn dirty ape at 12:18 PM on October 28, 2006
Wireless is surprisingly secure considering the risks. Usually a threat doesnt come from the outside via wireless but through your email or from your P2P application. As long as you are mindful about which wireless access points you connect to you'll be fine.
If you want to encrypt all your traffic on your laptop then some kind of VPN solution would work. You could setup ssh on windows on your desktop (google for it) and run putty on your laptop to create a socks5 tunnel that will encrypt all your web traffic using your home broadband desktop as a proxy.
posted by damn dirty ape at 12:18 PM on October 28, 2006
The firewall that comes with XP SP2 is just fine for your purposes and you should run it. Guess what though, you probably don't even need it! If your system is fully patched (Windows Updated) there *theoretically* is no way for someone to compromise the machine even if there is an open port. But new vulnerabilities are learned of everyday and everyone should be running behind a firewall nonetheless.
What you need to do is encrypt (through a VPN or SSH tunnel or both) all of your traffic from WiFi hotspots. You can pay for access to a VPN server or you can run a VPN server (or SSH server) on your own desktop for free and then connect remotely.
posted by dendrite at 12:19 PM on October 28, 2006
What you need to do is encrypt (through a VPN or SSH tunnel or both) all of your traffic from WiFi hotspots. You can pay for access to a VPN server or you can run a VPN server (or SSH server) on your own desktop for free and then connect remotely.
posted by dendrite at 12:19 PM on October 28, 2006
Firewalls are totally useless in this scenario. You're pulling down web pages in a hostile environment. IE and Firefox both expose enormous attack surface, thus you lose.
Use a VPN service. HotspotVPN comes to mind.
posted by effugas at 1:06 PM on October 28, 2006
Use a VPN service. HotspotVPN comes to mind.
posted by effugas at 1:06 PM on October 28, 2006
Log on with an account that has no administrator rights, with a software firewall. I'm not sure if it will make a difference, I'm just supersticious.
Random reinforcement breeds ritual. (It won't make a difference, BTW.)
posted by effugas at 1:07 PM on October 28, 2006
Random reinforcement breeds ritual. (It won't make a difference, BTW.)
posted by effugas at 1:07 PM on October 28, 2006
(It won't make a difference, BTW.)
Actually, running as an unprivileged user is about the best thing you can do to prevent the installation of things you don't want installed.
posted by me & my monkey at 6:27 AM on October 29, 2006
Actually, running as an unprivileged user is about the best thing you can do to prevent the installation of things you don't want installed.
posted by me & my monkey at 6:27 AM on October 29, 2006
The best thing you can do to prevent unwanted installations is to not blindly click OK whenever a dialog pops up. Running unprivileged would mitigate the damage though. I doubt any of this applies to the power though, he's a "desktop power user."
posted by dendrite at 8:43 AM on October 29, 2006
posted by dendrite at 8:43 AM on October 29, 2006
This thread is closed to new comments.
Sorry if I get the terminology wrong, but there shoudn't be a reason why you couldn't run a copy of XP inside another XP. If your virtual XP gets infected, you could always fix it by restoring a backup copy of the virtual drive. AFAIK, any infection within the virtual machine doesn't affect the main system. As to performance, I believe you lose about 5% in speed and maybe lose any kind of graphics acceleration.
On my laptop, the file for my virtual XP is 3.6GB. It's one big file, but it's too large to keep a backup.
posted by Cog at 11:47 PM on October 27, 2006