General Practice, Solo & Small Firm Division

A service of the ABA General Practice, Solo & Small Firm Division

Technology eReport

MARCH 2011

Vol. 10, No. 1

Features

 

Secure Surfing With Subscription VPN

Although Wireless Networking, commonly referred to as Wi-Fi, is practically ubiquitous, it isn’t universally secure. Several major 2010 news stories, both national and international, featured incidents of unsecure Wi-Fi. Google confessed to unauthorized collection of data transmitted by unsecured Wi-Fi networks in 30 countries as its Street View cars rode around neighborhoods throughout the world collecting data for Google Maps. A feud between a man and the family next door became a federal case when it was discovered that the angry man hacked his lawyer neighbor’s Wi-Fi connection and used it to send child porn to his law firm colleagues and a threatening email to Vice President Joe Biden. Finally, a number of media outlets reported on the Firefox web browser add-in Firesheep that identifies nearby users who are accessing the Internet on an unsecure Wi-Fi network and infiltrates their social media accounts.

Modern society has become ever more connected, and consequently so have its lawyers. Lawyers are increasingly reliant on mobile technology and the ever-present wireless networks that connect them in order to maintain office and client contact. The 2010 ABA Legal Technology Survey Report reveals that 71% of respondents work from a location other than their primary office. Seventy-nine percent of respondents from firms of 100 or more attorneys, 72% from firms of 10–49 attorneys as well as 70% from firms of 2–9 attorneys and 68% of solo respondents are also telecommuting. Although most survey respondents work from home (88%) when away from the office, a significant number are working in public places such as hotels (32%), libraries or courthouses (14%), and coffee shops/cafes (12%), locations most vulnerable to exploitation.

I Only Use Paid Wi-Fi Services
Just because you paid a fee for the Wi-Fi access provided at the airport or hotel or even in-flight doesn’t mean it is secure. In 2003 litigation technology consultant Jeff Flax noted that most Wi-Fi hotspots aren’t encrypted and that it isn’t economically feasible to encrypt public networks such as those from hotels, airports, and other providers. In 2008 Forbes magazine cautioned “Travelers beware: Poorly secured airport Wi-Fi networks are catnip for snoops” in the article Hacking Airport Wi-Fi. Even at 30,000 feet Wi-Fi users were vulnerable to hacking. But take heart: there is a remedy!

With subscription virtual private networking (VPN) you can surf securely on the road. Virtual private networking provides a secure tunnel between your remote connection and the office network. This ensures that everything a user sends and receives is encrypted and makes web surfing much safer. VPN once implied the need for a network administrator or consultant for setup and support, an expense that can be prohibitive for many solo and small firm practitioners. However, subscription VPN, also referred to as cloud-based, third-party, or hosted VPN, allows you to enjoy the service and support of an in-house information technology department without the overhead. Cloud-based VPN services have been around for a while and are as secure as traditional VPN offerings, easy to set up, and affordable.

What Are My Options?
When considering subscription VPN, there are two flavors among third-party providers: a PPTP VPN solution or an SSL VPN solution. The PPTP protocol is a standard security technology with a client (application) that comes installed with all computer operating systems and mobile devices. A PPTP VPN has relatively low overhead, making it the fastest choice of the VPN methods but also the least secure method. PPTP doesn’t encrypt the traffic: its main function is to create the tunnel in which the data traffic is transported and authenticate users, but it can be configured for 128-bit encryption. If you are setting up a VPN for your mobile device (Nokia, Palm, iPad, iPod Touch, or iPhone), a PPTP VPN is your only option.

Choosing an SSL VPN is the most secure option because it is encrypted out of the gate and doesn’t require a client because it uses the web browser (Internet Explorer, Safari, Firefox) as the client application. SSL VPN utilities may refer to themselves as being OpenVPN. This means that they were developed using a free and open source software application that adheres to rigorous standards to cloak data transmission on public networks and utilizes SSL/TLS security for encryption. Where they may differ is in the protocols that are used or the levels of encryption offered. If you travel internationally, then SSL VPN may be the only option available for a secure connection as PPTP VPN is often limited or blocked. An SSL VPN may also confer the benefit of being a little easier to set up because it usually requires you to download an installer that does most of the configuration. A PPTP VPN requires you to manually edit your network operating system or device settings in order to utilize the VPN provider’s encryption server. Typically, this involves inputting the name or address of the encryption server, your username and the password, all of which are provided by the service provider when you enroll in the service. With either choice, a PPTP or SSL VPN setup can often be completed in 15 minutes.

Which Option Is Best for Me?
If most of your wireless networking takes place on known, secured networks (home, work, client sites, etc.), then a PPTP VPN is an acceptable option. However, if you are a road warrior who travels to foreign countries that censor Internet access or frequently works on public networks, then you’ll want to select an SSL VPN. This choice costs a little more than a PPTP VPN, but provides the highest security level and greatest protection during the transmission of sensitive data when utilizing uncertain networks.

Before registering for the service you will need to know your operating system, wireless card manufacturer and model number, driver version, and Hotspot location. If you’ve been notified of available system updates, complete those first, making sure that you have the most current drivers and service packs available. The best pricing options may be available with a yearly subscription, but it’s best to take a trial or short-term period to see how the VPN operates on your home or work wireless networks. This gives you an opportunity to fix any problems (such as firewall settings) before hitting the road. During this test period you should also ask questions, no matter how trivial, to determine the responsiveness of technical support.
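
One check worth running during the trial period is whether ordinary Internet traffic really leaves through the tunnel once the VPN is connected. The following is an added example, not code from the article or from either provider: it assumes a Linux laptop, takes the text printed by `ip -4 route show`, and reports destinations that would bypass the VPN. The interface names, addresses, and sample routing tables are constructed for illustration.

```python
import ipaddress

# Assumed tunnel interface name prefixes: OpenVPN (tun/tap), PPTP (ppp).
TUNNEL_PREFIXES = ("tun", "tap", "ppp")

# Constructed `ip -4 route show` output: SSL VPN connected, all traffic tunneled.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed output: tunnel is up, but only the VPN subnet is routed into it.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

def parse_routes(text):
    """Turn routing-table text into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields[:-1]:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_interface(routes, destination):
    """Longest-prefix match (metrics ignored): interface used for destination."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None

def leaks(routes, destinations):
    """Destinations whose traffic would leave outside the tunnel."""
    pairs = [(d, egress_interface(routes, d)) for d in destinations]
    return [(d, dev) for d, dev in pairs if not (dev or "").startswith(TUNNEL_PREFIXES)]
```

The host route to the VPN server itself (203.0.113.10 in the sample) is expected to use the Wi-Fi interface; any other public address that appears in the result of `leaks` is being sent over the hotspot unencrypted by the VPN.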

Potential Challenges
Technical support can be limited for cloud-based VPN providers and usually consists of FAQs, a knowledge base, and text-based installation instructions. If you are a power user, this may suffice, but minimal human interaction is usually the tradeoff that keeps these services affordable. Also, some third-party VPNs may conflict with the connection utilities supplied by your wireless card provider. If this happens, you’ll usually receive error messages that will notify you of these conflicts. This may require that you disable the wireless card’s connection utility before starting the VPN. Additionally, your email client (Microsoft Outlook, Eudora, Thunderbird) may balk at changes to the port and SMTP server settings. Web-based email services such as Gmail or Yahoo! should be fine.

There are a large number of third-party VPN providers, both free and paid, in the market. Service providers range from small, anonymous operations with questionable credentials to established providers reviewed by reputable institutions. This article focuses on two paid services that are well known, support SMTP encryption, provide both PPTP and SSL VPN, and have good technical support options.

HotSpotVPN was formed in 2002 and supports multiple levels of encryption. HotSpotVPN supports most major operating systems including Windows 7, Snow Leopard OS X, Linux, FreeBSD, Solaris, and OpenBSD. Supported mobile devices include iPads, iPhones, Droid phones, most Symbian-based Nokias, Windows Mobile and PocketPC, and Nokia Internet Tablets.

HotSpotVPN offers two VPN services, referred to as HotSpotVPN-2 or HotSpotVPN-1. HotSpotVPN-2 is the SSL VPN offering, available at $10.88 per month for Blowfish encryption (128 bits), $11.88 for AES-192 (192 bits), and $13.88 for AES-256 (256 bits). Each SSL VPN includes a complimentary PPTP HotSpotVPN-1 account for your handheld device. HotSpotVPN-1 is the PPTP VPN and uses 128-bit MPPE encryption. HotSpotVPN-1 is $8.88 per month. You can get 12 months for the price of 10 if you purchase an annual subscription. You can also purchase HotSpotVPN-1 for a day ($3.88), three days ($5.88), or a week ($6.88). Technical support options include FAQs, a knowledge base, and brief illustrative videos for each service offering and operating system. Email support is available, but on the weekend the turnaround for a response may be greater than 24 hours.

WiTopia (formerly Full Mesh Networks) was founded in early 2003. WiTopia supports VoIP as well as the iPad, iPhone, and iPod Touch, Mac OS X, Windows XP, Windows Vista, Windows 7, Linux/FreeBSD/Solaris and Android phones, Windows Mobile, and Symbian OS. The client can be installed on multiple machines, but only one can be used at a time unless multiple accounts are purchased or a CloakBox VPN router (also from WiTopia) is used. The two VPN clients offered by WiTopia are the personalVPN – SSL (for the Mac or PC) or the personalVPN – PPTP. WiTopia doesn’t offer any free trial periods, but all products carry an unconditional 30-day money-back guarantee.

A subscription to personalVPN – SSL (OpenVPN) ($59.99 annually) provides unlimited access to all WiTopia VPN gateways as well as alternate ports and 256-bit encryption options. An installer is downloaded and run to preload all WiTopia gateways. The personalVPN – PPTP ($39.99 annually) requires no installation and provides 128-bit encryption. Most computers and smartphones have compatible PPTP software built in so you don’t have to install anything to use it. This is the product that you would order to protect your iPad, iPhone, and iPod Touch. If you have both laptops and mobile devices, then you would order the SSL/PPTP bundled package for $69.99. Technical support consists of FAQs, email, a Support Wiki, and a very responsive 24 x 7 x 365 live chat.

Tonya L. Johnson is a research specialist in the American Bar Association’s Legal Technology Resource Center. She can be reached at Tonya.Johnson@americanbar.org.

© Copyright 2011, American Bar Association.