Running software firewalls on PCs is nowadays accepted as a necessary security layer, but it is surprising that the same concept has yet to be applied to the one area where it could arguably make a much bigger difference – Wi-Fi connectivity.
Desktop software firewalls – and simple firewalls in general – can be of limited use against inbound traffic because they only guarantee to protect against attacks on documented ports (80 for HTTP, and so on), and there are plenty of attacks that don’t use those. A Wi-Fi firewall, on the other hand, can be inherently stronger because it protects the channel of connectivity, not the software interfaces opened using that channel.
Granted, this is a simpler function than software and application firewalling, but no less important for Wi-Fi users who cart around their life on laptops. They connect from within a LAN, from outside it at home using broadband, and from public Wi-Fi hotspots. They could also be using multiple wireless access points (APs), the credentials of which can be very hard to verify. Most users see that their laptops have connected wirelessly and think no more about the issue.
Sana Security’s Primary Response Air Cover, to give it its full name, is best described as a sort of Wi-Fi firewall for any PC connecting wirelessly, principally laptops. Depending on how it has been configured, it will only let a PC connect to one or more from a specified list of authorised access points. It will also control how the wireless interfaces on the PC can be accessed by other PCs (ad-hoc wireless networking and bridged connections), and will block or allow access to wired Ethernet and even Bluetooth interfaces.
The user sets up to three profiles, ‘work’, ‘home’ and ‘away’, and then decides which security parameters should be applied to each one. There is a bit more to this than you’d think. For instance, the ‘work’ profile should either block Wi-Fi altogether (because wired Ethernet is being used) or allow only a named AP/MAC address combination where Wi-Fi is present. When using the ‘home’ profile, things get a bit trickier because in all likelihood a longer list of other people’s APs will always appear to the software, and so more care needs to be taken. When ‘away’ from home using public networks, it makes sense to trust nothing, allowing only those APs that have been verified before allowing a connection.
If another computer or AP is attempting to make a connection to the PC in any one of these modes against the set policy, the user is given a pop-up warning and told that the program has disallowed the action. In each profile, the software lets admins force the laptop to connect only to APs that can offer the required level of encryption, ideally some form of WPA. Our test wireless card supported only WEP, which the program rated as medium risk.
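The per-profile policy described above (an allow-list of SSID/MAC pairs plus a minimum encryption level) can be sketched as follows. This is an added example, not Sana Security's code; the profile fields, encryption ranks and sample APs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed ranking: the review only says WEP is "medium risk" and WPA is preferred.
ENC_RANK = {"open": 0, "wep": 1, "wpa": 2}

@dataclass(frozen=True)
class AP:
    ssid: str
    bssid: str   # the AP's MAC address
    enc: str     # "open", "wep" or "wpa"

@dataclass
class Profile:
    wifi_enabled: bool
    allowed: set  # {(ssid, lowercase bssid)} pairs the user has authorised
    min_enc: str

def evaluate(profile, ap):
    """Return (decision, reason) for one observed AP under one profile."""
    if not profile.wifi_enabled:
        return ("block", "wifi disabled in profile")
    if (ap.ssid, ap.bssid.lower()) not in profile.allowed:
        # A listed SSID announced from an unlisted MAC deserves its own warning.
        if any(ssid == ap.ssid for ssid, _ in profile.allowed):
            return ("block", "known SSID from unlisted MAC")
        return ("block", "AP not on allow-list")
    if ENC_RANK.get(ap.enc, 0) < ENC_RANK[profile.min_enc]:
        return ("block", "encryption below profile minimum")
    return ("allow", "listed AP meets encryption minimum")

# Constructed sample profiles and scan results (not from the review).
PROFILES = {
    "work": Profile(False, set(), "wpa"),
    "home": Profile(True, {("HomeNet", "00:11:22:33:44:55")}, "wpa"),
    "away": Profile(True, {("CafeVerified", "66:77:88:99:aa:bb")}, "wep"),
}
SCAN = [
    AP("HomeNet", "00:11:22:33:44:55", "wpa"),
    AP("HomeNet", "de:ad:be:ef:00:01", "wpa"),
    AP("Neighbour", "02:00:00:00:00:01", "open"),
]

def decisions(profile_name, scan=SCAN):
    profile = PROFILES[profile_name]
    return [evaluate(profile, ap) for ap in scan]

if __name__ == "__main__":
    for name in PROFILES:
        for ap, (decision, why) in zip(SCAN, decisions(name)):
            print(f"{name:5} {ap.ssid:12} {ap.bssid} {decision}: {why}")
```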
The one assumption in all this is that the allowed AP, with its unique SSID and MAC address combination, is legitimate. In principle, this isn’t easy to spoof because that would lead to a conflict between the real and rogue AP trying to impersonate it. However, what would happen if the real AP itself has been hacked? Air Cover would argue that if this happens, then client security is probably the least of your concerns.
Still, it would have been nice to have had the ability to force the software to disallow a connection made without RADIUS authentication (see here for a review of a public authentication service for Wi-Fi from Witopia), just as a back-up to using SSID/MAC address combinations to identify an AP. These have to be set up in the AP itself, as well as at the client end, and so could not easily be simulated.
Primary Response Air Cover offers a very useful, and probably essential, layer of security for anyone regularly moving around with a laptop. It is a fact that Wi-Fi is laughably insecure unless basic precautions are taken. This program offers a neat way not just of securing it to a basic degree but of giving that connectivity some ‘visibility’. You can see very clearly what APs and other Wi-Fi devices are out there, and what sort of security they are using, which helps when making informed decisions about their trustworthiness.
That has to be a step on from the complacent connectivity mindset of today where users trust more or less any connection their computer presents them with.
Sana Security’s website is here.
This is the sort of software that should come with every laptop. Wireless connectivity is risky, but not necessarily easy to secure for the novice. That is where a Wi-Fi “firewall” comes in. Larger businesses will be using VPNs, but everyone else should beware Wi-Fi’s terrible curse of openness.