Security Concerns
When using an open wireless network, all traffic between your laptop
and the access point is sent in the clear to anyone in range. When
using WEP, anyone who shares the same WEP key can listen in on your
traffic as if it were an open network. How can you protect your data
from prying eyes while using wireless? The best possible protection is
provided by end-to-end encryption, using tools such as SSL, PPTP, and
SSH (of the three, PPTP with MS-CHAP authentication has well-documented
weaknesses, so prefer SSL or SSH where you have the choice). For
example, browsing to an SSL-enabled web page keeps your conversation
private, leaving any would-be eavesdroppers with data that looks much
like line noise, provided you don't click past a certificate warning:
with a forged certificate, someone in range can sit between you and
the server and read everything. The encryption and authentication
facilities provided by 128-bit SSL are widely regarded as "good
enough" for use over untrusted networks, both wired and wireless.
SSL
may be fine for web pages (and some mail clients), but what about
protecting other traffic? The following is one method for securing
your email using OpenSSH. For a more thorough
exploration of the possibilities of SSH, I highly recommend
SSH, The Secure Shell: The Definitive
Guide (O'Reilly).
OpenSSH is developed as part of OpenBSD, but thanks to the great work
of its portability team it compiles under many Unix-like operating
systems (including Linux, Solaris, HP-UX, Mac OS X, and many others).
You can even use it in Windows with the Cygwin package (check out
http://www.cygwin.com and download it now, if you haven't already; it
almost makes Windows fun to use!).
Download OpenSSH and build it. You'll also need a copy of the OpenSSL
libraries to compile OpenSSH. You can get OpenSSL from
http://www.openssl.org. Once you've installed OpenSSH, you can use it
to tunnel POP traffic from your local laptop to your mail server
(called "mailhost"). We'll assume you have a shell account on the mail
server for this example. Any other machine on your internal network
that accepts SSH connections would also work, but remember that the
tunnel only protects the leg from your laptop to that machine; from
there to mailhost your mail crosses the internal network in the clear,
so pick a host and a network you trust.
7.7.1 Establish the Connection
Under OpenSSH:
laptop# ssh -L 110:mailhost:110 -l user -N mailhost
Naturally, substitute user with your username, and mailhost with your
mail server's hostname or IP address. Note that you will have to be
root on your laptop for this example, since you'll be binding to a
privileged port (110, the POP port). You should also disable any
locally running POP daemon (look in /etc/inetd.conf), or it will get
in the way. If you'd rather not run ssh as root, forward from an
unprivileged local port instead, for example -L 1110:mailhost:110, and
point your mail client at port 1110; that also sidesteps any local POP
daemon. Either way, OpenSSH binds the local end of a -L forward to the
loopback interface only, so other machines on the wireless network
cannot use your tunnel; don't add -g (GatewayPorts) here, as that
would open it to them. The hostname in the middle of the -L argument
is resolved on the remote end, so since you are logging in to mailhost
itself, localhost would work there as well.
Assuming you have your RSA or DSA keys set up (so ssh won't stop to
ask for a password), you can even run this in the background (just
tack on an &, or use the -f switch, which backgrounds ssh only after
it has authenticated). This sets up the tunnel and starts forwarding
your local ports to the remote end through it. The -N switch tells SSH
not to bother running an actual command on the remote end and to just
do the forwarding.
7.7.2 Configure Your Mail Software
You now need to tell your mail
software to connect to your tunnel rather than connecting directly to
your mail server. This is different in each application, but the idea
is always the same: you want your email client to connect to
localhost instead of
mailhost.
Here's how to set it up under Netscape Communicator; other clients may
have different menu choices, but the principle is the same:
- Go to Edit → Preferences.
- Expand the Mail & Newsgroups tree, and select Mail Servers.
- Remove your existing incoming mail server, and add a new one.
- Under General, type "localhost" as the Server Name. Select POP3 as the Server Type. (If you forwarded from a local port other than 110, set that port here as well.)
- Hit OK, make sure your tunnel is established, and retrieve your mail.
Naturally, it doesn't have to end with POP. You can
also forward SMTP for outgoing mail (port 25). Simply specify
multiple -L entries, like this:
laptop# ssh -L 110:mailhost:110 -L 25:mailhost:25 -l user -N mailhost
Now just set your outgoing mail server to localhost,
and all of your incoming and outgoing email will be
protected from prying eyes (er, ears) on your wireless network.
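The whole procedure (bring the tunnel up, point the mail client at localhost, forward SMTP alongside POP) as one script. This is an added example, not a command from the book: it keeps the user and mailhost names from the text, but chooses unprivileged local ports (1110 and 1025) so it needs no root on the laptop, binds the listeners to loopback explicitly, refuses to log in if a local port is already taken, and uses an OpenSSH control socket so the tunnel can be checked and shut down without hunting for the process. The port numbers, the control-socket path and the option set are this example's own choices.

```sh
#!/bin/sh
# mailtunnel.sh - forward POP3 and SMTP from this laptop to "mailhost" over
# OpenSSH without needing root. Added example, not from the book: "mailhost"
# and "user" follow the text; the local ports, control-socket path and ssh
# options are this script's own choices.
set -eu

MAILHOST="${MAILHOST:-mailhost}"        # mail server hostname or IP (assumed)
SSHUSER="${SSHUSER:-user}"              # your shell account there (assumed)
POP_LOCAL="${POP_LOCAL:-1110}"          # unprivileged stand-in for 110
SMTP_LOCAL="${SMTP_LOCAL:-1025}"        # unprivileged stand-in for 25
CTL="${HOME:-/tmp}/.ssh/mailtunnel.ctl" # OpenSSH control socket (our choice)

# Ports below 1024 need root to bind; with 1110/1025 a plain user can run this.
unprivileged_port() {
    [ "$1" -gt 1023 ] && [ "$1" -lt 65536 ]
}

# Hand the ssh argument list to CMD (ssh to run it, show_args to print it).
# The security-relevant choices:
#  - "127.0.0.1:" binds each listener to loopback, so other laptops on the
#    same wireless network cannot ride your tunnel (never add -g here)
#  - the destination "localhost" is resolved on mailhost, so the POP and SMTP
#    daemons see a connection from their own machine, not from the WLAN
#  - ExitOnForwardFailure: ssh exits non-zero if a local port is already taken
#    (a local POP daemon, say) instead of quietly logging in with no forward,
#    which would leave your mail client talking to the wrong thing
#  - -M/-S create a control socket so "status" and "down" need no kill(1)
with_tunnel_args() {
    "$1" -N -f -M -S "$CTL" \
         -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
         -L "127.0.0.1:$POP_LOCAL:localhost:110" \
         -L "127.0.0.1:$SMTP_LOCAL:localhost:25" \
         -l "$SSHUSER" "$MAILHOST"
}

show_args() { printf 'ssh'; printf ' %s' "$@"; printf '\n'; }

tunnel_cmd()    { with_tunnel_args show_args; }
tunnel_status() { ssh -S "$CTL" -O check "$MAILHOST"; }
tunnel_down()   { ssh -S "$CTL" -O exit "$MAILHOST"; }

tunnel_up() {
    for p in "$POP_LOCAL" "$SMTP_LOCAL"; do
        unprivileged_port "$p" || {
            echo "local port $p needs root; pick one above 1023" >&2
            return 1
        }
    done
    mkdir -p "$(dirname "$CTL")"
    # -f backgrounds ssh only after authentication and after the forwards are
    # bound, so when this returns 0 the tunnel is ready for the mail client.
    with_tunnel_args ssh
    echo "POP3 on localhost:$POP_LOCAL, SMTP on localhost:$SMTP_LOCAL"
}

case "${1:-}" in
    up)     tunnel_up ;;
    down)   tunnel_down ;;
    status) tunnel_status ;;
    *)      echo "usage: $0 up|down|status"
            echo "up would run: $(tunnel_cmd)" ;;
esac
```

Run `./mailtunnel.sh up`, then set both the incoming (POP3) and outgoing (SMTP) server in your mail client to localhost, ports 1110 and 1025; `./mailtunnel.sh status` confirms the master connection is alive, and `./mailtunnel.sh down` closes it when you leave the network.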