7.7 Security Concerns

When using an open wireless network, all traffic between your laptop and the access point is sent in the clear to anyone in range. When using WEP, anyone who shares the same WEP key can listen in on your traffic as if it were an open network. How can you protect your data from prying eyes while using wireless? The best possible protection is provided by end-to-end encryption, which is provided by tools such as SSL, PPTP, and SSH. For example, browsing to an SSL-enabled web page will keep your conversation private, leaving any would-be eavesdroppers with data that looks much like line noise. The encryption and identification facilities provided by the 128-bit SSL implementation is widely regarded as "good enough" for use over untrusted networks, both wired and wireless.

SSL may be fine for web pages (and some mail clients), but what about protecting other traffic? The following is one method for securing your email using OpenSSH.[3] For a more thorough exploration of the possibilities of SSH, I highly recommend SSH, The Secure Shell: The Definitive Guide (O'Reilly).

[3] OpenSSH (http://www.openssh.com) is a free, open source implementation of the SSH protocol.

OpenSSH is being developed for BSD, but thanks to the great work by their porting team, it compiles under many Unix-like operating systems (including Linux, Solaris, HP/UX, Mac OS X, and many others). You can even use it in Windows with the Cygwin package (check out http://www.cygwin.com and download it now, if you haven't already; it almost makes Windows fun to use!).

Download OpenSSH and build it. You'll also need a copy of the OpenSSL libraries to compile OpenSSH. You can get OpenSSL from http://www.openssl.org. Once you've installed OpenSSH, you can use it to tunnel POP traffic from your local laptop to your mail server (called "mailhost"). We'll assume you have a shell account on the mail server for this example, although any machine on your internal network that accepts SSH connections should suffice.

7.7.1 Establish the Connection

Under OpenSSH:

laptop# ssh -L 110:mailhost:110 -l user -N mailhost

Naturally, substitute user with your username, and mailhost with your mail server's hostname or IP address. Note that you will have to be root on your laptop for this example, since you'll be binding to a privileged port (110, the POP port). You should also disable any locally running POP daemon (look in /etc/inetd.conf), or it will get in the way.

Assuming you have your RSA or DSA keys set up, you can even run this in the background (just tack on an &). This sets up the tunnel, and starts forwarding your local ports to the remote end through it. The -N switch tells SSH to not bother running an actual command on the remote end and to just do the forwarding.

7.7.2 Configure Your Mail Software

You now need to tell your mail software to connect to your tunnel rather than connecting directly to your mail server. This is different in each application, but the idea is always the same: you want your email client to connect to localhost instead of mailhost.

Here's how to set it up under Netscape Communicator; other clients may have different menu choices, but the principle is the same:

  • Go to Edit figs/U2192.gif Preferences.

  • Expand the Mail & Newsgroups tree, and select Mail Servers.

  • Remove your existing incoming mail server, and add a new one.

  • Under General, type "localhost" as the Server Name. Select POP3 as the Server Type.

  • Hit OK, make sure your tunnel is established, and retrieve your mail.

Naturally, it doesn't have to end with POP. You can also forward SMTP for outgoing mail (port 25). Simply specify multiple -L entries, like this:

laptop# ssh -L 110:mailhost:110 -L 25:mailhost:25 -l user -N mailhost

Now just set your outgoing mail server to localhost, and all of your incoming and outgoing email will be protected from prying eyes (er, ears) on your wireless network.