VPN solution suitable for insecure wifi hotspots?

[abignet]

Greetings all,

Long time reader, first time poster. I'm trying to figure out VPN's and determine what would be the best solution for me.

Here's my context:
-I have a home network (a few computers and a NAS connected to each other via a switch and a router/firewall) that I would like to be able to access remotely via my laptop.
-Most of the places where I'd be wanting to connect from are not secure (eg, a family member's home with an open, insecure wireless network; open, insecure wireless hotspots like coffee shops, hotels, etc.).

I'd like a solution that:
1) Has very strong security and encryption (I don't want to be opening holes into my home network; I don't even use wireless in my home network because I'm so cautious about this.).
2) Will be likely to work in most places (eg, my understanding from this article is that VPN Pass-Through is often disabled in public wireless hotspots, but that SSL VPN solutions are not blocked; I don't know if that is still the case or not.).
3) Will enable me to access anything on my home network (NAS, computers, etc.), including being able to securely Remote Desktop into any powered on computers.
4) Has Gigabit ports, and supports jumbo frames (assuming a hardware based solution is the way to go, which is what I'm guessing).
5) Has good throughput (I realize this will also be limited by my internet connection at each end. Some of the kinds of things I'd be wanting to do are: access/edit files such as Word, Excel, Access, and txt documents; check e-mail securely; web browse securely; secure Remote Desktop.).
6) Can handle media streaming (This is probably not realistic, which is why I made it separate from #5, but ideally, in addition to all of the above I'd like to be able to securely stream video content from my home network. The througput only needs to be good enough to handle one person, myself. Video file resolution could be as high as 720x480.).
7) Has netbios support (I've interpreted that this is helpful in accessing the remote network resources because it makes/helps them to show up in Windows Network Neighborhood on the client computer; I don't know if there are downsides to this.).
8) Is something that I can purchase 1x (ie, I don't think I want something that requires monthly or yearly service payments like gotomypc or whatever. My usage will be sporadic; there will probably be periods where I'll use it alot and periods where I don't use it at all. I'd rather pay for something once, even if it is more complicated on the frontend than paying for a service that is easier but that I don't use enough to justify.).
9) Will enable me to browse the internet and check e-mail securely (eg, If I'm connected via an insecure wireless hotspot I certainly don't want to read sensitive e-mails or do online banking, but if I could do those things through the VPN somehow that would be great. Sometimes I all I may wish to do is to securely check my e-mail through the VPN, whereas other times I may wish to also Remote Desktop into a computer or access other remote resources on my home network.).

Here are things that I don't care much about:
a) I don't mind having to (buy and) install software on my laptop (so long as the software does not demand much in the way of CPU or RAM--my laptop is old; it is probably the equivalent of current netbooks.).
b) I don't need a lot of tunnels; it is likely only going to be me connecting.
c) I don't mind if it is complicated to set up (as long as there are thorough instructions available), though I'd prefer something that did not require ongoing complicated maintenance (ie, if it is difficult to setup, but once it is setup it just works, that is fine). I'm new to VPN, but not new to technology in general. A complicated solution that is secure, fast, reliable and affordable is totally fine.

From what I've read so far it seems that #'s 1, 3, 4, 5, 7, and 8 should all be achievable, at least with some VPN routers. I am less clear about 2 and especially about 6.

With #9 I've had the impression that some VPN solutions have the ability to run all internet traffic on the client computer through the VPN connection, thus making an insecure wireless hotspot connection into a secure one (if I understand things correctly, which I may not). I haven't been able to determine if, for example, the Netgear client software can do this or not.

The NETGEAR FVS318G sounds cool, but I honestly don't know enough yet to know if that will do all that I want. I'm looking forward to the review, in addition to learning more about VPN's in general.

The Linksys RVL200 sounds interesting, but does not have Gigabit.

If the RVL200 or something like it (which also lacked Gigabit) were the most secure, fast, reliable and affordable option I would certainly consider them. My current router lacks Gigabit (but my switch is Gigabit).

Many, many thanks in advance to anyone who can offer me some advice, instruction, etc.!

 

[thiggins]

If you already have a Gigabit switch, you don't need another in the router.

SSL VPN is much easier to deal with and should work fine for your needs. As long as a public hotspot allows secure browsing, it should allow SSL VPN.

Media streaming shouldn't be a problem as long as the secure connection has enough bandwidth to handle your stream. That depends on the stream. You may need to profile some of your streams, as I did in this article.

You might also consider the NETGEAR FVS336G, which has better SSL tunnel thoughput and Gigabit ports.

You may not get Microsoft network browsing through the VPN tunnel. Many routers block the NETBIOS traffic because it's "chatty". You can always reach a share by its IP address, however.

 

[abignet]

Tim, thanks much for your reply.

If you already have a Gigabit switch, you don't need another in the router.

True. It's more of a "it would be nice" kind of thing. The extra ports on my current router are rarely used because they're not Gigabit, but if they were I would use them when I needed extra ports (ie, testing/building a machine or something) (of course, technically I can use them, I just prefer not to since they're not Gigabit).

SSL VPN is much easier to deal with and should work fine for your needs. As long as a public hotspot allows secure browsing, it should allow SSL VPN.
...
You might also consider the NETGEAR FVS336G, which has better SSL tunnel thoughput and Gigabit ports.

Cool. That is helpful. A couple of questions though. The Netgear site has a vulnerability page with the following on it (#3):

"SSL Certificate – Signature Verification Failed Vulnerability" – This is an inherent vulnerability in nearly all SSL implementations if unsigned or self-signed certificates are employed to identify the SSL termination device.

NETGEAR Response: This vulnerability is not applicable if the certificate used in the device is signed by a trusted third-party Certificate Authority. Please note that the factory default and default certificate used in the FVS336G is self-signed (NOT signed by a trusted third party certificate authority). However, the intent of the device is and best practices call for the administrator to upload a certificate signed by trusted third party (like VeriSign, godaddy.com , geotrust, etc) through 'VPN->Certificates' menu.

If a trusted third party-signed certificate is not employed, then the administrator is engaging in a potential security risk that is endemic to nearly all SSL implementations.

The manual also states:

Your VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate prior to deploying the VPN firewall in your network.
...
A self-signed certificate will trigger a warning from most browsers as it provides no protection against identity theft of the server.

Being new to VPN I am unsure of what the security implications are of just using the included self-signed Netgear certificate. A quick look at Verisign and Thawte seems to indicate that at minimum I'd be looking at $300/year for a certificate from them (and I'm not even sure which certificate I would need to buy). Also, if I did just use the Netgear certificate (assuming that doing so was safe), won't it expire eventually, and would that make me less secure? I'm not understanding what the risk is of my using the Netgear certificate. Is part of the risk that someone could be intercepting my attempt to VPN into my network and pass me a fake certificate or something?

The FVS336G does sound very interesting. I don't care about the dual WAN ports, but everything else sounds very good. Thanks for mentioning it!

Media streaming shouldn't be a problem as long as the secure connection has enough bandwidth to handle your stream. That depends on the stream. You may need to profile some of your streams, as I did in this article.

Cool.

You may not get Microsoft network browsing through the VPN tunnel. Many routers block the NETBIOS traffic because it's "chatty". You can always reach a share by its IP address, however.

Do you know if using Computer Name would work? For example, if on my home network I have Computer1 and Server1 and shares on each can be accessed locally by using each name and appropriate share: \\Computer1\ShareA \\Server1\ShareB ; once I was connected via VPN could I use \\Server1\ShareB to connect, or would I have to use \\Server1_IP\ShareB ?

The reason being is that currently the IP's on my home network are dynamically assigned by the router (and I assume I'd be doing the same thing with a new router), but there are applications that access files on my home network via name (hostname?) method (\\Computer1\ShareA).

Also, how does one know what IP's to try to access when trying to access shares on the local network via VPN?

You mention in your review of the FVS336G that:

Full Tunnel Mode will allow a remote user full access to the LAN without restrictions. I found this level of access to be more than necessary, as it also routes simple web surfing for the remote client through the VPN tunnel.

This sounds like what I am looking for regarding wanting my web browsing on my laptop to be routed through the VPN. I think I get the gist of the bandwidth reasons for using Split Tunnel Mode (ie, if my web browsing is not sensitive then I can do it quicker through my direct connection than through the VPN, thus saving time, energy, etc.), but are there any security implications to using Full Tunnel Mode that I should be aware of?

Thanks for your continued assistance. I know I'm asking LOTS of questions. Your input is a HUGE help to me!

 

[dreid]

Certificates, Shares, and Full Tunnel

Your concerns about the Netgear certificate are valid. You can enable your browser to accept self-signed certificates, but it does expose you to the risk of a spoofed certificate. A certificate from Verisign or Thawte can be revoked if compromised, making it less risky.

I was using the FVS336G SSL VPN with it's self-signed certificate for some time. I had no problems with it until the Netgear self-signed certificate expired, which caused the SSL VPN functionality to fail. I contacted Netgear on this issue, but Netgear's responses did not solve the problem, which was disappointing. What you discovered in the manual seems to be the right solution, which is to replace the Netgear self-signed certificate.

As to connecting shares over a VPN connection, the best practice is to assign static IP addresses to systems with shared drives instead of letting them get their IP dynamically. Then you know what IP your server is using. Once you've gone through the exercise of assigning static IP addresses to your server and mapped your connections on the laptop to the server's static IP (\\Server_IP\Share), you'll connect to that drive automatically when you're on your LAN or VPN.

With Full Tunnel, you access web sites via the VPN tunnel to your home network's ISP, thus you're not filtered by the local network. The security implications may be an issue for those running the local network, as you've now bypassed the local network's web filtering via your VPN tunnel.

 

[abignet]

dreid, thanks for your response.

Do you (or anyone else) know if it is possible to use a self-signed certificate with a SSL VPN router in such a way that does not pose any security risks? For example, is it possible to configure one's browser to accept only that particular self-signed certificate and not all self-signed certificates? Would that eliminate all risks, or would it still be possible for someone to somehow intercept and spoof the SSL VPN router's certificate (thus resulting in my connecting to someone else and not to my own router)?

Given what you wrote I've been experimenting with some VPN software that comes with my NAS. Its called ReadyNAS Remote and is based on software by Leaf Networks. It seems pretty nifty, but the connection I am testing it over is not good enough for streaming video, so I don't know yet about that part (though I feel doubtful that it will be up to the task). The Remote software only addresses half of my dilemma, however. I can access my NAS files securely through Remote, but I still need a way to browse the internet and so forth (FTP, etc.) securely while over an insecure wireless connection.

So I tried out WiTopia yesterday and today. It works well by itself, but when launching ReadyNAS Remote WiTopia forces Remote to go through it which is not what I want (it makes Remote slower). So I'm not sure what exactly I'm going to do. I imagine that other services like WiTopia will have similar constraints. Ultimately I probably would like to go with a SSL VPN router, but I'm not crazy about the cost, and the certificate issues are troubling.

If anyone has any further thoughts I welcome them.

Thanks again for replying.

 

[abignet]

Doug (dreid),

Thanks much for the great review of the FVS318G (http://www.smallnetbuilder.com/content/view/30923/51/). Your comparisons between it and other routers (such as the FVS336G) were very informative.

Regarding our discussion about SSL certificates, I've done some further hunting and have found a few more affordable options:
http://www.startssl.com/?app=1
http://www.namecheap.com/learn/other-services/ssl-certificate-pricing.asp?pricefor=ssl
In theory one of these could be used with the FVS336G, correct?