 Desdinova
join:2003-01-26 Gaithersburg, MD
| Secure Net Access in Hotel Room
If I missed a topic that answers my question, please excuse this post!
I'm going out of town next week and I'll be going online with my laptop via the hotel's broadband in my room. How can I check e-mail, banking, etc. securely while being hooked into their network? I'm not TOTALLY stupid about networks (at least, I don't think I am *grin*) and I've never had any issues in securing my network at home, but I'm unsure how to go through the hotel's network without being vulnerable to other users.
I'll be using a wired connection as the laptop's wireless is quirky at best. I'm running XP Pro.
Any thoughts or tutorials would be greatly appreciated! |
|
 tdumaine
join:2004-03-14 Redmond, WA
| If it's wired, it's fairly safe (unless there's a bad apple employee in the networking part of the hotel). If you are really paranoid, you have 2 options.
1. (easy option) VPN. Set it up at home, forward ports if needed on a router, and you're in like Flynn if the hotel doesn't block VPN ports.
2. (harder option) SSH. Set up an SSH server on the home computer, get a tunneling client (PuTTY, Tunnelier), open port 22 (can be changed to any port really), and use a proxy (I use built-in SOCKS on XP), and then everything that leaves the computer over the localhost:portyouchose is encrypted before it goes out. |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
1 edit | reply to Desdinova In addition most if not all banks use SSL when you connect to their site over the public internet. Look for the lock icon on IE.
Many ISPs also offer SSL email connections. Check with yours or you can use an option like Mail2Web to send/receive email via an SSL connection.
»https://www.mail2web.com/cgi-bin/login.a···d=0&il=1
FWIW, here is some help with SSH that you might be interested in. Another option while using an SSH tunnel, in addition to a SOCKS proxy, is to run either Remote Desktop (if your home PC is running Vista Ultimate/Business or XP Pro/MCE) or UltraVNC (Vista Home and XP Home editions) through the SSH tunnel. That way you're surfing the internet, emailing, banking, etc. just like you're sitting in front of your home PC.
»theillustratednetwork.mvps.org/S···ell.html
You could also just simply access the home PC with Remote Desktop or UltraVNC. Make sure you use a strong password and configure the encryption options for either high encryption (Remote Desktop) or use the UltraVNC encryption plug-in.
If you want to try setting up a PPTP VPN server at home see these. You can also easily run Remote Desktop or UltraVNC through a VPN tunnel...
»theillustratednetwork.mvps.org/V···VPN.html »www.onecomputerguy.com/networkin···rver.htm »www.onecomputerguy.com/networking/xp_vpn.htm
Other options include OpenVPN, SSL-Explorer or a third-party server solution like Hamachi. You could also set up a supported router with third-party firmware like DD-WRT and have a VPN or SSH server running on the router.
The laptop firewall should be configured to block all incoming probes. In Vista configure the network type as Public and in XP configure for No exceptions. See the latter part of this page for help with that.
»theillustratednetwork.mvps.org/L···ity.html -- "When all else fails, read the instructions..." MS-MVP Windows Networking 2003-2007 |
|
 Desdinova
join:2003-01-26 Gaithersburg, MD | reply to Desdinova Excellent! I'll start playing with my options and figure out the best way to go from there. Thank you both for the help!! |
|
  Kilroy Premium,MVM join:2002-11-21 Ann Arbor, MI | reply to Desdinova Take a listen or a read of Security Now! - Episode number 29. »www.grc.com/SecurityNow.htm#29 -- How hard does DRM have to bite before business abandon it? |
|
  awolfpup Premium join:2001-01-18 Macon, GA clubs: 
| reply to Desdinova As I work for a company [LodgeNet-Stayonline] that actually provides tiered network support for both chain and independent hotels, I'm probably the best qualified here to actually answer your questions.
Since I have no idea which hotel you will be staying at, I can only assume that, once you connect your laptop, whether it be wired or wireless, to the hotel's network, if you're on one of our supported hotels, you must first open your web browser to any public web page, as this will generate the hotel's internal laptop authentication internet access page. Some hotels offer direct access while others simply require you to enter your last name and room number so that they can verify you are indeed a guest of the hotel and not sitting/standing outside the hotel trying to use the hotel's wireless network [if wireless is available].
said by Desdinova: "I'm going out of town next week and I'll be going online with my laptop via the hotel's broadband in my room. How can I check e-mail, banking, etc. securely while being hooked into their network?"
Checking your email, are you using a 3rd party application [such as Outlook] or do you use just web mail?
If using web mail interface from your local ISP, you would access your web mail same as always, as ISPs always use https for web emails.
If using a 3rd party email program, it will work just the same as it did before.
Usually the only problem with using a 3rd party email program is with not being able to send out email. There are only [3] steps to try to use to correct this problem:
1. Contact your regular ISP that you are sending email through and have them set you up for SMTP authentication.
2. Contact the helpdesk for the hotel you're calling from and ask for the outgoing [SMTP] server address guests can use while at this particular hotel if your ISP's authentication settings do not permit you to send out email. Be sure to turn off outgoing SMTP authentication if you try to use the hotel's SMTP outgoing server as authentication will not be needed.
3. If the above [2] options fail to get you sending email with your 3rd party application, the final/last option is to use your web email from your regular ISP that you send/receive email through.
said by Desdinova: "...I've never had any issues in securing my network at home, but I'm unsure how to go through the hotel's network without being vulnerable to other users."
On our networks, we do use a firewall which is a part of our hotel's server-side equipment. This firewall creates what we term "a subscriber profile"; this prevents anyone from outside or inside from directly accessing your laptop. However, for ease of use, we do keep all outbound ports open for guests.
The only problem we have with this setup is with one type of VPN, where the person inside the hotel's network issues the initial VPN connection request, the server on the other end receives and then terminates that request, and then the employer's server re-issues the request to join the VPN... if your VPN software uses this type of VPN client/server, this will fail, as the firewall will block the incoming request, as it was not originated from your laptop, which is what a firewall does.
Also with regard to VPN, NAT-Traversal must be enabled; if your VPN fails to connect, then try turning off NAT-Traversal...
I have also seen a setting called NAT transparency; having been on, turn it off [if it's on], this may allow you to connect as well... or if it's off, try turning it on.
said by Desdinova: "I'll be using a wired connection as the laptop's wireless is quirky at best."
Have you already contacted your intended hotel and inquired as to whether they offer in-room wired ethernet connections? A lot of hotels are moving more and more to wireless. Always check before you arrive at the hotel, ask to speak with the MoD [Manager-on-Duty]; reason is, due to high turnover in the hospitality industry, the front desk staff may not be fully aware or informed of what the hotel's internet access amenities are. The hotel's manager/assist. MoD/ or even the assist. GM or hotel's GM [GM = General Manager] are your best resources for hotel amenities with regards to internet access that is offered at the hotel.
Hope you enjoy your hotel stay, at whichever hotel you decide to stay at! -- Ex-Earthlink Hi-speed Tech Support Rep. |
|
  pardon
@cox.net
| said by awolfpup: "If using web mail interface from your local ISP, you would access your web mail same as always, as ISPs always use https for web emails."
Not Cox. *maybe changed this last month at best |
|
  awolfpup Premium join:2001-01-18 Macon, GA clubs: 
2 edits | said by pardon: "said by awolfpup: 'If using web mail interface from your local ISP, you would access your web mail same as always, as ISPs always use https for web emails.' Not Cox. *maybe changed this last month at best"
I have seen many a problem in the past with Cox; Cox seems to block outgoing email with any other SMTP service provider other than their own...
Several times I had to contact Cox support to find out their SMTP outgoing server: mail.east.cox.... or something to that effect, it varied by geographic location in the states... north/south/west... etc... then the guest's email would send out flawlessly...
Note: this only would affect 3rd party email applications, not web based email. -- Ex-Earthlink Hi-speed Tech Support Rep. |
|
  dervari
join:2000-01-17 Atlanta, GA clubs: | reply to Desdinova When I travel, I use www.hotspotvpn.com. ALL outgoing internet traffic is VPN'ed to their servers and proxied to the internet. |
|
 tdumaine
join:2004-03-14 Redmond, WA
| said by dervari: "When I travel, I use www.hotspotvpn.com. ALL outgoing internet traffic is VPN'ed to their servers and proxied to the internet."
Sure hope you trust them 100% |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
1 edit | reply to pardon
said by pardon: "said by awolfpup: 'If using web mail interface from your local ISP, you would access your web mail same as always, as ISPs always use https for web emails.' Not Cox. *maybe changed this last month at best"
Cox only uses SSL for POP3 and not SMTP.
»POP SSL now active
Also the web based email only uses SSL for login. The rest of the session is unencrypted...  -- "When all else fails, read the instructions..." MS-MVP Windows Networking 2003-2007 |
|
  awolfpup Premium join:2001-01-18 Macon, GA clubs: 
| said by SoonerAl: "Also the web based email only uses SSL for login. The rest of the session is unencrypted..."
If a guest connects to a VPN first, then opens their browser to their web email... then the data between their laptop and the VPN server would be encrypted...
I monitor *guest internet traffic* day in/ day out; when a guest uses a VPN connection however, I can only see the initial connection, then the termination of said connection, which is how a VPN connection is supposed to work.
========
Clarifying use of term: *guest internet traffic* -- we do not see actual data being transmitted, only the destination IP of the web site the guest is surfing to.
Example of typical read out: MAC address of guest's laptop [wired/wireless device] -> NAT - DHCP IP [10.x.x.x/192.x.x.x/etc] /port# the data is going out on, on the internal side of the network -> Public IP of destination web site/public port#. -- Ex-Earthlink Hi-speed Tech Support Rep. |
|
  ptrowski Got Helix? Premium join:2005-03-14 Putnam, CT clubs:
| I believe it was Lodgenet that provided the wireless service when I stayed in an extended stay in Warwick, RI for 6 weeks. Their service was great, and their tech support was even better.  |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to awolfpup
said by awolfpup: "said by SoonerAl: 'Also the web based email only uses SSL for login. The rest of the session is unencrypted...' If a guest connects to a VPN first, then opens their browser to their web email... then the data between their laptop and the VPN server would be encrypted..."
Understood...
The problem is not everyone, i.e. your typical Mom & Pop for example, has access to or uses a VPN. Most folks in my peer group, can you say retirees, go Huh? and roll their eyes when I mention VPN.
So I would like to see Cox, my ISP, provide a totally SSL encrypted email (web based and POP3/SMTP) experience. Why they don't do that is beyond me...  -- "When all else fails, read the instructions..." MS-MVP Windows Networking 2003-2007 |
|
 Desdinova
join:2003-01-26 Gaithersburg, MD
| reply to Desdinova Thanks wolfpup, for the detailed answer (sorry it took so long for me to get back here!).
I was at a Best Western and the service loaded just as you described: as soon as I launched the browser and the first time I tried to connect to a website, the hotel's disclaimer loaded and after I clicked "I Agree" it then launched their own site. From there I could go anywhere I wanted.
But now that I know that the occasional DSL member might be down at the front desk monitoring my traffic I'll be VERY careful where I browse...*giggle* |
|
  dervari
join:2000-01-17 Atlanta, GA clubs:
| reply to awolfpup
said by awolfpup: "I monitor *guest internet traffic* day in/ day out; when a guest uses a VPN connection however, I can only see the initial connection, then the termination of said connection, which is how a VPN connection is supposed to work."
Remind me never to stay at your hotel. |
|
  awolfpup Premium join:2001-01-18 Macon, GA clubs: 
1 edit | said by dervari: "said by awolfpup: 'I monitor *guest internet traffic* day in/ day out; when a guest uses a VPN connection however, I can only see the initial connection, then the termination of said connection, which is how a VPN connection is supposed to work.' Remind me never to stay at your hotel."
I refer back to my previous post, under the section titled: "Clarifying use of term"...
=====
Our network is set up to monitor itself; when that process fails, that's when a human is then required to monitor guest traffic [as clarified above] with regard to excessive bandwidth. Things we will look for: file-streaming [audio or video]; file sharing; online gaming; etc.
When we get a report of slow browsing from a guest at one of our supported hotels, the first thing we look for is bandwidth saturation... any guest that may be monopolizing the hotel's available bandwidth... which in turn can slow the network for other guests in the hotel... we then terminate the offending laptop's internet connection due to abuse, which is clearly defined in the TOS [Terms Of Service] page that is displayed prior to the guest's access of the hotel's network.
Remember, we don't see actual data, only information we can see follows the format mentioned above:
Example: 00:99:99:99:FF:FF -> 10.0.0.100.5040 -> 69.210.64.63.80
-- we do not see actual user data --- -- Ex-Earthlink Hi-speed Tech Support Rep. |
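The record layout quoted in the post above ("MAC -> NAT IP.port -> public IP.port"), run through a small parser to show what an operator can infer from it. This is an added example, not part of any post in the thread and not LodgeNet's tooling; the sample lines are constructed, and guessing the service from the destination port is an assumption of the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the "MAC -> NAT IP.port -> public IP.port" layout
# quoted in the thread; documentation-range addresses, not a real log.
SAMPLE = """\
00:99:99:99:FF:FF -> 10.0.0.100.5040 -> 192.0.2.10.80
00:99:99:99:FF:FF -> 10.0.0.100.5041 -> 192.0.2.25.110
00:99:99:99:FF:FF -> 10.0.0.100.5042 -> 198.51.100.7.443
00:AA:AA:AA:00:01 -> 10.0.0.101.6000 -> 203.0.113.5.22
00:AA:AA:AA:00:01 -> 10.0.0.101.6001 -> 203.0.113.5.22
garbled line without the expected fields
"""

RECORD = re.compile(r"^([0-9A-Fa-f:]{17}) -> (\S+)\.(\d{1,5}) -> (\S+)\.(\d{1,5})$")

# Assumption: the service is guessed from the destination port alone.
CLEARTEXT = {25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}
PROTECTED = {22: "SSH", 443: "HTTPS", 465: "SMTPS", 993: "IMAPS", 995: "POP3S"}

def parse(line):
    """Return (mac, src_ip, src_port, dst_ip, dst_port), or None if malformed."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    mac, src, sport, dst, dport = m.groups()
    try:
        ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    except ValueError:
        return None
    if int(sport) > 65535 or int(dport) > 65535:
        return None
    return mac.upper(), src, int(sport), dst, int(dport)

def operator_view(text):
    """Per guest MAC: destinations seen, and which flows are likely readable in transit."""
    view = defaultdict(lambda: {"destinations": set(), "cleartext": [], "protected": []})
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip anything that is not a well-formed record
        mac, _, _, dst, dport = rec
        view[mac]["destinations"].add(dst)
        if dport in CLEARTEXT:
            view[mac]["cleartext"].append((dst, CLEARTEXT[dport]))
        elif dport in PROTECTED:
            view[mac]["protected"].append((dst, PROTECTED[dport]))
    return dict(view)
```

The first constructed guest exposes three destinations, two of them on cleartext ports; the second, tunnelling everything over SSH, shows a single endpoint and nothing else.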
|
  dervari
join:2000-01-17 Atlanta, GA clubs:
| I still don't like what I do being recorded. That's why I usually use a VPN. The only thing that shows up in logs is my connection to the VPN endpoint.
And the "stay in your hotel" comment was tongue in cheek.  |
|