When using an open wireless network, all traffic between your laptop and the access point is sent in the clear to anyone in range. When using WEP, anyone who shares the same WEP key can listen in on your traffic as if it were an open network. How can you protect your data from prying eyes while using wireless? The best possible protection is provided by end-to-end encryption. This is provided by tools such as SSL, PPTP, and SSH. For example, browsing to an SSL-enabled web page will keep your conversation private, leaving any would-be eavesdroppers with data that looks much like line noise. The encryption and identification facilities provided by the 128-bit SSL implementation are widely regarded as good enough for use over untrusted networks, like wireless.
SSL may be fine for web pages (and some mail clients), but what about protecting other traffic? This section describes one method for securing your email using OpenSSH.[3] For a more thorough exploration of the possibilities of SSH, I highly recommend SSH: The Secure Shell, also published by O'Reilly.
OpenSSH is a free, open source implementation of the SSH protocol. You can get it online at http://www.openssh.com/. OpenSSH is being developed for BSD, but thanks to the great work by their porting team, it compiles under many Unix-like operating systems (including Linux, Solaris, HP/UX, MacOS X, and many others). You can even use it in Windows, using the Cygwin package. Check out http://www.cygwin.com/ and download it now, if you haven't already. It almost makes Windows fun to use!
Download OpenSSH and build it. You'll also need a copy of the OpenSSL libraries to compile OpenSSH. You can get OpenSSL from http://www.openssl.org/. Once you've installed OpenSSH, you can use it to tunnel POP traffic from your local laptop to your mail server (called "mailhost"). We'll assume you have a shell account on the mail server for this example, although any machine on your internal network that accepts SSH connections should suffice.
7.5.1 Establish the Connection
Under OpenSSH:
laptop# ssh -L 110:mailhost:110 -l user -N mailhost
(Naturally, substitute user with your username and mailhost with your mail server's hostname or IP address.) Note that you will have to be root on your laptop for this example, since you'll be binding to a privileged port (110, the POP port). You should also disable any locally running POP daemon (look in /etc/inetd.conf), or it will get in the way.
Assuming you have your RSA or DSA keys set up, you can even run this in the background (just tack on an &). This sets up the tunnel, and starts forwarding your local ports to the remote end through it. The -N switch tells SSH to not bother running an actual command on the remote end and to just do the forwarding.
7.5.2 Configure Your Mail Software
You now need to tell your mail software to connect to your tunnel rather than connecting to your mail server directly. This is different in each application, but the idea is always the same: you want your email client to connect to localhost instead of mailhost.
Here's how to set it up under Netscape Communicator; other clients may have different menu choices, but the principle is the same:
• Go to Edit → Preferences.
• Expand the Mail & Newsgroups tree, and select Mail Servers.
• Remove your existing incoming mail server, and add a new one.
• Under General, type localhost as the Server Name. Select POP3 as the Server Type.
• Hit OK, make sure your tunnel is established, and retrieve your mail.
To protect outgoing mail as well, forward the SMTP port (25) through the same tunnel:
laptop# ssh -L 110:mailhost:110 -L 25:mailhost:25 -l user -N mailhost
Now just set your outgoing mail server to localhost, and all of your incoming and outgoing email will be protected from prying eyes (er, ears) on your wireless network.
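As an added example (not from the book), the following POSIX shell helper builds the POP and SMTP tunnel commands described above. It assumes the unprivileged local ports 1110 and 1025, chosen here so the tunnel can run without root on the laptop (the mail client is then pointed at localhost port 1110 for POP3 and port 1025 for SMTP instead of the standard ports); "user" and "mailhost" remain placeholders as in the text. It binds the forwarded ports to 127.0.0.1 so that other stations on the wireless network cannot connect to them, and adds OpenSSH's ExitOnForwardFailure and ServerAliveInterval options so that ssh exits when a forward cannot be set up or the connection dies, rather than leaving a tunnel that silently does nothing.

```shell
#!/bin/sh
# Added example: helper for the "ssh -L" mail tunnel from the text.
# Assumptions not taken from the original page: the local ports 1110/1025,
# the loopback-only bind address, and the two -o options are choices made here.

# Succeed if a TCP port is privileged (below 1024). Binding such a port is
# what forces the text's "110:mailhost:110" form to be run as root.
needs_root() {
    [ "$1" -lt 1024 ]
}

# Print the ssh command that forwards each LOCAL_PORT on 127.0.0.1 to the
# matching REMOTE_PORT on HOST, through the SSH server on HOST.
# Usage: tunnel_cmd USER HOST LOCAL_PORT REMOTE_PORT [LOCAL_PORT REMOTE_PORT ...]
tunnel_cmd() {
    user=$1
    host=$2
    shift 2
    # -N: no remote command, just forwarding (as in the text).
    # ExitOnForwardFailure=yes: fail loudly if a port cannot be bound.
    # ServerAliveInterval=30: detect a dead connection instead of hanging.
    cmd="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    while [ $# -ge 2 ]; do
        # Explicit 127.0.0.1 bind: the forwarded port is reachable only from
        # this laptop, never from other stations on the wireless network.
        cmd="$cmd -L 127.0.0.1:$1:$host:$2"
        shift 2
    done
    printf '%s\n' "$cmd -l $user $host"
}

# Stand-alone use: show the POP + SMTP tunnel on unprivileged local ports.
for p in 1110 1025; do
    if needs_root "$p"; then
        echo "port $p needs root; pick a port >= 1024" >&2
    fi
done
tunnel_cmd user mailhost 1110 110 1025 25
```

Run the printed command (add `-f` to put it in the background once key-based authentication works, as the text suggests with `&`), then set the mail client's incoming server to localhost port 1110 and outgoing server to localhost port 1025.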