Security Basics mailing list archives
Re: Third party remote management
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Tue, 11 Aug 2009 12:09:57 -0430
On Tuesday, 11 August 2009 09:53:51, W W wrote:

Our helpdesk is looking at some third-party remote management tools like GoToMyPC and LogMeIn to remotely manage our road warriors. What are some of the best practices for using these services? My initial thought is to not allow these services, as your network credentials are being passed through their infrastructure (i.e. when you log into a remote user's laptop with your network admin creds) with no oversight. Any thoughts would be appreciated.

Thanks,
W

Well, it depends on your security requirements. When you put your email in Google, you are trusting Google. When you use something like LogMeIn, you are doing the same with LogMeIn. Our thoughts: these companies won't sell our soul, because they don't want to lose clients and money.

----

I didn't test the tool, in fact. I only read about it, and one particular document is very interesting for understanding the situation:

https://secure.logmein.com/documentation/Security/wp_lmi_security.pdf

The communication seems to have a "re-encryption point"; at this point, the admin of (you name it) has the capability to intercept the communication, and depending on the nested protocol, the admin will see everything passing through (you name it). Assuming that you put your trust in LogMeIn, the security model seems to be valid and secure. Something else about cryptography algorithms, SSL version, signatures and more needs to be known.

----

If you don't trust your infrastructure in other hands, you have two options:

1.- You can use something like SecurID to protect access to your infrastructure. Two-factor authentication will not protect the information travelling across the remote access company (LogMeIn/whatever), but, with a good security policy, it can prevent some trouble from unauthorized access if your PC password is stolen.

*Some points about security:
- You are required to limit 1 token to 1 user
- Only 1 login of 1 user each 1 token period

*Some flaws:
- Data sent is prone to be intercepted.

2.- (VNC)/(Remote Desktop) + VPN + 1 public IP address: I think that is the best strategy if you don't trust third-party companies. One VPN at the border will secure the connection to the internal network. You have to be careful about:
- Certificates
- Cryptography used
- Keys
- Firewall rules for the VPN
-- Regards. Ing. Aaron G. Mizrachi P. http://www.unmanarc.com Mobil 1: + 58 416-6143543 Mobil 2: + 58 424-2412503 BBPIN: 0x 247066C1
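The two token rules in the reply (one token per user, one login per user per token period) are properties the verifying side has to enforce; the token itself cannot. The following is an added example, not code from the original post and not from any SecurID product: a standard-library TOTP verifier (RFC 6238 style, HMAC-SHA1, 30-second periods) that binds each secret to exactly one user and refuses a code whose period counter has already been consumed, so a one-time code captured in transit cannot be replayed within its period. The `TokenAuthenticator` class, its `enroll`/`verify` methods, the user names and the constructed secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(now: float, period: int = 30) -> int:
    """Time-based counter: the number of whole periods since the Unix epoch."""
    return int(now // period)


class TokenAuthenticator:
    """Hypothetical verifier enforcing: one token per user, one login per token period."""

    def __init__(self, period: int = 30, window: int = 1) -> None:
        self.period = period
        self.window = window          # periods of clock skew tolerated either side
        self.tokens: Dict[str, bytes] = {}         # user -> token secret
        self.last_counter: Dict[str, int] = {}     # user -> last counter accepted

    def enroll(self, user: str, secret: bytes) -> None:
        """Bind a token secret to exactly one user; refuse sharing or re-enrolment."""
        if user in self.tokens:
            raise ValueError("user already has a token")
        if secret in self.tokens.values():
            raise ValueError("token already assigned to another user")
        self.tokens[user] = secret

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        """Accept a code once per period; a replayed or older code is rejected."""
        secret = self.tokens.get(user)
        if secret is None:
            return False
        now = time.time() if now is None else now
        current = totp_counter(now, self.period)
        lo = max(0, current - self.window)
        for counter in range(lo, current + self.window + 1):
            if hmac.compare_digest(hotp(secret, counter), code):
                # The counter must be strictly newer than the last one accepted:
                # this is the "only 1 login per token period" rule.
                if counter <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed secret: the RFC 4226/6238 test vector, not a real credential.
    demo_secret = b"12345678901234567890"
    auth = TokenAuthenticator()
    auth.enroll("alice", demo_secret)
    code = hotp(demo_secret, totp_counter(59))
    print("first use:", auth.verify("alice", code, now=59))    # True
    print("replay:   ", auth.verify("alice", code, now=59))    # False
```

The replay check keys on the period counter rather than on the code string, so a client that legitimately logs in during one period and again in the next is accepted, while the same code presented twice (or a code from an earlier period) is not. Persisting `last_counter` alongside the user record is what makes the rule survive a restart of the verifier.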
Attachment:
signature.asc
Description: This is a digitally signed message part.
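For option 2, the last item in the reply's checklist ("firewall rules for the VPN") is where this design usually fails in practice: the remote desktop ports end up reachable on the public address as well as through the tunnel. The following is an added example, not code from the original post: a small first-match model of the border policy (VPN port accepted on the public interface; RDP and VNC accepted only on the tunnel interface and only from the VPN subnet; everything else dropped), evaluated against constructed connection attempts, plus a generator that renders the same rules as an nftables input chain. The interface names `eth0` and `tun0`, the VPN endpoint 1194/udp, the subnet 10.8.0.0/24 and the sample source addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One filter rule; a None field means 'match any'."""
    action: str
    iface: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    src: Optional[ipaddress.IPv4Network]


@dataclass(frozen=True)
class Packet:
    """A connection attempt as seen at the border (constructed for the example)."""
    iface: str
    proto: str
    src: str
    dport: int


def build_border_policy(vpn_proto: str = "udp", vpn_port: int = 1194,
                        vpn_net: str = "10.8.0.0/24",
                        remote_ports: Tuple[int, ...] = (3389, 5900),
                        public_if: str = "eth0", tunnel_if: str = "tun0") -> List[Rule]:
    """The reply's design: only the VPN is exposed; RDP/VNC live behind it."""
    net = ipaddress.ip_network(vpn_net)
    rules = [Rule("accept", public_if, vpn_proto, vpn_port, None)]
    for port in remote_ports:
        # Tunnel interface AND tunnel subnet: a packet arriving on tun0 with a
        # non-VPN source address is still dropped.
        rules.append(Rule("accept", tunnel_if, "tcp", port, net))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; the chain policy (drop) applies otherwise."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def to_nft(rules: List[Rule], table: str = "border") -> str:
    """Render the model as an nftables input chain with a default-drop policy."""
    lines = [
        f"table inet {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        '    iif "lo" accept',
    ]
    for r in rules:
        parts = []
        if r.iface:
            parts.append(f'iif "{r.iface}"')
        if r.src:
            parts.append(f"ip saddr {r.src}")
        if r.proto and r.dport:
            parts.append(f"{r.proto} dport {r.dport}")
        parts.append(r.action)
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    policy = build_border_policy()
    for pkt in (Packet("eth0", "tcp", "203.0.113.5", 3389),   # RDP from the Internet
                Packet("eth0", "udp", "203.0.113.5", 1194),   # VPN handshake
                Packet("tun0", "tcp", "10.8.0.7", 3389)):     # RDP through the tunnel
        print(pkt, "->", evaluate(policy, pkt))
    print(to_nft(policy))
```

The point the model makes explicit is that the public interface carries exactly one accepted service, the VPN itself; the remote desktop rules are keyed on both the tunnel interface and the tunnel subnet, so neither a direct connection to the public address nor a stray packet on the tunnel with an outside source reaches RDP or VNC.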
Current thread:
- Third party remote management W W (Aug 11)
- Re: Third party remote management Preston Connors (Aug 11)
- Re: Third party remote management H. Kurth Bemis (Aug 11)
- Re: Third party remote management Aarón Mizrachi (Aug 11)
- RE: Third party remote management Sampath Kumar Marella (Aug 11)
- <Possible follow-ups>
- RE: Third party remote management Ivan Carlos (Aug 11)
- RE: Third party remote management Juanjo Rodriguez - QITEC (Aug 11)
- Re: Third party remote management Preston Connors (Aug 11)