Firewall Wizards mailing list archives
Re: Assessment Of GoToMyPC vs. Network Security
From: "Chris Byrd" <cbyrd01 () gmail com>
Date: Fri, 7 Apr 2006 15:59:28 -0500
My comments are inline below.
On 4/4/06, Jim Seymour <jseymour () linxnet com> wrote:
> G'day all, I've been asked to assess this product/service for our use. Follows the security-oriented bits of my proposed response. Have I got it right? Something I'm missing? Too paranoid? Not paranoid enough? ;)
> Phrases like "A small footprint server is installed on the computer to be accessed" should ring loud alarm bells in the mind of any halfway competent network security person. Consider: The idea is to turn inherently insecure client PCs, which, to make them "safe," we hide behind firewalls administered by competent, knowledgeable, IT (security) professionals, into servers permanently connected to
Every application installed on a PC is potentially a "small footprint server". And if your IT (security) professionals are truly competent and knowledgeable, then your PCs should not be inherently insecure. If you are relying on all of your security to be provided by your Internet firewalls, you've already lost. Client side, wireless, physical, insider, and social engineering attacks all bypass the firewall.
> services operated by somebody else, over the Internet? Then we allow "random" other PCs anywhere on the Internet to connect to them? All of this somewhat browser-based? The same browsers that are generally the most oft-compromised application on *any* operating system platform?
GoToMyPC is not really browser based - the browser is just the vehicle to install and launch their ActiveX application. Using their corporate product you can require pre-authorization of client computers before they are allowed to connect.
> Since GoToMyPC utilizes standard HTTP and HTTPS ports and protocols,
It uses tcp/8200 by default, falling back to http and https if 8200 is blocked. Further, the http request method is 'JEDI', which shouldn't be allowed through a properly configured http application proxy.
> tunneling itself through the firewall, I actually regard it as a potential security threat. I was considering blocking access to its servers and network. There doesn't appear to be *anything* to prevent any employee from signing up for their own GoToMyPC account, installing the requisite software on their desktop, and having their way with their desktop PC from anywhere in the world. There's really
If you don't control what employees can install or do on the company PCs, there isn't *anything* you can do to protect your network. Using ssh, netcat, or vnc over httptunnel would have the same effect using free software, and should be controlled at the desktop and on the network as well.
> Here's a "comforting" tidbit: "It's also important that remote access sessions be terminated after inactivity. Remote users walk away from
This is true for any remote access solution and isn't unique to GoToMyPC.
> MC> A socially-engineered employee sitting in front of the machine might be coerced into installing a back door or keystroke logger or other malware.
Again, if your employees can install keystroke loggers or other malware, you've got bigger problems than GoToMyPC.
[snip - discussion of keystroke loggers and shoulder surfing]
Using one time passwords for GoToMyPC should be set as mandatory. You should also integrate it with token-based authentication to prevent these types of attacks.
> In summary: GoToMyPC strikes me as an extremely bad idea. There are plenty of testimonials from ostensibly reputable IT people claiming what a wonderful service it is. Frankly, given the way it operates, I have to go with the sentiments expressed by the opening quote: I'm surprised any so-called "IT professional" would even consider letting this thing onto their Corporate LANs.
While I'm not the biggest fan of GoToMyPC, based on your post I'd suggest that you look at other areas of security before installing a new remote-access solution. It may be that GoToMyPC is fine in a well-secured environment that doesn't have extraordinary security requirements.
Best of luck to you,
- Chris
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
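The two network indicators mentioned in the message above (tcp/8200 and the non-standard 'JEDI' request method) can be looked for in proxy logs. The following is an added example, not part of the original post: the log format, host names, addresses and the allowed-method policy are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed site policy: methods the HTTP proxy is expected to pass.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "CONNECT"}
WATCHED_PORTS = {8200}  # default port named in the post above

# Constructed sample log (hypothetical format: time src method target status).
SAMPLE_LOG = """\
2006-04-07T15:01:02 10.0.0.15 GET http://www.example.com/index.html 200
2006-04-07T15:01:09 10.0.0.23 JEDI http://broker.example.net/session 200
2006-04-07T15:02:44 10.0.0.23 CONNECT broker.example.net:8200 200
2006-04-07T15:03:10 10.0.0.31 POST https://intranet.example.org/form 200
2006-04-07T15:03:12 10.0.0.31 CONNECT mail.example.org:443 200
truncated line
"""


def target_port(method, target):
    """Return the destination port of a request target, or None if unknown."""
    if method == "CONNECT":  # CONNECT targets are host:port, not URLs
        host, _, port = target.rpartition(":")
        return int(port) if host and port.isdigit() else None
    parts = urlsplit(target)
    try:
        explicit = parts.port
    except ValueError:  # non-numeric or out-of-range port in the URL
        return None
    return explicit or {"http": 80, "https": 443}.get(parts.scheme)


def find_remote_access_indicators(log_text):
    """Return (line number, source IP, reasons) for each suspicious entry."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed entry: skip rather than guess
        _time, src, method, target, _status = fields
        reasons = []
        if method not in ALLOWED_METHODS:  # methods are case-sensitive
            reasons.append(f"method:{method}")
        port = target_port(method, target)
        if port in WATCHED_PORTS:
            reasons.append(f"port:{port}")
        if reasons:
            findings.append((lineno, src, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_remote_access_indicators(SAMPLE_LOG):
        print(finding)
```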