This was meant to go to the list and not just Paul. I suck at the
interweb this morning.

From: Layer One
Date: Apr 7, 2006 9:11 AM
Subject: Re: [fw-wiz] Assessment Of GoToMyPC vs. Network Security
To: "Paul D. Robertson"


I was tasked with doing a similar assessment a while back for
GoToMyPC. I ultimately told the business that it was a bad idea. First
off, there is the tunneling issue. While GoToMyPC actually does give
the admins a fair amount of control over who can do what, where, and
when, it does allow users to basically tunnel around your secure
end-points. The other issue I had with it is that of the remote host
computers. If you can't validate the security of the remote host, then
you shouldn't let it on your network, plain and simple. If your company
is looking for a remote access solution, they need to go with an
in-house, enterprise-wide solution. If it's just remote access to
applications or internal web resources there's any number of solutions
(in-house Citrix solutions, SSL VPNs, etc). If you are looking for a
full remote access solution, go with a proven VPN solution, some good
network architecture, and NAC/NAQ to make sure that the connecting end
points adhere to your corporate standards.

However, one good thing I will say about GoToMyPC is that they are
really good about helping you block their product if you want them to.
In addition to putting your own blocks in on your firewall, if you
contact them and flat out say 'I work for XYZ Corp and we don't want
our users using your service', they will block your address space
within their own systems. This helps cut down on users going out on
their own, installing it with a personal account, then bypassing your
policies.

On 4/7/06, Paul D. Robertson wrote:
> On Tue, 4 Apr 2006, Jim Seymour wrote:
>
> > servers and network. There doesn't appear to be *anything* to
> > prevent any employee from signing up for their own GoToMyPC account,
> > installing the requisite software on their desktop, and having their
> > way with their desktop PC from anywhere in the world. There's really

>
> You can control what software an employee can install, that's getting
> easier/better in a Windows environment.
>
> You can for instance, regularly download the software, MD5 it and block it
> by MD5.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> http://fora.compuwar.net Infosec discussion boards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/li...rewall-wizards
>