My comments are inline below.

On 4/4/06, Jim Seymour wrote:
>
> G'day all,
>
> I've been asked to assess this product/service for our use. Follows
> the security-oriented bits of my proprosed response. Have I got it
> right? Something I'm missing? Too paranoid? Not paranoid enough?


> Phrases like "A small footprint server is installed on the computer
> to be accessed" should ring loud alarm bells in the mind of any
> halfway competent network security person. Consider: The idea is to
> turn inherently insecure client PCs, which, to make them "safe," we
> hide behind firewalls administered by competent, knowledgeable, IT
> (security) professionals, into servers permanently connected to


Every application installed on a PC is potentially a "small footprint
server". And if your IT (security) professionals are truly competent
and knowledgeable, than your PCs should not be inherently insecure.=20
If you are relying on all of your security to be provided by your
Internet firewalls, you've already lost. Client side, wireless,
physical, insider, and social engineering attacks all bypass the
firewall.

> services operated by somebody else, over the Internet? Then we
> allow "random" other PCs anywhere on the Internet to connect to them?
> All of this somewhat browser-based? The same browsers that are
> generally the most oft-compromised application on *any* operating
> system platform?


GoToMyPC is not really browser based - the browser is just the vehicle
to install and launch their ActiveX application. Using their
corporate product you can require pre-authorization of client
computers before they are allowed to connect.

> Since GoToMyPC utilizes standard HTTP and HTTPS ports and protocols,


It uses tcp/8200 by default, falling back to http and https if 8200 is
blocked. Further, the http request method is 'JEDI', which shouldn't
be allowed through a properly configured http application proxy.

> tunneling itself through the firewall, I actually regard it as a
> potential security threat. I was considering blocking access to its
> servers and network. There doesn't appear to be *anything* to
> prevent any employee from signing up for their own GoToMyPC account,
> installing the requisite software on their desktop, and having their
> way with their desktop PC from anywhere in the world. There's really


If you don't control what employees can install or do on the company
PCs, there isn't *anything* you can do to protect your network.

Using ssh, netcat, or vnc over httptunnel would have the same effect
using free software, and should be controlled at the desktop and on
the network as well.

> Here's a "comforting" tidbit: "It's also important that remote access
> sessions be terminated after inactivity. Remote users walk away from


This is true for any remote access solution and isn't unique to GoToMyPC.

> MC> A socially-engineered employee sitting in front of the
> MC> machine might be coerced into installing a back door or
> MC> keystroke logger or other malware.


Again, if your employees can install keystroke loggers or other
malware, you've got bigger problems than GoToMyPC.

> [snip - discussion of keystroke loggers and sholder surfing]


Using one time passwords for GoToMyPC should be set as mandatory. You
should also integrate it with token-based authentication to prevent
these types of attacks.

> In summary: GoToMyPC strikes me as an extremely bad idea. There are
> plenty of testimonials from ostensibly reputable IT people claiming
> what a wonderful service it is. Frankly, given the way it operates,
> I have to go with the sentiments expressed by the opening quote: I'm
> surprised any so-called "IT professional" would even consider letting
> this thing onto their Corporate LANs.


While I'm not the biggest fan of GoToMyPC, based on your post I'd
suggest that you look at other areas of security before installing a
new remote-access solution. It may be that GoToMyPC is fine in a
well-secured environment that doesn't have extraordinary security
requirements.

Best of luck to you,

- Chris
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards