Re: Risk regarding remote login services

[Gary Flynn <flynngn () JMU EDU>]

Basgen, Brian wrote:

> >  I'm working on ways to adequately assess the risk of
> > solutions like LogMeIn, GoToMyPC, etc. The main concerns that
> > I have so far are: (1) traditional end point security issues;
> > (2) source addresses are essentially masked by the service;
> > (3) these solutions are user managed/not IT controlled (no
> > policy enforcement, for example); (4) confidential/sensitive
> > data being sent through a third party in an unmanaged way;
> > (5) the security of the third party becomes axiomatic to your
> > institution.
> >
> >  The last four points, in particular, seem to make these
> > solutions distinct from traditional VPN offerings.  I don't
> > want to get into making spacious arguments about why this
> > solution is problematic, but it seems difficult to latch onto
> > specifics considering such an open field of possible risk.
> >
> >  I'm curious to know institutions that allow one of these
> > solutions, and how they employ it. I'm also curious to hear
> > from those that prohibit it, and what justifications they use
> > for doing that.

Use of GoToMyPC is discouraged but not controlled. Any Internet
exposure of a service, whether it be RDP or SSH, must be
requested. During the handling of the request, we encourage limiting
access to VPN connections or specific addresses but we do not
demand it.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature