Re: Telnet vs PcAnywhere

["Ron and Lisa Mehring" <rmehring () havelocknc net>]

Tony,

Some of this may be off subject but I feel the need to mention. (Sorry to
all)

1.  I would not allow them (vendors) in without a specific MOA.  Define the
specific requirement(s) for access and then some.  Justification is a
necessity.  Set the boundaries. Considering your health care signature I
would ensure that attention to detail is managed on this subject.  Ensure
the risk you are assuming is appropriate for the access requirement your
vendors require. Boy, is it easy for those contracts to fly through without
all departmental perspectives being applied (Security, Systems. Financial.
managerial ect...)

2.  I would ensure by name access is allowed in and those personnel with
access sign agreements. Using a PKI would be beneficial.

3. The remote technical aspects are somewhat moot if reliable session
encryption\algorithm is used and the source and endpoint can be trusted.
This technical issue could probably worked into an acceptable risk level
dependent of course on your business and sensitivity of information.  I
would prefer SSH be used if it fits application wise.  I am not an expert on
PC anywhere so I cannot comment on it in depth.  My experience with PC
anywhere has been through dial in access.  I am totally against it if
used\utilized by an untrusted source via dial-in.  To many ways for this
access to go unchecked in most environments.

Summary:
I am one to not allow vendors (typically untrusted) remote access to
anything.  Be wary, look as those contracts and understand the "true"
requirement.

Some little tidbits that I hope help.

Take Care
Ron Mehring
Information Assurance Specialist





----- Original Message -----
From: "Tony Lindsey" <tonylindseyt () excite com>
To: <security-basics () securityfocus com>
Sent: Thursday, March 06, 2003 10:18 PM
Subject: Telnet vs PcAnywhere


> Folks,
>
> What is the difference in security protection/features between granting an
outside vendor VPN access using TELNET versus using PCANYWHERE?  Some of our
vendors need vpn access to their servers inside our network..and I have seen
the firewall rules set up both ways.
> In my discussions with the firewall administrators, security people,
network engineers, server administrators, etc...it seems as though the
people are using telnet and pcAnywhere interchangeably.  I was always under
the impression that telnet was more restrictive.
> Tony Lindsey
> Audit and Risk Management Group
> Managed Medical Services LLP
> U.S. Division
>
>
>
> _______________________________________________
> Join Excite! - http://www.excite.com
> The most personalized portal on the Web!