RE: GOTOMYPC Corporate?

["Graydon McKee" <graydon.s.mckee.iv () orcmacro com>]

Well, I would agree that GoToMyPC is a security risk but there are always risks out there.  The
trouble is deciding what is acceptable risk for your current environment.  Personally, I'd like to
see GoToMyPC go away but that decision is not mine to make.  To answer the question as to how do I
know an employee hasn't bought the product for himself and installed it without my knowledge.  Your
right I could put hands on every machine and do physical audits, or I could just watch connections
over Port 8200 and match those with authorized machines.  We run static IP's on our internal so that
is pretty easy.  Or I could just only allow connections thru my firewall on Port 8200 for those
machines that are authorized with an ACL (Which is what I do.)  
 
When speaking about security and remote connections - how can you trust that a home user with VPN
connection doesn't take company data and move it to his home machine, how can you be assured that
their systems are secure, that there is no bridging between their open internet connection, that
they are running a fully updated Anti-Virus program.  There is risk involved in every connection.
All the policies and procedures in the world can't secure the network without monitoring and
enforcement. In theory we can dictate that personal machines on the remote end of a VPN fall under
our control and must conform to our policies but how often does this happen in the real world?
People are people and they are going to do what they want.  By establishing system security in such
a way that it hampers an employees ability to do their job they will find a way to work around it.
By setting up system security in such a way that channels the employees workflow with minimal
impact, you can control and monitor what is happening. 
 
I'm not sure how things are in your environment but there are plenty of decisions that I have no
part of but still have to make them work as securely as I can.  At the end of the day, IMHO, the
network is there for one reason, to allow the employees to do the business of the company.  As the
security administrator, my job is to make is as secure as possible without undue interference to the
company workflow.  It's all a balancing act.  What I'd like to have happened to secure the network
and what I can actually implement can be different.  It all comes down to what level of risk is the
company willing to take in order to do business.  
 
 
Graydon S McKee IV - GSEC
Firewall/Security Administrator
ORC Macro - Macro International
11785 Beltsville Drive
Calverton, Maryland 20705
301-572-0583 Fax: 301-572-0982
 
  _____  

From: Steve Marin [mailto:steve () skabnmarin com] 
Sent: Tuesday, March 09, 2004 6:53 PM
To: graydon.s.mckee.iv () orcmacro com; Scott.Swenka () sunhealth org; security-basics () securityfocus com
Subject: Re: GOTOMYPC Corporate?
 
GoToMyPc in my opinion is a severe security risk. Why you ask? Well for the fact that, how do you
know for sure that an employee has not signed up for the service and can now access his machine and
corp LAN without the knowledge if any person in management. The answer is you will not know unless
you do an audit of eevery machine. So if you have any data that is proprietary or confidential, it
can be accessed without the company's knowledge.
 
Granted I'm extremly biased to my own product (which automatically blocks off GoToMyPC) but if you
really read what GoToMyPC is all about it is not as "Secure" as they claim, not only that they say
that it will bypass your firewall that is in place.....
 
-Steve
----- Original Message ----- 
From: "Graydon McKee" <graydon.s.mckee.iv () ORCMacro com>
To: <Scott.Swenka () sunhealth org>; <security-basics () securityfocus com>
Sent: Tuesday, March 09, 2004 6:12 AM
Subject: RE: GOTOMYPC Corporate?
 
> We are using it here with pretty good results.  One of the benefits is that the user can access
> their machine from any other machine without the need for special VPN software or hardware.  We
> don't have any issues with HIPAA or PHI so that was never a factor for us.  The only thing that
> causes a concern for me right now is that every machine that has it loaded is constantly
connecting
> to the gotomypc servers via port 8200.  gotomypc is rather closed mouthed about this and only
> indicates that they utilize "unused bandwidth" and this does not cause an issue.  Granted that may
> be the case but I have been concerned when 18% of my current bandwidth consists of these machines
> connecting to gotomypc even when they are not in use.  Since the decision to utilize this software
> was decided at paygrades above mine, I can only monitor the situation and gather information.
When
> I find issues with its use then I'll make a move to re-evaluate the deployment of gotomypc.  
>
> Aside from that one issue, our experience has been rather positive.  
>
> Graydon S McKee IV - GSEC
> Firewall/Security Administrator
> ORC Macro - Macro International
> 11785 Beltsville Drive
> Calverton, Maryland 20705
> 301-572-0583 Fax: 301-572-0982
>  
> -----Original Message-----
> From: Scott.Swenka () sunhealth org [mailto:Scott.Swenka () sunhealth org] 
> Sent: Friday, March 05, 2004 12:20 PM
> To: security-basics () securityfocus com
> Subject: GOTOMYPC Corporate?
>
> So what is the general consensus on GOTOMYPC Corporate?
>
> Personally, I don't have alot of trust or warm and fuzzy feelings about it,
> due to the risks it poses, and the possible potential of PHI
> (Private/Personal Health Information), and Financial data being leaked out.
> As well as the concerns with it pertaining to HIPAA compliancy.
>
> What is everyones elses feelings on it?
>
> Personally, I would rather have them come in on a VPN client, and use a
> internal VNC (or other remote desktop) solution.
>
> Scott C. Swenka
> Network Security
> Sun Health Corporation
>
>
> *******************************************************************************
>
> The information contained in this transmission may be legally privileged
> and/or confidential information. Any dissemination, distribution or copying
> of this transmission by anyone other than the intended recipient is
> strictly prohibited. If you receive this in error, please inform the sender
> immediately and remove any record of this message.
> *******************************************************************************
>
>
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------

Attachment: Graydon McKee.vcf
Description:

Attachment: smime.p7s
Description: