Security Basics mailing list archives
RE: GOTOMYPC Corporate?
From: "Graydon McKee" <graydon.s.mckee.iv () orcmacro com>
Date: Wed, 10 Mar 2004 09:45:35 -0500
Well, I would agree that GoToMyPC is a security risk, but there are always risks out there. The trouble is deciding what is acceptable risk for your current environment. Personally, I'd like to see GoToMyPC go away, but that decision is not mine to make. To answer the question as to how I know an employee hasn't bought the product for himself and installed it without my knowledge: you're right, I could put hands on every machine and do physical audits, or I could just watch connections over port 8200 and match those with authorized machines. We run static IPs on our internal, so that is pretty easy. Or I could just only allow connections through my firewall on port 8200 for those machines that are authorized, with an ACL (which is what I do).

When speaking about security and remote connections, how can you trust that a home user with a VPN connection doesn't take company data and move it to his home machine? How can you be assured that their systems are secure, that there is no bridging between their open internet connection, that they are running a fully updated anti-virus program? There is risk involved in every connection. All the policies and procedures in the world can't secure the network without monitoring and enforcement. In theory we can dictate that personal machines on the remote end of a VPN fall under our control and must conform to our policies, but how often does this happen in the real world? People are people and they are going to do what they want. By establishing system security in such a way that it hampers an employee's ability to do their job, they will find a way to work around it. By setting up system security in such a way that channels the employee's workflow with minimal impact, you can control and monitor what is happening. I'm not sure how things are in your environment, but there are plenty of decisions that I have no part of but still have to make work as securely as I can.
At the end of the day, IMHO, the network is there for one reason: to allow the employees to do the business of the company. As the security administrator, my job is to make it as secure as possible without undue interference to the company workflow. It's all a balancing act. What I'd like to have happen to secure the network and what I can actually implement can be different. It all comes down to what level of risk the company is willing to take in order to do business.

Graydon S McKee IV - GSEC
Firewall/Security Administrator
ORC Macro - Macro International
11785 Beltsville Drive
Calverton, Maryland 20705
301-572-0583
Fax: 301-572-0982

_____

From: Steve Marin [mailto:steve () skabnmarin com]
Sent: Tuesday, March 09, 2004 6:53 PM
To: graydon.s.mckee.iv () orcmacro com; Scott.Swenka () sunhealth org; security-basics () securityfocus com
Subject: Re: GOTOMYPC Corporate?

GoToMyPc in my opinion is a severe security risk. Why, you ask? Well, for the fact that how do you know for sure that an employee has not signed up for the service and can now access his machine and corp LAN without the knowledge of any person in management? The answer is you will not know unless you do an audit of every machine. So if you have any data that is proprietary or confidential, it can be accessed without the company's knowledge. Granted I'm extremely biased to my own product (which automatically blocks off GoToMyPC), but if you really read what GoToMyPC is all about, it is not as "Secure" as they claim; not only that, they say that it will bypass your firewall that is in place.....

-Steve

----- Original Message -----
From: "Graydon McKee" <graydon.s.mckee.iv () ORCMacro com>
To: <Scott.Swenka () sunhealth org>; <security-basics () securityfocus com>
Sent: Tuesday, March 09, 2004 6:12 AM
Subject: RE: GOTOMYPC Corporate?
We are using it here with pretty good results. One of the benefits is that the user can access their machine from any other machine without the need for special VPN software or hardware. We don't have any issues with HIPAA or PHI, so that was never a factor for us. The only thing that causes a concern for me right now is that every machine that has it loaded is constantly connecting to the gotomypc servers via port 8200. gotomypc is rather close-mouthed about this and only indicates that they utilize "unused bandwidth" and this does not cause an issue. Granted that may be the case, but I have been concerned when 18% of my current bandwidth consists of these machines connecting to gotomypc even when they are not in use. Since the decision to utilize this software was decided at paygrades above mine, I can only monitor the situation and gather information. When I find issues with its use, then I'll make a move to re-evaluate the deployment of gotomypc. Aside from that one issue, our experience has been rather positive.

Graydon S McKee IV - GSEC
Firewall/Security Administrator
ORC Macro - Macro International
11785 Beltsville Drive
Calverton, Maryland 20705
301-572-0583
Fax: 301-572-0982

-----Original Message-----
From: Scott.Swenka () sunhealth org [mailto:Scott.Swenka () sunhealth org]
Sent: Friday, March 05, 2004 12:20 PM
To: security-basics () securityfocus com
Subject: GOTOMYPC Corporate?

So what is the general consensus on GOTOMYPC Corporate? Personally, I don't have a lot of trust or warm and fuzzy feelings about it, due to the risks it poses and the possible potential of PHI (Private/Personal Health Information) and financial data being leaked out, as well as the concerns with it pertaining to HIPAA compliance. What are everyone else's feelings on it? Personally, I would rather have them come in on a VPN client and use an internal VNC (or other remote desktop) solution.

Scott C. Swenka
Network Security
Sun Health Corporation
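One way to do the check Graydon describes (watch outbound connections on port 8200 and match the source addresses against the static IPs of machines that are authorized to run the client), as an added example that is not part of the thread and not any poster's own tooling. The log line format, the addresses, the authorized-host list and the byte counts are all constructed assumptions; the functions also total the bytes sent to port 8200 per host so the bandwidth concern in the quoted message can be measured rather than guessed.

```python
"""Flag internal hosts talking to TCP port 8200 that are not authorized,
and measure how much of the logged traffic that port accounts for.

Added example. The log format, IPs and authorized list below are
constructed assumptions, not a real firewall's output or any poster's config.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: hosts permitted to run the remote-access client (static IPs).
AUTHORIZED_HOSTS = {"10.1.1.25", "10.1.1.31"}
# Assumed internal address range; only sources inside it are of interest.
INTERNAL_NET = ip_network("10.1.0.0/16")
WATCH_PORT = 8200  # the relay port named in the thread

# Constructed sample log, loosely modelled on a key=value connection log.
SAMPLE_LOG = """\
2004-03-10T09:01:02 ACCEPT proto=tcp src=10.1.1.25 dst=203.0.113.10 dport=8200 bytes=1460
2004-03-10T09:01:05 ACCEPT proto=tcp src=10.1.1.31 dst=203.0.113.11 dport=8200 bytes=2920
2004-03-10T09:02:17 ACCEPT proto=tcp src=10.1.2.44 dst=203.0.113.10 dport=8200 bytes=5840
2004-03-10T09:02:20 ACCEPT proto=tcp src=10.1.1.25 dst=198.51.100.5 dport=443 bytes=800
2004-03-10T09:03:01 ACCEPT proto=tcp src=10.1.2.44 dst=203.0.113.12 dport=8200 bytes=1460
2004-03-10T09:03:40 ACCEPT proto=tcp src=203.0.113.99 dst=10.1.1.25 dport=8200 bytes=60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that
    do not match the assumed format (so junk lines are skipped, not fatal)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize_port_usage(log_text, port=WATCH_PORT, internal=INTERNAL_NET):
    """Return {src_ip: total_bytes} for TCP connections to `port` whose
    source is inside `internal`. Inbound hits on the same port (external
    source) are ignored: the question is which internal machines run the client."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        if ip_address(rec["src"]) not in internal:
            continue
        totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def unauthorized_hosts(usage, authorized=AUTHORIZED_HOSTS):
    """Internal hosts seen on the watched port that are not on the list."""
    return sorted(ip for ip in usage if ip not in authorized)


def total_logged_bytes(log_text):
    """Bytes across every parseable line, used as the denominator."""
    return sum(rec["bytes"] for rec in map(parse_line, log_text.splitlines()) if rec)


def bandwidth_share(log_text, port=WATCH_PORT):
    """Fraction of all logged bytes that went to `port` from internal hosts."""
    total = total_logged_bytes(log_text)
    if total == 0:
        return 0.0
    return sum(summarize_port_usage(log_text, port).values()) / total


if __name__ == "__main__":
    usage = summarize_port_usage(SAMPLE_LOG)
    for host, nbytes in sorted(usage.items()):
        tag = "ok" if host in AUTHORIZED_HOSTS else "NOT AUTHORIZED"
        print(f"{host:<12} {nbytes:>8} bytes  {tag}")
    print("unauthorized:", unauthorized_hosts(usage))
    print(f"port {WATCH_PORT} share of logged bytes: {bandwidth_share(SAMPLE_LOG):.1%}")
```

The same `AUTHORIZED_HOSTS` set is what the egress ACL on the firewall would be built from, so the detection list and the allow list stay in step; a host that shows up in `unauthorized_hosts` is either one the ACL should already be dropping or one that was added without going through the list. On real logs, replace `LINE_RE` with the pattern for the firewall's actual format and feed the file contents in place of `SAMPLE_LOG`.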