Security Basics mailing list archives

Re: Third party remote management


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Tue, 11 Aug 2009 12:09:57 -0430

On Tuesday 11 August 2009 09:53:51 W W wrote:
Our helpdesk is looking at some third party remote management tools
like Gotomypc and Logmein to remotely manage our road warriors.  What
are some of the best practices for using these services?  My initial
thought is to not allow these services, as your network credentials are
being passed through their infrastructure (i.e. when you log into a
remote user's laptop with your network admin creds) with no oversight.

Any thoughts would be appreciated.


Well, it depends on your security requirements. When you put your email in 
Google, you are trusting Google. When you use something like LogMeIn, you 
are doing the same with LogMeIn. 

Our thoughts: these companies won't sell our soul, because they don't want to 
lose clients and money.

----

I didn't test the tool, in fact. I only read about it, and a particular 
document is very interesting for understanding the situation:

https://secure.logmein.com/documentation/Security/wp_lmi_security.pdf

The communication seems to have a "re-encryption point"; at this point, the 
admin of (you name it) has the capability to intercept the communication, 
and depending on the nested protocol, the admin will see everything passing 
through (you name it).

Assuming that you put your trust in LogMeIn, the security model seems to be 
valid and secure. Something else about cryptography algorithms, SSL version, 
signatures and more needs to be known.

----

If you don't trust your infrastructure in others' hands, you have two options:

1.- You can use something like SecurID to protect access to your 
infrastructure. Two-factor authentication will not protect the information 
traveling across the remote access company (LogMeIn/whatever), but, with a 
good security policy, it can prevent some trouble from unauthorized access if 
your PC password is stolen.

* Some points about security:

- You are required to limit 1 token to 1 user.
- Only 1 login of 1 user per token period.

* Some flaws:

- Data sent is prone to being intercepted.

2.- (VNC)/(Remote Desktop) + VPN + 1 public IP address: I think that is the 
best strategy if you don't trust third party companies. One VPN at the border 
will secure the connection to the internal network.

You have to be careful about:

- Certificates
- Cryptography used
- Keys
- Firewall rules for the VPN

Thanks
W


-- 
Regards.
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

Attachment: signature.asc
Description: This is a digitally signed message part.
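The "1 token to 1 user" and "1 login per token period" points in option 1 above amount to a replay check on the one-time code. The following is an added example (not code from the original message, and not SecurID's own algorithm) showing how a verifier for time-based one-time passwords (RFC 4226 HOTP / RFC 6238 TOTP, the open standard rather than the proprietary SecurID token) can enforce both rules: each user is enrolled with exactly one secret, and a code that was already accepted in the current 30-second period is refused even though it is still cryptographically valid. The enrolled secret is the published RFC 6238 test-vector key; the user names and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

TOKEN_PERIOD = 30  # seconds per token step (RFC 6238 default)

# Published RFC 6238 test-vector key (ASCII "12345678901234567890"); demo only.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, period: int = TOKEN_PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, now // period)


class TokenAuthenticator:
    """Verifier enforcing: one secret per user, and at most one accepted
    login per user per token period (the second use of a valid code within
    the same period is treated as a replay)."""

    def __init__(self, enrolled: Dict[str, bytes]):
        self._secrets: Dict[str, bytes] = dict(enrolled)   # user -> single token secret
        self._last_step: Dict[str, int] = {}               # user -> last accepted time step

    def enroll(self, user: str, secret: bytes) -> bool:
        # "1 token to 1 user": refuse to enroll a second token for an existing user.
        if user in self._secrets:
            return False
        self._secrets[user] = secret
        return True

    def verify(self, user: str, code: str, now: int) -> Tuple[bool, str]:
        secret: Optional[bytes] = self._secrets.get(user)
        if secret is None:
            return False, "unknown user or no token enrolled"
        step = now // TOKEN_PERIOD
        # Strict: only the current step is accepted (no clock-drift window),
        # compared in constant time.
        if not hmac.compare_digest(code, hotp(secret, step)):
            return False, "invalid code"
        if self._last_step.get(user) == step:
            return False, "code already used in this period (replay refused)"
        self._last_step[user] = step
        return True, "ok"


def demo() -> Tuple[Tuple[bool, str], ...]:
    """Walk through a first login, a replay in the same period, and a fresh
    login in the next period. Timestamps are constructed for the demo."""
    auth = TokenAuthenticator({"alice": RFC_TEST_SECRET})
    t0 = 1_250_000_000
    first = totp(RFC_TEST_SECRET, t0)
    return (
        auth.verify("alice", first, t0),                        # accepted
        auth.verify("alice", first, t0 + 5),                    # same period: replay
        auth.verify("alice", first, t0 + TOKEN_PERIOD),         # next period: stale
        auth.verify("alice", totp(RFC_TEST_SECRET, t0 + TOKEN_PERIOD), t0 + TOKEN_PERIOD),
        auth.verify("bob", first, t0),                          # no token enrolled
    )


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", "-", why)
```

The replay refusal is what turns "a valid code" into "one login per period"; without the `_last_step` record, anyone who observes the six digits in transit (the very flaw the message notes for data crossing the third party) could reuse them for the remaining seconds of the period.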

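Option 2 above rests on the firewall rules: the only thing the single public IP should answer is the VPN endpoint, with VNC and Remote Desktop reachable solely on the tunnel interface from the VPN address pool. This added example (my own code, not from the original message or any particular firewall product) models a first-match border policy in the style of iptables, evaluates sample packets against it, and audits a policy for the common mistake of accepting RDP/VNC on the public interface. The interface names (eth0, tun0), the VPN pool 10.8.0.0/24 and the UDP port 1194 are assumptions for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

REMOTE_CONTROL_PORTS = {3389: "RDP", 5900: "VNC"}

# Assumed names for the demo: public interface, tunnel interface, VPN pool, VPN port.
PUBLIC_IF = "eth0"
VPN_IF = "tun0"
VPN_POOL = "10.8.0.0/24"
VPN_PORT = 1194


@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface
    proto: str   # "tcp" or "udp"
    dport: int
    src: str     # source IP address


@dataclass(frozen=True)
class Rule:
    """One first-match rule; a None field means 'any'."""
    action: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None   # CIDR

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return True


# The border policy the message recommends: VPN is the only public door,
# remote control only over the tunnel, everything else dropped.
BORDER_POLICY: List[Rule] = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface=PUBLIC_IF, proto="udp", dport=VPN_PORT),
    Rule("ACCEPT", iface=VPN_IF, proto="tcp", dport=3389, src=VPN_POOL),
    Rule("ACCEPT", iface=VPN_IF, proto="tcp", dport=5900, src=VPN_POOL),
    Rule("DROP"),
]


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet is dropped (default deny)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "DROP"


def audit(policy: List[Rule]) -> List[str]:
    """Flag ACCEPT rules that would let RDP/VNC in from anywhere but the VPN
    tunnel, or without a source restricted to the VPN pool. Rules after the
    first unconditional DROP are unreachable and ignored."""
    findings = []
    for i, rule in enumerate(policy):
        if rule == Rule("DROP"):
            break
        if rule.action != "ACCEPT":
            continue
        name = REMOTE_CONTROL_PORTS.get(rule.dport) if rule.dport else None
        if name is None and rule.dport is None:
            name = "all ports"   # an ACCEPT with no dport also exposes RDP/VNC
        if name is None or rule.iface == "lo":
            continue
        if rule.iface != VPN_IF:
            findings.append(f"rule {i}: {name} accepted on {rule.iface or 'any interface'}, not only {VPN_IF}")
        elif rule.src is None or ip_network(rule.src) != ip_network(VPN_POOL):
            findings.append(f"rule {i}: {name} on {VPN_IF} not limited to VPN pool {VPN_POOL}")
    return findings


# Constructed sample traffic against the border.
SAMPLES = {
    "rdp_from_internet": Packet(PUBLIC_IF, "tcp", 3389, "203.0.113.7"),
    "rdp_via_vpn": Packet(VPN_IF, "tcp", 3389, "10.8.0.5"),
    "vnc_spoofed_pool_on_public": Packet(PUBLIC_IF, "tcp", 5900, "10.8.0.5"),
    "vpn_handshake": Packet(PUBLIC_IF, "udp", VPN_PORT, "203.0.113.7"),
    "ssh_from_internet": Packet(PUBLIC_IF, "tcp", 22, "203.0.113.7"),
}


def decisions(policy: List[Rule] = BORDER_POLICY) -> dict:
    return {name: evaluate(policy, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:28s} {action}")
    print("audit findings:", audit(BORDER_POLICY) or "none")
```

The spoofed-pool sample shows why the rules bind the interface and not just the source address: a packet claiming a 10.8.0.x source but arriving on the public interface never traversed the tunnel and is dropped. Running `audit` on a policy that adds `Rule("ACCEPT", proto="tcp", dport=3389)` reports the exposure before the rule reaches the border.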