Webex Remote Access

[Erik Decker <edecker () LUC EDU>]

We are investigating using the new Webex Remote Access for providing vendor access to some internal servers, on demand 
and as needed by the vendor.
 
I'm curious if anyone out there in the list has reviewed the security functionality of the Remote Access Server.  As 
with all remote access technologies, leaving anything "always on" for external vendors to connect to by default makes 
me nervous.  Attached are a list of pros and cons that I can see.  I'm curious what other institutions think?
 
PROS
- audit trail for all activity made on the remote connection
- encrypted session 
- individual logins for all vendor users.
- email notification every time a technician connects to the server
 
CONS
- no true two factor authentication (our VPN access currently gives us this)
- with no two factor:  access codes could be compromised with a keylogger.
- to prevent unauthorized access from vendor's you must disable the vendor account or the remote access service.  
 
There are lots of PRO's you get with this system, I'm a big fan of the auditing options, but the biggest concern comes 
from no two factor authentication.  Relying on system admins to disable Remote Access will lead to the service not 
getting shut down after use, and thus allowing access outside of support windows.  
 
Has anyone else experienced this product, yet?  I'd be curious to your feelings on the matter.

Thanks!
 
 
Erik Decker
Security Administrator
Information Security Office
Loyola University Chicago

Attachment: Webex Remote Access White Paper.pdf
Description: