Assessment Of GoToMyPC vs. Network Security

[jseymour () linxnet com (Jim Seymour)]

G'day all,

I've been asked to assess this product/service for our use.  Follows
the security-oriented bits of my proprosed response.  Have I got it
right?  Something I'm missing?  Too paranoid?  Not paranoid enough? ;)


Analysis and comments regarding GoToMyPC

    "i dealt with this site/issue about 6 months ago. ideally,
    you should not have to be bothering yourself with auditing
    gotomypc at all, because no sane, responsible network admin
    would ever let his users connect to gotomypc in the first
    place."

    (ref: <http://seclists.org/lists/pen-test/2002/Mar/0037.html>)

Phrases like "A small footprint server is installed on the computer
to be accessed" should ring loud alarm bells in the mind of any
halfway competent network security person.  Consider: The idea is to
turn inherently insecure client PCs, which, to make them "safe,"  we
hide behind firewalls administered by competent, knowledgeable, IT
(security) professionals, into servers permanently connected to
services operated by somebody else, over the Internet?   Then we
allow "random" other PCs anywhere on the Internet to connect to them?
All of this somewhat browser-based?  The same browsers that are
generally the most oft-compromised application on *any* operating
system platform?

> From GoToMyPC's "Personal Overview" document: "Like traditional VPNs,
GoToMyPC can leverage the public Internet to slash recurring
telecommunications costs..."  In reality, GoToMyPC is leveraging
traditional VPN architecture to *incur* recurring telecommunications
costs--they do charge a monthly per-user fee.

Since GoToMyPC utilizes standard HTTP and HTTPS ports and protocols,
tunneling itself through the firewall, I actually regard it as a
potential security threat.  I was considering blocking access to its
servers and network.  There doesn't appear to be *anything* to
prevent any employee from signing up for their own GoToMyPC account,
installing the requisite software on their desktop, and having their
way with their desktop PC from anywhere in the world.  There's really
nothing I can do to stop it before the fact, other than block access
to GoToMyPC's services.  From an article in the IBM-sponsored "Expert
Knowledgebase":

    "There's even a commercial service that implements remote
    access to the desktop via HTTP, called GoToMyPC.com. It's
    very scary indeed, letting your users (and evil attackers)
    anywhere on the Internet control your machines remotely via
    outgoing HTTP secured only by a user-chosen password. As we
    all know, users choose lame passwords unless there is some
    sort of password complexity requirement, which doesn't exist
    at GoToMyPC.com.

    So, what can you do? First off, block access to GoToMyPC.com
    at your border firewall or gateway unless you have a very
    specific business need for it."

    (ref: <http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci980532,00.html>)

GoToMyPC's "Overview" document asserts "Upon request, Citrix Online
will also filter GoToMyPC connections made to a company's network
address block, ensuring that only company authorized computers can be
accessed by company authorized users."  Interesting claim.  I wonder
how that works with NAT'd firewalls?  (Answer: It can't?)

GoToMyPC's "Overview" document asserts it "gives administrators a way
to maintain control over the endpoints..."  Only *if* those
end-points are attempted using corporate identity, no?  As I noted
above:  What's to stop anyone within the organization from setting up
their own private account?

Here's a "comforting" tidbit: "It's also important that remote access
sessions be terminated after inactivity.  Remote users walk away from
public PCs [Note: *Public* PCs.  As in: PCs in public kiosks,
libraries, and Internet cafe's?] without logging out...  Users are
automatically logged out of the GoToMyPC.com Web site when their SSL
session remains inactive for fifteen minutes."  So for up to fifteen
minutes after an employee walks away from a public terminal connected
to something on the company's internal, allegedly secure, LAN, just
anybody can walk up and have that employee's access to it?  If *that*
thought doesn't ring alarm bells in management's minds, I can't
imagine what will.

GoToMyPC is "Transparent to NAT," VPNs are not.  This is true for the
VPN technologies against which they wish to compare themselves.  This
is not true for OpenVPN, for example.

"...[Does] not impact security of corporate LAN."  I'd argue that it
*does" impact security of a corporate LAN, by allowing any PC located
on that corporate LAN to become a "server," persistently connected to
servers not under control of that corporation's network security
personnel.  Other security professionals agree.  Witness this
exchange on a SANS (System And Network Security) mailing list:

    >> typical PC not to require much download. Plus, the attacker
    >> already has local console access: all he needs is privilege
    >> escalation.

    MC> Exactly my point. Using GoToMyPc removes a layer or eight
    MC> of protection, but it's not like opening an otherwise
    MC> secure machine to the Internet completely.

    Of course it's not. But if you follow a defence in depth
    model, it doesn't make sense to use GoToMyPC for database
    access since it transform a potential security failure into
    a total breach. Plus you now have to secure and maintain at
    least two machines instead of one.

    I know what I'm talking about: I'm responsible for a citrix
    server farm that is accessed by external users. Trust me on
    that: securing things like that properly doesn't come cheap
    and it doesn't come easy.

GoToMyPC claims that any PC, anywhere on the Internet, being able to
allow a user to connect to a corporate LAN is an advantage.  Any PC,
anywhere on the Internet.  Any PC, owned by anybody, in any
condition, virus-/worm-/Trojan-infected or not.  This is an
"advantage?"  It has been Corporate policy that we do *not* allow
access to our LAN by other-than-corporate equipment.  The writer
above offers a couple of scenarios as to why this has been our
policy:

    MC> A socially-engineered employee sitting in front of the
    MC> machine might be coerced into installing a back door or
    MC> keystroke logger or other malware.

    No need to go that far, really. Here are a couple of
    scenarii that leads to a system breach:

    1/ Employee Alice, far from home, get a call that request
    him to log into GoToMyPC. He goes to the local internet cafe
    and logs in from a rented machine. Sadly for him, Bob, the
    guy next to him is simply looking at his keyboard when he
    logs in. After some time, he logs out and walks away.  Bob
    goes to the machine Alice just left, uses the history to
    navigate to the login page and gets access to your machine.

    2/ Alice is at home and just got cable network.
    Unfortunately, for her, Bob lives next door and uses the
    same service. Since Alice is new to broadband, she doesn't
    have a very secure box. Bob, on the other hand, is bored,
    hacks into Alice's machine and get a keyloger in place.
    After a while, he has the keys to your machine.

    (ref: <http://lists.sans.org/pipermail/list/2004-June/016679.html>)

Think the "keystroke logging" scenario unlikely?  Perhaps this story
will be enlightening: "Guilty Plea in Kinko's Keystroke Caper" at
<http://www.securityfocus.com/news/6447>.  In brief: A cracker
installed a keystroke logger on public-access rent-a-computers and
logged access to hundreds of accounts and user names.  This went on
for nearly two years before being discovered.

In summary: GoToMyPC strikes me as an extremely bad idea.  There are
plenty of testimonials from ostensibly reputable IT people claiming
what a wonderful service it is.  Frankly, given the way it operates,
I have to go with the sentiments expressed by the opening quote: I'm
surprised any so-called "IT professional" would even consider letting
this thing onto their Corporate LANs.


Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards