Firewall Wizards mailing list archives
Assessment Of GoToMyPC vs. Network Security
From: jseymour () linxnet com (Jim Seymour)
Date: Tue, 4 Apr 2006 11:15:49 -0400 (EDT)
G'day all,

I've been asked to assess this product/service for our use. What follows are the security-oriented bits of my proposed response. Have I got it right? Something I'm missing? Too paranoid? Not paranoid enough? ;)

Analysis and comments regarding GoToMyPC

"i dealt with this site/issue about 6 months ago. ideally, you should not have to be bothering yourself with auditing gotomypc at all, because no sane, responsible network admin would ever let his users connect to gotomypc in the first place."
(ref: <http://seclists.org/lists/pen-test/2002/Mar/0037.html>)

Phrases like "A small footprint server is installed on the computer to be accessed" should ring loud alarm bells in the mind of any halfway competent network security person. Consider: The idea is to turn inherently insecure client PCs, which, to make them "safe," we hide behind firewalls administered by competent, knowledgeable IT (security) professionals, into servers permanently connected to services operated by somebody else, over the Internet? Then we allow "random" other PCs anywhere on the Internet to connect to them? All of this somewhat browser-based? The same browsers that are generally the most oft-compromised application on *any* operating system platform?

From GoToMyPC's "Personal Overview" document: "Like traditional VPNs, GoToMyPC can leverage the public Internet to slash recurring telecommunications costs..."

In reality, GoToMyPC is leveraging traditional VPN architecture to *incur* recurring telecommunications costs--they do charge a monthly per-user fee.

Since GoToMyPC utilizes standard HTTP and HTTPS ports and protocols, tunneling itself through the firewall, I actually regard it as a potential security threat. I was considering blocking access to its servers and network. There doesn't appear to be *anything* to prevent any employee from signing up for their own GoToMyPC account, installing the requisite software on their desktop, and having their way with their desktop PC from anywhere in the world. There's really nothing I can do to stop it before the fact, other than block access to GoToMyPC's services.

From an article in the IBM-sponsored "Expert Knowledgebase":

"There's even a commercial service that implements remote access to the desktop via HTTP, called GoToMyPC.com. It's very scary indeed, letting your users (and evil attackers) anywhere on the Internet control your machines remotely via outgoing HTTP secured only by a user-chosen password. As we all know, users choose lame passwords unless there is some sort of password complexity requirement, which doesn't exist at GoToMyPC.com. So, what can you do? First off, block access to GoToMyPC.com at your border firewall or gateway unless you have a very specific business need for it."
(ref: <http://expertanswercenter.techtarget.com/eac/knowledgebaseAnswer/0,295199,sid63_gci980532,00.html>)

GoToMyPC's "Overview" document asserts: "Upon request, Citrix Online will also filter GoToMyPC connections made to a company's network address block, ensuring that only company authorized computers can be accessed by company authorized users."

Interesting claim. I wonder how that works with NAT'd firewalls? (Answer: It can't?)

GoToMyPC's "Overview" document asserts it "gives administrators a way to maintain control over the endpoints..."

Only *if* those end-points are attempted using corporate identity, no? As I noted above: What's to stop anyone within the organization from setting up their own private account?

Here's a "comforting" tidbit:

"It's also important that remote access sessions be terminated after inactivity. Remote users walk away from public PCs [Note: *Public* PCs. As in: PCs in public kiosks, libraries, and Internet cafés?] without logging out... Users are automatically logged out of the GoToMyPC.com Web site when their SSL session remains inactive for fifteen minutes."

So for up to fifteen minutes after an employee walks away from a public terminal connected to something on the company's internal, allegedly secure, LAN, just anybody can walk up and have that employee's access to it? If *that* thought doesn't ring alarm bells in management's minds, I can't imagine what will.

GoToMyPC is "Transparent to NAT," VPNs are not. This is true for the VPN technologies against which they wish to compare themselves. It is not true for OpenVPN, for example.

"...[Does] not impact security of corporate LAN." I'd argue that it *does* impact the security of a corporate LAN, by allowing any PC located on that corporate LAN to become a "server," persistently connected to servers not under the control of that corporation's network security personnel. Other security professionals agree. Witness this exchange on a SANS (System And Network Security) mailing list:

>> typical PC not to require much download. Plus, the attacker
>> already has local console access: all he needs is privilege
>> escalation.

MC> Exactly my point. Using GoToMyPc removes a layer or eight
MC> of protection, but it's not like opening an otherwise
MC> secure machine to the Internet completely.

Of course it's not. But if you follow a defence in depth model, it doesn't make sense to use GoToMyPC for database access since it transforms a potential security failure into a total breach. Plus you now have to secure and maintain at least two machines instead of one. I know what I'm talking about: I'm responsible for a Citrix server farm that is accessed by external users. Trust me on that: securing things like that properly doesn't come cheap and it doesn't come easy.

GoToMyPC claims that any PC, anywhere on the Internet, being able to allow a user to connect to a corporate LAN is an advantage. Any PC, anywhere on the Internet. Any PC, owned by anybody, in any condition, virus-/worm-/Trojan-infected or not. This is an "advantage?"

It has been corporate policy that we do *not* allow access to our LAN by other-than-corporate equipment. The writer above offers a couple of scenarios as to why this has been our policy:

MC> A socially-engineered employee sitting in front of the
MC> machine might be coerced into installing a back door or
MC> keystroke logger or other malware.

No need to go that far, really. Here are a couple of scenarii that lead to a system breach:

1/ Employee Alice, far from home, gets a call that requests him to log into GoToMyPC. He goes to the local internet cafe and logs in from a rented machine. Sadly for him, Bob, the guy next to him, is simply looking at his keyboard when he logs in. After some time, he logs out and walks away. Bob goes to the machine Alice just left, uses the history to navigate to the login page and gets access to your machine.

2/ Alice is at home and just got cable network. Unfortunately for her, Bob lives next door and uses the same service. Since Alice is new to broadband, she doesn't have a very secure box. Bob, on the other hand, is bored, hacks into Alice's machine and gets a keylogger in place. After a while, he has the keys to your machine.
(ref: <http://lists.sans.org/pipermail/list/2004-June/016679.html>)

Think the "keystroke logging" scenario unlikely? Perhaps this story will be enlightening: "Guilty Plea in Kinko's Keystroke Caper" at <http://www.securityfocus.com/news/6447>. In brief: A cracker installed a keystroke logger on public-access rent-a-computers and logged access to hundreds of accounts and user names. This went on for nearly two years before being discovered.

In summary: GoToMyPC strikes me as an extremely bad idea. There are plenty of testimonials from ostensibly reputable IT people claiming what a wonderful service it is. Frankly, given the way it operates, I have to go with the sentiments expressed by the opening quote: I'm surprised any so-called "IT professional" would even consider letting this thing onto their Corporate LANs.

Thanks,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.linxnet.com/scform.php>.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
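The practical control the post keeps coming back to is that a service tunnelled over ordinary HTTP/HTTPS cannot be stopped by port rules; the only handle the gateway has is the service's hostnames. The script below is an added example, not from the post or from any product it discusses: it reads Squid-style proxy access-log lines, matches the requested host against a domain denylist on label boundaries (so subdomains such as the constructed poll.gotomypc.com match, but a look-alike such as notgotomypc.com does not), and summarises which internal clients reached a listed service and how much traffic they moved. The log lines, client addresses and subdomains are constructed sample data; the only domain taken from the page is gotomypc.com.

```python
#!/usr/bin/env python3
"""Egress review for browser-tunnelled remote-access services.

Added example (not part of the original post). Scans Squid "native"
access-log lines for requests to a denylisted domain suffix and
summarises them per internal client. All log data below is constructed.
"""
import re
from collections import defaultdict

# Domains whose sessions should be blocked or reviewed (from the post).
DENYLIST = ("gotomypc.com",)

# Constructed sample lines in Squid native log format:
# timestamp elapsed client action/code size method url ident hier/peer type
SAMPLE_LOG = """\
1144163749.100    120 10.0.5.23 TCP_TUNNEL/200 5120 CONNECT poll.gotomypc.com:443 - HIER_DIRECT/203.0.113.10 -
1144163750.200     45 10.0.5.23 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.20 text/html
1144163751.300    200 10.0.5.41 TCP_MISS/200 900 GET http://www.gotomypc.com/login - HIER_DIRECT/203.0.113.11 text/html
1144163752.400     10 10.0.5.41 TCP_MISS/200 300 GET http://notgotomypc.com/ - HIER_DIRECT/203.0.113.30 text/html
1144163753.500   3000 10.0.5.23 TCP_TUNNEL/200 99000 CONNECT poll.gotomypc.com:443 - HIER_DIRECT/203.0.113.10 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url: str) -> str:
    """Return the lower-cased hostname from a CONNECT target (host:port)
    or from a full URL (scheme://host[:port]/path)."""
    if "://" in url:
        url = url.split("://", 1)[1]
    hostport = url.split("/", 1)[0]
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    return host.lower()


def is_denied(host: str) -> bool:
    """Suffix match on label boundaries: the domain itself and any
    subdomain match; look-alike names that merely end in the same
    characters (e.g. notgotomypc.com) do not."""
    return any(host == d or host.endswith("." + d) for d in DENYLIST)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["host"] = host_of(rec["url"])
    return rec


def find_denied_sessions(log_text: str) -> dict:
    """Return {client: {"requests": n, "bytes": b, "hosts": [...]}} for
    every client that reached a denylisted domain."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_denied(rec["host"]):
            continue
        entry = summary[rec["client"]]
        entry["requests"] += 1
        entry["bytes"] += rec["size"]
        entry["hosts"].add(rec["host"])
    return {
        client: {"requests": e["requests"], "bytes": e["bytes"], "hosts": sorted(e["hosts"])}
        for client, e in summary.items()
    }


if __name__ == "__main__":
    for client, e in sorted(find_denied_sessions(SAMPLE_LOG).items()):
        print(f"{client}: {e['requests']} request(s), {e['bytes']} bytes, "
              f"hosts={', '.join(e['hosts'])}")
```

On the constructed sample this reports two clients: 10.0.5.23 with two CONNECT tunnels to poll.gotomypc.com totalling 104120 bytes, and 10.0.5.41 with one request to www.gotomypc.com; the notgotomypc.com request is left alone. The same denylist is what a border proxy or gateway would enforce; the limitation the post itself implies still applies, in that a name-based block only covers the names you know about, so the list has to be maintained and paired with the policy decision about who may run such software at all.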