[Dshield] Outbound GoToMyPC
dshieldlists at versateam.com
Fri Jun 29 15:39:19 GMT 2007
Steven Brower wrote:
> What about outbound GoToMyPC? That is, what is the security risk to a
> networked work environment which allows exclusively *outbound* access to
GoToMyPC is only outbound. That is, the "host" desktop PC connects
outbound (through the firewall) to the Citrix GoToMyPC server to wait
for a connection; and the "client" PC connects outbound (through its
firewall, if any) to the GoToMyPC server which then connects it to the
"host" desktop. That makes it pretty difficult for your firewall to know
whether it is the "host" desktop connecting to wait for the user, or the
user connecting to have access to another "host" desktop out on the
Internet somewhere. (I believe it uses port 80, but I could be wrong.)
I think it is possible to restrict file transfers by policy. If so, then
what you have is someone bypassing (tunneling through) the firewalls at
both ends to view and control the "host" desktop. You still have
whatever authentication and security is protecting the "host" desktop.
So, sure, if your network policies allow it, someone could leave their
system logged in all the time, or download malware with their web
browser. But you can make it hard(er) for any malware on the "client"
end to transfer itself to the "host", or for any confidential data on
the "host" desktop or network to end up unprotected on the "client".
If file transfers are disabled, the main issues are password compromise
(the two GoToMyPC passwords, plus the password on the "host" desktop),
social engineering and other end-user antics, whether or not you trust
Citrix to run GoToMyPC securely, and possibly keyloggers.
More information about the list