[Dshield] Outbound GoToMyPC

M Cook dshieldlists at versateam.com
Fri Jun 29 15:39:19 GMT 2007

Steven Brower wrote:
> What about outbound GoToMyPC?  That is, what is the security risk to a
> networked work environment which allows exclusively *outbound* access to
> GoToMyPC?  

GoToMyPC is only outbound. That is, the "host" desktop PC connects 
outbound (through the firewall) to the Citrix GoToMyPC server to wait 
for a connection; and the "client" PC connects outbound (through its 
firewall, if any) to the GoToMyPC server which then connects it to the 
"host" desktop. That makes it pretty difficult for your firewall to know 
whether it is the "host" desktop connecting to wait for the user, or the 
user connecting to have access to another "host" desktop out on the 
Internet somewhere. (I believe it uses port 80, but I could be wrong.)

I think it is possible to restrict file transfers by policy. If so, then 
what you have is someone bypassing (tunneling through) the firewalls at 
both ends to view and control the "host" desktop. You still have 
whatever authentication and security is protecting the "host" desktop. 
So, sure, if your network policies allow it, someone could leave their 
system logged in all the time, or download malware with their web 
browser. But you can make it hard(er) for any malware on the "client" 
end to transfer itself to the "host", or for any confidential data on 
the "host" desktop or network to end up unprotected on the "client".

If file transfers are disabled, the main issues are password compromise 
(the two GoToMyPC passwords, plus the password on the "host" desktop), 
social engineering and other end-user antics, whether or not you trust 
Citrix to run GoToMyPC securely, and possibly keyloggers.
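
Added example, not part of the original post: since both roles reach the broker through outbound connections, egress proxy logs are where a defender can see them. The script scans a constructed log for a placeholder broker domain (`.remote-broker.example`, an assumption) and applies a heuristic that is also an assumption: contact in several off-hours suggests a waiting "host", work-hours-only contact suggests "client" use.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumption: placeholder domain; substitute the names your vendor documents.
BROKER_SUFFIX = ".remote-broker.example"

# Constructed egress proxy log: timestamp, internal source, destination, port
SAMPLE_LOG = """\
2007-06-29T02:10:00,10.0.0.21,poll.remote-broker.example,80
2007-06-29T03:10:00,10.0.0.21,poll.remote-broker.example,80
2007-06-29T04:10:00,10.0.0.21,poll.remote-broker.example,80
2007-06-29T13:10:00,10.0.0.21,poll.remote-broker.example,80
2007-06-29T22:10:00,10.0.0.21,poll.remote-broker.example,80
2007-06-29T10:05:00,10.0.0.35,www.remote-broker.example,80
2007-06-29T10:40:00,10.0.0.35,www.remote-broker.example,80
2007-06-29T14:00:00,10.0.0.35,www.remote-broker.example,80
2007-06-29T11:00:00,10.0.0.50,www.example.org,80
2007-06-29T23:00:00,10.0.0.50,remote-broker.example.other.test,80
"""

def broker_activity(log_text, suffix=BROKER_SUFFIX):
    """Map each internal source to the hours of day it contacted the broker."""
    hours = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, src, dst, _port = row
        # Suffix match only, so look-alike names with the broker string
        # in the middle are not counted.
        if dst.lower().endswith(suffix):
            hours[src].add(datetime.fromisoformat(ts).hour)
    return dict(hours)

def classify(hours_by_src, work_hours=range(8, 18), min_off_hours=3):
    """Heuristic (assumption): a machine left waiting for its user keeps
    contacting the broker outside working hours; an interactive client
    does not. Direction and port alone cannot separate the two roles."""
    result = {}
    for src, hours in hours_by_src.items():
        off = [h for h in hours if h not in work_hours]
        result[src] = "likely-host" if len(off) >= min_off_hours else "likely-client"
    return result

if __name__ == "__main__":
    for src, role in sorted(classify(broker_activity(SAMPLE_LOG)).items()):
        print(src, role)
```

The labels are triage hints for follow-up with the machine's owner, not proof of role.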
