[unisog] security implications of using PCAnywhere on campus network

Peter Van Epp vanepp at sfu.ca
Thu Nov 18 17:09:13 GMT 2004


<snip>
> 
> If your user can ssh to a Unix account inside your firewall, she can no
> doubt get along without your adjusting the firewall. While we don't use
> PC-Anywhere here, we did post instructions for using Remote Desktop
> Connection (RDC) which is shipped with Windows XP. I believe it has pretty
> much the same functionality. The instructions are at
> 
> http://www.nber.org/help/localhelp/rdc.html
> 
> As far as I know, we only have one user, but no complaints. I suppose you
> could prevent this with group policies, but I think it is otherwise
> available by default on standard XP installations.
> 
> "Security implications", are at least 6 orders of magnitude less than the
> implications of allowing users to receive mail or VPN from a computer that
> is ever connected outside the firewall. 
> 
> Daniel Feenberg
> 

	I don't think I'd agree with most of this assessment (other than even
SMTP is dangerous through a firewall :-)). VPNs (and to a somewhat less 
extent SMTP) through a firewall from an untrusted host are dangerous period.
It is possible to tunnel IP in SMTP or DNS or many other protocols typically 
allowed through a firewall (there is code to do so floating around on the web 
to do so from years ago). A SMTP tunnel would usually require the cooperation 
of the user (or social engineering to get the user to run something inside the 
firewall to establish the tunnel) and is more complex than a PC anywhere/RDC 
type connection which raises the bar a little bit. 
	The primary thing to think about here is how secure is the machine on 
the remote end? If you are like here, probably not at all which is a major 
problem. Think about all the PC viruses that install back doors on the PC. 
With a remote desktop type connection (and even worse with a VPN that allows 
unlimited access behind your firewall) allows someone (anyone, which is the 
problem :-)) access to your network via that remote PC.  As has been pointed 
out this is primarily a risk management issue. If the access that is desired 
is sufficiently contained and low risk, it may be acceptable (and even if you 
think it is high risk, as long as your management has decided to accept that 
risk, thats fine too, your job, or at least mine, is to make sure they 
understand the risk they are taking when they make that decision). If this 
gives the user unlimited access inside your firewall I'd have to question why 
you have the firewall (although I will admit, that would be my question with 
most firewalls I see too, much hassle, little to no real protection for 
reasons like these :-)).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada



More information about the unisog mailing list