[unisog] security implications of using PCAnywhere on campus
Peter Van Epp
vanepp at sfu.ca
Thu Nov 18 17:09:13 GMT 2004
> If your user can ssh to a Unix account inside your firewall, she can no
> doubt get along without your adjusting the firewall. While we don't use
> PC-Anywhere here, we did post instructions for using Remote Desktop
> Connection (RDC) which is shipped with Windows XP. I believe it has pretty
> much the same functionality. The instructions are at
> As far as I know, we only have one user, but no complaints. I suppose you
> could prevent this with group policies, but I think it is otherwise
> available by default on standard XP installations.
> "Security implications" are at least 6 orders of magnitude less than the
> implications of allowing users to receive mail or VPN from a computer that
> is ever connected outside the firewall.
> Daniel Feenberg

I don't think I'd agree with most of this assessment (other than even
SMTP is dangerous through a firewall :-)). VPNs (and to a somewhat lesser
extent SMTP) through a firewall from an untrusted host are dangerous, period.
It is possible to tunnel IP in SMTP or DNS or many other protocols typically
allowed through a firewall (there is code to do so floating around on the web
from years ago). An SMTP tunnel would usually require the cooperation
of the user (or social engineering to get the user to run something inside the
firewall to establish the tunnel) and is more complex than a PCAnywhere/RDC
type connection, which raises the bar a little bit.

The primary thing to think about here is how secure is the machine on
the remote end? If you are like here, probably not at all, which is a major
problem. Think about all the PC viruses that install back doors on the PC.
A remote desktop type connection (and even worse a VPN that allows
unlimited access behind your firewall) allows someone (anyone, which is the
problem :-)) access to your network via that remote PC. As has been pointed
out this is primarily a risk management issue. If the access that is desired
is sufficiently contained and low risk, it may be acceptable (and even if you
think it is high risk, as long as your management has decided to accept that
risk, that's fine too, your job, or at least mine, is to make sure they
understand the risk they are taking when they make that decision). If this
gives the user unlimited access inside your firewall I'd have to question why
you have the firewall (although I will admit, that would be my question with
most firewalls I see too, much hassle, little to no real protection for
reasons like these :-)).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada