[unisog] security implications of using PCAnywhere on
Ralph.Forsythe at twtelecom.com
Thu Nov 18 17:11:56 GMT 2004
For what it's worth, SSH clients can be as damaging as VPN access. SSH
has the unique ability to allow tunneling through itself, which can
allow all sorts of access you might not normally want or allow. It
isn't a full blown VPN, but consider turning off tunneling at the server
if you really don't want people accessing anything other than a shell.
Alternatively put your SSH server on a DMZ and lock it down at the
BTW, I usually just lurk here as I'm not with a university, however the
company I work for provides Internet access for a few and I like to keep
up on what affects our customers. However in this case it seemed like
someone should mention the tunnel issue, if only to bring to light the
fact that allowing SSH could make you vulnerable in the same ways a VPN
might, if the user gets a clue and the server isn't set up to block it.
- Ralph Forsythe
Time Warner Telecom
Managed Security Services Engineer
ralph.forsythe at twtelecom.com
From: David Foster [mailto:foster at ncmir.ucsd.edu]
Sent: Wednesday, November 17, 2004 5:16 PM
To: unisog at lists.sans.org
Subject: Re: [unisog] security implications of using PCAnywhere on
We have a strict policy of not allowing the use of PCAnywhere or VNC or
the like for remote control of desktops.
If users want in, they use an ssh client.
The content contained in this electronic message is not intended to
constitute formation of a contract binding TWTC. TWTC will be
contractually bound only upon execution, by an authorized officer, of
a contract including agreed terms and conditions or by express
application of its tariffs.
This message is intended only for the use of the individual or entity
to which it is addressed. If the reader of this message is not the
intended recipient, or the employee or agent responsible for
delivering the message to the intended recipient, you are hereby
notified that any dissemination, distribution or copying of this
message is strictly prohibited. If you have received this
communication in error, please notify us immediately by replying to
the sender of this E-Mail or by telephone.
More information about the unisog