[unisog] security implications of using PCAnywhere on
Jim.Dillon at cusys.edu
Thu Nov 18 22:53:55 GMT 2004
And MarketScore.com demonstrates just how secure an SSL based VPN is if you don't have good controls over the browser and user actions on that remote computer - one affirmative click by a stupid or careless user and you've proxied everything (including your credentials) through someone else. I think Peter had it pretty much nailed in his response.
IF you've got a clear risk assessment and
IF you've got a good enough business purpose/value for the access and
IF you've got a well trained, careful, and trustworthy end user and
IF you establish the proper client/remote pc controls
then given the establishment of "business value" and the need for service (e.g. pseudo 24x7 coverage for a critical service lacking sufficient budget for on-site support...)
you may find it worthwhile to implement such a tool.
I'll refer back to my first post and say again that I've yet to see even the first question, the risk assessment (risk/potential cost vs. potential benefits as they apply to strategic goals and objectives) done properly prior to such an implementation. As an auditor I would then find the practice questionable as it puts a number of things at risk without management's acceptance of that risk as a necessary and beneficial cost of doing business. If someone with signature authority equal to or greater than the assessed risk is willing to accept that risk as reasonable and necessary, then move forward while establishing those strong client/remote PC side controls, otherwise I'm seldom going to find the practice to be prudent.
Unfortunately the attention paid to security in general is often times low enough to leave this question under the risk assessment radar. The rogue backdoor T1 out at the research park and the uncontrolled wireless in admin department A and the 18 modem farms and 10 email servers at the ends of several subnets and the 1500 notebooks walking on and off various nets and the 2000 blindly trusting grid members and 40,000 Web Surfing neophytes kind of pushes this risk issue into the low-level noise. (Of course this is an imaginary sort of worst case scenario, not anywhere you know, isn't it????)
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of Michael Holstein
Sent: Thursday, November 18, 2004 10:22 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] security implications of using PCAnywhere on
> If your user can ssh to a Unix account inside your firewall, she can no
> doubt get along without your adjusting the firewall. While we don't use
> PC-Anywhere here, we did post instructions for using Remote Desktop
> Connection (RDC) which is shipped with Windows XP. I believe it has pretty
> much the same functionality. The instructions are at
If they can do that, they've basically got a VPN anyway : eg
IMHO, a VPN is the only appropriately secure method of remote access. Be
it IPSEC, SSH, SSL or whatever -- but exposing remote-accesss services
to the 'net' at large is inviting problems.
Michael Holstein CISSP GCIA
Cleveland State University
unisog mailing list
unisog at lists.sans.org
More information about the unisog