[unisog] security implications of using PCAnywhere on campus network

Jim Dillon Jim.Dillon at cusys.edu
Thu Nov 18 22:53:55 GMT 2004


And MarketScore.com demonstrates just how secure an SSL-based VPN is if you don't have good controls over the browser and user actions on that remote computer - one affirmative click by a stupid or careless user and you've proxied everything (including your credentials) through someone else. I think Peter had it pretty much nailed in his response.

So...

IF you've got a clear risk assessment and
IF you've got a good enough business purpose/value for the access and
IF you've got a well-trained, careful, and trustworthy end user and
IF you establish the proper client/remote pc controls
then given the establishment of "business value" and the need for service (e.g. pseudo 24x7 coverage for a critical service lacking sufficient budget for on-site support...)

you may find it worthwhile to implement such a tool.  

I'll refer back to my first post and say again that I've yet to see even the first question, the risk assessment (risk/potential cost vs. potential benefits as they apply to strategic goals and objectives) done properly prior to such an implementation. As an auditor I would then find the practice questionable as it puts a number of things at risk without management's acceptance of that risk as a necessary and beneficial cost of doing business. If someone with signature authority equal to or greater than the assessed risk is willing to accept that risk as reasonable and necessary, then move forward while establishing those strong client/remote PC side controls; otherwise I'm seldom going to find the practice to be prudent.

Unfortunately the attention paid to security in general is oftentimes low enough to leave this question under the risk assessment radar. The rogue backdoor T1 out at the research park and the uncontrolled wireless in admin department A and the 18 modem farms and 10 email servers at the ends of several subnets and the 1500 notebooks walking on and off various nets and the 2000 blindly trusting grid members and 40,000 Web Surfing neophytes kind of pushes this risk issue into the low-level noise. (Of course this is an imaginary sort of worst case scenario, not anywhere you know, isn't it????)

JD...

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of Michael Holstein
Sent: Thursday, November 18, 2004 10:22 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] security implications of using PCAnywhere on
campusnetwork


> If your user can ssh to a Unix account inside your firewall, she can no
> doubt get along without your adjusting the firewall. While we don't use
> PC-Anywhere here, we did post instructions for using Remote Desktop
> Connection (RDC) which is shipped with Windows XP. I believe it has pretty
> much the same functionality. The instructions are at

If they can do that, they've basically got a VPN anyway, e.g.:

/etc/ssh/sshd_config

AllowTcpForwarding=yes


IMHO, a VPN is the only appropriately secure method of remote access. Be
it IPSEC, SSH, SSL or whatever -- but exposing remote-access services
to the 'net' at large is inviting problems.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
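
Added example, not part of the original thread: a small Python check for the point above that SSH access with TCP forwarding enabled is effectively a VPN. It reports every scope of an sshd_config where AllowTcpForwarding is left enabled, including by default; the function names and the sample config are constructed for illustration.

```python
import re

DEFAULT = "yes"  # sshd_config(5): AllowTcpForwarding is "yes" unless set

# Constructed sample config, not taken from any real host.
SAMPLE = """\
Port 22
#AllowTcpForwarding no
Match Group contractors
    AllowTcpForwarding no
Match User backup
    allowtcpforwarding=local
"""

def tcp_forwarding_settings(config_text):
    """Return (global_value, {match_criteria: value}) for AllowTcpForwarding."""
    global_value, overrides, current_match = None, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive leaves the default in force
        # Keyword and argument are split on whitespace or a single "=",
        # so both "AllowTcpForwarding yes" and "AllowTcpForwarding=yes" parse.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current_match = arg  # block runs until the next Match or EOF
        elif keyword == "allowtcpforwarding":
            if current_match is None:
                if global_value is None:  # first value obtained wins
                    global_value = arg
            else:
                overrides.setdefault(current_match, arg)
    return (global_value or DEFAULT), overrides

def findings(config_text):
    """List every scope where forwarding is not fully disabled."""
    global_value, overrides = tcp_forwarding_settings(config_text)
    out = []
    if global_value != "no":
        out.append(f"global: AllowTcpForwarding {global_value}")
    out += [f"Match {c}: AllowTcpForwarding {v}"
            for c, v in overrides.items() if v != "no"]
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```

On a live host, the effective values can be cross-checked against the output of sshd -T.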