RE: GOTOMYPC Corporate?

From: Christopher Herrmann (CHerrmann_at_oddfellows.com.au)
Date: 03/10/04

    To: security-basics@securityfocus.com
    Date: Wed, 10 Mar 2004 10:09:27 +1100
    
    

    I trialled it for a while, and found it very easy to set up and administer,
    but I was concerned about how it actually operates: about how it actually
    "gets around" a firewall. It is a Java-based system if I'm not mistaken.

    CH

    -----Original Message-----
    From: Mark Medici [mailto:mark@dbma.com]
    Sent: Wednesday, 10 March 2004 7:35
    To: security-basics@securityfocus.com
    Subject: RE: GOTOMYPC Corporate?

    I have used it myself, and have recommended it to clients because it is a
    reliable and simple method to circumvent firewalls and NAT boundaries for
    outside remote access. And I have recommended to other clients to block it
    outright for the same reason.

    It's primarily a policy concern. Either you want to allow remote access or
    you don't. If you do want to allow remote access, then GoToMyPC is a very
    nice and very well-supported application choice that can be installed and
    used by a novice. The ongoing cost of GoToMyPC is only slightly higher than
    the support and maintenance costs of doing it yourself via VPN and VNC, and
    is much more usable (IMHO). The two-year cost is lower than pcAnywhere when
    initial setup and ongoing support are factored in, plus GoToMyPC is better
    supported (ever try to get support from Symantec?) and "nicer" and more
    convenient to use.

    GoToMyPC does encrypt traffic, requires two separate passwords to connect to
    a host, plus optionally a valid Windows logon/password on the host. This is
    accomplished without drilling holes through your firewall and/or installing
    or configuring ad hoc VPN connections between the remote and the host. In
    fact, the GoToMyPC remote can be a kiosk or Internet café machine -- it
    doesn't have to be a notebook or home computer.

    ____________________________________________________________
    DBM Associates * Mark A. Medici * Senior Consulting Engineer
    Whitehouse Station, NJ USA * +1 908-534-1665
    mark@dbma.com * http://www.dbma.com
    > -----Original Message-----
    > From: pcannon9@comcast.net [mailto:pcannon9@comcast.net]
    > Sent: Monday, March 08, 2004 3:40 PM
    > To: pcannon9@comcast.net
    > Cc: security-basics@securityfocus.com
    > Subject: Re: GOTOMYPC Corporate?
    >
    > When the issue came up here last year my concerns were similar to yours.
    >
    > I did the same thing you suggested, VPN with VNC, then null routed the
    > gotomypc servers outbound in case someone installed it locally.
    >
    > Pat Cannon
    > Network Administrator
    > Transcentive
    > > So what is the general consensus on GOTOMYPC Corporate?
    > >
    > > Personally, I don't have a lot of trust or warm and fuzzy feelings about it,
    > > due to the risks it poses, and the possible potential of PHI
    > > (Private/Personal Health Information), and Financial data being leaked out.
    > > As well as the concerns with it pertaining to HIPAA compliancy.
    > >
    > > What are everyone else's feelings on it?
    > >
    > > Personally, I would rather have them come in on a VPN client, and use an
    > > internal VNC (or other remote desktop) solution.
    > >
    > > Scott C. Swenka
    > > Network Security
    > > Sun Health Corporation