Re: Blocking unauthorized remote access
- From: Mike Dorn <mrdorn@xxxxxxxx>
- Date: Sun, 24 Sep 2006 12:19:13 -0500
Leythos wrote:
> In article <12hc6h5e4l05r37@xxxxxxxxxxxxxxxxxx>, mrdorn@xxxxxxxx says...
> > Has anybody seen a comprehensive list of addresses used by the various "services" that allow unauthorized users to remote into their work computers from home, bypassing corporate security? These things work by making an outbound connection from the target PC to a fixed external site. The user then contacts the external site from their home PC or traveling laptop, and the site uses the previously-opened connection to create a remote session for them. It's not caught by normal firewall config, because the outbound ssl connection appears to be legal.
> > I'm sure this is a valuable tool for some folks, but it breaks security policy by allowing unauthorized remote access, so my client wants the ability to shut it down.
> It's really simple to block/stop - the first rule of security is ONLY ALLOW ACCESS TO REQUIRED SITES. That means if you allow outbound HTTP/HTTPS access without any restrictions, then you are not going to be able to block it. If you only allow outbound access to approved sites, well, they can't really connect to one of those sites.
Hmm.. I believe I already mentioned in my original post that a whitelist approach was not really an option. It doesn't match the company's internet needs, and would not be supported by their management. (I don't get paid to build to ivory-tower ideals, only to meet the client's real-world needs.)
The entire concept of "approved sites" is pretty meaningless today for most businesses in the real world. (Just out of curiosity--anybody here actually attempting that? In what kind of business is it even practical?)
This particular company has a legitimate business interest in thousands of diverse sites & applications, the precise selection of which would be extremely difficult to pre-define, and which it is generally able to leave up to the discretion of its users. Beyond that, it is not interested in heavily curtailing most benign additional use of the internet by its employees, within reasonable limits. (Porn, terrorism, illegal activities, etc.) Websense is generally able to strike that reasonable balance for http (80) traffic, and will draw our attention to anyone operating out-of-bounds.
What we have here is one specific type of application that needs an additional measure of control. It's easy to block all traffic to a particular list of IP addresses using an ACL on the firewall. All I asked for here, is whether or not anybody already had such a list handy. "Sorry, I don't know" is a perfectly legitimate answer.
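Added example, not part of the original post or thread: the services described in this message keep an outbound SSL session open from the work PC to a fixed external site, so one way to find destinations worth reviewing for a firewall ACL is to look for port-443 source/destination pairs that stay connected for most of the observation window. The log format, the addresses (documentation ranges), the function names and the 80% threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of firewall session records (not from the original post).
# Columns: src_ip, dst_ip, dst_port, start_epoch, duration_s
SAMPLE_LOG = """\
10.0.0.21,198.51.100.7,443,1000,3500
10.0.0.21,198.51.100.7,443,4510,3590
10.0.0.21,198.51.100.7,443,8105,3495
10.0.0.21,203.0.113.50,443,1200,12
10.0.0.21,203.0.113.50,443,5000,30
10.0.0.34,203.0.113.50,443,2000,45
10.0.0.34,203.0.113.9,80,1000,9000
10.0.0.55,198.51.100.7,443,1000,10600
"""

def persistent_ssl_pairs(log_text, window_start, window_end, min_coverage=0.8):
    """Return {(src, dst): coverage} for port-443 pairs that were connected
    for at least min_coverage of the window. Assumes the sessions of one
    pair do not overlap in time (overlaps would be counted twice)."""
    window = window_end - window_start
    connected = defaultdict(int)
    for src, dst, port, start, dur in csv.reader(io.StringIO(log_text)):
        if int(port) != 443:
            continue  # only the outbound SSL case from the post
        # Clip each session to the observation window before summing.
        begin = max(int(start), window_start)
        end = min(int(start) + int(dur), window_end)
        if end > begin:
            connected[(src, dst)] += end - begin
    return {pair: round(t / window, 2)
            for pair, t in connected.items() if t / window >= min_coverage}

def acl_candidates(pairs):
    """Group flagged destinations with the internal hosts holding sessions
    to them, for manual review before any ACL entry is written."""
    by_dst = defaultdict(set)
    for src, dst in pairs:
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}

if __name__ == "__main__":
    flagged = persistent_ssl_pairs(SAMPLE_LOG, 1000, 11800)
    for dst, srcs in acl_candidates(flagged).items():
        print(dst, "<-", ", ".join(srcs))
```

Short web sessions to busy HTTPS sites fall well under the threshold, while a destination that several internal hosts stay attached to all day stands out; legitimate long-lived services will also appear, so the output is a review list, not a block list.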