[VPN] Clientless VPN

safieradam safieradam at hotmail.com
Wed Apr 16 12:10:55 EDT 2003

I'm raising the specter of clientless VPN again because I came across this
service which seems to meet the requirements:

I do consider this a form of VPN.  They may only be transmitting the screen
image, essentially pcAnywhere-like, but the functionality of getting the
work done is there.

They download the client as a java app so the user does not need to do
special installation.  Instead, it keeps polling a service server so the
initial connection is outbound.

Despite my security issues with it this is very attractive.  Even has PDA,
Mac and Unix support....


Security issues:

- Password user authentication only.  I assume this will change as the service
evolves. On the positive side, they do seem to use digital signatures on the
target - "multiple passwords, including an access code that resides on the
host computer and is never transmitted or stored on GoToMyPC servers".

- They advertise/encourage using Kiosk PCs for the client.  If you are using
someone else's PC you cannot be sure key-stroke/screen/memory logging is not
going on so your personal passwords could be captured.  A PC/PDA you control
is better as long as you didn't execute some malware along the line.

- You trust the service / software. You are downloading their Java applet,
which could change anytime.  You are essentially trusting them to encrypt
the link from the client to the host and not peek.  Well, the company trusts
the VPN admin for the company VPN so if you have a contract with GoTo...
That is what security is all about - who do you trust and for what?

- Can bypass firewalls.  At least our firewall policy needs review and this
could be a headache.  Both the client and the "target" initiate outbound
connections to a third party service.  If your company policy allows outbound
surfing to just about any address your users could set this up to or from
their office PC without your knowledge.  You may need to implement IP and
DNS name filtering for outbound traffic.  That will only work if GoToMyPC
plays nice and doesn't get into rotating names and addresses or sell the server
part to companies that use their own IP addresses to set up a corporate
service.  URL content filtering on outbound traffic might work.

- Does the phrase below mean that if your policy is to disable all
downloading on the users' PC, GoToMyPC launches its own program that ignores
the browser and downloads and runs a Java app?
" For a user who connects to the host computer via a client with a Mac or
Unix operating system (or from a Windows-based client that does not accept
downloadable files), the Java-enabled Universal Viewer launches
automatically. There is nothing the user needs to do to select the
appropriate Viewer - our technology will automatically detect the client
computer's operating system and launch the appropriate Viewer. "

Any other holes I missed?

I see a review of many companies policies coming up.

Adam Safier
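The firewall-bypass point above (the "target" keeps polling a third-party relay, so the only visible trace is regular outbound traffic from an internal PC) can be checked from proxy or firewall logs. The script below is an added example, not part of the original post or of any vendor's software; the log format, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log (not from a real deployment): "<epoch> <src_ip> <dst_host>".
# 10.1.2.30 polls one external host every 30 s; 10.1.2.31 browses normally.
SAMPLE_LOG = """\
1050000000 10.1.2.30 relay.example.net
1050000030 10.1.2.30 relay.example.net
1050000060 10.1.2.30 relay.example.net
1050000090 10.1.2.30 relay.example.net
1050000120 10.1.2.30 relay.example.net
1050000150 10.1.2.30 relay.example.net
1050000005 10.1.2.31 news.example.org
1050000340 10.1.2.31 news.example.org
1050000350 10.1.2.31 news.example.org
1050001900 10.1.2.31 news.example.org
1050000007 10.1.2.31 relay.example.net
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group connection timestamps by (source IP, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows[(m.group(2), m.group(3))].append(int(m.group(1)))
    return flows


def find_polling(flows, min_events=5, max_jitter=0.2):
    """Flag (src, dst) pairs whose connection intervals are near-constant.

    A host that reconnects to one external address at a steady interval looks
    like a reverse-connect relay agent waiting for a session; ordinary web
    browsing is bursty, so its interval spread is large relative to the mean.
    Returns (src, dst, mean_interval_seconds) for each suspicious pair."""
    hits = []
    for (src, dst), ts in flows.items():
        if len(ts) < min_events:
            continue
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_polling(parse_log(SAMPLE_LOG)):
        print(f"{src} polls {dst} about every {interval}s")
```

Flagged pairs are candidates for the outbound IP/DNS filtering discussed above; tune `min_events` and `max_jitter` to the log window and the polling interval you observe.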

