[VPN] Clientless VPN

safieradam safieradam at hotmail.com
Wed Apr 16 17:16:23 EDT 2003


Corrections:

"URL content filtering" was meant to be "URL scanning and web page
content filtering".  i.e. block encrypted web page content.

"At least our firewall policy needs review" was supposed to be "At least
_your_ firewall policy needs review".

RG pointed out that there was a thread on the topic a while back.  My quick
review shows that the common solution was to block the GoToMyPC servers.
While that may work for now because the GoToMyPC folks are nice enough to
maintain a single server farm, it leaves a network open to variations /
competitors, like http://www.htthost.com.   Hackers have used tunneling for
a long time so it's not just web pages and http.  The only real solution I
see is to prohibit encrypted application content in high level policy and
actually block encrypted application content in your perimeter defense or
proxy server.  Adds a nice bit of overhead.  At least content filtering is
not a new concept and vendors exist.

Adam Safier

----- Original Message -----
From: "safieradam" <safieradam at hotmail.com>
To: <vpn at lists.shmoo.com>
Sent: Wednesday, April 16, 2003 12:10 PM
Subject: [VPN] Clientless VPN


> I'm raising the specter of clientless VPN again because I came across this
> service which seems to meet the requirements:
>
> I do consider this a form of VPN.  They may only be transmitting the screen
> image, essentially pcAnywhere like, but the functionality of getting the
> work done is there.
>
> They download the client as a java app so the user does not need to do
> special installation.  Instead, it keeps polling a service server so the
> initial connection is outbound.
>
> Despite my security issues with it this is very attractive.  Even has PDA,
> Mac and Unix support....
>
> https://www.gotomypc.com
>
> Security issues:
>
> Password user authentication only.  I assume this will change as the service
> evolves. On the positive side, they do seem to use digital signatures on the
> target - " multiple passwords, including an access code that resides on the
> host computer and is never transmitted or stored on GoToMyPC servers ".
>
> They advertise/encourage using Kiosk PC's for the client.  If you are using
> someone else's PC you cannot be sure key-stroke/screen/memory logging is not
> going on so your personal passwords could be captured.  A PC/PDA you control
> is better as long as you didn't execute some malware along the line.
>
> - You trust the service / software. You are downloading their Java applet,
> which could change anytime.  You are essentially trusting them to encrypt
> the link from the client to the host and not peek.  Well, the company trusts
> the VPN admin for the company VPN so if you have a contract with GoTo...
> That is what security is all about - who do you trust and for what?
>
> - Can bypass firewall.  At least our firewall policy needs review and this
> could be a headache.  Both the client and the "target" initiate outbound
> connections to a third party service.  If your company policy allows outbound
> surfing to just about any address your users could set this up to or from
> their office PC without your knowledge.  You may need to implement IP and
> DNS name filtering for outbound traffic.  That will only work if GoToMyPC
> play nice and don't get into rotating names and addresses or sell the server
> part to companies that use their own IP addresses to set up a corporate
> service.  URL content filtering on outbound traffic might work.
>
> - Does the phrase below mean that if your policy is to disable all
> downloading on the users' PC, GoToMyPC launches their own program that ignores
> the browser and downloads and runs a Java app?
> " For a user who connects to the host computer via a client with a Mac or
> Unix operating system (or from a Windows-based client that does not accept
> downloadable files), the Java-enabled Universal Viewer launches
> automatically. There is nothing the user needs to do to select the
> appropriate Viewer - our technology will automatically detect the client
> computer's operating system and launch the appropriate Viewer. "
>
> Any other holes I missed?
>
> I see a review of many companies policies coming up.
>
> Adam Safier
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
>
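The two mitigations discussed in this thread are IP/DNS name filtering of outbound traffic (with the caveat that rotating names and addresses or a relocated server farm defeat it) and noticing that both the client and the target keep polling a third-party rendezvous server from inside the network. The script below is an added example, not code from the list or from GoToMyPC, showing both checks run over proxy log lines. The log format, field order and sample lines are constructed for the example; the blocklist holds only the two hosts named in the thread (gotomypc.com and htthost.com), and the assumption that any subdomain of a listed name counts is mine. The second check flags any (client, host) pair contacted at near-regular intervals, so it still fires when the service moves to an unlisted name or a bare IP address, which is the gap the thread points out with name-based filtering.

```python
"""Outbound-proxy log review for clientless remote-access services.

Added example for the VPN list thread; not the list's or the vendor's code.
Log format and sample lines are constructed; blocklist entries come from the
thread, subdomain matching is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts the thread names as clientless remote-access services.
BLOCKED_DOMAINS = {"gotomypc.com", "htthost.com"}

# Constructed proxy log: "<timestamp> <client_ip> <method> <host[:port]> <status>"
SAMPLE_LOG = """\
2003-04-16T12:00:00 10.1.1.5 CONNECT poll.gotomypc.com:443 200
2003-04-16T12:00:01 10.1.1.7 GET www.example.com 200
2003-04-16T12:01:00 10.1.1.5 CONNECT poll.gotomypc.com:443 200
2003-04-16T12:02:00 10.1.1.5 CONNECT poll.gotomypc.com:443 200
2003-04-16T12:03:00 10.1.1.5 CONNECT poll.gotomypc.com:443 200
2003-04-16T12:00:30 10.1.1.9 CONNECT relay.htthost.com:80 200
2003-04-16T12:00:05 10.1.1.7 GET news.example.org 200
2003-04-16T12:00:10 10.1.1.12 CONNECT 198.51.100.20:443 200
2003-04-16T12:05:10 10.1.1.12 CONNECT 198.51.100.20:443 200
2003-04-16T12:10:10 10.1.1.12 CONNECT 198.51.100.20:443 200
2003-04-16T12:15:10 10.1.1.12 CONNECT 198.51.100.20:443 200
2003-04-16T12:20:10 10.1.1.12 CONNECT 198.51.100.20:443 200
"""


def parse_log(text):
    """Turn the constructed log lines into dicts; malformed lines are skipped.

    The host field drops a trailing ":port" (IPv6 literals are not expected
    in this constructed format)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _method, hostport, _status = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": hostport.rsplit(":", 1)[0] if ":" in hostport else hostport,
        })
    return records


def matches_blocklist(host, blocklist=BLOCKED_DOMAINS):
    """True if host is a listed domain or a subdomain of one (assumption)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def find_blocklisted(records, blocklist=BLOCKED_DOMAINS):
    """Name-based check: (client, host) pairs that hit a listed domain."""
    return {(r["client"], r["host"]) for r in records
            if matches_blocklist(r["host"], blocklist)}


def find_beacons(records, min_hits=4, max_jitter=0.1):
    """Behaviour-based check: (client, host, mean_interval_seconds) for pairs
    contacted at near-regular intervals.

    A downloaded applet that keeps polling its rendezvous server shows up as
    low-variance gaps between connections, whether or not the host is on any
    list.  max_jitter is the allowed coefficient of variation (stdev / mean)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])
    beacons = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, host, avg))
    return sorted(beacons)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, host in sorted(find_blocklisted(recs)):
        print(f"blocklisted: {client} -> {host}")
    for client, host, interval in find_beacons(recs):
        print(f"periodic:    {client} -> {host} every {interval:.0f}s")
```

In the constructed sample the name-based check catches the two hosts from the thread, while the interval check also catches 10.1.1.12 polling a bare IP address every five minutes, the case the thread warns that DNS and URL filtering alone will miss. In practice the thresholds (min_hits, max_jitter) need tuning against your own proxy's normal traffic, since legitimate software updaters also poll on a schedule.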