[VPN] Clientless VPN (apologies for the cross-post)

Evans, TJ (BearingPoint) tjevans at bearingpoint.net
Thu Apr 17 06:35:07 EDT 2003


If I read your statement(s) correctly - 
	You recommend blocking all encrypted traffic?  

IMHO - This leaves a few problems unsolved, and creates many new ones!

Unsolved:
	Unencrypted, although possibly still tunneled, traffic.
		(ICMP tunnels, remote command prompt (e.g. NetCat), etc. etc.)

Newly Created:
	You would block all SSL'ified websites?
	Block all encrypted mail?	
	Etc.

Don't get me wrong - there are ways to mitigate the new problems, but my
concern would be that I think this would send the wrong message to your
employees ... and discourage (prevent?) them from following good practices
(encrypting important client emails, only logging into sites that make use
of SSL, etc.).  

Naturally - the real-world / business needs of your employees may permit
such an approach ... but I think this would lean too far to one side of the
"security vs. functionality/usability" scale for most.



Thanks!
TJ
<PS - don't forget to patch your Win* servers ... *fun* >
-----Original Message-----
From: safieradam [mailto:safieradam at hotmail.com] 
Sent: Wednesday, April 16, 2003 5:16 PM
To: vpn at lists.shmoo.com
Subject: Re: [VPN] Clientless VPN

Corrections:

"URL content filtering" was meant to be "URL scanning and web page
content filtering".  i.e. block encrypted web page content.

"At least our firewall policy needs review" was supposed to be "At least
_your_ firewall policy needs review".

RG pointed out that there was a thread on the topic a while back.  My quick
review shows that the common solution was to block the GoToMyPC servers.
While that may work for now because the GoToMyPC folks are nice enough to
maintain a single server farm, it leaves a network open to variations /
competitors, like http://www.htthost.com.   Hackers have used tunneling for
a long time so it's not just web pages and http.  The only real solution I
see is to prohibit encrypted application content in high level policy and
actually block encrypted application content in your perimeter defense or
proxy server.  Adds a nice bit of overhead.  At least content filtering is
not a new concept and vendors exist.

Adam Safier

----- Original Message -----
From: "safieradam" <safieradam at hotmail.com>
To: <vpn at lists.shmoo.com>
Sent: Wednesday, April 16, 2003 12:10 PM
Subject: [VPN] Clientless VPN


I'm raising the specter of clientless VPN again because I came across this
service which seems to meet the requirements:

I do consider this a form of VPN.  They may only be transmitting the
screen image, essentially pcAnywhere like, but the functionality of getting
the work done is there.

They download the client as a java app so the user does not need to do
special installation.  Instead, it keeps polling a service server so the
initial connection is outbound.

Despite my security issues with it this is very attractive.  Even has PDA,
Mac and Unix support....

https://www.gotomypc.com

Security issues:

Password user authentication only.  I assume this will change as the
Service evolves. On the positive side, they do seem to use digital
signatures on the target - " multiple passwords, including an access code
that resides on the host computer and is never transmitted or stored on
GoToMyPC servers ".


They advertise/encourage using kiosk PCs for the client.  If you are
using someone else's PC you cannot be sure key-stroke/screen/memory logging
is not going on so your personal passwords could be captured.  A PC/PDA you
control is better as long as you didn't execute some malware along the line.

- You trust the service / software. You are downloading their Java applet,
 which could change anytime.  You are essentially trusting them to encrypt
 the link from the client to the host and not peek.  Well, the company
trusts the VPN admin for the company VPN so if you have a contract with
GoTo... That is what security is all about - who do you trust and for what?

 - Can bypass firewall.  At least our firewall policy needs review and this
could be a headache.  Both the client and the "target" initiate outbound
connections to a third party service.  If your company policy allows outbound
 surfing to just about any address your users could set this up to or from
 their office PC without your knowledge.  You may need to implement IP and
 DNS name filtering for outbound traffic.  That will only work if GoToMyPC
 plays nice and doesn't get into rotating names and addresses or sell the
 server part to companies that use their own IP addresses to set up a
 corporate service.  URL content filtering on outbound traffic might work.

 - Does the phrase below mean that if your policy is to disable all
 downloading on the users' PCs, GoToMyPC launches its own program that ignores
 the browser and downloads and runs a Java app?
 " For a user who connects to the host computer via a client with a Mac or
 Unix operating system (or from a Windows-based client that does not accept
 downloadable files), the Java-enabled Universal Viewer launches
 automatically. There is nothing the user needs to do to select the
 appropriate Viewer - our technology will automatically detect the client
 computer's operating system and launch the appropriate Viewer. "

 Any other holes I missed?



 I see a review of many companies' policies coming up.

 Adam Safier
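Adam's point that the GoToMyPC host "keeps polling a service server so the initial connection is outbound" is the kind of pattern a proxy log can expose without blocking all encrypted traffic. The following detector is an added example, not code from the thread or from any vendor: it groups CONNECT entries by client and destination and flags pairs that recur at a short, near-constant interval. The log lines and host names are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <client IP> CONNECT <host>:<port>".
# 10.1.1.25 polls a relay every 30 s (the clientless-VPN pattern); the other
# entries are ordinary, irregular browsing and should not be flagged.
SAMPLE_LOG = """\
2003-04-16T12:00:00 10.1.1.25 CONNECT poll.relay.example:443
2003-04-16T12:00:05 10.1.1.40 CONNECT www.bank.example:443
2003-04-16T12:00:30 10.1.1.25 CONNECT poll.relay.example:443
2003-04-16T12:01:00 10.1.1.25 CONNECT poll.relay.example:443
2003-04-16T12:01:30 10.1.1.25 CONNECT poll.relay.example:443
2003-04-16T12:02:00 10.1.1.25 CONNECT poll.relay.example:443
2003-04-16T12:03:12 10.1.1.40 CONNECT www.bank.example:443
2003-04-16T12:03:40 10.1.1.40 CONNECT www.bank.example:443
2003-04-16T12:04:10 10.1.1.25 CONNECT news.example:443
2003-04-16T12:10:01 10.1.1.40 CONNECT www.bank.example:443
"""


def parse_log(text):
    """Return {(client, host): [timestamps]} from the constructed log format."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, dest = line.split()
        host = dest.rsplit(":", 1)[0]          # strip the port
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def find_polling(events, min_hits=4, max_period=120.0, max_jitter=0.2):
    """Flag (client, host) pairs contacted at least min_hits times with a mean
    gap of at most max_period seconds and relative jitter (stdev/mean) of at
    most max_jitter. Returns [(client, host, mean_gap_seconds), ...]."""
    suspects = []
    for (client, host), times in events.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0 or mean > max_period:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            suspects.append((client, host, round(mean, 1)))
    return suspects


if __name__ == "__main__":
    for client, host, period in find_polling(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host} every ~{period}s")
```

Thresholds are assumptions to tune against real traffic; a hit is a lead for review, not proof of a tunnel.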



