
The issue of remote access software and vigilance

Protecting the network from the inside out is a task of eternal vigilance. In this blog post, Rick Vanover takes a look at some particular tools that are used for console access over the Internet and their position in network policy.

In protecting internal networks from the outside, it sometimes pays to look at what is actually happening on the inside to get the full picture. In particular, I want to focus in this post on Web-based remote access services. Don't get me wrong -- these services are great -- I support a lot of my family with services like LogMeIn's Free product. I like these tools because they are incredibly easy to use, they always work, and they work over any Internet connection. That is exactly where my issue starts to take shape.

Web-based remote access software is brilliant in that the agent on the hosted computer generally makes an outbound HTTPS connection to the vendor's Web site, which brokers the session; no inbound firewall rule or port forwarding is needed. The requesting client connects to the same Web site, authenticates to the service, and is then relayed down to the hosting computer, where a second authentication against the machine itself is usually required. All traffic is typically SSL-encrypted, and the services usually offer protection against repeated authentication failures as well as configurable authentication options. From a network policy standpoint, though, that same design means a session looks like ordinary outbound browsing: any perimeter that permits HTTPS to the Internet permits these tools unless the service's hosts are blocked explicitly.

The products are good, but there is a very clear dividing line between the small office and home office (SOHO) and the enterprise on these tools. The SOHO can't live without them; they are simply a requirement. One example from my own experience was providing full IT support for a church. Without these tools the task would have been futile, as there were no funds available for any purchases.

The enterprise, by contrast, blocks these Web sites for outbound traffic without question. Tools beyond LogMeIn include GoToMyPC, WebEx, Bomgar, Goverlan, Remoteus, eBLVD, and more. Many of them work differently from LogMeIn, but it is important to know the field, because a block list is only as good as its coverage of vendors and their hosts. On enterprise networks, users are crafty and may sign up for a trial of one of these services. What can be even worse is when a service is purchased autonomously, without IT's involvement, so that unmanaged console access to internal systems exists before anyone responsible for the network knows about it.
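A concrete way to act on the blocking point above is to look for the outbound HTTPS connections these services make in the Web proxy log. The following Python is an added example, not code from the original post or from any of the vendors named; the log lines are constructed in a Squid-like native format, the user names and client addresses are made up, and the list of vendor domains is an illustrative watchlist that an administrator would have to maintain.

```python
"""Flag outbound HTTPS sessions to Web-based remote-access brokers in proxy logs.

Added example for this post; not code from the original article or from any
vendor. The watchlist and the log lines below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: an illustrative watchlist keyed by registrable domain. Vendors add
# and rename hosts, so in practice this list needs regular maintenance.
REMOTE_ACCESS_DOMAINS = {
    "logmein.com": "LogMeIn",
    "gotomypc.com": "GoToMyPC",
    "webex.com": "WebEx",
    "bomgar.com": "Bomgar",
    "eblvd.com": "eBLVD",
}

# Constructed sample in a Squid-like native format: time, elapsed ms, client,
# result code, bytes, method, target, user, hierarchy, content type.
SAMPLE_LOG = """\
1262304000.101   452 10.0.0.12 TCP_TUNNEL/200 18220 CONNECT secure.logmein.com:443 jdoe HIER_DIRECT/203.0.113.10 -
1262304001.550    33 10.0.0.12 TCP_MISS/200 2310 GET http://www.example.com/index.html jdoe HIER_DIRECT/203.0.113.20 text/html
1262304002.001   120 10.0.0.44 TCP_TUNNEL/200 9902 CONNECT www.gotomypc.com:443 asmith HIER_DIRECT/203.0.113.30 -
1262304003.900   210 10.0.0.44 TCP_TUNNEL/200 5000 CONNECT notlogmein.com:443 asmith HIER_DIRECT/203.0.113.40 -
1262304004.250    75 10.0.0.12 TCP_TUNNEL/200 44100 CONNECT app01.logmein.com:443 jdoe HIER_DIRECT/203.0.113.11 -
"""


def hostname_of(target: str) -> str:
    """Return the lower-cased hostname from a CONNECT target ('host:443') or a URL."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    host, _, _ = target.partition(":")
    return host.lower()


def match_service(hostname: str):
    """Match on whole DNS labels: 'app01.logmein.com' hits 'logmein.com',
    while a lookalike such as 'notlogmein.com' does not."""
    labels = hostname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in REMOTE_ACCESS_DOMAINS:
            return REMOTE_ACCESS_DOMAINS[candidate]
    return None


def scan_log(text: str) -> dict:
    """Return {client_ip: {service_name: [hostnames seen]}} for flagged lines.

    Only lines whose method/target fields parse are considered; anything the
    proxy never saw (direct outbound traffic) cannot show up here.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, target = fields[2], fields[6]
        hostname = hostname_of(target)
        service = match_service(hostname)
        if service:
            hits[client][service].append(hostname)
    return {client: dict(services) for client, services in hits.items()}


if __name__ == "__main__":
    for client, services in scan_log(SAMPLE_LOG).items():
        for service, hosts in services.items():
            print(f"{client} -> {service}: {', '.join(hosts)}")
```

The scanner matches on DNS labels so that app01.logmein.com is caught while a lookalike such as notlogmein.com is not, and it groups hits by client so a single user who has signed up for a trial stands out. The obvious caveat is that it only sees hostnames the proxy sees, in the CONNECT target or the TLS SNI; a machine that reaches the Internet without going through the proxy never appears here, which is why a block list on the proxy has to sit behind an egress policy that denies direct outbound traffic in the first place.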

What is your take on using these services? The arguments against are plenty: these tools can allow information to leak from an organization, allow users to bypass Web policies, and possibly allow unknown individuals to be given console access to a system on your network. Share your comments below on how you address Web-based remote access services.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

40 comments
jwmartin

I use Netmotion Wireless. It creates a secure vpn. Support is some of the best I've ever talked to in the IT field - they speak English too! Of course you have to pay for it but you can rest assured that it is secure.

apotheon

"you can rest assured that it is secure." What proof do you offer to support that assurance?

Mindspiel

Haha...agree...wireless security...hmm...we could talk about it

Gh0stMaker

If your company truly requires security, wireless is a no no.

b4real

A lot of you mention VNC, PCAnywhere, Remote Desktop etc. - those are not so bad; my real concern is the ones that go over the Internet.

Gh0stMaker

256-bit AES encryption is what the US Gov uses, and many of the Internet solutions like LogMeIn use that same security.

nemo_8080

I think that these automated services are supported by humans... Any leak can occur, even in good terms...

razz2

All of my clients use Watchguard or Sonicwall hardware with the associated IPsec or SSL VPN clients. Branch offices are hardware-to-hardware VPN. I use eBlvd to gain access to a server in each building and then use GenControl, Remote Assistance or just VNC to control clients. Works great, uses only one eBlvd license per client and is secure. In a few places I do use the LogMeIn Free but find the eBlvd allows better support of unattended machines. As to 'playing web cop' (@bblackmoor), saying it is a waste of time for IT or staff is a wide-reaching statement. In many companies the security needs dictate what needs to be done. Making it clear what is allowed and what the results are for misuse is a standard practice in today's world, but without monitoring and actively dealing with violations of the acceptable use policy it means nothing. Good hardware web filtering is a start and once tuned is non-obtrusive. In a small business just using OpenDNS helps. But, there has to be some cop sometimes, or when the exec staff wants to use the Polycom system and the bandwidth is gone because of streaming media, things get bad.

Gh0stMaker

Properly setup security devices are a great and non-obtrusive tool for proper security.

brad_winne

In our business, our support desk has to connect with our clients' POS systems. We have adopted the policy of using the GoTo Assist tool, due to the fact that the customer must log into the server and allow access. Therefore, we have no unattended access. Also, each session is recorded and archived for later review in case there is an issue.

bill

I also work as a tech/support person with our POS customers. We usually use pcanywhere but in times when we are unable to setup port forwarding in the router, we have used VNC SC. That is VNC that has been configured and compiled so that the customer has to start it and it connects only to a dedicated computer at our office. We use Ultra VNC for the listen part on our end.

bblackmoor

It is a complete waste of company time and resources to try and micromanage every user's web access. The more effort is put into playing web traffic cop, the less productive everyone becomes. Rather than doing their jobs, employees waste time trying to justify their access to do their jobs. Most people just give up. Either way, the company's productivity suffers. In an intelligently run company, employees are given clear instructions on what they may and may not do with company assets, and are informed of the penalties that will be applied to people who violate those policies. In a poorly run company, employees waste time begging for permission to do their jobs. In extreme cases, like CarMax, even people in IT do not have Internet access at their desks at all, which is the logical conclusion of these wrong-headed web filtering policies.

Mindspiel

Fully agree. Limiting resources to people is completely wrong step for a company. As long as I lead IT that will not happen.

Gh0stMaker

I have to totally disagree from a security and bandwidth perspective. Security gateways like Fortinet are a very good way of controlling where users go, protecting the LAN from spam, malware etc., and very easy to manage if set up properly. It's all in how the procedures are put in place and not getting too crazy with settings early on.

apotheon

"I have to totally disagree from a security and bandwidth perspective." Using pf and ALTQ for QoS management (http://blogs.techrepublic.com.com/security/?p=391) might be just what you need to deal with bandwidth costs. Whether "playing Web cop" is necessary for "security" depends a lot on your specific setup.

bblackmoor

"Security systems like Watchguard, Sonicwall, Fortinet etc protect companies from lawsuits and ensure the internet policy is being done." No, they don't. At best, they provide the illusion of safety. And like the Homeland Security Guard who makes you throw away your 4 oz. bottle of shampoo at the airport, it accomplishes nothing other than wasting time and money.

razz2

@MichaelSawyer1969: I think you were directing that post at bblackmoor but it was indented under me, so to clarify, we agree.

Gh0stMaker

Content filtering is not to get employees in trouble, but is a very necessary way of stopping malware from entering the network environment. I.T. professionals are hired to protect the company's network, and help users be more productive, sometimes by socially engineering the users' internet habits.

razz2

@bblackmoor: Then I am glad you are not in charge of network security for me or my clients. Limiting, through filtering, a staffer that searched for a Chinese calendar to find out the sex of her unborn baby can prevent hacking, spyware, viruses and inappropriate content (true story of an employee that did that, ending up with a machine full of crap). It is a fact of life and required that any good network has controls. The extent depends on the business needs and employee job requirements. One employee browsing and even accidentally displaying bad content (read: porn) can cause issues that go beyond the visual (although that in and of itself can require an employer to show they have taken prudent prevention steps to avoid legal issues). No anti-virus or anti-anything is 100%. The recent IE patch issue last month was a good example. MS estimated one in every 500 Windows users had been exposed to sites that tried to exploit the zero-day flaw. Some estimates were over 10,000 infected sites with a possible 600 being major firms. Nothing to do with security? Everything to do with security. I have clients with proprietary data on their network where a loss would be devastating. A single intrusion, key logger or even an intentional email can be a huge loss. No one wants to be the police but no one should have completely unrestricted internet access in a business. Unrestricted access is not needed.

Mindspiel

Hmm ... depends on content filtering, or to which content we allow access...issues of security and bandwidth management

bblackmoor

Limiting and filtering users' web access has nothing whatsoever to do with security.

Gh0stMaker

Executives want to see reports given to them on a regular basis even in smaller companies. Security systems like Watchguard, Sonicwall, Fortinet etc protect companies from lawsuits and ensure the internet policy is being done.

apotheon

Not all networks are the same. Some, for instance, don't require auditors. edit: Wait -- apparently it's "All that is gold does not glitter," and apparently Tolkien's grasp of grammar was kinda sketchy, since I'm pretty sure he didn't mean to say that everything that glitters is made of something other than gold.

markannon

It is the responsibility of a company to ensure due diligence in respect of security to equipment and data. Gone are the days where we can get away with just instructing our users how to act. Auditors want systems in place to prevent malicious activities.

csmith.kaze

We use GoToMyPC for all of our Docs and VNC for internal support. At my previous employer, they used Bomgar (actually, I live about 5 miles away from Bomgar HQ). Both can be considered mid-sized business (current) to small enterprise (former). All of my big vendors have some form of remote assistance. So remote assistance is by far not removed from the large companies. And I use CrossLoop for the all-important family support.

Mindspiel

Hi Michael, my name is Mario Milisic and my responsibilities are IT and anything related. Regarding RA and related software, well... I think that RA solutions like LogMeIn are quite essential for any sys. or network admin at any level, SOHO or enterprise. Every day I use stuff like LogMeIn, VNC, TC and... the list can go on. My colleagues use TC for servers; I personally use LogMeIn for remote servers, my home computer, laptop, remote destinations almost everywhere without any problem or intrusion. VNC for a few servers when I need high security. On the local domain there is no user with write permissions and there is no way for a common user to install any RA software without admin knowledge or admin approval. For business-critical servers and applications I make a practice of denying remote access to everyone except me, and that system works well for me. Kind regards, Mario

dchamp

I use TeamViewer, and won't use anything else; it's so complete and free!

Ed-M

...but does anyone know how to get it to use the default mail client instead of insisting on Outlook for connection invitations? EdM

Gh0stMaker

Free for non-commercial use; not for business.

dcohen65

We also recently implemented TeamViewer after reviewing the various options out there, their ease of use, and associated cost. It is important to note TeamViewer is not free for business use, but it is free for non-business use. What really drew me to this tool was the ability to use one tool to provide remote support to our users, and the same tool operating under a free license for supporting friends/family. The ease of use is impressive, and the abilities offered are substantial. Recently they even implemented a browser-based console if you need to provide support from a system that lacks the installed software.

nathan

I allow my clients, all of whom have SBS 2003, to use RWW or nothing. While there are pros and cons to each tool, I favor the one that is built in; there's nothing more to install or manage.

csmith.kaze

Under that logic you prefer Windows Firewall and Windows Defender over 3rd-party tools too? Just wondering...

nathan

On the client-side, I'll leave Windows Firewall in place, but protect the gateway with a SonicWALL. The reason I leave Windows Firewall in place is because I can manage it with Group Policy. Can you recommend any security products that can be enforced with GP?

apotheon

My preference, on MS Windows systems, is to use third party tools at all times. In general, that's the way to go -- since the built-in tools on MS Windows are usually substandard. Once in a while, though, I find myself looking at the alternatives and thinking "Wow, there just isn't anything better." I really don't think that the choice of using a built-in tool should be based entirely on not having to manage a third-party tool, though.

ray.labrecque

We struggled with this for a couple of years. Even purchased LogMeIn Hamachi, played with GoToMyPC and tried a Linksys router's integrated VPN. None of them worked for us. The security was acceptable but the usability and/or interoperability with other VPN clients was problematic at best. We finally implemented a Cisco ASA 5505 and its SSL VPN, as SSL VPNs were supposed to be really secure and compatible with most other clients (or easier to remove and re-install when they were not). Compatibility with other VPN clients is an issue for us as our techs need to support many sites where the VPN solution is site specific and out of our control. So the Isaac Asimov / Anne McCaffrey days of totally intrinsic WWW compatibility are NOT here yet. In fact I bet I will not be when it is! Now to overcome the latest threats to SSL connections!!!!

dave.schutz

Currently we are using Sonicwall vpn client software for remote access. It works okay, but is costly. Next year we are going to implement a Sonicwall SSL box which should provide access for more users.

apotheon

"The products are good, but there is a very clear dividing line between the small office and home office (SOHO) and the enterprise on these tools. The SOHO can't live without these tools." Which tools, exactly? Are you talking about commercial remote access desktop application tools like LogMeIn, or Web-based remote access services, or remote access tools in general?

JaredH

I believe that this was the overall question of the article. To me, the answer is... it depends on your environment. I work in a school district and having remote access available to students is very bad! I am required by law to filter the Internet for minors. Remote access sites and SSL proxies are all on the block list to stop minors from bypassing the filtering that the law requires.

Nimrod11089

We use NetSupport Manager. We have absolute control of access via a 'middle man' gateway machine. Remote clients connect to the gateway only by possessing a valid gateway key. Further, controls cannot access the gateway w/o a valid username/password. No open ports on firewalls, uses https (although any port can be configured).

Jaqui

For Windows systems, I would guess he means the proprietary tools. After all, on all but Windows systems we have far more remote admin options than a few proprietary tools. We have remote administration within a LAN via VPN and remote X server sessions; with ssh and webmin we have it from any Internet-connected system anywhere in the world, WITHOUT the security risk of remote X server sessions over the Internet.
