In protecting access to internal networks from the outside, sometimes we need to look at just what is occurring on the inside to get a good picture of what is going on. In particular, I want to focus in this post on Web-based remote access services. Don’t get me wrong — these services are great — I support a lot of my family with services like LogMeIn’s Free product. I like these tools because they are incredibly easy to use, they always work, and they work with any Internet connection. This is where my issue starts to take shape.
Web-based remote access software is brilliant in that it generally connects with outbound HTTPS traffic to the Web site that manages the service. The requesting client connects to the same Web site to authenticate initially and usually authenticate back down to the computer hosting the remote access. All traffic is usually SSL encrypted, and the services usually offer mechanisms that protect against authentication failures as well as a configurable authentication.
The products are good, but there is a very clear dividing line between the small office and home office (SOHO) and the enterprise on these tools. The SOHO can’t live without these tools. These products are simply a requirement. One good example in experience I had was providing full IT support for a church. Without these tools, the task would be futile as there were no funds available for any purchases.
The enterprise blocks these Web sites for outbound traffic without question. Tools beyond LogMeIn include GoToMyPc, WebEx, Bomgar, Goverlan, Remoteus, eBLVD, and more. Many of them may work in different mechanisms than LogMeIn, but it is important to know the field. For enterprise networks, users are crafty and may sign up for one of the services for a trial. What can be even worse is when these services are purchased autonomously from IT’s assistance.
What is your take on using these services? The arguments are plenty. These tools can allow information to leak from an organization, allow users to bypass Web policies, and possibly allow unknown individuals to be given console access on a system on your network. Share your comments below on how you address these Web-based remote access services.