Steven,

 I have just stumbled upon this firewall mailing list, and saw the recent
thread in regards to the use of the WebEx product for online support. I hope
I can address your (and others') concerns.

 Yes, the WebEx product does indeed provide an online support feature.
Basically, the user is required to allow the support personnel (in your
case, the vendor, and I will refer to them as such from now on) to take
control of their desktop. At that point, the vendor has the ability to
manipulate your desktop, until such time as you stop them (by pressing a
key, for example, this is customizable). 
 There are several important things to consider: first of all, the use of
this feature does indeed require manual user intervention. There is no way
(in code) to fire it up remotely. Secondly, control is over the desktop only
- that is, one could not, for example, use the WebEx product to
upload/download documents, viruses or trojans. Of course, the support person
(or your vendor) could conceivably fire up IE or NS from your desktop, and
use that to download something from their site (or anywhere), but that has
nothing to do with the WebEx app as such. The session, I might add, can only
be initiated by the user - not by the vendor (as I hope the vendor has told
you). 
 Lastly, but maybe most importantly, the online support feature cannot be
activated by itself. The vendor has to pay Webex for it, and we enable that
on their site. The model here is not peer-to-peer - it is
peer-to-server-to-peer. What this means is that it can't be used outside of a
specific environment - i.e. you have to connect to a Webex site that has
this feature enabled before you can even use it. In other words, simply
having the client on your box does not mean that you can use the online
support feature.

 So the question here is: why would you allow an untrustworthy party (as you
seem to imply your vendor is) control over anything inside your network, if
you are not monitoring them? VNC or PCA won't help you in this case, and in
fact, are probably less safe, since they are acting as a service that can be
triggered remotely at any time. At least when you use WebEx you must
connect to specific sites and perform an actual authorization step before
communication is established. 

 I do want to address another comment about WebEx being a trojan (you knew I
would :-). Basically, this is like saying that any sharing feature is like a
trojan. WebEx isn't any worse - and is indeed better in some senses - than a
host of programs, such as PCA and VNC which have been mentioned in this
thread. I would argue that calling it a trojan is stretching the imagination
somewhat - after all, WebEx cannot be installed on your system without your
approval, nor can it be triggered without you asking for it, nor will it
open any backdoors of any sort for somebody to abuse, and the online support
feature only works in specific, well-defined circumstances. I just can't
understand the reference to a trojan (unless you refer to the "webex
trojan", a well known trojan that has been out there even before Webex
became a company - I think it's currently in version 1.4). Webex is a meeting
client, and most users won't ever use the support feature, since it is not
the main purpose of the product. 

 I hope this helps. Feel free to email me with any questions regarding Webex
and our product security, and I'll reply as best I can (without betraying
company security policies of course :-)

 Barak Engel
 Manager, Security Operations
 Webex Communications Inc.
 Public PGP Key:
http://keyserver.pgp.com/pks/lookup?op=get&exact=off&[EMAIL PROTECTED]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
