Paul,

 Yes, of course you could install WebEx anywhere without anyone knowing -
just like most any other piece of software. What you couldn't do is install a
Webex *switching server* - since we don't normally sell them :-)

 What I'm asserting, basically, is that even if the client *is* installed on
a machine, it *can't* be operated without a user specifically asking for it,
manually. I am also saying that it can't be triggered remotely. And lastly,
I am saying that for this feature to work requires a set of circumstances
that makes it difficult to abuse.
 Basically what I'm trying to say is that I don't think that it will be abused
*incidentally*. Of course, it can for example be abused by a disgruntled
employee. Now the question becomes - how much does one trust one's
employees?

 Btw, we really are not in support space. We are in the meeting space. The
meeting product has an additional feature that can be purchased for an
additional fee that allows the *customer* to support *their* users. Webex is
not a part of it except in the sense that we provide the tool.

 Cheers,
 Barak

-----Original Message-----
From: Paul Robertson [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 1:08 PM
To: Barak Engel
Cc: '[EMAIL PROTECTED]'
Subject: RE: WebEx and the firewall mailing list


On Fri, 21 Dec 2001, Barak Engel wrote:

> Paul,
>
>  Whoa! Seems like an exposed nerve there :-)))

Tunneling on purpose breaks perimeter defense.  Since we've lost the
desktop config war, that's all that's left that isn't "reviving the victim
afterwards."

>
>  Yes, WebEx will work through port 80. That's a very strong feature of the
> product, and one that clients in general find most desirable (it was
> indeed customer driven). While I understand that this might force a network
> admin who doesn't want to allow it to add another rule to their firewall, how
> is that different than dealing with thousands of other apps out there? Just
> because the rule is of a different nature? How about if somebody configured
> VNC or PCA on their box to use port 80, then controls it from home? How

VNC doesn't speak HTTP, nor does PCA- a simple proxy-based solution solves
that problem.

> about safeweb and triangle boy or similar services?

Same brush as WebEx, though perhaps with more paint in at least one case-
since WebEx wasn't the product that prompted the tunneling article I
referenced.

>  And no, I can't see the reference to a trojan. A trojan (or at least in
> the malicious sense) will allow somebody to remotely control your machine
> without your knowledge, and do bad things to/with it. WebEx doesn't. It's a

Trojans can remotely control a machine with the knowledge of the person
installing them, and be installed.  I'd be pretty surprised if I couldn't
install WebEx on a server without the admin knowing.

> meeting client, for heaven's sake :-) Do you allow NetMeeting? AIM? MSNM?
> Any meeting/chat capabilities? Anything of the sort? If you don't, then go
> ahead, block access to Webex as well. It's your security policies after all
> :-)))) Otherwise, I don't see how this is different.
>
>  As for installing a server in your network and connecting from home -
> impossible, since you can only install the client, and you can't control
> that remotely. You can't install it "on a server so you can control it from
> home".

So you're asserting that Oncall (a) can't be installed by an entity that
doesn't have authorization in a large enterprise, and (b) can't be abused
as a control vector if so installed?  - that seems to fly in the face of
your Web site's "Remotely reconfigure a customer's system" claim.

> Of course, you could conceivably open a meeting (if your company is using
> WebEx already, so you have the ability to create a meeting, which infers
> that it's already approved), get your spouse or someone in your home to
> connect to it, desktop share, go home, and if it's still running (hasn't
> timed out), be able to control your work PC desktop only (which is limited,
> as I've explained before). What can I say? If someone is smart enough to
> figure this process out, they'll be smart enough to figure out a host of
> other things as well, with a larger damage potential.

How does WebEx differentiate between my "work PC desktop" and my server?

Except that the host of other things doesn't come as support contract
mandates.  That creates a social vector that may be exploited in the
future by unreputable people.

>  We can't give you any assurance that your users won't install the WebEx
> client. How could we? How do you stop your users from downloading and
> installing Back Orifice for remote control of their desktop (hey, it
> happens) as you mention? If you can control your users to such an extent as
> to what they download and install on their boxes, you should be able to
> block them from installing our client as well.
>
>  As for our security policies, architecture and third party assurances - I
> will be happy to discuss these with you under NDA, should you wish to
> pursue a potential purchase of our product.

If you need an NDA to provide 3rd party assurance, I'll continue to make
the same recommendations.

Policies don't mean a great deal to me, and given the nature of your
service, in-band attacks are the obvious vector, and there's not a lot of
architecture which can stop in-band attacks (hence the concern over
tunneling products ;).)

>  I'm not going to tell you that WebEx provides a security product. We don't.
> We provide a meeting service, one that seems to be accepted well. We're
> not forcing anyone to use it, but of course we're happy if you do. I'm not
> sure how it came to be that out of all the meeting services out there, we
> were singled out in this mailing list, but it happened and I'm just trying to

You're in the remote support space, not just the meeting space, and you
were singled out because someone had a specific question about your
product- a search for archives on Google should provide the entire
context.  FWIW, I haven't seen a firewall-friendly meeting service that
I'd recommend to anyone who cares about their network integrity, so don't
feel singled out...

> help. So can we sign a peace treaty please? :-)
>
>  And a very merry Christmas to all of you.

Happy holidays,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
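Paul's point that VNC and pcAnywhere "don't speak HTTP", so a proxy rather than a port-80 hole stops them, as an added illustration that is not part of this thread: a minimal request-line gate of the kind an HTTP proxy applies to the first bytes a client sends. The policy, verdict names, function names and sample preambles are assumptions for the example; the RFB banner is the VNC protocol-version string.

```python
import re

# Request-line shape from RFC 2616 section 5.1: Method SP Request-URI SP HTTP-Version CRLF.
# Method tokens are case-sensitive, and a request sent to a proxy carries an absolute URI.
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")

# Policy assumed for this illustration: plain web methods are relayed, CONNECT
# (an opaque byte tunnel) is refused, and bytes that are not an HTTP request
# line at all are dropped.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}


def classify_client_preamble(data: bytes) -> str:
    """Decide what a request-line-validating proxy does with the first bytes a
    client sends after connecting. Returns 'relay', 'deny-tunnel',
    'deny-method', 'deny-target' or 'deny-not-http'."""
    match = _REQUEST_LINE.match(data)
    if match is None:
        # Nothing at all (an RFB client waits for the server banner and sends
        # nothing), a non-HTTP banner, or raw binary: there is no request to forward.
        return "deny-not-http"
    method, target = match.group(1), match.group(2)
    if method == b"CONNECT":
        return "deny-tunnel"
    if method not in ALLOWED_METHODS:
        return "deny-method"
    # A proxy request must name the origin server with an absolute http URI;
    # a bare path means the client thinks it is talking to the origin itself.
    if not target.startswith(b"http://"):
        return "deny-target"
    return "relay"


# Constructed sample preambles, one per case the thread argues about.
SAMPLE_PREAMBLES = {
    "browser": b"GET http://www.example.com/ HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "https-tunnel": b"CONNECT meeting.example.net:443 HTTP/1.0\r\n\r\n",
    "rfb-banner": b"RFB 003.003\n",      # VNC protocol-version string, not HTTP
    "silent-client": b"",                # waits for the peer to speak first
    "binary": b"\x00\x0b\x17\x2a",       # arbitrary non-text bytes
}


def proxy_decisions() -> dict:
    """Run every sample through the gate and return the verdict per sample."""
    return {name: classify_client_preamble(raw) for name, raw in SAMPLE_PREAMBLES.items()}


if __name__ == "__main__":
    for name, verdict in proxy_decisions().items():
        print(f"{name:14s} -> {verdict}")
```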
