On Thu, 20 Dec 2001, Barak Engel wrote:

> triggered remotely at any time. At least when you use WebEx you must
> connect to specific sites and perform an actual authorization step before
> communication is established.

And therefore extend trust that said site is secure- any assurance there?

>
>  I do want to address another comment about WebEx being a trojan (you knew I
> would :-). Basically, this is like saying that any sharing feature is like a
> trojan. WebEx isn't any worse - and is indeed better in some senses - than a

No it most certainly isn't.  Most sharing features don't tunnel through
firewalls.

> host of programs, such as PCA and VNC which have been mentioned in this
> thread. I would argue that calling it a trojan is stretching the imagination

PCA and VNC both use distinct ports and are "connect in" rather than
"tunnel out" products- an astoundingly large difference to most firewall
administrators.

> somewhat - after all, WebEx cannot be installed on your system without your
> approval, nor can it be triggered without you asking for it, nor will it

Any program can be installed on a system without approval.  That's like
saying Sub7 can't be installed without your approval.

You say "your system" like user == owner- that's a home model, not a
business model.

End users or small site administrators who may not know they're
circumventing a security policy that doesn't allow tunneling out could
certainly fall foul of a corporate security department, and even support
staff who own the configuration of a machine can't necessarily disallow
approval to a service like WebEx unless someone blocks WebEx's networks at
the border router (which has been one of my solutions to such tunneling
risks; my May Information Security Magazine article was inspired by such
product offerings).

If you can't see the worries that draw firewallers to a trojan reference,
that doesn't instill a great deal of confidence in how you view security.

> open any backdoors of any sort for somebody to abuse, and the online support
> feature only works in specific, well-defined circumstances. I just can't
> understand the reference to a trojan (unless you refer to the "webex
> trojan", a well known trojan that has been out there even before Webex
> became a company - I think it's currently in version 1.4). Webex is a meeting
> client, and most users won't ever use the support feature, since it is not
> the main purpose of the product.

If an administrator places WebEx on a server to connect from home, then
gets laid off, how exactly does WebEx suggest a company discover and
protect its networks' insecurity?  How do you suggest a network security
organization even detect its presence?

With VNC (which I wouldn't run without SSH as a transport) and PCA, a
firewall administrator can simply ensure that inbound access on the
appropriate TCP ports is disabled.  With WebEx, especially in a large
multi-ten thousand user enterprise with a fairly open WAN, the
alternative is really only to completely block access to WebEx's Web site(s).

>  I hope this helps. Feel free to email me with any questions regarding Webex
> and our product security, and I'll reply as best I can (without betraying
> company security policies of course :-)

Is there any third-party assurance that your networks/servers are secure?
How do your customers get assurance that your own administrators aren't
able to WebEx into your servers after termination?

What exactly does WebEx recommend be done to ensure that no unauthorized
installations occur on a particular network?  How can a corporate security
department or operations department do the equivalent of unplugging a
modem in the case of WebEx where they may be different structurally than
the administrative department?


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
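
Added example, not part of the original message or of any product discussed in it: the "connect in" versus "tunnel out" distinction argued above, run over constructed connection-log lines. The log format, the placeholder domain conferencing-vendor.example and the sample addresses are assumptions; 5900 and 5631 are the usual VNC and pcAnywhere TCP defaults.

```python
# Added example: constructed log lines, placeholder domains (not from the thread).
from collections import defaultdict

# Constructed sample: "<time> <direction> <internal_ip> <remote_host> <tcp_port>"
SAMPLE_LOG = """\
2001-12-20T09:01:12 in 10.1.4.20 198.51.100.7 5900
2001-12-20T09:02:40 out 10.1.4.20 meet.conferencing-vendor.example 443
2001-12-20T09:03:05 out 10.1.7.33 www.news.example 80
2001-12-20T09:05:51 out 10.2.0.9 conferencing-vendor.example 80
2001-12-20T09:06:13 out 10.1.7.33 notconferencing-vendor.example 443
2001-12-20T09:07:30 in 10.3.3.3 203.0.113.50 5631
"""

INBOUND_REMOTE_CONTROL_PORTS = {5900, 5631}  # usual VNC and pcAnywhere TCP defaults
WATCHED_SUFFIXES = ["conferencing-vendor.example"]  # hypothetical vendor domain

def parse(log_text):
    """Yield (direction, internal_ip, remote_host, port) per well-formed line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines rather than guess
        _, direction, internal_ip, remote, port = fields
        yield direction, internal_ip, remote.lower().rstrip("."), int(port)

def inbound_port_hits(log_text, ports=INBOUND_REMOTE_CONTROL_PORTS):
    """Connect-in products: a port filter on inbound traffic finds them."""
    return sorted({ip for d, ip, _, p in parse(log_text) if d == "in" and p in ports})

def matches_suffix(host, suffix):
    """Match on a DNS label boundary so look-alike names do not match."""
    return host == suffix or host.endswith("." + suffix)

def egress_watch_hits(log_text, suffixes=WATCHED_SUFFIXES):
    """Tunnel-out products: only the destination distinguishes them."""
    hits = defaultdict(set)
    for direction, ip, remote, port in parse(log_text):
        if direction == "out" and any(matches_suffix(remote, s) for s in suffixes):
            hits[ip].add((remote, port))
    return {ip: sorted(dests) for ip, dests in hits.items()}

if __name__ == "__main__":
    print("inbound remote-control ports:", inbound_port_hits(SAMPLE_LOG))
    for ip, dests in sorted(egress_watch_hits(SAMPLE_LOG).items()):
        print("outbound to watched service:", ip, dests)
```

The outbound sessions ride ordinary web ports, so the port filter never sees them; only the destination watch list reports the internal hosts involved.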
