Paul, Whoa! Seems like an exposed nerve there :-)))
Yes, WebEx will work through port 80. That's a very strong feature of the product, and one that clients in general find most desirable (it was indeed customer driven). While I understand that this might force a network admin who doesn't want to allow it to add another rule to their firewall, how is that different than dealing with thousands of other apps out there? Just because the rule is of a different nature? How about if somebody configured VNC or PCA on their box to use port 80, then controls it from home? How about safeweb and triangle boy or similar services?

And no, I can't see the reference to a trojan. A trojan (or at least in the malicious sense) will allow somebody to remotely control your machine without your knowledge, and do bad things to/with it. WebEx doesn't. It's a meeting client, for heaven's sake :-) Do you allow netmeeting? AIM? MSNM? Any meeting/chat capabilities? Anything of the sort? If you don't, then go ahead, block access to Webex as well. It's your security policies after all :-)))) Otherwise, I don't see how this is different.

As for installing a server in your network and connecting from home - impossible, since you can only install the client, and you can't control that remotely. You can't install it "on a server so you can control it from home". Of course, you could conceivably open a meeting (if your company is using WebEx already, so you have the ability to create a meeting, which infers that it's already approved), get your spouse or someone in your home to connect to it, desktop share, go home, and if it's still running (hasn't timed out), be able to control your work PC desktop only (which is limited, as I've explained before). What can I say? If someone is smart enough to figure this process out, they'll be smart enough to figure out a host of other things as well, with a larger damage potential.

We can't give you any assurance that your users won't install the WebEx client. How could we?
How do you stop your users from downloading and installing backorifice for remote control of their desktop (hey, it happens) as you mention? If you can control your users to such an extent as to what they download and install on their boxes, you should be able to block them from installing our client as well.

As for our security policies, architecture and third party assurances - I will be happy to discuss these with you under NDA, should you wish to pursue a potential purchase of our product.

I'm not going to tell you that WebEx provides a security product. We don't. We provide a meeting service, one that seems to be accepted well. We're not forcing anyone to use it, but of course we're happy if you do. I'm not sure how it came to be that out of all the meeting services out there, we were singled out in this mailing list, but it happened and I'm just trying to help.

So can we sign a peace treaty please? :-)

And a very merry christmas to all of you.

Barak

-----Original Message-----
From: Paul Robertson [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 5:40 AM
To: Barak Engel
Cc: '[EMAIL PROTECTED]'
Subject: Re: WebEx and the firewall mailing list

On Thu, 20 Dec 2001, Barak Engel wrote:

> triggered remotely at any time. At least when you use WebEx you must
> connect to specific sites and perform an actual authorization step before
> communication is established.

And therefore extend trust that said site is secure- any assurance there?

>
> I do want to address another comment about WebEx being a trojan (you knew I
> would :-). Basically, this is like saying that any sharing feature is like a
> trojan. WebEx isn't any worse - and is indeed better in some senses - than a

No it most certainly isn't. Most sharing features don't tunnel through firewalls.

> host of programs, such as PCA and VNC which have been mentioned in this
> thread.
> I would argue that calling it a trojan is stretching the imagination

PCA and VNC both use distinct ports and are "connect in" rather than "tunnel out" products- an astoundingly large difference to most firewall administrators.

> somewhat - after all, WebEx cannot be installed on your system without your
> approval, nor can it be triggered without you asking for it, nor will it

Any program can be installed on a system without approval. That's like saying Sub7 can't be installed without your approval.

You say "your system" like user == owner- that's a home model, not a business model. End users or small site administrators who may not know they're circumventing a security policy that doesn't allow tunneling out could certainly fall foul of a corporate security department, and even support staff who own the configuration of a machine can't necessarily disallow approval to a service like WebEx unless someone blocks WebEx's networks at the border router (which has been one of my solutions to the risks such tunneling risks (my May Information Security Magazine article was inspired by such product offerings.)

If you can't see the worries that draw firewallers to a trojan reference, that doesn't instill a great deal of confidence in how you view security.

> open any backdoors of any sort for somebody to abuse, and the online support
> feature only works in specific, well-defined circumstances. I just can't
> understand the reference to a trojan (unless you refer to the "webex
> trojan", a well known trojan that has been out there even before Webex
> became a company - I think it's currently in version 1.4). Webex is a meeting
> client, and most users won't ever use the support feature, since it is not
> the main purpose of the product.

If an administrator places WebEx on a server to connect from home, then gets laid off, how exactly does WebEx suggest a company discover and protect its networks' insecurity?
How do you suggest a network security organization even detect its presence?

With VNC (which I wouldn't run without SSH as a transport) and PCA, a firewall administrator can simply ensure that inbound access on the appropriate TCP ports is disabled. With WebEx, especially in a large multi-ten thousand user enterprise with a fairly open WAN, the alternative is really only to completely block access to WebEx's Web site(s).

> I hope this helps. Feel free to email me with any questions regarding Webex
> and our product security, and I'll reply as best I can (without betraying
> company security policies of course :-)

Is there any third-party assurance that your networks/servers are secure?

How do your customers get assurance that your own administrators aren't able to WebEx into your servers after termination?

What exactly does WebEx recommend be done to ensure that no unauthorized installations occur on a particular network?

How can a corporate security department or operations department do the equivalent of unplugging a modem in the case of WebEx where they may be different structurally than the administrative department?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
