Quoting Paul Robertson ([EMAIL PROTECTED]):

> > triggered remotely at any time. At least when you use WebEx you must
> > connect to specific sites and perform an actual authorization step before
> > communication is established.
> 
> And therefore extend trust that said site is secure- any assurance there?

I would assume it's about as secure as the Telcos you use to send
traffic between stages, as secure as the Router-OS, the Firewall-OS,
the Backbone structure, etc. Sure, by sending data between two points
by virtue of a third, negotiating and managing, point, you expose data
to one more potential point of interception; putting an overly
complicated emphasis on this POE is, however, not very practicable.

> >  I do want to address another comment about WebEx being a trojan (you knew I
> > would :-). Basically, this is like saying that any sharing feature is like a
> > trojan. WebEx isn't any worse - and is indeed better in some senses - than a
> 
> No it most certainly isn't.  Most sharing features don't tunnel through
> firewalls.

Most firewall products (unless you filter on application level) can't
tell Port80 traffic from Port80 traffic, no matter *what* is being
carried there. If you filter on application level, you still have to
trust encrypted data streams. Nothing stops me from writing a remote
control trojan doing its work over SSL with seemingly proper cleartext
pre-negotiation.

> > somewhat - after all, WebEx cannot be installed on your system without your
> > approval, nor can it be triggered without you asking for it, nor will it
> 
> Any program can be installed on a system without approval.  That's like
> saying Sub7 can't be installed without your approval.

That's twisting reality. If I get the level of access I need to
install, run and share my desktop with WebEx, I will use something
else to do the work.

> You say "your system" like user == owner- that's a home model, not a
> business model.

Agreed. Poor business decisions should not be blamed on vendors or
concepts, though. It seems you have not had a look into the way WebEx
works:

-> Arrive at Website
-> Download Client
-> Start Client
-> book into 'meeting'
-> Actively allow access to Desktop
-> Maintain allowed access to prevent timeout

as opposed to, e.g., Sub7:

-> Install Program, which installs Sub7 in the Background
-> Sub7 'hides'
-> Sub7 opens POE
-> Remote Client accesses POE

even with an installed WebEx, the system online, and the User booked
into a 'meeting', the System will only receive, not send any data
(with the exception of 'sync' notices).

The difference between a Client - Bridge - Client model and a Client -
Server model is what is important here.

> approval to a service like WebEx unless someone blocks WebEx's networks at
> the border router (which has been one of my solutions to the risks such
> tunneling risks (my May Information Security Magazine article was inspired
> by such product offerings.)

Well, if this is the only way you see to fight illegitimate access,
then so be it.

> If you can't see the worries that draw firewallers to a trojan reference,
> that doesn't instill a great deal of confidence in how you view security.

Misnaming is not necessarily helpful. A trojan is what the name says:
a seemingly benign program carrying something different than
advertised in its belly. WebEx does not really fall into this
category.

> If an administrator places WebEx on a server to connect from home, then
> gets laid off, how exactly does WebEx suggest a company discover and
> protect its networks' insecurity?  How do you suggest a network security
> organization even detect its presence?

Assuming the administrator still has enough access to activate the
sharing, the NetSec dept. has a bigger problem than WebEx being
installed. There is NO way to connect to a box with WebEx' client
installed. The client connects outbound.

> With VNC (which I wouldn't run without SSH as a transport) and PCA, a
> firewall administrator can simply ensure that inbound access on the
> appropriate TCP ports is disabled.  With WebEx, especially in a large
> multi-ten thousand user enterprise with a fairly open WAN, the
> alternative is really only to completely block access to WebEx's Web site(s).

VNC resides on the system, giving a POE. Are you blocking ssh inbound,
too? I hope so, or an Administrator could, after being fired, connect
to a machine he sneakily installed SSH on. Disallow inbound access,
and you protect your network from ingress access to servers. While
you're at it, disallow outbound access, too, or someone could catch
something that initiates an outbound connection for remote control
(like those nifty trojans that just connect to IRC and are controlled
per PRIVMSG user, or the one that does GET / requests on Port 80 to a
httpd and reacts based on the returned 'website').

I guess you're aware of the ability to change VNCs and PCAs ports,
right?

Disclaimer: I do not work for WebEx, we're using a competitor's product
for our stuff and I do not know if WebEx is secure or not. Matter of
fact is, however, that your approach is incorrect and therefore
invalid to establish an analysis of the (in-)security of WebEx' client
or WebEx in itself.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
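The message above makes two related points: a port-based firewall cannot tell one outbound Port80 stream from another, and both a polling meeting client (the 'sync' notices) and an HTTP-based remote-control trojan (the one that does GET / and reacts to the returned 'website') look like ordinary outbound web traffic to it. What an application-level log does give you is the destination host, method and path per request, and a timer-driven client betrays itself by polling the same host at a near-constant interval, which human browsing does not. The following is an added example, not code from the original post or from WebEx or any other product: it parses constructed proxy log lines (the format, client addresses and hostnames are invented for the example) and flags client/host pairs whose inter-request gaps have low jitter.

```python
"""Spot periodic outbound polling in application-level (proxy) logs.

A port filter sees only 'TCP/80 outbound' and cannot distinguish a
meeting client's sync notices, an HTTP remote-control trojan's polling
and normal browsing. A proxy log shows host, method and path, so we can
group requests per (client, host) and measure how regular they are.

All log lines, addresses and hostnames below are constructed for this
example; the format is an assumed "ts client method host path status bytes".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one host polls every 30 seconds, the rest is
# ordinary, irregular browsing.
SAMPLE_LOG = """\
2003-06-02T09:00:00 10.1.2.3 GET www.example.net / 200 5120
2003-06-02T09:00:30 10.1.2.3 GET poll.example-bridge.invalid /sync 200 310
2003-06-02T09:00:45 10.1.2.3 GET www.example.net /news 200 8001
2003-06-02T09:01:00 10.1.2.3 GET poll.example-bridge.invalid /sync 200 305
2003-06-02T09:01:30 10.1.2.3 GET poll.example-bridge.invalid /sync 200 311
2003-06-02T09:02:00 10.1.2.3 GET poll.example-bridge.invalid /sync 200 309
2003-06-02T09:02:10 10.1.2.3 GET www.example.org /search?q=firewall 200 2204
2003-06-02T09:02:30 10.1.2.3 GET poll.example-bridge.invalid /sync 200 300
2003-06-02T09:03:00 10.1.2.3 GET poll.example-bridge.invalid /sync 200 312
2003-06-02T09:04:12 10.1.2.4 GET www.example.net / 200 5120
2003-06-02T09:04:20 10.1.2.4 GET www.example.net /about 200 1500
"""


def parse_log(text):
    """Parse the assumed space-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "path": path,
            "status": int(status),
            "bytes": int(size),
        })
    return records


def find_beacons(records, min_requests=5, max_jitter=0.2):
    """Return (client, host, mean_gap_s, jitter) for timer-driven polling.

    jitter is the coefficient of variation (stdev / mean) of the gaps
    between successive requests from one client to one host. A client on
    a fixed timer has jitter near 0; a person clicking around does not.
    min_requests keeps a handful of coincidental hits from firing.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])

    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((client, host, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for client, host, gap, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} polls {host} every {gap}s (jitter {jitter})")
```

The check only tells you that something on a box is polling a fixed host on a timer; it cannot say whether that is a meeting client a user deliberately started or a remote-control program an ex-administrator left behind, which is exactly the point about port and even application filters in the message. Tune min_requests and max_jitter against your own proxy logs, and expect software update checks to show up as well, so the result is a worklist for a person, not a block decision.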