On Sun, 23 Dec 2001, Jonas M Luster wrote:

> > And therefore extend trust that said site is secure- any assurance there?
>
> I would assume it's about as secure as the Telcos you use to send
> traffic between stages, as secure as the Router-OS, the Firewall-OS
I think your assumptions are wrong- telco signaling is at least out-of-band, and I don't have to expose my router's OS to in-band vectors like DNS. Web servers are almost never as secure as you can make switched voice networks, routers and even (in a plurality of cases) firewalls.

> > > I do want to address another comment about WebEx being a trojan (you knew I
> > > would :-). Basically, this is like saying that any sharing feature is like a
> > > trojan. WebEx isn't any worse - and is indeed better in some senses - than a
> >
> > No it most certainly isn't. Most sharing features don't tunnel through
> > firewalls.
>
> Most firewall products (unless you filter on application level) can't
> tell Port80 traffic from Port80 traffic, no matter *what* is being
> carried, there. If you filter on application level, you still have to

If it's a circuit level gateway, it's not _tunneling_, it's relaying. My statement stands as correct. Please observe the terminology if you're going to attempt to flame for terminology.

> trust encrypted data streams. Nothing stops me from writing a remote
> control trojan doing its work over SSL with seemingly proper cleartext
> pre-negotiation.

Or one that does it over HTTP and is called WebEx...

> > > somewhat - after all, WebEx cannot be installed on your system without your
> > > approval, nor can it be triggered without you asking for it, nor will it
> >
> > Any program can be installed on a system without approval. That's like
> > saying Sub7 can't be installed without your approval.
>
> That's twisting reality. If I get the level of access, I need to
> install, run and share my desktop with WebEx, I will use something
> else to do the work.

Perhaps you will _if_ you're an intentionally malicious user, but we have two issues here that aren't covered by that, the first is an opportunity for a released employee, and the second is for a user to lower the overall security posture in the guise of tech support, not strictly malicious activity.

> > You say "your system" like user == owner- that's a home model, not a
> > business model.
>
> Agreed. Poor business decisions should not be blamed on vendors or
> concepts, though. It seems you have not had a look into the way WebEx
> works:

It seems you've only looked at the "meeting" feature, and not the "remote support" feature.

[snip]

> Well, if this is the only way, you see to fight illegitimate access,
> then so be it.

It's by no means the only way- however until product and protocol designers start taking security controls seriously, especially for disparate enterprise networks, then it'll certainly be one of the control mechanisms used (as evidenced by another poster in this thread.)

> > If you can't see the worries that draw firewallers to a trojan reference,
> > that doesn't instill a great deal of confidence in how you view security.
>
> Misnoming is not necessarily helpful. A trojan is, what the name says:
> A seemingly benign program carrying something different than
> advertised in its belly. WebEx does not really fall into this
> category.

Apples and oranges are alike because they are both fruit, claiming that they share no heritage is silly. Trojans in computer terms aren't necessarily benign seeming, Back Orifice or Sub7 without an innocuous injection method is still regarded as a trojan.

> Assuming the administrator still has enough access to activate the
> sharing, the NetSec dept. has a bigger problem than WebEx being
> installed. There is NO way to connect to a box with WebEx' client
> installed. The client connects outbound.

If you can't automate an outbound connection...

> VNC resides on the system, giving a POE. Are you blocking ssh inbound,
> too? I hope so, or an Administrator could, after being fired, connect

Absolutely- there's no way I'd allow a tunnel like SSH inbound- it'd be silly to complain about tunnels if I simply allowed them.
> I guess you're aware of the ability to change VNCs and PCAs ports,
> right?

Absolutely- I guess you're aware that not everyone runs packet filtering only firewalls in "let it all through" mode?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
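An added example, not from this thread and not from WebEx or any firewall product named in it, illustrating the distinction argued above: a packet filter or circuit-level relay only sees "TCP to port 80", while an application-level gateway can look at the opening bytes of the stream and decide whether it is actually HTTP. The sample payloads are constructed; as the thread notes, an "http" verdict still says nothing about what the HTTP body carries.

```python
"""Application-level inspection of port 80 client streams (illustrative)."""
from typing import Tuple

# HTTP/1.x request lines begin with a method token followed by a space.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def classify_port80_stream(first_bytes: bytes) -> str:
    """Return 'http', 'tls' or 'unknown' for the first bytes a client sent.

    A packet filter cannot make this distinction at all; this is the
    extra information an application-level gateway gets to act on.
    """
    if first_bytes.startswith(HTTP_METHODS) and b" HTTP/1." in first_bytes[:256]:
        # Well-formed request line: METHOD SP target SP HTTP/1.x
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0X, then a
    # 2-byte length and a ClientHello handshake type (0x01).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"


def policy_decision(first_bytes: bytes) -> Tuple[str, str]:
    """Relay only streams that look like HTTP; drop everything else.

    Note the limit the thread points out: a stream classified as 'http'
    may still carry a remote-control session inside ordinary requests,
    so this check narrows the channel but does not vet its content.
    """
    kind = classify_port80_stream(first_bytes)
    return (kind, "relay") if kind == "http" else (kind, "drop")


# Constructed sample streams (not captured traffic).
SAMPLES = {
    "plain_get": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "tls_on_80": bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01]) + b"\x00" * 10,
    "custom_binary": b"\x00\x01\x02MYPROTO\x00",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, policy_decision(payload))
```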
