Hi,

Well, I am afraid I can't answer all your questions, but I have a little experience of setting up PC Anywhere for remote support, so for what it's worth here is what I know, and I hope some of this is useful to you.

I have had PC Anywhere running over a VPN connection quite happily. I don't know the details of the VPN we use where I work, as that side of things is handled by the telecomms people and I am new to the IT security team. However, I have set up laptops for remote support running PC Anywhere before; these laptops needed to connect to a PC or server on the network so that IT staff could support them out of hours. I set the VPN software up as normal and telecomms just set up a standard account for the user. When I installed PC Anywhere I set it up to use a network connection, not a modem connection. Once the VPN connection is established the user has access to all their normal network resources as if they were on the network. Therefore PC Anywhere works fine using a network connection, and it is just as if the user was sitting at the machine at work. The laptops I set up were connecting over a modem using the VPN with PC Anywhere running on top, and none of the users complained that performance was unacceptable. The advantage here is that you get to use the VPN's security for the communications link, which should be better than that provided by PC Anywhere.

As far as PC Anywhere itself goes, I would try and use the latest version, 10.5 I believe. In 10.5, and maybe 10, you can create a custom installation package for both the host and remote machines. When you do this you can use serialization. By giving both the host and remote PC Anywhere packages the same serial number you allow them to connect to each other. However, any other PC Anywhere packages that try to connect to your host machine will also need to have this serial number or they won't be allowed to connect.

I am not 100% sure how PC Anywhere's encryption works, but if you don't have any better encryption on the communication link then definitely use it. I would suggest public key encryption if you can use it, as I believe when using symmetric encryption PC Anywhere passes the session keys in the clear.
This could allow an attacker to record and later decrypt the session. However, it really depends on how much security you think you need, and using the symmetric encryption might be a reasonable risk to take. By the way, don't use PC Anywhere encryption; Symantec themselves acknowledge that it is very weak and shouldn't be used unless absolutely necessary.

You definitely want to use some form of authentication at the host end to authenticate the remote, even if you are using a VPN or serialization. I would suggest that something like NDS or NT authentication would be best. PC Anywhere's own authentication is not difficult to break if you have the right tools. Remember the need for encryption, as if there isn't any these logon credentials are going to be passed in the clear. Even if you use something like NT authentication, which normally uses challenge response, the logon and password are passed in the clear to the host. It is at the host that the normal challenge response process takes place.

I would ensure you have some form of logging on the host machine. I use PC Anywhere's own logging features and they seem pretty good. This will allow you to see if attackers are trying to break into your host machine. I am afraid that if they manage it you won't be able to trust the logs anymore, as they will likely be deleted or altered. Again, it depends on how much security you need, but you could always consider other forms of logging that aren't as easy to compromise.

What kind of access does the user need to the machine? If it isn't administrative access then make sure that the logon they use with the machine doesn't have it. I have set up local NT accounts before on machines people were connecting to and used NT policy to limit what they could run.

If you are using the remote machine over some form of DSL/Broadband link without a VPN then I guess some form of firewall on the remote machine is going to be important.
I don't know too much about them yet, so other people on the list could give you better info on these. As well as a firewall, the remote and host are going to need up to date anti-virus software.

Finally, I would look at giving the user a set of written guidelines explaining how the link is to be used and such things as using the personal firewall and keeping anti-virus up to date on the remote machine. That way there can be no misunderstandings :).

Well, I hope some of that short essay is useful, seems I knew more than I thought :).

Regards
Alan

> ----- Message from [EMAIL PROTECTED] on Mon, 22 Jul 2002 16:34:46 -0400 -----
> To: [EMAIL PROTECTED]
> Subject: PCanywhere: security of it and operation over DSL/cable modems
>
> We have a workstation at the office that needs to allow a user remote
> access for running software on the workstation. I don't think a VPN will
> work because the user MUST run the software on this machine, as if he was
> seated at it. I'm looking at gotomypc.com and pcanywhere. I don't feel
> comfortable using gotomypc.com as this is proprietary company information
> and I don't trust someone else having the access information for the
> workstation that has the info on it.
>
> My questions are as follows:
> 1. Has anyone got experience with the security of PCanywhere running over
> a DSL/cable modem connection? What should I watch out for? From what I
> understand, I can use HTTPS as one of the options for the connection.
> Anyone know the encryption level? Are all parts of the transactions
> secured with encryption?
>
> 2. How does the software work if it's over a broadband connection? My
> internal IPs aren't valid for routing. How does the software know a
> connection is being initiated?
>
> 3. Any better solutions come to mind? I'd rather have a PITA setup
> that's secure than a simple one that's not.
>
> 4. What security measures should I implement on the user's PC to make sure
> that it's secure as well? I won't have physical access to it but for the
> initial setup.
>
> I'll be interested in seeing if this gets posted at all due to the recent
> acquisition of securityfocus by Symantec. Can't bite the hand that feeds
> you, I guess.
>
> Many thanks for any help. Long time reader (well, several months at
> least), first time poster.