Posted by Mike Dorn on September 24, 2006, 1:39 am
Has anybody seen a comprehensive list of addresses used by the various
"services" that allow unauthorized users to remote into their work computers
from home, bypassing corporate security? These things work by making an
outbound connection from the target PC to a fixed external site. The user then
contacts the external site from their home PC or traveling laptop, and the site
uses the previously-opened connection to create a remote session for them. It's
not caught by normal firewall config, because the outbound ssl connection
appears to be legal.
I'm sure this is a valuable tool for some folks, but it breaks security policy
by allowing unauthorized remote access, so my client wants the ability to shut
it down. (They have a secure VPN solution for those with legitimate need; these
rogue connections are being used by folks without authorization.) Because of
the size and complexity of the business, it's really not practical to use a
"whitelist" approach to outbound connections. There are also several
mission-critical apps that depend on long-term connections, so limiting the
connection lifetime or access hours is out as well. It makes sense to me to
just block outbound connections to the specific IP addresses of these external
services, but that means I need to know where all of them are. I've got the
info for gotomypc.com and logmein.com, but there's at least half a dozen others
out there commonly in use, probably a lot more. Most of them provide no useful
tech information on their websites, as they're in the business of selling access
services to the users, not helping network admins enforce corporate policy.
Anybody dealt with this before, or know of a good resource?
Thanks!
Posted by Volker Birk on September 24, 2006, 2:34 am
> Has anybody seen a comprehensive list of addresses used by the various
> "services" that allow unauthorized users to remote into their work computers
> from home, bypassing corporate security? These things work by making an
> outbound connection from the target PC to a fixed external site. The user then
> contacts the external site from their home PC or traveling laptop, and the site
> uses the previously-opened connection to create a remote session for them. It's
> not caught by normal firewall config, because the outbound ssl connection
> appears to be legal.
http://www.agroman.net/corkscrew/
With such a tool, any site on the outside can be used.
I think, you have a social problem, not a technical one. Try to detect
open sockets or reconnecting sockets after working time and talk to the
people who are installing such things.
Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.
Rudolf Polzer in de.comp.security.misc
Posted by Mike Dorn on September 24, 2006, 4:53 am
Volker Birk wrote:
>
>>Has anybody seen a comprehensive list of addresses used by the various
>>"services" that allow unauthorized users to remote into their work computers
>>from home, bypassing corporate security? These things work by making an
>>outbound connection from the target PC to a fixed external site. The user then
>>contacts the external site from their home PC or traveling laptop, and the site
>>uses the previously-opened connection to create a remote session for them. It's
>>not caught by normal firewall config, because the outbound ssl connection
>>appears to be legal.
>
>
> http://www.agroman.net/corkscrew/
>
> With such a tool, any site on the outside can be used.
Obviously, but this is more of a tool for the serious "hacker" type. We're more
worried about commercial sites that just sell a "click here to use" service, as
any dummy can install them without knowing how it works or investing any serious
effort to set it up.
>
> I think, you have a social problem, not a technical one. Try to detect
> open sockets or reconnecting sockets after working time and talk to the
> people who are installing such things.
>
> Yours,
> VB.
Aren't all admin problems really social problems? Unfortunately, with hundreds
of users spread through multiple sites and a complex 7x24 operation, we can't just
look for open sockets during "non-working hours". What we can do, however, is
look for traffic to specific addresses, once they are known.
Posted by Moe Trin on September 24, 2006, 1:20 pm
On Sun, 24 Sep 2006, in the Usenet newsgroup comp.security.firewalls, in article
>Volker Birk wrote:
>>
>>> Has anybody seen a comprehensive list of addresses used by the various
>>> "services" that allow unauthorized users to remote into their work
>>> computers from home, bypassing corporate security?
Wrong concept - you don't "block", you "permit". Does the user have a
legitimate need to connect to LOCUS.GOV? Yes, then you poke a hole through
an otherwise complete block of everything. (You may find using a restrictive
proxy server a solution for some services.) You don't try individually
blocking all 2,357,975,546 IPv4 addresses that were allocated/assigned by
ICANN as of a week ago. You don't try to individually block the 74,791
network blocks that encompassed those addresses, any more than you'd
individually try to block people from entering your facility.
>>> It's not caught by normal firewall config, because the outbound ssl
>>> connection appears to be legal.
Is the outside immediate destination an "approved" site? Why was the
connection possible? Was the immediate interior destination (someone's
workstation probably) in need of such connection? Why exactly does the
user require an encrypted connection to somewhere? Or is the user using
the connection for other reasons? Has the connection existed for longer
than (example) bringing up a web page, or FTPing in a file?
>Obviously, but this is more of a tool for the serious "hacker" type.
>We're more worried about commercial sites that just sell a "click here
>to use" service, as any dummy can install them without knowing how it
>works or investing any serious effort to set it up.
Why does the user have the capability to install such software? Are you
still running MS-DOS 3.3/Windoze 3.1, with something like Trumpet Winsock
to get networking, or something similarly lacking in control?
>> I think, you have a social problem, not a technical one.
I can agree with this.
>> Try to detect open sockets or reconnecting sockets after working time
>> and talk to the people who are installing such things.
There shouldn't be open or reconnecting sockets, because the crap shouldn't
be allowed through the firewall in the first place. As for talking to the
users... before that occurs, there MUST BE _written_company_policy_ in
place prohibiting such activities, and _ALL_ employees aware of that policy.
It is not the network administrator's job to create or enforce that policy.
>Aren't all admin problems really social problems?
Discuss this with the Powers That Be(tm), and then know that the resulting
policy has been officially signed off by those powers. That includes them
running the policies past the company legal advisors who would have to
defend any resulting legal actions a dismissed employee may try to bring.
>Unfortunately, with hundreds of users spread thru multiple sites and a
>complex 7x24 operation, we can't just look for open sockets during
>"non-working hours".
Oh, poor baby. I can't post from work because of an NDA, but I've got
roughly 1700 users on site here, and the company has over 100,000 world
wide. With proper policy in place AND ENFORCED, and with a 'white-list'
firewall that _allows_ access to sites, rather than trying to block
individual sites/addresses/address-ranges, it's relatively easy.
>What we can do, however, is look for traffic to specific addresses, once
>they are known.
Why do you like looking for needles, when access to the haystack should not
be permitted in the first place?
Old guy
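The two detection ideas raised in this thread, Volker Birk's "open or reconnecting sockets" and Moe Trin's "has the connection existed for longer than bringing up a web page", can be turned into a log-review pass that also follows the permit-based approach: destinations on an approved list are ignored, everything else is judged on session duration and reconnect behaviour. The following is an added example, not code posted by anyone in the thread. The connection-close log format, the allowlist, and all addresses (RFC 5737 documentation ranges) are constructed for illustration; a real firewall or NetFlow export would need its own parser in place of parse_log.

```python
"""Flag outbound TLS sessions that look like rogue remote-access relays.

Two heuristics are applied to connections whose destination is NOT on the
approved outbound list:
  1. long-lived: a single session open longer than LONG_SESSION
  2. reconnecting: the same internal host re-opening a session to the same
     external address RECONNECT_COUNT times within RECONNECT_WINDOW
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a firewall connection-close log (not real data).
# Fields: close timestamp, internal source, external destination, dport,
# session duration in seconds. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2006-09-23T08:00:12 10.1.4.22 198.51.100.10 443 37
2006-09-23T08:03:40 10.1.4.22 198.51.100.10 443 12
2006-09-23T22:15:00 10.1.4.57 203.0.113.8 443 50400
2006-09-23T23:01:10 10.1.4.57 203.0.113.8 443 14
2006-09-23T23:02:15 10.1.4.57 203.0.113.8 443 9
2006-09-23T23:03:20 10.1.4.57 203.0.113.8 443 11
2006-09-23T09:30:00 10.1.9.3 192.0.2.44 443 86400
2006-09-23T17:00:00 10.1.2.9 198.51.100.20 443 41
"""

# Assumed approved destinations (e.g. the corporate VPN concentrator and a
# business partner). Traffic to these is permitted and never flagged, which
# is the "permit, don't block" model: the allowlist, not a blocklist of
# relay services, decides what is exempt from scrutiny.
ALLOWLIST = {"198.51.100.10", "192.0.2.44"}

LONG_SESSION = timedelta(hours=1)        # far longer than a page load or file fetch
RECONNECT_WINDOW = timedelta(minutes=10)  # window in which repeated sessions count
RECONNECT_COUNT = 3                       # sessions within the window to flag


def parse_log(text):
    """Parse the constructed log format into a list of session records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        closed_at, src, dst, dport, seconds = line.split()
        end = datetime.fromisoformat(closed_at)
        duration = timedelta(seconds=int(seconds))
        records.append({
            "start": end - duration,
            "end": end,
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "duration": duration,
        })
    return records


def find_suspects(records, allowlist=ALLOWLIST):
    """Return (kind, src, dst, detail) tuples for sessions worth a conversation."""
    findings = []
    by_pair = defaultdict(list)

    for r in records:
        if r["dst"] in allowlist:
            continue  # approved destination: permitted, not inspected further
        # Heuristic 1: one session held open far longer than ordinary web use.
        if r["duration"] >= LONG_SESSION:
            findings.append(("long-lived", r["src"], r["dst"],
                             f"open {r['duration']} from {r['start'].isoformat()}"))
        by_pair[(r["src"], r["dst"])].append(r["start"])

    # Heuristic 2: the same host repeatedly re-opening a session to the same
    # external address, the "reconnecting socket" pattern of a relay client
    # that re-establishes its outbound channel whenever it drops.
    for (src, dst), starts in by_pair.items():
        starts.sort()
        for i in range(len(starts) - RECONNECT_COUNT + 1):
            if starts[i + RECONNECT_COUNT - 1] - starts[i] <= RECONNECT_WINDOW:
                findings.append(("reconnecting", src, dst,
                                 f"{RECONNECT_COUNT} sessions within {RECONNECT_WINDOW}"
                                 f" starting {starts[i].isoformat()}"))
                break  # one report per host/destination pair is enough
    return findings


if __name__ == "__main__":
    for kind, src, dst, detail in find_suspects(parse_log(SAMPLE_LOG)):
        print(f"{kind:12} {src} -> {dst}: {detail}")
```

In the constructed sample the 24-hour session from 10.1.9.3 is never reported because its destination is approved, while 10.1.4.57 is reported twice: once for a 14-hour session to 203.0.113.8 and once for three reconnects to the same address within about two minutes. That second pattern is what turns a one-off anomaly into something worth raising with the user under whatever written policy the company has in place.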
Posted by Volker Birk on September 25, 2006, 3:02 am
> >> Try to detect open sockets or reconnecting sockets after working time
> >> and talk to the people who are installing such things.
> There shouldn't be open or reconnecting sockets, because the crap shouldn't
> be allowed through the firewall in the first place.
If you can prevent it in a sensible way. You seem to see "whitelisting
the web" as a sensible provision, while I don't think that this is a
good idea.
> As for talking to the
> users... before that occurs, there MUST BE _written_company_policy_ in
> place prohibiting such activities, and _ALL_ employees aware of that policy.
I agree.
> It is not the network administrator's job to create or enforce that policy.
That depends on policy ;-)
Yours,
VB.
--
Far worse than the implementation of PHP, however, is its design.
Rudolf Polzer in de.comp.security.misc