Blocking unauthorized remote access

Has anybody seen a comprehensive list of addresses used by the various "services" that allow unauthorized users to remote into their work computers from home, bypassing corporate security? These things work by making an outbound connection from the target PC to a fixed external site. The user then contacts the external site from their home PC or traveling laptop, and the site uses the previously-opened connection to create a remote session for them. It's not caught by normal firewall config, because the outbound SSL connection appears to be legal.

I'm sure this is a valuable tool for some folks, but it breaks security policy by allowing unauthorized remote access, so my client wants the ability to shut it down. (They have a secure VPN solution for those with legitimate need; these rogue connections are being used by folks without authorization.) Because of the size and complexity of the business, it's really not practical to use a "whitelist" approach to outbound connections. There are also several mission-critical apps that depend on long-term connections, so limiting the connection lifetime or access hours is out as well. It makes sense to me to just block outbound connections to the specific IP addresses of these external services, but that means I need to know where all of them are. I've got the info for gotomypc.com and logmein.com, but there's at least half a dozen others out there commonly in use, probably a lot more. Most of them provide no useful tech information on their websites, as they're in the business of selling access services to the users, not helping network admins enforce corporate policy. Anybody dealt with this before, or know of a good resource?

Thanks!

Reply to
Mike Dorn

With such a tool, any site on the outside can be used.

I think you have a social problem, not a technical one. Try to detect open sockets or reconnecting sockets after working time and talk to the people who are installing such things.

Yours, VB.

Reply to
Volker Birk

What about a whitelist approach to execution of applications?

Reply to
Sebastian Gottschalk

Obviously, but this is more of a tool for the serious "hacker" type. We're more worried about commercial sites that just sell a "click here to use" service, as any dummy can install them without knowing how it works or investing any serious effort to set it up.

Aren't all admin problems really social problems? Unfortunately, with hundreds of users spread through multiple sites and a complex 7x24 operation, we can't just look for open sockets during "non-working hours". What we can do, however, is look for traffic to specific addresses, once they are known.

Reply to
Mike Dorn

The problem with that is that it could be hacked. All someone would have to do is to hack into administrator level access for whatever software you were using for the whitelist, and add their application to the whitelist. And this may not defend against services that only require you to use a web browser to connect outbound to the service. All one would have to do is point their web browser, on their work PC, to the right address before they leave at night; then they log onto the service from the other end, and tunnel into their work PCs that way. No extra software needed.

Reply to
chilly8

If people cannot access, they don't make money. That is why they are not ABOUT to provide admins with any information to help them shut the services down. That would be akin to letting the fox guard the chicken coop, as it were. When I was at Anonymous Antarctic Media, before I went off and formed my own online media company, I was head of a staff of engineers whose job it was to design countermeasures for every measure that admins might take to block the service. I am sure that GoToMyPC, LogMeIn, and others probably have similar staffs of engineers whose job it is to design countermeasures for every measure admins take to block their service. Nothing personal, but it's a matter of the bottom line. If people cannot connect, the company does not make any money. For some services, there are companies with whole ARMIES of engineers whose job it is to design countermeasures for every attempt made to block the companies' content. I know that all the song swapping services, in their heyday, hired engineers whose job it was to make it difficult, if not impossible, for firewalls to 100 percent block their services, and they were wildly successful at that. Kazaa and Grokster, in their heyday, were about as close to being a sysadmin's worst nightmare as you could get.

Reply to
chilly8

Blah. This argument could be applied to anything, and doesn't improve any discussion. If you assume that whatever you try has to fail miserably, then there's obviously no solution. Reasonable assumptions require just conceptual security and leave the rest to the KISS principle.

And even when a privilege escalation vulnerability exists, it might be way harder to exploit when nothing but predefined applications can run. Ever tried to get binary code to run with an MS Office macro without LoadLibrary()? And do you know what? Protecting the systems against privilege escalation is exactly one of the tasks of an administrator.

And there's your next problem: WTF would someone let the computers run after work, with users still logged in and not automatically logged out after a certain period of time?

Reply to
Sebastian Gottschalk

Blocking one specific tunnel end-point is trivial.

FUD

Reply to
Sebastian Gottschalk

It's really simple to block/stop - the first rule of security is ONLY ALLOW ACCESS TO REQUIRED SITES. That means if you allow outbound HTTP/HTTPS access without any restrictions, then you are not going to be able to block it. If you only allow outbound access to approved sites, well, they can't really connect to one of those sites.

Reply to
Leythos

It's got a simple technical solution, and it works - did you fail to learn the first rule of security - no access unless it's needed. If you block all sites, except those with a business requirement, then you don't have any problems and don't have to worry about people using things like you suggest.

There is more to the world than your little area.

Reply to
Leythos

Wrong, they can't hack a white-list, they would have to have direct access to the firewall to do that.

And why would you white-list any site that might be able to allow that to work. If you actually think about what should be permitted, there are very few sites that are needed by users in most businesses.

Reply to
Leythos

Again, you're a fool - by default, nothing is reachable, nothing is accessible, only approved sites are permitted. This means that nothing you do will work to allow remote unauthorized users access to their systems - NOTHING WORKS.

You are a fool - nothing you do can work on a properly secured network. Your only hope is that security administrators don't really have a clue and leave gaping holes for you.

Reply to
Leythos

I bet this is the same idiot (him, not you) that claimed he had engineers making an app that would allow people to watch the Olympics in real-time from work and there was nothing that admins could do to block it.

Reply to
Leythos

I believe that he is a total eclipse of figure-skating.

Reply to
Anders

Hmm.. I believe I already mentioned in my original post that a whitelist approach was not really an option. It doesn't match the company's internet needs, and would not be supported by their management. (I don't get paid to build to ivory-tower ideals, only to meet the clients real-world needs.)

The entire concept of "approved sites" is pretty meaningless today for most businesses in the real world. (Just out of curiosity--anybody here actually attempting that? In what kind of business is it even practical?)

This particular company has a legitimate business interest in thousands of diverse sites & applications, the precise selection of which would be extremely difficult to pre-define, and which it is generally able to leave up to the discretion of its users. Beyond that, it is not interested in heavily curtailing most benign additional use of the internet by its employees, within reasonable limits. (Porn, terrorism, illegal activities, etc.) Websense is generally able to strike that reasonable balance for http (80) traffic, and will draw our attention to anyone operating out-of-bounds.

What we have here is one specific type of application that needs an additional measure of control. It's easy to block all traffic to a particular list of IP addresses using an ACL on the firewall. All I asked for here, is whether or not anybody already had such a list handy. "Sorry, I don't know" is a perfectly legitimate answer.

Reply to
Mike Dorn

Wrong concept - you don't "block", you "permit". Does the user have a legitimate need to connect to LOCUS.GOV? Yes, then you poke a hole through an otherwise complete block of everything. (You may find using a restrictive proxy server a solution for some services.) You don't try individually blocking all 2,357,975,546 IPv4 addresses that were allocated/assigned by ICANN as of a week ago. You don't try to individually block the 74,791 network blocks that encompassed those addresses, any more than you'd individually try to block people from entering your facility.

Is the outside immediate destination an "approved" site? Why was the connection possible? Was the immediate interior destination (someone's workstation probably) in need of such connection? Why exactly does the user require an encrypted connection to somewhere? Or is the user using the connection for other reasons? Has the connection existed for longer than (example) bringing up a web page, or FTPing in a file?

Why does the user have the capability to install such software? Are you still running MS-DOS 3.3/Windoze 3.1, with something like Trumpet Winsock to get networking, or something similarly lacking in control?

I can agree with this

There shouldn't be open or reconnecting sockets, because the crap shouldn't be allowed through the firewall in the first place. As for talking to the users... before that occurs, there MUST BE _written_company_policy_ in place prohibiting such activities, and _ALL_ employees aware of that policy. It is not the network administrator's job to create or enforce that policy.

Discuss this with the Powers That Be(tm), and then know that the resulting policy has been officially signed off by those powers. That includes them running the policies past the company legal advisors who would have to defend any resulting legal actions a dismissed employee may try to bring.

Oh, poor baby. I can't post from work because of an NDA, but I've got roughly 1700 users on site here, and the company has over 100,000 world wide. With proper policy in place AND ENFORCED, and with a 'white-list' firewall that _allows_ access to sites, rather than trying to block individual sites/addresses/address-ranges, it's relatively easy.

Why do you like looking for needles, when access to the haystack should not be permitted in the first place?

Old guy

Reply to
Moe Trin
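The three things the thread has asked for so far, as one added example that is not code from any poster: Volker's suggestion of looking for open or reconnecting sockets after working hours, Mike's plan to block a known list of endpoint addresses with a firewall ACL, and Moe Trin's questions about connection lifetime and destination. The script triages constructed connection-log records and turns a blocklist into Cisco-style ACL entries. The blocklist ranges, working hours, thresholds, log format and sample lines are all assumptions made for illustration; the addresses are documentation ranges, not the real endpoints of any remote-access service.

```python
"""Added example, not code from the thread: triage connection logs for the
reverse-connect pattern described in the original post, and turn an IP
blocklist into ACL entries. Everything below (blocklist ranges, working hours,
thresholds, log format, sample records) is constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical blocklist. The /25 sits inside the /24 on purpose, to show collapsing.
BLOCKLIST = [ipaddress.ip_network(c) for c in
             ("192.0.2.0/24", "192.0.2.128/25", "198.51.100.17/32")]

WORK_START, WORK_END = 7, 19       # assumed business hours (local time, 24h clock)
LONG_LIVED = timedelta(hours=2)    # assumed threshold for a "parked" session
RECONNECT_MIN = 3                  # same src->dst:port seen this often after hours

# Constructed sample records: start,duration_seconds,src,dst,dport
SAMPLE_LOG = """\
2006-03-01T09:12:00,45,10.1.1.5,203.0.113.9,443
2006-03-01T17:55:00,28800,10.1.1.7,192.0.2.44,443
2006-03-01T20:01:00,60,10.1.1.9,203.0.113.50,443
2006-03-01T22:10:00,60,10.1.1.9,203.0.113.50,443
2006-03-01T22:12:00,60,10.1.1.9,203.0.113.50,443
2006-03-01T23:00:00,120,10.1.1.8,203.0.113.80,443
"""


def parse_log(text):
    """Parse the CSV-style records above into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, seconds, src, dst, dport = line.split(",")
        records.append({
            "start": datetime.fromisoformat(start),
            "duration": timedelta(seconds=int(seconds)),
            "src": src,
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
        })
    return records


def blocklist_hit(ip):
    """Return the blocklist network that contains ip, or None."""
    for net in BLOCKLIST:
        if ip in net:
            return net
    return None


def after_hours(ts):
    return not WORK_START <= ts.hour < WORK_END


def find_suspects(records):
    """Map (src, dst, dport) -> sorted reasons the flow was flagged.

    Three signals: destination on the blocklist; a single session longer than
    LONG_LIVED (the outbound tunnel left open for later use); or the same
    src->dst:port reconnecting repeatedly after hours (a tunnel that keeps
    re-establishing itself)."""
    reasons = defaultdict(set)
    after_hours_count = defaultdict(int)
    for r in records:
        key = (r["src"], str(r["dst"]), r["dport"])
        if blocklist_hit(r["dst"]) is not None:
            reasons[key].add("blocklisted destination")
        if r["duration"] >= LONG_LIVED:
            reasons[key].add("long-lived session")
        if after_hours(r["start"]):
            after_hours_count[key] += 1
    for key, n in after_hours_count.items():
        if n >= RECONNECT_MIN:
            reasons[key].add("reconnecting after hours")
    return {k: sorted(v) for k, v in reasons.items()}


def acl_lines(blocklist, acl_id=101):
    """Cisco-style extended ACL entries denying traffic from anywhere to the
    blocklist. Overlapping ranges are collapsed first so the ACL stays minimal."""
    lines = []
    for net in ipaddress.collapse_addresses(blocklist):
        if net.prefixlen == net.max_prefixlen:
            lines.append(f"access-list {acl_id} deny ip any host {net.network_address}")
        else:
            lines.append(f"access-list {acl_id} deny ip any "
                         f"{net.network_address} {net.hostmask}")
    return lines


if __name__ == "__main__":
    for key, why in find_suspects(parse_log(SAMPLE_LOG)).items():
        print(key, "->", ", ".join(why))
    print("\n".join(acl_lines(BLOCKLIST)))
```

The ACL only ever catches endpoints you already know about, which is the limitation Mike's question is really about; the long-lived and reconnecting signals are there to surface the ones you don't. Because the mission-critical apps mentioned earlier also hold long sessions, their destinations would need to be excluded before the "long-lived session" signal is worth paging anyone about.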

Most businesses can work with "Approved" sites, but there are so many people in management that don't want to give up their MSN News or their stock trading, or their ElvisSightings.com access. In reality, most businesses don't need unlimited web access.

White lists are built based on a customers needs, we use them with every company, and we have multiple levels of filtering based on the user type/group/level. As an example, basic level employees don't even get internet access in most companies, medical claims people only get access to the claims partner websites, managers get a very locked down set of site definitions, even IT has restrictions.

The idea that you "Need" access is a myth, very few businesses "Need" unlimited web access, but few are willing to understand that.

Reply to
Leythos
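The per-group, default-deny allowlisting Leythos describes, and the restrictive proxy Moe Trin mentions, as an added configuration example that is not from any poster. The Squid `acl`/`http_access` directives are real; the group names, source subnets, file paths and the site lists those files would hold are assumptions for illustration.

```squid
# Added example (not from the thread): default-deny outbound web proxy with
# per-group allowlists. Subnets, group names and file paths are assumptions.
acl claims_staff src 10.20.0.0/16
acl managers     src 10.30.0.0/16
acl it_staff     src 10.40.0.0/24

# One destination list per group; each file holds one domain per line.
acl claims_sites dstdomain "/etc/squid/claims_partners.txt"
acl mgr_sites    dstdomain "/etc/squid/manager_sites.txt"
acl it_sites     dstdomain "/etc/squid/it_sites.txt"

acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# HTTPS goes through CONNECT, so it is restricted to 443 and, below, to the
# same allowlisted names as plain HTTP. This is the path the outbound
# "legal-looking" SSL tunnel from the original post would otherwise take.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow claims_staff claims_sites
http_access allow managers     mgr_sites
http_access allow it_staff     it_sites

# Anyone, and any destination, not matched above is refused.
http_access deny all
```

This only holds if the perimeter firewall permits outbound 80/443 from the proxy's address alone, so a workstation cannot simply bypass the proxy; it also does nothing for the users who, as Mike points out, are allowed a much wider range of destinations than a short list can express.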

It's not a matter of that, it's a matter of how much work IT is willing to do. It is far easier to slap WebSense, Cyblock, etc., etc., on the network, select the site categories they want to block and be done with it. These programs require far less work than setting up a whitelist.

Reply to
Charles Newman

While one requires more work, they do not result in the same level of protection nor the same level of access.

With most quality firewalls and a web-blocking service, I can eliminate IM, WebMail, use of Proxy services, and connections to most sites that would allow people to reach home/their computers. The problem is that people expect their work to provide them play time while at work, which is not ethical. Many businesses are moving to no-internet access except for those that have a real business need and then it's based on a white list.

It's not more work, as there are a limited number of sites for most businesses that they need to approve.

One of these days, Charles, you will understand how easy it is to protect a network, and not using the toys you know about.

Reply to
Leythos

IF I were building the ideal secure network from scratch, whose only goal was protection, without the need to work with or accommodate the business or its users, then this "whitelist" discussion would have some merit.... except that I already knew all that anyway--it just wasn't what I was asking about.

What I expect I'll end up doing is just what I started to do before contacting this group. I'll analyze the remote-access sites I'm able to find, and build the best blacklist I'm able to in the time available. This will take FAR less time than any attempt to query nearly a thousand established users to determine their real "needs" in order to build & maintain the whitelist you suggest. After all, we don't have unlimited resources--one network engineer and one network security admin, and we both have plenty of other responsibilities beyond this issue.

I keep forgetting, this is Usenet. People never answer the question you actually asked; they simply repeat the answers they've already got. I'll take that as a "Sorry, none of us have seen such a list," and move on.

Reply to
Mike Dorn
