[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] gotomypc blocking
 Date:  Tue, 15 Feb 2005 09:42:32 -0500
On Mon, 14 Feb 2005 19:36:46 -0800, Jeffrey Goldberg
<jeffrey at goldmark dot org> wrote:
>   Both controlled and controlling computers receive all communications
> through an
>   outgoing TCP connection using protocols and ports that can
> transparently transit
>   almost all firewalls.
>   No firewall changes are required, and you do not have to bypass or
> compromise your
>   corporate or branch office firewall.
> It looks like they are "marketing" to end users who would install this
> on their work machines to ask like a VPN to a particular machine.
> So here are a few of my questions for the m0n0 crowd.
> (1) Is this thing as evil as it looks?

That was my first thought when I first saw it.  Sounds like a good way
to bypass corporate security measures.  Citrix bought them though, and
having a trustworthy name behind it made me somewhat change my opinion
of it.  (whether rightfully or not. ;)  Still seems like a good way
for unauthorized users to bypass corporate security measures though.

Some of my clients are using it for remote access.  They love it.  I
haven't really dug into the technical details, but it requires no open
ports from the internet, and all runs over HTTPS I believe.  Basically
the agent on your machine keeps a connection to their system so when
you log into their website you can log into your PC.

> (3) How could one control such a thing?

Not very easily.  Blocking HTTPS, if that indeed is what it uses, is
one way, but probably not feasible for most.  Lock down machines so
users can't install things, but again difficult in many environments. 
Block access to the entire gotomypc.com domain, and any others it
uses, if it relies upon DNS.  Audit what is installed on your machines
using some sort of automated asset management system.

Not really a good answer...  but I don't think there is one.