What are the dangers of Web-based remote access systems?

What are the dangers of Web-based remote access systems?

Do you know why LogMeIn might be considered a security risk? Could GoToMyPC, which is very similar to LogMeIn, be considered less risky because it's a Citrix system?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The fundamental issue with both of these remote access systems is that as Web-based services, they have the potential to expose your internal corporate network on the Web. Now, that may be a bit of a simplification, since both products come with a number of security controls, like SSL logins, data encryption capabilities and multiple layers of firewalls and gateways. However, they're still basically Web applications running as Web services, featuring of all of a Web service's security vulnerabilities.

Both products provide a hassle-free Web-based login to a remote host, all without the overhead of hardware or software required for VPNs or products like pcAnywhere. Users can then access their office desktop from any Web browser.

Both Citrix's GoToMyPC and the free LogMeIn require you first to register online at their site and to do so from your host computer. After that, both services will require the download of some software (LogMeIn uses an applet). If the host is your office computer, so you can use the services to work from home, this downloading of external software on your desktop might make your IT security department nervous.

For GoToMyPC, users enter the email associated with the account and two passwords. They then pick the registered host and have to enter another password and the computer's unique access code. The code is stored on the computer and is never transmitted or stored on Citrix servers.

LogMeIn also requires a user ID and password, plus a one-time password that it generates. It supports RSA SecurID for true two-factor authentication.

One difference between LogMeIn and GoToMyPC is how they route traffic between the host and the remote computers. GoToMyPC directs traffic through centralized servers, preventing a direct connection between the two computers. LogMeIn, on the other hand, authenticates through its own servers in a peer-to-peer type connection, providing each computer with an encryption key valid only for that session.

This peer-to-peer connection might worry your company's IT department. GoToMyPC offers a service to corporate customers, both large and small, that includes a Web-based centralized management console for setting up security and access to particular machines and users.

But, as you correctly note, both systems are similar, and without inside knowledge of your security procedures or IT architecture, it's difficult to provide a more precise answer.

For more information:

  • In this SearchSecurity.com Q&A, security expert Joel Dubin discusses whether or not remote access tools have negative effects.
  • Learn the potential risks involved with providing remote access to a third-party service provider.

    • This was first published in October 2007