What are the dangers of Web-based remote access systems?

BROWSE BY TAG Identity Management and Access Control,   NAC and Endpoint Security Management,   Enterprise Network Security,   Secure Remote Access,   Expert Archive: Identity Management and Access Control,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Secure Remote Access Endpoint protection best practices manual: Combating issues, problems Best Mobile Data Security Products Perimeter defense in the era of the perimeterless network Securing the intranet with remote access VPN security What security software should be installed on Internet café computers? Information security book excerpts and reviews Diverse mobile devices changing security paradigm Cisco warns of security appliance flaws How to configure NAP for Windows Server 2008 Can home PCs provide a way for viruses and spyware to enter a corporate LAN? Expert Archive: Identity Management and Access Control Enterprise password management policy: Finding the balance How to conduct a periodic user access review for account privileges Options for a mechanical door security system on a server room door Comparing access control mechanisms and identity management techniques User provisioning and SSO for PeopleSoft- and Unix-based products Could someone place a rootkit on an internal network through a router? Should a new user have to confirm an email address to gain access? Can home PCs provide a way for viruses and spyware to enter a corporate LAN? What should an enterprise look for in a password token and a vendor? Using batch files for temporary user access to the local admin group

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary authentication  (SearchSecurity.com) RADIUS  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The fundamental issue with both of these remote access systems is that as Web-based services, they have the potential to expose your internal corporate network on the Web. Now, that may be a bit of a simplification, since both products come with a number of security controls, like SSL logins, data encryption capabilities and multiple layers of firewalls and gateways. However, they're still basically Web applications running as Web services, featuring of all of a Web service's security vulnerabilities.

Both products provide a hassle-free Web-based login to a remote host, all without the overhead of hardware or software required for VPNs or products like pcAnywhere. Users can then access their office desktop from any Web browser.

Both Citrix's GoToMyPC and the free LogMeIn require you first to register online at their site and to do so from your host computer. After that, both services will require the download of some software (LogMeIn uses an applet). If the host is your office computer, so you can use the services to work from home, this downloading of external software on your desktop might make your IT security department nervous.

For GoToMyPC, users enter the email associated with the account and two passwords. They then pick the registered host and have to enter another password and the computer's unique access code. The code is stored on the computer and is never transmitted or stored on Citrix servers.

LogMeIn also requires a user ID and password, plus a one-time password that it generates. It supports RSA SecurID for true two-factor authentication.

One difference between LogMeIn and GoToMyPC is how they route traffic between the host and the remote computers. GoToMyPC directs traffic through centralized servers, preventing a direct connection between the two computers. LogMeIn, on the other hand, authenticates through its own servers in a peer-to-peer type connection, providing each computer with an encryption key valid only for that session.

This peer-to-peer connection might worry your company's IT department. GoToMyPC offers a service to corporate customers, both large and small, that includes a Web-based centralized management console for setting up security and access to particular machines and users.

But, as you correctly note, both systems are similar, and without inside knowledge of your security procedures or IT architecture, it's difficult to provide a more precise answer.

For more information: