Subscriber Discussion

Is It Safe To Allow Remote Access?

Josh Hendricks
Jan 28, 2017
Milestone Systems

I have been on many thousands of remote sessions over the last decade. For software support, remote desktop tools like TeamViewer are indispensable. But I also recognize the security risks customers accept when they allow vendors to access their systems remotely.

I have remoted into police department servers, but been denied access to shopping centers.

Do you consider it safe to allow attended remote access? Is there some qualification on whether you consider it safe? For example, I have been denied access specifically because the customer had customer billing information on the same network. While that presented a technical hurdle, I thought it was a responsible decision by the IT/network security team.

Some customers don't allow tools like TeamViewer but will provide VPN software and credentials. I think this is a good way to ensure you always know who could possibly remote into the network at any given time, but does not reduce the likelihood of infection or data exfiltration.

Garrett McWilliams
Jan 30, 2017

No.  Unless it's via a VPN.

Josh Hendricks
Jan 30, 2017
Milestone Systems

If you would not allow remote access via applications like TeamViewer, LogMeIn, Gotomeeting, etc, is there something about them that bothers you other than maybe not knowing specifically who might be inviting connections into the network and when (which is a big enough reason in itself to be sure)?

Josh Hendricks
Jan 30, 2017
Milestone Systems

This question came to mind when I saw the thread about the DC police "hack" here:

https://ipvm.com/forums/video-surveillance/topics/hackers-hit-d-c-police-closed-circuit-camera-network-city-officials-disclose

Seems likely to be a common malware infection which could have been the result of careless exposure to outside networks or infected systems/thumb drives/laptops used for service etc.

Garrett McWilliams
Jan 30, 2017

Teamviewer has been hacked several times, and those incidents have been publicized (google it).

Logmein is the best of the bunch (they have proactively reset passwords for accounts hacked on other services).

The Internet should be considered a hostile environment at this point. Anything cloud-based where there's an intermediary providing the service can be compromised, and occasionally does get compromised. It's our policy that the convenience of using these services is not worth the risk to our clients and our reputation. And I just don't want to have to deal with the fallout and cleanup. It's perfectly straightforward to VPN in to the site and remote desktop to a machine, and it removes the third party access risk. It doesn't eliminate all risk of course, but what I would consider a good bit of it.

Kevin Bennett
Feb 06, 2017

From a security perspective, I second the VPN only option for remote access. You can still use tools such as LogMeIn with a VPN and have the benefit of an added layer of security.

In order to be effective, though, the VPN option does require that the network owner restrict RDP and other such access to only be allowed through the VPN.
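The point above, that a VPN only helps if RDP is unreachable from anywhere else, is easy to check mechanically. The following is an added example, not code from the thread: it models inbound host-firewall rules (loosely after Windows Firewall fields) and flags any enabled Allow rule that opens 3389 to a source outside the VPN client pool. The pool 10.8.0.0/24 and the rule records are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed VPN client address pool; substitute the real pool in use.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
RDP_PORTS = {3389}


@dataclass
class InboundRule:
    """Minimal model of an inbound host-firewall rule (constructed)."""
    name: str
    protocol: str                 # "TCP" or "UDP"
    local_ports: set              # e.g. {3389}
    remote_addresses: List[str]   # CIDR strings, or "Any"
    action: str                   # "Allow" or "Block"
    enabled: bool = True


def exposes_rdp_outside_vpn(rule: InboundRule, vpn_pool=VPN_POOL) -> bool:
    """True when an enabled Allow rule opens an RDP port to any source
    that is not fully contained in the VPN client pool."""
    if not rule.enabled or rule.action != "Allow":
        return False
    if not (rule.local_ports & RDP_PORTS):
        return False
    for src in rule.remote_addresses:
        if src == "Any":
            return True
        net = ipaddress.ip_network(src, strict=False)
        # A different address family can never be inside the pool.
        if net.version != vpn_pool.version or not net.subnet_of(vpn_pool):
            return True
    return False


def audit(rules, vpn_pool=VPN_POOL):
    """Names of rules that let RDP bypass the VPN, sorted for stable output."""
    return sorted(r.name for r in rules if exposes_rdp_outside_vpn(r, vpn_pool))


# Constructed sample rule set: one default-style open rule, one scoped to
# the VPN, one that mixes a VPN subset with a LAN range, one disabled.
SAMPLE_RULES = [
    InboundRule("Remote Desktop - User Mode (TCP-In)", "TCP", {3389}, ["Any"], "Allow"),
    InboundRule("RDP from VPN only", "TCP", {3389}, ["10.8.0.0/24"], "Allow"),
    InboundRule("RDP from VPN subset and LAN", "TCP", {3389}, ["10.8.0.0/25", "192.168.1.0/24"], "Allow"),
    InboundRule("Old RDP rule (disabled)", "TCP", {3389}, ["Any"], "Allow", enabled=False),
    InboundRule("HTTPS", "TCP", {443}, ["Any"], "Allow"),
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print("RDP reachable outside VPN:", name)
```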

Undisclosed Manufacturer #1
Feb 06, 2017

Why not VPN first and then run RDP for its natural feel?

Jon Dillabaugh
Feb 06, 2017
Pro Focus LLC

I use Splashtop with two factor authentication. For the second layer, I use Google Authenticator. It is much less expensive than LMI and offers most of the features of the Central account that I used to purchase for 10 times the cost of my Splashtop Business account.

Josh Hendricks
Feb 06, 2017
Milestone Systems

First time I've heard of Splashtop. Looks like a good option and I appreciate Google Authenticator integration. Their pricing is interesting - $299/year for unlimited "on demand computers" and unlimited technicians etc. But our support model is closer to their SOS product which is $100/year per user. For us (I think) that would cost us almost double what we pay for TeamViewer.

Jon Dillabaugh
Feb 06, 2017
Pro Focus LLC

I'm almost embarrassed to admit I only pay $60/yr for Splashtop Business. I generally only need their installed, constant product. I don't have much need for on-demand services. I am not usually taking support calls for systems I didn't deploy. If I do manage to take on an existing system, I will install Splashtop ASAP.

Undisclosed Manufacturer #2
Feb 06, 2017

Hardening is really up to the end user/AE/Integrator relationship and deployment.

Over my career, I have been to Federal Reserve Banks where they will not allow IP based cameras outside of the building due to hacking concerns. That is spot on, as the FRB will send a picture to the FBI if someone stares (studies?) at the building too long.

I was also at a meeting at one of the world's largest airports where, during a meeting, the Consultant wanted to prove me wrong on an H.264 issue. OK, let's log in and take a look. The Consultant who designed the entire security CCTV system could not log in over and over again. As a joke, I suggested Admin/1234. Sure enough we got in.

Lesson learned: start with admin and passwords first! Too many people overlook this basic component.

Gert Molkens
Feb 08, 2017
IPVMU Certified

There are VPNs and VPNs. Not all VPNs are set up in a secure way and/or use (strong) encryption.

Knowing what you're doing looks like a good starting point, as UM2's post shows.

Undisclosed Integrator #3
Feb 08, 2017

Remote Access is just a necessary evil in today's technology driven world. I use remote applications several times daily without issue, some VPN, some Teamviewer or LogMeIn, it's usually what the customer prefers. As far as "safe remote access" I don't know if that truly exists. As soon as you plug that black box in the wall, you can bet someone is going to try and exploit it.

Undisclosed Integrator #4
Mar 20, 2017

With the use of remote access applications as mentioned above, what kind of disclosure agreement is signed by the end user and who is the authorized user at the customer site that is required to sign this? When accessing, what are the guidelines to notify the customer or end-user (server/workstation) that you are accessing? Aren't cloud access products (and integrator created VPNs) a form of surveillance (possibly illegal), with guidelines under the CSPCA (Computer Software Privacy Control Act) and other federal/state regulations?

With a customer provided VPN, this provides events, logs, and access by the customer and owner of the system/network, so I assume that this will assume consent. This may not be the case if you are accessing a client workstation or server connected to a live monitor in use. With a cloud/vpa (integrator created) based solution, it is possible that authorization came from someone with no competency to make this decision (facility managers, public safety). Also, the customer does not have audit logs of access and who accessed (is the member of your organization cleared through security checks?).

I am curious about legal methods other integrators/providers use as policy to eliminate potential legal implications.
