Blocking unauthorized remote access

Giganews Newsgroups
Subject: Blocking unauthorized remote access
Posted by:  Mike Dorn (mrdo…@visi.com)
Date: Sun, 24 Sep 2006

Has anybody seen a comprehensive list of addresses used by the various
"services" that allow unauthorized users to remote into their work computers
from home, bypassing corporate security?  These things work by making an
outbound connection from the target PC to a fixed external site.  The user then
contacts the external site from their home PC or traveling laptop, and the site
uses the previously-opened connection to create a remote session for them.  It's
not caught by normal firewall config, because the outbound SSL connection
appears to be legal.

I'm sure this is a valuable tool for some folks, but it breaks security policy
by allowing unauthorized remote access, so my client wants the ability to shut
it down.  (They have a secure VPN solution for those with legitimate need; these
rogue connections are being used by folks without authorization.)  Because of
the size and complexity of the business, it's really not practical to use a
"whitelist" approach to outbound connections.  There are also several
mission-critical apps that depend on long-term connections, so limiting the
connection lifetime or access hours is out as well.  It makes sense to me to
just block outbound connections to the specific IP addresses of these external
services, but that means I need to know where all of them are.  I've got the
info for gotomypc.com and logmein.com, but there are at least half a dozen others
out there commonly in use, probably a lot more.  Most of them provide no useful
tech information on their websites, as they're in the business of selling access
services to the users, not helping network admins enforce corporate policy.
Anybody dealt with this before, or know of a good resource?

Thanks!
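
An added example, not part of the original post: because the target PC must first look up the external service before opening its outbound connection, internal DNS query logs can show which machines are using such a service even when the service's IP addresses are not known. The log format, sample lines and function names below are constructed assumptions; the only service domains used are the two named in the post.

```python
from collections import defaultdict

# Domains named in the post; extend as other services are identified.
BROKER_DOMAINS = {"gotomypc.com", "logmein.com"}

# Constructed sample DNS query log (assumed format):
# timestamp, client IP, record type, queried name.
SAMPLE_LOG = """\
2006-09-24T09:01:12 10.1.4.23 A poll.gotomypc.com.
2006-09-24T09:01:15 10.1.7.80 A www.example.org
2006-09-24T09:02:40 10.1.4.23 A POLL.GoToMyPC.com
2006-09-24T09:03:05 10.1.9.14 A secure.logmein.com
2006-09-24T09:03:30 10.1.7.80 A notlogmein.com
2006-09-24T09:04:00 10.1.7.80 A logmein.com.example.org
malformed line
"""

def matches_broker(name, domains=BROKER_DOMAINS):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    labels = name.strip().rstrip(".").lower().split(".")
    # Compare whole labels so "notlogmein.com" does not match "logmein.com",
    # and a listed name used as a prefix of another domain does not match either.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def find_broker_clients(log_text, domains=BROKER_DOMAINS):
    """Map each internal client IP to the set of listed domains it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _rtype, name = fields
        domain = matches_broker(name, domains)
        if domain:
            hits[client].add(domain)
    return dict(hits)

if __name__ == "__main__":
    for client, found in sorted(find_broker_clients(SAMPLE_LOG).items()):
        print(client, ", ".join(sorted(found)))
```

The same suffix match can feed a DNS or proxy block rule, which keeps working when a service changes or adds IP addresses.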

Replies