More thoughts on LogMeIn
Last week we posted in response to this Download.com article about LogMeIn - a remote access utility that the author claims could replace his VPN. We decided to pose the question to industry peers using LinkedIn's Q&A feature. We asked:
Anyone using LogMeIn for Windows and Mac? CNET writer Seth posted something on his experience with it, and it sounds intriguing.
Marcin Antkiewicz wrote:
Using LogMeIn, or any other remote access relay service, creates a few issues for us, the security folks. Such services extend the network perimeter to unknown locations and sneak unknown and untested software into the service portfolio. The important change is not just a minor administrative nuisance, but arbitrary changes to the risk profile.
From a user's perspective, LogMeIn is just an easy way to log in to their email; to me it means corporate secrets accessible in airports and coffee shops. In addition to exposing screens in strange places, such software might not conform to various security best practices with regard to privacy, implementation, and vendor security. Risk management issue again.
While those standards might be restrictive and arbitrary, circumventing controls is a bad idea. You should request easy remote control access instead, and IT Sec folks should be able to accommodate your request, as it's in their best interest.
Quite a few nasty break-ins happened due to bridged security domains (desktop compromised while running admin/root sessions in screen/vmware console/rdp). You do not want such an event to be traced to your machine while running rogue software...
Caveat - my experience is from the Security side of IT, and my answer assumes a user working for a large corporation with sizable IT. Small shops might easily afford use of software that could cause problems in big enterprises. I am _not_ trying to say using LogMeIn is inappropriate, only that it might be.
Adrian Vianna wrote:
LogMeIn is great! I actually use it for both work and pleasure. It's pretty secure, and if you need to handle computers in remote locations it will definitely beat the headaches of VPNs and all that.
It's a cool feature to have if you need access to a computer from the "Cloud".
Peter Gregory, CISA, CISSP wrote:
I have to agree with Marcin Antkiewicz. While such a product may be *convenient*, tools like GoToMyPC and LogMeIn are essentially covert channels that are difficult to control. The use of such products should be a violation of most organizations' security policy.
Functionally, these products are no different than an unauthorized dial-in modem or access point inside the enterprise network. Recall that many organizations spend considerable effort rooting out unauthorized modems and access points, and so we should be blocking and/or removing these tools. Organizations should do the best they can to block all such covert access.
Maury Blair, MCP wrote:
LogMeIn or GoToMyPC are great for small shops that don't have a dedicated IT staff and don't want to hire a consultant to implement a low cost VPN. The Achilles' heel of these services is that you are connecting to a PC under the assumption that 1) the PC is turned on (i.e. there were no power issues at the office, the cleaning lady didn't accidentally unplug the computer, etc.) and 2) the computer is functioning correctly. For true remote access you can deploy an affordable VPN for your small office for probably a lot less than you think. There are several easy to configure routers for small offices with built in VPN technology for under $200. I once deployed a site to site VPN for my dentist using a couple of Netgear FVS318 routers. At the time, each router came with one licensed copy of Netgear's VPN client for PCs. All in all, they spent about $1000 on the routers and my labor, and they were able to eliminate a costly leased line between the offices as well as gain remote access to their network from home.
Avoiding VPN altogether
Pros: Cheap, no IT consultant necessary to set up and configure, easy to use.
Cons: Does not account for power outages or malfunctions on the host PC.
Anthony Maughan wrote:
While I think overall LogMeIn is a rather insecure solution, once again ease of use trumps heavy security. The company I'm currently with offers a two-factor solution for LogMeIn (mentioned previously) using your cell phone. It adds a modicum of safety for remote login vulnerabilities, but doesn't resolve the "viewing remote computer" issue. Traditional VPNs like Cisco, Juniper and such typically use stronger encryption than SSL, which is what you get from LogMeIn. They also allow for some better auditing tools, etc. UltraVNC OneClick is an interesting free solution that has some of the same functionality, but it is not quite as easy to set up or use.
Eric Humphries wrote:
LogMeIn also has the added bonus of allowing two-factor authentication and notifications when someone successfully logs into your account. Now this is all well and good for remote access to a PC or network, but if you have existing infrastructure that needs access to the network, these solutions will not work. You'll never avoid VPNs altogether if you're doing any type of automated processes.