April 7th, 2005, 11:59 AM
Anyone have any experience of this product?
Some of our suppliers are trying to insist that we allow them to use Webex to provide support for their applications.
We don't like the idea of this software allowing the suppliers access to our network through our firewalls. The program uses standard internet protocols and ports. The suppliers are telling us that the link has to be initiated from our end and we can watch what they do. The product information from Webex themselves is aimed at the support provider rather than the supported customer and boasts of going through most firewalls seamlessly (we don't like that bit) and that THEY can initiate the link into our network (we really don't like that).
Webex themselves act as an intermediary between us and the support providers (we don't like that much either).
Are we being overly suspicious of the webex products or does it have security issues we should be concerned with?
April 7th, 2005, 01:19 PM
I have a contractor using it at one of the domains I act as ISP for. The first time I saw the Snort alert I went ballistic
I know which machine it is being used from and when the contact occurs. It's really no different from allowing the contractor to sit at the box since the connection needs to be made from the eventual host first, they can't just drill in from the outside.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
April 8th, 2005, 01:45 AM
I have to attend WebExes all the time...
Let's put it this way, the companies that I've been in WebEx with are worth billions, and they won't purchase a piece of software without auditing the company providing it. I work for a really small supplier for one of those companies and it was basically forced on us.
I wish I had known when this program was going to kick off, if the company that sells webex was publicly traded, I would have made a significant investment...
But then, I've only dealt with the Meeting software, so that presentations can be shown while on teleconferences...
I didn't realize that they also have a PcAnywhere-esque application as well, called MyWebEx PC. Though I can't say anything about that specifically, if it is anything like the WebEx stuff I've dealt with, when you kill the program, the link is dead.
So, I don't know what application of theirs you're using, but I'm pretty sure that WebEx isn't the people that you should mistrust...
If your suppliers cause you that much worry, perhaps you should find someone else...
The owl of Minerva spreads its wings only with the falling of dusk. -Hegel
April 14th, 2005, 11:03 AM
We try to make most of our application suppliers use our RAS to carry out remote access for support. With it we can control when they are able to enter the network and we have knowledge of when they will be in.
Webex would take away the control Infosec have on when a supplier enters. The clients (users or departments) would be able to initiate a remote session without having to inform Infosec or even IT.
My manager has blocked Webex.com at the moment to try to stop any unauthorised accesses.
Is this the correct domain from which the Webex client would be downloaded?
Simply blocking/unblocking the correct domain would probably give us enough control. It would force the users to inform us of when they wanted to initiate a session and we could unblock for a specified time, much in the way the RAS works.
April 14th, 2005, 02:10 PM
Since it is software based and you are concerned with them initiating a session, you can simply have the program/service be stopped on the machines that they would try to connect to. With the software turned off on your end, they will have no way to connect to those machines. When you need them to connect to those machines, you can just start the software back up.
If you have not already, I would bring your concerns to the company that wants remote access. Don't be afraid to tell them you are paranoid about security (since you are responsible).
April 14th, 2005, 07:51 PM
It doesn't even run software on the local machine other than when you authorize the remote control.
I use webex all of the time to let our main software vendor debug extremely large memory dumps. It is much quicker to have them webex and use windbg than to try and ftp a 4 gig memory file.
Usually they send me an email that has the webex meeting information. You then go to the server that they want to control and connect to the meeting using Internet Explorer. Once you have logged into the meeting you have to specifically give them access to the console. There is no way that this can be initiated from the outside because you cannot pass port80 traffic through most firewalls to internal machines that are not web servers. If you can, then you have some serious firewall issues.
You might want to try the product out and evaluate your concerns before you get too worked up over it. Marketing literature is not the proper source of data to use to confirm the security merits of a product.
You also have to take into consideration what type of DCA and ND agreements you have with the vendor in question. I would never let a vendor that I don't have a DCA or ND with look at any of my data regardless of what kind of support I needed from them.
April 15th, 2005, 11:53 AM
I get what you're saying. The more I'm learning about Webex the less worrying it appears.
The issues I've got with it now are not really related to network security rather it is the ability of Webex to remove myself from the loop.
At the moment remote access through the RAS has to be authorised by myself; Infrastructure will create an account for the RAS which is activated (for a set time) by formal requests to the helpdesk. This gives us an audit trail of who is coming in, who authorised it, what they are doing and when they were cut off. I pick a few at random each week and check the helpdesk have up to date records that match the RAS logs.
Webex gives the user (and if I don't trust suppliers I really don't trust users) a way to circumvent the audit trail. As you point out, they can be emailed, download the application, and then the support provider can come in and do what needs to be done. We don't want that to happen without a proper request for access (just like the RAS) and the establishment of an audit trail.
Also as you mention I'm not aware of any DCA agreement with the supplier and it's something I'd need to ask about.
Do you know what domain the Webex emails (for starting a session) are from? If I can be sure, I can block that domain to stop the application downloading and control access through the web filter, which may be an acceptable compromise. We've got Webex.com blocked at the moment but I'm not sure if that is the correct or only domain where the download can be located.
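The weekly spot-check described in the post above (comparing RAS logins against the helpdesk records that authorised them) is the kind of reconciliation that is easy to automate. The following is an added example, not code from the original thread or from WebEx; the RAS log format, the helpdesk record layout, the account names and the IP addresses are all constructed assumptions for illustration. It pairs LOGIN/LOGOUT lines into sessions, looks for a helpdesk authorisation whose activation window covers the login, and flags sessions that have no authorisation at all, that ran past the window the helpdesk opened, or that never logged out.

```python
"""Reconcile RAS session logs against helpdesk remote-access authorisations.

Added example, not from the original thread. Assumed (hypothetical) formats:
  RAS log line:   2005-04-12 09:02:11 LOGIN user=acme_support src=203.0.113.7
                  2005-04-12 11:40:05 LOGOUT user=acme_support
  Helpdesk row:   (ticket, supplier account, authorised_by, window start, window end)
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample data for the example; not real log output.
RAS_LOG = """\
2005-04-12 09:02:11 LOGIN user=acme_support src=203.0.113.7
2005-04-12 11:40:05 LOGOUT user=acme_support
2005-04-13 14:15:00 LOGIN user=globex_dba src=198.51.100.23
2005-04-13 19:05:42 LOGOUT user=globex_dba
2005-04-14 08:30:00 LOGIN user=initech_eng src=192.0.2.44
2005-04-14 09:10:00 LOGOUT user=initech_eng
"""

HELPDESK = [
    ("HD-1041", "acme_support", "infosec", "2005-04-12 09:00", "2005-04-12 12:00"),
    ("HD-1052", "globex_dba", "infosec", "2005-04-13 14:00", "2005-04-13 17:00"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>LOGIN|LOGOUT) "
    r"user=(?P<user>\S+)(?: src=(?P<src>\S+))?$"
)


@dataclass
class Session:
    user: str
    src: Optional[str]
    login: datetime
    logout: Optional[datetime]  # None when no LOGOUT was seen


@dataclass
class Authorisation:
    ticket: str
    account: str
    authorised_by: str
    start: datetime
    end: datetime


@dataclass
class Finding:
    user: str
    login: datetime
    status: str  # OK, NO_AUTHORISATION, OVERRAN_WINDOW or STILL_OPEN
    ticket: Optional[str] = None
    overrun_minutes: int = 0


def parse_ras_log(text: str) -> list:
    """Pair LOGIN/LOGOUT lines per account into sessions; skip unrelated lines."""
    sessions, open_by_user = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["event"] == "LOGIN":
            s = Session(m["user"], m["src"], ts, None)
            sessions.append(s)
            open_by_user[m["user"]] = s
        else:
            s = open_by_user.pop(m["user"], None)
            if s is not None:  # a LOGOUT with no LOGIN is ignored here
                s.logout = ts
    return sessions


def load_authorisations(rows) -> list:
    fmt = "%Y-%m-%d %H:%M"
    return [Authorisation(t, acct, who, datetime.strptime(a, fmt), datetime.strptime(b, fmt))
            for t, acct, who, a, b in rows]


def reconcile(sessions, auths) -> list:
    """One Finding per session: was it authorised, and did it stay inside its window?"""
    findings = []
    for s in sessions:
        covering = [a for a in auths if a.account == s.user and a.start <= s.login <= a.end]
        if not covering:
            findings.append(Finding(s.user, s.login, "NO_AUTHORISATION"))
            continue
        a = max(covering, key=lambda x: x.end)  # most generous window covering the login
        if s.logout is None:
            findings.append(Finding(s.user, s.login, "STILL_OPEN", a.ticket))
        elif s.logout > a.end:
            over = int((s.logout - a.end).total_seconds() // 60)
            findings.append(Finding(s.user, s.login, "OVERRAN_WINDOW", a.ticket, over))
        else:
            findings.append(Finding(s.user, s.login, "OK", a.ticket))
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_ras_log(RAS_LOG), load_authorisations(HELPDESK)):
        extra = f" (+{f.overrun_minutes} min)" if f.overrun_minutes else ""
        print(f"{f.login:%Y-%m-%d %H:%M} {f.user:14} {f.status:16} {f.ticket or '-'}{extra}")
```

Run against the constructed data, the acme_support session matches ticket HD-1041 and is reported OK, the globex_dba session is authorised but overran its 17:00 cut-off by 125 minutes, and the initech_eng login has no helpdesk record behind it at all. Which of the last two is worse depends on the site, but both are exactly the cases the random weekly check is meant to catch, and running the comparison over the whole log rather than a sample removes the chance that an unauthorised session is simply never picked.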