On 20 Dec 2001, at 13:58, Barak Engel wrote:

> I do want to address another comment about WebEx being a trojan
> (you knew I would :-). Basically, this is like saying that any
> sharing feature is like a trojan. WebEx isn't any worse - and is
> indeed better in some senses - than a host of programs, such as PCA
> and VNC which have been mentioned in this thread. I would argue
> that calling it a trojan is stretching the imagination somewhat -
> after all, WebEx cannot be installed on your system without your
> approval, nor can it be triggered without you asking for it, nor
> will it open any backdoors of any sort for somebody to abuse, and
> the online support feature only works in specific, well-defined
> circumstances. I just can't understand the reference to a trojan
> (unless you refer to the "webex trojan", a well known trojan that
> has been out there even before Webex became a company - I think it's
> currently in version 1.4). Webex is a meeting client, and most users
> won't ever use the support feature, since it is not the main purpose
> of the product.

I think WebEx's assumption is that anyone with physical access to the machine has authorization to permit arbitrary connections between it and other networks. This is probably a pretty reasonable assumption in the "home user" space. But in a corporate environment of network security boundaries and trusted computing bases, that falls apart.

If the corporate network configuration allows internal machines to connect to port 80 of external servers, this is almost certainly intended to permit browsing of the web as an information source for knowledge workers, not as a back door to permit users to invite outsiders onto the trusted network without troubling those overworked folks in Network Security who always seem to be finding ways to stop the users from putting the company's systems and data at unnecessary risk.

Webex *can* be installed and enabled on "my" network without "my" approval, because it assumes that any user on my network can give that approval. About the only tool it leaves me, if local policy says users don't have that authority, is to make an exception to the "allow port 80" configuration to block users from connecting to WebEx's servers. (VNC and pcA, whatever their other issues, at least use distinguished ports that make it easy for my perimeter security configuration to directly reflect local policy.)

WebEx's design is convenient for users. I think the concern here, though, is that it conveniently lets them bypass some inconvenient corporate network policies without those responsible for enacting and monitoring compliance with those policies ever knowing they've been bypassed. It's convenient for users, but it makes the lives of responsible admins scarier and more complicated.

David Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
