I had an interesting incident with this a few years back. If you start up pcAnywhere as a client, without specifying a host, it will scan the Class C block you're on (*) for pcAnywhere-enabled hosts.
* - Unless they've since fixed it, it doesn't look at the net mask, it just blindly assumes that everyone is on a Class C subnet. Clueless. Now what happened was that one of our employees was connected to our office VPN from home, and fired up pcAnywhere to talk to a server he was working on. pcA took his home IP address, "deduced" the Class C block, and proceeded to port scan the block. Now, because he was connected to our VPN, the scan requests travelled via the VPN to our office network, and tried to go out to the Internet via our NATting firewall.... So IF we had allowed outgoing pcA, potentially about 250 hosts, probably belonging to customers of the ISP he used, would have seen OUR OFFICE FIREWALL port-scanning them to see if they'd accept pcA connections. Any of them might have reported this to our ISP as an attack or hack attempt. My recommendation is that if you allow pcA outbound, you allow it ONLY to specific hosts. David Gillett > -----Original Message----- > From: Chris Berry [mailto:[EMAIL PROTECTED]] > Sent: January 28, 2003 13:33 > To: [EMAIL PROTECTED] > Subject: Re: pcAnywhere...Outbound Only. > > > >From: "tony toni" <[EMAIL PROTECTED]> > >We have a rule on our firewall that allows all employees to > use pcAnywhere > >to connect to a host OUTSIDE of our network. It is in one > >direction...that is from inside our network to an outside > host and not vise > >versa. Our firewall administrator, came to me and asks me > if I had any > >security issues with this. He does not want the hassle of > maintaining a > >list of employees that can do this. > >I do not see any glaring problems doing this....what do you think? > > As long as you are using a VPN this should be ok from a > security point of > view. If you're not using a VPN, try and get them to set > both ends to at > least symmetric encryption, preferably PKI, in the PC > Anywhere settings. > You wouldn't want those login passwords transmitted in the > clear would you? > > >From a management point of view, just realize that people > could use this to > violate your company policies by taking control of their home > computer and > going to denied websites, playing video games, etc. > > Other than that, should be fine. > > Chris Berry > [EMAIL PROTECTED] > Systems Administrator > JM Associates > > "For Sys Admins paranoia isn't a mental health problem, its a > marketable job > skill." > > _________________________________________________________________ > Tired of spam? Get advanced junk mail protection with MSN 8. > http://join.msn.com/?page=features/junkmail >
