7

Our IT department uses TeamViewer to provide support to users at remote locations. More recently we've noticed that users are using TeamViewer to get support for their lab equipment from vendors.

Though I support the idea, it does bug me a little bit that someone could either accidentally or maliciously leave a session open, even though they're not a local administrator, and thus create a hole in the firewall. In other words, this seems like a major security issue to me.

So my question is how do other organizations handle these types of tunneling applications (e.g. TeamViewer, WebEx, GoToMeeting, and TOR)? And does anyone have suggestions as to how one can regulate/govern these applications and still continue to use them for proper scenarios?

SilverViper

1 Answer

4

The most common solution I see is to have the firewalls at each location set up to only allow the tunnel to connect to specified endpoints. This means it can still be used for the purposes intended, but can't be used to access other locations.

A pre-requisite is that you maintain centralised control over firewalls and endpoints, so there is no way to avoid access control.

Rory Alsop
  • I agree that your answer would work with most software. However, we use a firewall solution which doesn't allow easy on-the-fly ACL adjustments. Second problem is that the tunneling software mentioned tunnels over HTTP, which makes it even more difficult to limit connectivity to certain endpoints; the firewall doesn't have any notable proxy capability. – SilverViper Oct 06 '11 at 00:08
  • I know it's unclean but place a physical firewall that is only for the tunnel server that *can* allow ACL adjustments? Shouldn't matter if it's HTTP or what then, can just restrict the IPs the tunnel server is allowed to connect to. Make sure it supports firewalling IPv6 too (some just pass-through). – Matthew1471 Jan 19 '17 at 13:29
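
The endpoint allowlist described in the answer, with the IPv6 caveat from the last comment, can be checked against connection logs. This is an added example, not code from any poster on this page; the host names, address ranges (documentation ranges) and the `host dst port` record format are all assumptions.

```python
import ipaddress

# Hypothetical approved tunnel endpoints (constructed, documentation ranges).
APPROVED_ENDPOINTS = [
    ipaddress.ip_network("198.51.100.0/28"),
    ipaddress.ip_network("2001:db8:10::/64"),
]
# Hypothetical hosts that are permitted to run the remote-support tool.
TUNNEL_HOSTS = {"lab-ws-01", "lab-ws-02"}

def normalise(addr):
    """Parse an address; treat IPv4-mapped IPv6 as the IPv4 address it carries."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_approved(dst):
    """True if dst falls inside an approved network of the same IP version."""
    ip = normalise(dst)
    return any(ip.version == net.version and ip in net
               for net in APPROVED_ENDPOINTS)

def audit(flows):
    """Return (host, dst, port) for tunnel-host flows outside the allowlist."""
    violations = []
    for line in flows:
        host, dst, port = line.split()
        if host in TUNNEL_HOSTS and not is_approved(dst):
            violations.append((host, dst, int(port)))
    return violations

# Constructed sample flow records in the assumed "host dst dst_port" format.
SAMPLE_FLOWS = [
    "lab-ws-01 198.51.100.4 443",         # approved IPv4 endpoint
    "lab-ws-01 203.0.113.77 443",         # IPv4 outside the allowlist
    "lab-ws-02 2001:db8:10::25 443",      # approved IPv6 endpoint
    "lab-ws-02 2001:db8:ffff::1 443",     # IPv6 outside the allowlist
    "lab-ws-02 ::ffff:198.51.100.9 443",  # IPv4-mapped form of an approved IPv4
    "office-pc-07 203.0.113.77 443",      # not a tunnel host, out of scope here
]

if __name__ == "__main__":
    for host, dst, port in audit(SAMPLE_FLOWS):
        print(f"unapproved tunnel destination: {host} -> {dst}:{port}")
```
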