Client risk to corporate network?

CSharpner

Is what I'm asking the risk they think it is?

I've asked our network guys at my company to turn on outbound port
3389 to allow me to be a client from within the corporate network to
get to and remote control my home PC.

The request was denied because they're afraid that "that port is a
bulls eye for hackers and will create a serious security risk".

Our small IT team is somewhat new at this and I think they
misunderstood what I was asking. They're probably thinking I'm asking
for INBOUND port 3389 to be opened so people from the OUTSIDE can get
IN. I'm asking for the reverse: So I can get out... they block all
outbound ports except 80.

My understanding is that if they open an OUTBOUND port, so that I can
go out through 3389 to my home PC, that it does not increase risk from
outside. Obviously, opening port 3389 to the outside world would be
risky and I would not ask them to do that.

Is my understanding correct? I want to make sure I'm right before I
talk to them again about it. What is the risk of opening 3389 from
the inside out?

TIA
 
For an rdp connection to work, you need traffic through port 3389
in 2 directions. You send signals to your home PC, but the home PC
sends traffic to your corporate PC as well.
So I think that your IT department is doing the right thing.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---

 
Have you considered a VPN connection to your home PC? You
could accomplish the same thing with IPSec pass-thru.
 
But they only need to open an outbound port, not an inbound... yes
traffic comes back in, but no one can initiate a connection from the
outside. It's not the same as opening an inbound port, which would
definitely be a security risk.

For example, it's entirely possible to open outbound port 80 for
internal users to browse the web, but that does not expose port 80
from external, inbound traffic... in other words, someone from the
outside can't gain access to port 80.

If I'm incorrect, please correct me. This is just my understanding of
it and I don't claim to be an authority on this.
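
Added example, not part of any post in this thread: a small Python model of the connection tracking the post above describes, where an outbound rule lets replies come back in while an unsolicited inbound connection is still dropped. The addresses, class and function names are constructed for illustration, and the model assumes a stateful firewall that denies inbound traffic by default.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection

class StatefulFirewall:
    """Toy perimeter filter: outbound allow-list plus connection tracking."""

    def __init__(self, inside_prefix, allowed_outbound_ports):
        self.inside_prefix = inside_prefix            # e.g. "10." (assumed corporate range)
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.flows = set()                            # tracked (src, sport, dst, dport) tuples

    def _inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def filter(self, pkt):
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: a new connection must match the allow-list.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.flows:
                return "ACCEPT"
            if pkt.syn and pkt.dport in self.allowed_outbound_ports:
                self.flows.add(key)                   # remember the flow for its replies
                return "ACCEPT"
            return "DROP"
        # Inbound: accepted only as the reverse of a flow started from inside.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.flows else "DROP"

def demo():
    fw = StatefulFirewall("10.", {80, 3389})
    packets = [  # constructed sample traffic (documentation address ranges)
        Packet("10.0.0.5", 50000, "203.0.113.10", 3389, syn=True),  # work PC -> home RDP
        Packet("203.0.113.10", 3389, "10.0.0.5", 50000),            # home PC's reply
        Packet("198.51.100.7", 40000, "10.0.0.5", 3389, syn=True),  # outsider -> inside 3389
        Packet("203.0.113.10", 3389, "10.0.0.9", 50000, syn=True),  # home PC -> other host
        Packet("10.0.0.5", 50001, "203.0.113.10", 22, syn=True),    # outbound, port not allowed
    ]
    return [fw.filter(p) for p in packets]

if __name__ == "__main__":
    print(demo())
```

The model covers only which connections the filter admits; it says nothing about what is carried inside a session once it is allowed.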
 
Thanks. That's what I thought. So, is opening this any more
dangerous than opening outbound port 80 for web browsing?

Thanks for the response!
 
Yes. I already have VPN access but there are several problems with
this solution:

1. I'm not at home so I can't initiate the connection. While sitting
at my desk at work, I need to initiate a connection to my home
computer.
2. Our VPN is extremely flaky. It's rare to hold a connection for
more than 5 minutes, so even if I left it on when I left for work in
the morning, by the time I got to work, the connection would have
already been lost and I could not re-initiate it.
3. The VPN blocks my home PC from accessing the internet (other than
the VPN tunnel, of course), so there are lots of things I could not
do.
4. If I did #2 (left home PC connected to VPN), then all the
processes I have running at home that need an internet connection
would be hosed (I'm running the cancer research distributed program, I
have monitoring software running that checks the health of my web
sites, as well as services on that need to be accessed by other
users).

My only real option is to be able to initiate the connection from work to
home.
 