
Security and PCAnywhere using TCPIP

Discussion in 'Networking (Hardware & Software)' started by greg12, 2003/07/08.

Thread Status:
Not open for further replies.
  1. 2003/07/08
    greg12

    I plan to use PCAnywhere v10.5 for remote access from home, to connect to and remotely control a Win98 PC in an office. The office has a small network with a DSL internet connection. The DSL modem connects to a Linksys router. The router provides a firewall and Network Address Translation is set up in the office behind the router. I set up port forwarding from the router to the PCAnywhere host PC. I have tested the connection from my home (remote) PC, which is also behind a router and a Cable Modem. The PCAnywhere remote connection from my home PC to the office PC (host) works fine.

    My question is about security. I have read elsewhere that the only secure way to use the internet for remote access is with a VPN connection. However, the setup and testing for several home based remote client PCs to support VPN is time consuming. I am using the security features of PCAnywhere, which requires knowledge of the account name and password to connect to the host PC. PCAnywhere's native encryption is also set up.

    The Port Forwarding at the router is using the default PCAnywhere ports, ports 5631 (TCP) and 5632 (UDP). Only these ports are forwarded by the router, and only to the host PC's private IP address.

    I need to know what risk is involved using PCAnywhere across the internet without a VPN. Is it possible for someone hacking or sniffing to find the host PC and gain access to the host PC, using the two open ports? Or worse, access to other PCs or the Netware server in the office? The Netware 5.1 server requires NDS login for access, but it is possible that someone in the office may log in to the host PC and leave it running while logged into the server. Short of a VPN, is there anything else that should be set up to provide better security? Should I be running a product like ZoneAlarm on the host PC?

    Any feedback or advice is appreciated, thanks.
     
  2. 2003/07/08
    Newt

    The only other thing I'd recommend is to not only run a firewall but to make sure it is a "stateful" one. Those examine packets in to the ports you have open to see if the packets seem appropriate. Not foolproof by any means but if you are pushing encrypted PCAW packets thru a port and a hacker tries to sneak other stuff thru, it should be noticed and either blocked or a warning given.

    Granted - not hack proof by any means but about the only thing you can reasonably do is make it more effort than the gain would be worth. Take it as a given that if you have systems connected to the internet and if a hacker with enough expertise wants in badly enough, he will manage to get in.

    By the same token, having locks on your windows & doors plus a good alarm system at your house will keep out most would-be burglars but if an expert really wants in, he will get in and you'll never know it.

    So it boils down to how much money and effort you want to put into protection.
     

  4. 2003/07/11
    sandymccarthy

    I am not much of an expert when it comes to port forwarding but I am in a similar situation with my network. I have used PC Anywhere in the past to remote access PCs on my Novell Network but it was via ISDN using a dial up server. Now that I have a (nearly) 24/7 128K ISDN Router connection with static IP, I could access PCs via the web. The firewall I use is a software version called Smoothwall which I highly recommend. It does not, however, recommend forwarding ports to PCs in the green, protected zone.

    If your router supports it, you could specify the source port of your DSL connection (if you have a static IP), or the pool range and allow only these to forward to the workstation.

    Any other comments about PC Anywhere security??
     
  5. 2003/07/11
    greg12

    Hi Sandy,

    In addition to posting my security questions here, I also sent in the same questions to tech support at Symantec, regarding PCAnywhere, and more specifically, the potential risk of opening its default ports (port 5631 and port 5632) to the internet. The response I received is:

    "The only way that anyone could hack in on these ports, is if you have applications waiting on these specific ports they can attach to. As for pcAnywhere, they would need a remote, and would need to know your password. If you are still concerned, then you can set the firewall in most cases, to only allow specific IP addresses, or ranges through the firewall on these ports."

    Your question is essentially the same as the last suggestion from Symantec, to only allow a specified IP address to enter the office LAN through the firewall (via port forwarding). I have a Linksys BEFSX41 router at the office location. I am not sure if this router supports that kind of filtering, but when I am next in the office I will check.

    I also ran across a suggestion that a software router product called WinRoute has good support for PCAnywhere. WinRoute apparently does support the specification of certain outside IP addresses with permission to contact the host computer, see http://www.kerio.co.uk/manual/wrp/en/152.htm.

    In addition to the very specific port forwarding at the router, I think the other standard security from PCAnywhere needs to be in place, including the loginID and password, encryption, port cloaking, and rebooting the host PC when the PCAnywhere session terminates.
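
The source-address restriction suggested in this thread, sketched as an added example; it is not part of any post and is not Symantec's, Linksys's or Kerio's code. It decides forward or drop per protocol, port and source address for the two forwarded ports, then flags log entries that reached those ports from outside the allowlist. The addresses (documentation ranges), the key=value log format and the function names are constructed for illustration.

```python
import ipaddress

# Forwarded ports named in the thread: 5631 (TCP) and 5632 (UDP).
FORWARDS = {("tcp", 5631), ("udp", 5632)}

# Constructed allowlist (RFC 5737 documentation ranges): one static home
# address and one ISP pool range. Replace with the real remote addresses.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.25/32"),
    ipaddress.ip_network("198.51.100.0/28"),
]

def decide(proto, dst_port, src_ip):
    """Return 'forward' or 'drop' for one inbound packet at the router."""
    if (proto.lower(), dst_port) not in FORWARDS:
        return "drop"            # not a forwarded service at all
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in ALLOWED_SOURCES):
        return "forward"
    return "drop"                # right port, wrong source

def audit(log_lines):
    """Return (src, proto, port) for attempts on the forwarded ports that
    came from sources outside the allowlist; those are worth reviewing."""
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            proto, port, src = fields["PROTO"], int(fields["DPT"]), fields["SRC"]
            ipaddress.ip_address(src)
        except (KeyError, ValueError):
            continue             # skip malformed lines
        if (proto.lower(), port) in FORWARDS and decide(proto, port, src) == "drop":
            hits.append((src, proto.lower(), port))
    return hits

# Constructed sample log lines; not taken from a real router.
SAMPLE_LOG = [
    "2003-07-11T09:02:11 SRC=203.0.113.25 PROTO=TCP DPT=5631",
    "2003-07-11T09:05:40 SRC=192.0.2.77 PROTO=TCP DPT=5631",
    "2003-07-11T09:05:41 SRC=192.0.2.77 PROTO=UDP DPT=5632",
    "2003-07-11T09:07:03 SRC=198.51.100.9 PROTO=UDP DPT=5632",
    "2003-07-11T09:09:15 SRC=192.0.2.77 PROTO=TCP DPT=139",
    "garbage line",
]

if __name__ == "__main__":
    for src, proto, port in audit(SAMPLE_LOG):
        print(f"review: {src} -> {proto}/{port}")
```

The rule is keyed on protocol as well as port, so an allowlisted source sending UDP to 5631 is still dropped.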
     