LogMeIn is not a viable VPN alternative

Posted: August 13, 2008 in Posts, Rethink Remote Access

Saw a recent post on Download.com about LogMeIn, a web-based remote access utility that the author claims “makes an excellent case for ditching the VPN entirely.”

Truly, LogMeIn is not really a VPN… it’s a (fancy) remote desktop by the looks of it. It’d never fly with customers who require security, as it requires a third party to be involved. A convenience solution, surely, but not “network” connectivity.

If you have an SSL VPN gateway (with a remote desktop component, or screen-scraping capabilities like AEP has [translating the remote desktop app into a browser-capable app; very neat technology]), you can do the same thing without the middleman! You can basically do the same with Remote Desktop directly if you know how to configure your router correctly. We wouldn’t like to use a solution like this, as one is entrusting others with access to our machine ‘at home’ or wherever. It’s an ‘outsourced’ screen-scraping solution by the looks of it.

“Essentially, I was using my work computer through a secure, encrypted connection, but without any of the obnoxious failures and hassles that come with running a VPN that affects my entire system,” writes Seth.

This argument is weak. From an administrator’s or security officer’s standpoint this would NOT be a good idea, as the “hassles” referred to there are security policies!

You can even see it being used to circumvent security policies, as one of the responses says: “I’ve been using LogMeIn for a year or so now. I’m a student at a high school with a lot of blocked proxies, so I connect to my computer at home through log me in and surf away.”

Convenient? Certainly. But not a viable alternative to a VPN.

Comments
  1. […] A while back we wrote a post about LogMeIn—a web-based remote access utility, which has been claimed to be sufficient enough to replace VPN […]

  2. javi says:

    Thanks for this. Any specifics as to why we should not use this over VPN? It is my understanding that on a corporate network you need to first have local admin rights to install logmein. Once installed, when connecting remotely, the user would need to authenticate to the network when connected to the computer. And if the computer is locked they would need to unlock it.
    Also all traffic is captured using the internal proxy and firewalls. So what I am getting at here is, why is this not secure? Is it because it's using a 3rd party as a middle man (logmein)?
    Thanks I am just trying to understand the specifics.

  3. VPN Install says:

    I really liked your work, VPN Haus

  4. Alejandro says:

    Someone sitting in America, Canada or United Kingdom cannot realize what it means to use internet without all the blessings like Facebook, Twitter, Flickr, and YouTube etc. But it was my fate, till I discovered this amazing VPN service called Astrill. Now I can bypass all international IP restrictions and finally I feel like a free man.
    I advise all my Chinese friends to use Astrill, the best use of your 19$, for 90 days of clarity.
    http://www.astrill.com/

  5. Larry V. says:

    One thing to keep in mind with VPN, a VPN connection exposes the corporate network to the remote network. So all of the security weaknesses or malicious software on the remote/home network are invited into the corporate network. With remote control tools like LogMeIn (or brokered RDP), it is a mostly one way transaction. While file transferring options are available – these features are sandboxed into the software itself and likely tested for security risks.

    Once you have a virtual LAN cable out of the corporate network, the possible ways that the corporate network could be compromised grow exponentially.

    While many of you might be great network admins at home, most corporate users (and most of the top level people who get to use remote access) have very insecure networks at home and value convenience over security.

    While this, like many areas of IT, can be debated, an audited, controllable solution like LogMeIn has more check points that can be easily reviewed than a VPN solution. So in some ways it is more secure. This is similar to the SaaS vs. in-house Apps debate.

    • VPN Haus says:

      Thanks for your comment, Larry – we really appreciate your perspective. There are a few things that we think should be taken into consideration when using applications like LogMeIn. First of all, these applications have the same security issues as SSL VPN. Secondly, the applications run inside a Web browser, so all the security vulnerabilities of that Web browser can potentially impact the security of the connection. Unfortunately, this is often overlooked or forgotten. Plus, users can access the remote server from any third party computer or terminal, which then could be used by non-privileged users if the session is not terminated properly. A particular concern in the case of LogMeIn is that all communication is transacted via a third party LogMeIn Gateway system. As we know, with SSL it is surprisingly easy to hijack sessions and intercept and decrypt SSL traffic.

      A common myth about Layer 3 VPNs is that they are exposing the corporate network in an uncontrolled way. However, this isn’t the case if this is implemented correctly, as for example with the NCP Secure Enterprise VPN solution* that combines the IPsec tunnel with a managed client device firewall and managed endpoint protection component that ensures proper security control on the edge of the network. As NCP demonstrates, there are secure and robust VPN solutions available that surpass the security and functionality of SSL VPN solutions, such as LogMeIn.

      Thanks again for your comment, Larry. We’re looking forward to hearing from you again.

      *NCP engineering manages this blog.

      • Will G says:

        My experience with VPN clients is that they are installed on computers that, once they are out of the corporate environment, can be accessed or used by others, and laptops can be “misplaced”.
        Once you are on the desktop of said laptop you can easily connect using the VPN and as pointed out above – your network is exposed. I like the double authentication of the LogMeIn Business account that allows me to give small clients a secure remote connection that is tied to their business email. I give them access only to the system they need access to instead of exposing the whole network. Sure the network can be accessed once they have logged on using their Windows username & password. But they have to know that first – through LogMeIn Central you can disable one click authentication – So it is double authentication.
        When management tells me to remove someone’s remote access – I can do it quickly through LogMeIn Central.
        Anytime I can avoid creating a rule that allows outside traffic from accessing the network, I think that is a good thing.
        Installing, setting up a VPN client when computer is not on LAN – a pain.
        Cost of higher end firewalls, VPN clients and Vendor lock in and upgrades vs LogMeIn – no competition.

      • Sr says:

        To the uneducated, logmein looks more secure. I do miss the days where professionals who went to college for their education used to be valued.

        Logmein looks very attractive to the Admins out of crash courses. Because it requires a lot less effort on their part. Everything that log me in does can be implemented in an SSL VPN with the same convenience with the right SSL VPN solution (Read Juniper). Same effort required on the user end. The admin will have to spend more time configuring the SSL VPN and less time installing logmein on each desktop. If the admin is more browser-addicted, of course he/she will prefer logmein.

        What's more is that a properly implemented SSL VPN can even tie down the access to a single application and allow nothing more, which is infinitely more secure and convenient.

        It’s amusing to see someone pitching in that multiple logins on logmein makes it more secure. That's laughable at best. So, first you pitch in logmein as convenience and then throw in the multiple logins as a security measure. With SSL VPN you can configure only one login to launch the RDP.

        One place the logmein excels for remote desktop area only is when there are MACs in the mix. They are notoriously unbehaved machines as far as good networks are considered. SSL VPN is slightly involved on these due to the fact that MACs have bad remote connectivity and bad interoperability with the Windows machines.

      • Larry V. says:

        Sr,

        Not sure what education has to do with it but for what it is worth I went to the best High School in the world (Bronx Science) and a top University as well (NYU) and I find LogMeIn attractive. I will tell you why. Because from a business standpoint there is a cost to deliver a certain functionality to an employee. This could be email or “Remote Access to Data”. This cost is significantly increased if in order to deliver the functionality a team of highly-trained, highly-paid experts is needed on staff by the company. So while yes, custom IPSec setups on Enterprise Class Cisco gear is theoretically more secure – security is not the entire budget for delivering this functionality. Support and ease of use are equally important. So while a remote access tool like LogMeIn or GoToMyPC might be less secure in lab conditions, the security is to the level where a business person reviewing its total cost of ownership can be comfortable they can move onto the other parts of the equation like support costs and ease of use.

        In the end these SaaS services are a much lower cost to support, evolve much faster than internal custom IPSec setups and can be more flexible in an increasingly mobile world (ever try to set up an IPSec VPN on an iPad?)

        All that being said, IPSec has its place in the Enterprise with million dollar IT budgets, but for the other 95% of companies out there – they need simpler solutions that are ‘secure enough’.

        So I guess my point is that for companies of less than 1000 employees, IPSec and similar VPN technologies are not a good fit for their budget.

        -Larry

  6. vpn gratuit says:

    I must thank you for the efforts you have put in writing this site.
    I am hoping to view the same high-grade blog posts by you in the future as well.

    In fact, your creative writing abilities have motivated me to get my very own site now
    😉
