Symantec Security Assessment: The Bomgar Box



Bomgar Security Architecture


3. Communications Encryption

The architecture of the Bomgar application environment relies on the Bomgar Box™ application as a centralized routing point for all communications between application components. All Bomgar Box™ sessions between representatives and remote customers occur through the server components that run on the Bomgar Box™ appliance. Data transmitted during these sessions includes customer screen data sent back to the representative and, in some cases, commands from the representative that result in remote control of the customer's workstation.

To protect the integrity of the customer's screen data and prevent unauthorized eavesdropping and/or modification of application data in transit, Bomgar uses 256-bit SSL to encrypt all application communications in transit. The default installation of an application server contains a pre-generated SSL server certificate to support data encryption upon initial use. However, administrators of a Bomgar application may also create and deploy their own certificates. It is strongly recommended that customers generate and install a verifiable certificate in order to establish a valid trust relationship with clients. The security of the system, from the client perspective, is predicated on the integrity of the downloaded and installed Customer Client binary. For a client to assign appropriate trust to the binary, it has to be downloaded from a trusted source. A verifiable certificate, signed by a trusted authority, authenticates the server to the client and allows the client to make that reasonable trust assignment.

In addition to encrypting data in transit, the 256-bit SSL architecture also protects application users against the threat of a man-in-the-middle attack or the deployment of a rogue application server. In a normal configuration, application clients validate the certificate presented by the server during SSL negotiation. Symantec observed that the presence of an invalid or untrusted certificate on the server will cause the Customer Client to terminate the connection and report an error to the user.

The Bomgar Box™ ships with SSL version 2 disabled by default and provides an administrative interface to optionally enable it. The SSLv2 protocol contains design flaws and is generally considered insecure. Modern browsers support SSLv3 and TLSv1 and will not be adversely affected by the absence of SSLv2.
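The client-side behaviour described above (validate the server certificate during negotiation, terminate on an invalid or untrusted one) can be checked against a deployment with a short script. This is an added example written with Python's standard `ssl` module, not code from Symantec's assessment or from Bomgar; the function names, the TLS 1.2 floor and the hostname `support.example.com` are assumptions made for illustration.

```python
import socket
import ssl


def strict_client_context():
    """Client context that validates the server certificate and hostname."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, hostname check, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: modern floor, SSLv2 is never offered
    return ctx


def verdict(exc):
    """Map a connection outcome to the client decision; proceed only when exc is None."""
    if exc is None:
        return (True, "certificate chain and hostname verified")
    if isinstance(exc, ssl.SSLCertVerificationError):
        detail = getattr(exc, "verify_message", "") or str(exc)
        return (False, "untrusted certificate, terminate: " + detail)
    if isinstance(exc, ssl.SSLError):
        return (False, "TLS negotiation failed, terminate: " + str(exc))
    return (False, "no connection: " + str(exc))


def probe(host, port=443, timeout=5.0):
    """Attempt a validated handshake; never fall back to an unverified session."""
    ctx = strict_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                ok, reason = verdict(None)
                return {"host": host, "trusted": ok,
                        "protocol": tls.version(), "reason": reason}
    except OSError as exc:  # ssl.SSLError and socket timeouts are OSError subclasses
        ok, reason = verdict(exc)
        return {"host": host, "trusted": ok, "protocol": None, "reason": reason}


if __name__ == "__main__":
    # Constructed error, standing in for a server that still presents an
    # unverifiable (for example self-signed) certificate.
    print(verdict(ssl.SSLCertVerificationError("self signed certificate")))
    # To check a real deployment, call probe() with its hostname,
    # e.g. probe("support.example.com") (hypothetical name).
```

A result with `trusted` set to `False` and an "untrusted certificate" reason indicates the server is presenting a certificate the client cannot verify against its trust store.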

 

© 2003-2010 Bomgar Corporation | All Rights Reserved