Bridging the distance

Murphy's Law dictates that when a soldier needs a computer for a critical task, the machine will crash or a file will go AWOL. Usually, a call to the information technology department's help desk will fix the problem. But what happens when the help desk isn't right around the corner?

In such circumstances, remote-control software is a handy way to take care of the problem.

The latest crop of remote-control packages allows help-desk staff to take control of remote computers to reconfigure them or show end users how to perform operations. These programs also can be used for fast and efficient file transfers.

The latest versions of remote- control programs have improved on two previous drawbacks — slow performance and questionable security — due to the prevalence of high-speed connections and better program design. Additionally, we found that the current generation of products offers security authentication and authorization tools robust enough to secure communications involving most noncritical systems.

In this comparison, we take a look at three software packages that have survived market battles to become leaders in the remote-control arena: Danware Data A/S' NetOp 7.6, LapLink Software Inc.'s LapLink Gold 11.5 and Symantec Corp.'s pcAnywhere 11.

They each extend the reach of support personnel and have their differences, but overall, they are very similar. Each offers a solid set of tools for remote control of desktops and servers and strong utilities for transferring files and synchronizing directories.

Danware Data A/S' NetOp 7.6

NetOp was originally a utility used to manage the remote control of machines for a Danish stock market application. Because of that environment's strict security and reliability requirements, security and robustness are designed into the product from the ground up.

This focus on security and detail was evident in each phase of our testing. We installed the software on our help-desk and user machines. NetOp has two components for remote-control sessions: guest and host. We installed the guest on the help-desk computer where we were working and the host on the computers we wanted to control remotely.

Installation went smoothly, and we were surprised to see that the product supports seven languages. We also noted that Danware has separate products for IBM Corp.'s OS/2 and DOS. (Although the latter OS should be extinct, according to Microsoft Corp., it is still used for many vertical applications, and we were glad to have this option.)

NetOp supports an array of clients, including Microsoft Windows, Windows CE and ActiveX (guest only); Linux; Sun Microsystems Inc.'s Solaris; Apple Computer Inc.'s Mac OS X (host only) and Symbian Ltd.'s Symbian OS (guest only). We liked the flexibility of managing every OS we could think of. It was the only product we tested with such a diverse repertoire.

During installation, we could choose to optimize the product for fast or slow connections (fast being anything above 4 megabits/sec), and we had to indicate whether we would be using a modem.

There are three other modules that come with NetOp to increase its functionality: the Gateway, Name Server and Security Server. The Gateway is used primarily to secure communications to host machines and acts as a router and a firewall for NetOp communications. It also supports secure dial-in and dial-out or secure TCP/IP communications for up to 200 simultaneous sessions. The module allows NetOp to get around having a Web component. It will serve agencies well that need to have access to internal resources from external locations without having sensitive information pass through an intermediate Internet-based service.

The Name Server takes queries from other NetOp modules about NetOp names — such as user log-in names or log server group names — and converts them to IP addresses.

The Security Server is used for centralized authentication of guest and host machines with logging of NetOp session activity. After creating an Open DataBase Connectivity database of users and their access rights, this server is queried to verify a guest's access rights and privileges on a host machine.

NetOp has well-designed, strong authentication and authorization methods to ensure that only trusted help-desk workers have access to users' machines via Microsoft Security Management (including Lightweight Directory Access Protocol [LDAP]) or its Security Server. The product can encrypt the traffic in a remote-control session via either 256-bit Advanced Encryption Standard or its own proprietary encryption. We found that sessions running with encryption were still exceptionally fast.

The guest interface is streamlined and offers well-designed access to a strong set of communications tools. One of the more interesting tabs is for help requests generated by host machines.

We found this a novel approach to remote control and well suited for a help-desk environment. Although it can undermine the flow of an enterprise-scale product, it could integrate well with a more informal help-request system. It works by having users on host machines click the life preserver icon, generating a request in the NetOp guest's help- request tab. Help-desk workers can then click on the request on their computers and be in control of the host system.

Guests or hosts can initiate a text or voice chat session. For sensitive registry edits or other complicated tasks, guests can opt to black out the host screen until repairs are made. One thing we found disconcerting: When we initiated a text chat session, we could see both the guest and host chat windows pop up simultaneously because we were looking at a remote-control version on the host computer. Unlike pcAnywhere, which has a more refined chat window, we had to focus on the correct chat window to continue our conversation.

The guest interface has several other interesting tabs: Phone Book enables a quick lookup of available hosts, Recordings offers access to recorded remote-control sessions, and Script provides a listing of scripts for repeated tasks (such as file transfers or backups). The Inventory tab is useful for getting a picture of a host's software and hardware configuration.

We also liked NetOp's Marker mode, a tool that allows you to annotate remote screens, and the powerful file-transfer utility. Also, the ability to install the product without updating the video, keyboard or mouse driver means it can be installed on a running server without rebooting the machine after installation is complete.

LapLink Software's LapLink Gold 11.5

For more than a decade, we have used LapLink as the quintessential tool for moving and synchronizing files among machines. During this time, it has progressed from a simple file-transfer product (with its ubiquitous serial and parallel cables) to a solid remote-control solution. The latest version has an updated user interface for file transfers that resembles Microsoft Windows Explorer.

During our installation, we noticed that the product we received included USB cables, because LapLink has completely rewritten its cable drivers for this version, which uses a direct connection for USB 1.1 and 2.0. This is a nice feature when you want to transfer files to a machine that is not yet connected to the network.

In contrast to NetOp and pcAnywhere, which have two separate components for a typical installation, LapLink is bidirectional; each installation has both the client and host components in a single interface. For large installations, a help desk would use the standard LapLink and user machines would run LapLink Host. We did not have the host product in time to test it for this comparison.

Like Symantec's pcAnywhere, LapLink supports only a Microsoft environment for remote control. But unlike pcAnywhere, it supports a wider variety of Windows versions, including 95, 98, Me, NT 4, XP, 2003 Server and DOS (as a separate product).

LapLink does not natively support Linux, Solaris or any Mac OS, but it uses the free and insecure ATT WinVNC remote-control product to support these operating systems. LapLink Software engineered an open-source product called Secure WinVNC and has added the feature as a subscription component to LapLink, called LapLink Everywhere, that is used for Web-based remote control, file transfer and e-mail.

We did note that LapLink, because it was a file-transfer product from its inception, boasts several methods to accelerate file-transfer speeds among machines. SmartXchange, which is more advanced than folder synchronization, is a tool used to optimize the exchange of files among folders. When dealing with files in two folders, it copies files in one location but not the other, overwrites older files with newer copies and leaves identical files in both folders alone.

LapLink has several methods for securing a machine, though the program has no centralized authentication support. Using log-in name and password authentication, we were able to select the services we wanted to grant or deny a remote user, including: file transfer, remote control, print redirection, text chat and voice chat. We also had the ability to filter access to drives and folders.

Encryption was straightforward in this version of LapLink, with the ability to use either its own encryption or Microsoft's Crypto API.

Of all the products we tested, we liked LapLink's straightforward documentation the best.

Unfortunately, LapLink requires a reboot after installation, which can cause disruptive problems.

The product can't compete with the full functionality of NetOp and pcAnywhere when it comes to managing multiple servers. LapLink lacks hardware or software inventory support, and it has no advanced administrative tools, unlike pcAnywhere. Likewise, the product is missing the native multiple OS support found in NetOp and offers no centralized authentication options or logging.

Symantec's pcAnywhere 11

PcAnywhere is commonly known as the 800-pound gorilla of the remote-control community. With more than 50 percent of the worldwide remote-control market and more than 90 percent of the domestic market, Symantec must be doing something right.

And that is readily apparent in pcAnywhere 11, its newest version of the product. Among the major improvements are a revamped and improved user interface that has the look and feel of Windows XP and significant improvements in file-transfer performance over previous versions. Additionally, we found that pcAnywhere now has more functionality for remote management of servers and users than ever before.

We installed pcAnywhere on both our help-desk and end-user machines. The software has two components to allow a remote-control session to take place: the host and the remote.

PcAnywhere is focused on the Windows platform, supporting Windows 98, Me, NT, 2000, XP Home and XP Professional. An unsupported Java-based product called Express is the only way pcAnywhere supports operating systems such as Linux, Unix and Mac.

Installation was generally easy, and we especially liked its new Quick Deploy and Connect component. While browsing the network, if we came across a user machine that didn't have pcAnywhere installed, we installed a thin host. Using the thin-host wizard, we could set the encryption level for communications (including none, pcAnywhere encoding and symmetric) and the authentication method (pcAnywhere, Windows NT or Microsoft LDAP).

We also liked the ability to serialize the host and create a custom installation with an embedded security code. This ensures that only authorized remote computers can access host systems.

We were impressed with most of the functionality in this version of pcAnywhere. The biggest visual difference is that it looks like it's an application written for Windows XP, with a smooth, colorful user interface and a logical tools layout on the left side of the management console.

The ability to transfer files to multiple hosts in the background while we worked on other tasks is a useful enhancement. PcAnywhere also has enhanced queuing, called Command Queue, which we used to queue multiple DOS and Windows administrative commands (log-off, reboot), and even to synchronize files and folders.

Of the three remote-control products we tested, pcAnywhere tops the list with 13 authentication methods for connectivity among host and remote computers. The newest in pcAnywhere's arsenal is support for two-factor SecureID token authentication, along with its traditional Windows NT authentication, LDAP and Active Directory Service. Also supported are Novell Inc.'s Bindery, NetWare Directory Services and LDAP, among others.

Also strong in this version is encryption of the remote-control tunnel. Tunnels can be encrypted with pcAnywhere's encoding, with symmetric encryption via Microsoft's Crypto API or with a public key. On top of this security, we could also set access time limits and access permissions.

Two of the most interesting additions to pcAnywhere's security arsenal are the ability to assess host security and the ability to scan an agency's network for unauthorized copies of remote-control and remote-access products (such as Citrix Systems Inc. WinFrame, Microsoft Terminal Services Carbon Copy, LapLink, and WinVNC) with Symantec's Remote Access Perimeter Scanner (RAPS). The scanner looks for unauthorized remote-control products that may be running on an agency's network and notifies the IT department — although to run RAPS, we were required to rerun and customize the installation process and specifically select the RAPS component.

When it comes to security assessment of the host component, we thought RAPS was a welcome addition to the overall product, though it is limited to detecting vulnerabilities that could affect pcAnywhere operations rather than the network as a whole.

One thing we found peculiar was that with all the comprehensive security options that pcAnywhere has, it isn't able to blank the host screen during a remote-control session like the other two products we tested. Nor does pcAnywhere offer support for audio chat sessions, although it does have nice text chat functionality.

Conclusion

Not surprisingly, given their long success, each of the three products we tested has something to offer certain groups of users. If you have an environment with mixed operating systems, for example, NetOp is the strongest choice. LapLink's simplicity and ease of use make it a strong choice for smaller networks and individuals. If limited platform support isn't a problem, pcAnywhere offers the broadest functionality of any of the programs we tested, and its interface is slick and easy to use.

Garza is a freelance author and network security consultant in Silicon Valley, Calif. He can be reached at vgarzasprint@ earthlink.net.

***

Buying tips

Apart from basic remote-control and file- transfer functionality, here are a few features to consider when choosing a remote-control program:

* Options for centralized authentication and security support at the user, folder and file levels.

* The ability to install programs without having to reboot afterward.

* Options for centralized logging.

* The ability to inventory hardware and software.

* Session tunnel encryption.

* Support for scripting and scheduling.

* Text chat.

***

Test bed

We performed compatibility testing on a Hewlett-Packard Co. Compaq ProLiant ML350 with dual Intel Corp. Xeon 2.2 GHz processors and 256M of system memory running Microsoft Corp. Windows 2000 Server. We tested host software on a variety of clients, including an HP Workstation xw5000 with 1G of memory, a Compaq Evo desktop, a Dell Computer Corp. Latitude C640 with 265M memory and a Latitude C840 with 1G of memory. Primary operating systems included Microsoft's Windows XP and Red Hat Inc.'s Linux 8.0.