Hello,

I know nothing about Hamachi (though it looks interesting), so I can't comment about it specifically. I have used OpenVPN, which is kind of a b*tch to set up (though better than many alternatives!), and it works well.

I do fully agree that using a VPN to connect to a work network is in general very secure, and probably better than exposing random ports to the outside world.

However, whenever you run a web server or any public-facing server, there is a chance of exploit. I'm not so sure the risk is so severe. If you take precautions--randomized ports, a good firewall, always encrypted, strong passwords, etc., you're a lot better off. I personally feel that a VPN is overkill just to connect to VNC/RDP--easier and still secure options like SSH port forwarding are simple to set up.

Scott

On Oct 2, 2008, at 6:55 PM, Brian Weeden wrote:

Google VNC vulnerabilities, there have been a bunch in the past and still
some open:

http://www.realvnc.com/pipermail/vnc-list/2006-May/054854.html
http://isc.sans.org/diary.html?storyid=1331
http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html

There are two different types of "secure" we are talking about here. One is the encryption of the packets. That's fairly easy to do. But the other is much harder. By running a service - any service - and opening a port in your firewall, you are exposing yourself to outside penetration. There are bugs in everything and nothing is completely bulletproof. Most often times all it takes is to get a buffer overflow from specially crafted packets aimed at the service port and voila, an attack is in (I'm simplifying of course).

That's the beauty of running it through Hamachi - only packets coming from the other machines in your personal Hamachi network would be able to use it and those packets can't be spoofed or routed through a man-in-the-middle attack. VNC/RDP whatever isn't exposed to the general internet this way.

---------------------------
Brian Weeden
Technical Consultant
Secure World Foundation <http://www.secureworldfoundtion.org>
+1 (514) 466-2756 Canada
+1 (202) 683-8534 US


On Thu, Oct 2, 2008 at 5:11 PM, Scott Sipe <[EMAIL PROTECTED]> wrote:


On Oct 2, 2008, at 10:10 PM, Soren wrote:


In your shoes, I would not bet my dimes on VNC alone. If a security breach happens because of VNC (it does from time to time, and VNC scans/exploits are automatic!), your client might become 'slightly upset'.

But, hey, it's your nuts ;)

I'd go GTA and VPN, and under no circumstances use VNC without VPN in *any* production environment (great for home use, though). By tunneling VNC in an encrypted VPN, you should be pretty safe.

Sorry to say this, but there's no easy way around a minor PITA if you also
want high security. These tend to stick close together ;)

Setting up a test system at your client's office, and running a few
vulnerability scanners against it before the final implementation, may be
useful in keeping things tight and crispy.

HTH.


Could you expand on any of this? I've had VNC ports open for years and no
security issues. I do use UltraVNC and encryption plugins, along with
password authenticated domain login. What kind of security breach are you
foreseeing?

Additionally, with MS RDP, you're fully encrypted and using normal domain
login.

I have an IPSEC VPN set up between remote locations and the main office, but for employees on the road who just want to access their desktop, RDP is perfect.

Is there more to say, do you disagree?

Scott

