Some quick feedback to the security-conscious hyperbole
about VNC that's flown across the list recently. In my experience,
it's not exactly true that VNC has "very little" in the way of
security. Some features it has (and I've used):

1. Via AuthHosts, you can specify which IP addresses are allowed and
   not allowed to connect.

2. Via QuerySetting, you can require that explicit permission be
   granted by someone sitting in front of the server for every
   connection attempt that passes AuthHosts.

3. Unlike telnet and others, the connection password is not sent
   entirely in clear text.

4. Once a user does connect, they have the exact same permissions
   that the currently-logged-in user on the server has. If you
   run the VNC server while logged in as "guest", then your
   visiting VNC connections are "guest" as well. Not "admin".

5. Finally, AFAIK, there are no buffer overflow vulnerabilities
   to the VNC service. PCAnywhere, Citrix MetaFrame, WinXP TermServ
   can say the same thing, sure, but the comfort of open-source
   community review in this case...

        I *of course* agree that tunneling VNC through SSH is
much more secure than running naked VNC. However, there are good
and worthwhile steps a new VNC user can take to create security
layers *before* they add the SSH finishing touch. Is my point.

        Furthermore, at the end of the day, it *is* a remote-control
application after all: any successful connection gets remote access
to the server. I think this, to some degree, makes VNC *appear* to
be less secure than, say, running a web-service. That is, the worst
case scenario of running any service behind your firewall is that
a black-hat could exploit it to get VNC-like access to one of your
machines. With VNC on the other hand, installed without any
precautions, a black-hat is just one password away from exactly
that.
        With precautions, though, I'd argue you're in better shape
than someone using an IE browser with ActiveX enabled. Anyhow, just
my opinion; I'm just one for keeping the baby after the bath. :)

cheers,
Scott
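To make items 1 and 2 of the list above concrete, here is a small model of how an AuthHosts pattern list and a console query setting combine to admit, reject or prompt for a connecting address. This is an added example, not WinVNC's own code; it assumes the AuthHosts format is a colon-separated list of dotted IPv4 prefixes each prefixed with "+" (allow), "-" (deny) or "?" (ask the person at the console), that the longest matching prefix wins, that an address matching no pattern is allowed, and it reduces QuerySetting to three assumed levels (0: never prompt, 1: prompt only for "?" hosts, 2: prompt for every host that is not denied). The policy string and client addresses are constructed sample values.

```python
"""Model of an AuthHosts / QuerySetting style connection filter.

Added example, not WinVNC's own code. Assumed semantics: AuthHosts is a
colon-separated list of dotted IPv4 prefixes prefixed with '+', '-' or '?';
the longest matching prefix wins; unmatched addresses are allowed.
QuerySetting is modelled as levels 0 (never ask), 1 (ask for '?' hosts)
and 2 (ask for every host that is not denied).
"""
from ipaddress import IPv4Address
from typing import Callable

ALLOW, DENY, QUERY = "allow", "deny", "query"
_PREFIX_ACTION = {"+": ALLOW, "-": DENY, "?": QUERY}


def parse_auth_hosts(spec: str) -> list[tuple[str, str]]:
    """Turn '-:+192.168.1:?10.0' into [(DENY, ''), (ALLOW, '192.168.1'), (QUERY, '10.0')]."""
    rules = []
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        action = _PREFIX_ACTION.get(token[0])
        if action is None:
            raise ValueError(f"pattern must start with +, - or ?: {token!r}")
        prefix = token[1:]
        # A prefix is zero to four dotted octets; anything else is a typo in the policy.
        octets = prefix.split(".") if prefix else []
        if len(octets) > 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
            raise ValueError(f"bad address prefix: {prefix!r}")
        rules.append((action, prefix))
    return rules


def _prefix_matches(prefix: str, addr: str) -> bool:
    """Match whole dotted components, so '192.168.1' does not match 192.168.10.x."""
    if prefix == "":
        return True
    wanted = prefix.split(".")
    return addr.split(".")[: len(wanted)] == wanted


def auth_hosts_action(spec: str, addr: str) -> str:
    """Action from the AuthHosts list alone: the longest matching prefix wins."""
    IPv4Address(addr)  # reject anything that is not a dotted-quad address
    best_action, best_len = ALLOW, -1
    for action, prefix in parse_auth_hosts(spec):
        if _prefix_matches(prefix, addr) and len(prefix) > best_len:
            best_action, best_len = action, len(prefix)
    return best_action


def decide(spec: str, addr: str, query_level: int = 0) -> str:
    """Combine AuthHosts with the (assumed) query level."""
    action = auth_hosts_action(spec, addr)
    if action == DENY:
        return DENY  # denied hosts never reach the console prompt
    if query_level >= 2 or (query_level == 1 and action == QUERY):
        return QUERY
    return ALLOW


def handle_connection(spec: str, addr: str, query_level: int,
                      ask_console: Callable[[str], bool]) -> bool:
    """Return True if the connection is accepted. ask_console stands in for
    the person sitting at the server who answers the accept/reject prompt."""
    action = decide(spec, addr, query_level)
    if action == ALLOW:
        return True
    if action == QUERY:
        return bool(ask_console(addr))
    return False


if __name__ == "__main__":
    # Constructed sample policy: LAN allowed, one lab subnet queried, all else denied.
    policy = "-:+192.168.1:?10.0"
    for client in ("192.168.1.20", "192.168.10.5", "10.0.3.4", "203.0.113.7"):
        print(client, "->", decide(policy, client, query_level=1))
```

The point the model makes visible is the layering: the deny list drops an address before anyone is asked, the query prompt only helps for addresses the list already lets through, and a policy that starts with "-" (deny everything) and then adds "+" prefixes is the shape that limits exposure rather than a policy that only lists denials.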


> "Henning, Brian" <[EMAIL PROTECTED]> wrote:
>
> My disclaimer: I have not done this but I can give you some tips.  I am
> concerned about the current security of your vnc configuration.
>
> > Hello-
> > I am using LEAF with the echowall firewall package on a pentium 1.  This
> > router/firewall serves my two windows machines. I set up echowall to access
> > a vnc server on one of my local machines but,
>
>
> vnc is not a secure protocol.  If I am reading what you said correctly,
> then you have introduced significant security concerns for your windows
> PC.  Bad people will want to abuse you.  Please see
> http://www.uk.research.att.com/vnc/faq.html#q52. It also talks about
> some of the ports to forward.  See also
> http://www.uk.research.att.com/vnc/faq.html#q53.
>
>
> > I am not sure how to set up the
> > router/firewall to allow vnc to be accessible on multiple local machines. I
> > am pretty sure I have to have separate ports for each, but I am not sure how
> http://www.uk.research.att.com/vnc/faq.html#q55
> http://www.uk.research.att.com/vnc/sshvnc.html
>
>
> > I go about the setup. Can anyone give me a hand? Thanks!
> >
>
> For your safety, please stop what you are doing now.  I would recommend
> setting up secure shell port on port 22 and, say, port 23 of your
> firewall.  You will need to locate the latest secure ssh package, there
> is a bug.  Pick port 22 and portforward it to one windows PC.  Map port
> 22 to one of the 5900 VNC ports.  Pick port 23 and portforward it to the
> other windows PC.  Likewise, map port 23 to one of the 590x VNC ports.
> Depending on your source machine, you may need to setup putty or ssh
> there. Then you might do something like this ssh -L 5902:myfirewall:5901
> myfirewall  Read http://www.uk.research.att.com/vnc/sshvnc.html and look
> at the pictures.  Give yourself some time to comprehend what is being
> said.
>
> I hope this gets you pointed in the right direction.  By the way did I
> tell you that I was concerned about the security of your current
> configuration?
>
> Greg
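The tunnel Greg sketches (`ssh -L 5902:myfirewall:5901 myfirewall`, then pointing the viewer at the local end) is easy to get wrong when two PCs sit behind one firewall, because each tunnel needs its own local display and its own external SSH port. The helper below builds and checks those forwards; it is an added example, not Greg's configuration, and it assumes only the standard VNC convention that display N listens on TCP 5900+N and is addressed in a viewer as host:N, plus the OpenSSH `-L local_port:destination_host:destination_port` syntax. The host name `myfirewall` and the PC names are constructed sample values.

```python
"""Build and sanity-check SSH local forwards that carry VNC displays.

Added example, not part of the thread. Assumes VNC display N == TCP port
5900+N, viewer syntax host:N, and OpenSSH's -L local:host:port syntax.
"""
import re

VNC_BASE_PORT = 5900
_FORWARD_RE = re.compile(r"^(\d+):([^:]+):(\d+)$")


def vnc_port(display: int) -> int:
    """TCP port for VNC display number `display` (0..99)."""
    if not 0 <= display <= 99:
        raise ValueError(f"display out of range: {display}")
    return VNC_BASE_PORT + display


def forward_spec(local_display: int, dest_host: str, dest_display: int) -> str:
    """The -L argument: local VNC port -> dest_host's VNC port, as seen from the SSH server."""
    return f"{vnc_port(local_display)}:{dest_host}:{vnc_port(dest_display)}"


def tunnel_command(ssh_host: str, local_display: int, dest_host: str,
                   dest_display: int, ssh_port: int = 22) -> list[str]:
    """argv for ssh; -N keeps the session open purely for the forward."""
    return ["ssh", "-p", str(ssh_port), "-N",
            "-L", forward_spec(local_display, dest_host, dest_display), ssh_host]


def viewer_target(local_display: int) -> str:
    """What to type into the VNC viewer: always the loopback end of the tunnel."""
    return f"localhost:{local_display}"


def check_forward(spec: str) -> dict:
    """Parse a -L spec and confirm both ends are VNC display ports."""
    m = _FORWARD_RE.match(spec)
    if not m:
        raise ValueError(f"not a local forward spec: {spec!r}")
    lport, host, dport = int(m.group(1)), m.group(2), int(m.group(3))
    for p in (lport, dport):
        if not VNC_BASE_PORT <= p <= VNC_BASE_PORT + 99:
            raise ValueError(f"port {p} is not a VNC display port")
    return {"local_display": lport - VNC_BASE_PORT, "dest_host": host,
            "dest_display": dport - VNC_BASE_PORT}


def plan_tunnels(firewall: str, pcs: dict[str, tuple[int, int]]) -> dict[str, tuple[list[str], str]]:
    """One tunnel per PC behind `firewall`. pcs maps a name to (external ssh
    port on the firewall, VNC display reachable through that firewall port).
    Each PC gets a distinct local display so the forwards do not collide."""
    plan = {}
    for local_display, (name, (ssh_port, dest_display)) in enumerate(pcs.items(), start=1):
        cmd = tunnel_command(firewall, local_display, firewall, dest_display, ssh_port)
        check_forward(cmd[cmd.index("-L") + 1])  # fail early on a malformed spec
        plan[name] = (cmd, viewer_target(local_display))
    return plan


if __name__ == "__main__":
    # Constructed sample: two PCs, each reached via its own SSH port on the firewall.
    for name, (cmd, target) in plan_tunnels("myfirewall", {"pc-a": (22, 1), "pc-b": (23, 2)}).items():
        print(name, "->", " ".join(cmd), "| viewer:", target)
```

With the tunnels up, the VNC ports themselves no longer need to be reachable from outside; only the SSH ports are forwarded on the firewall, and the viewer always talks to localhost.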



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user