In message <[EMAIL PROTECTED]>, mbrown <[EMAIL PROTECTED]> writes
> We are behind a firewall, but want to get VNC to allow consultants we
> trust to have remote access to our computers (and vice versa). Past
> posts to this list convinced me that opening a port in the firewall for
> specific users is a secure activity, but our IT guys are now saying that
> it doesn't necessarily protect our systems from worms or viruses that
> may already inhabit the trusted user's computers.
That's correct, in that if there were a weakness in VNC it could be
exploited through the open port. There are ways of reducing the risk
though. The firewall can be configured to only forward packets coming
from a specific IP address. That limits the risk. Anyone probing the
port from a different address wouldn't be able to tell that there was a
VNC server there. To find that out they would need to sniff all of the
network traffic to see what addresses were in use. If they succeeded in
doing that they would also harvest the password.
Alternatively it's possible to configure VNC to only accept connections
from localhost. This requires a VPN to be set up between the remote and
local machines. That can use any type of encryption your IT guys think
is required. Even if the blackhats sniff the network traffic it won't
get them in. As a former IT guy I prefer this approach.
But you also have to decide whether your IT guys' objection is just a
subtle way of saying "we're busy, and we have better things to do with
our time." If that's so then you need to establish a compelling business
case that justifies the extra effort required to configure and maintain
a link. If you can't do that then expect the next objection from the IT
guys to be less subtle. Bear in mind that every extra service across the
firewall increases the risk to a greater or lesser degree, and they are
the ones that get the pink slip if it goes wrong.
> Does anyone have a response to this? It seems logical. Would we want
> to require that any remote user that traverses our firewall via VNC have
> an acceptable virus scan before doing so? Are there particular VNC
> products that would be best for both us and our clients? Can our
> clients use the free version?
The free version will work over a VPN. If you are going to set up a VPN
then your IT guys should talk to their IT guys and make sure that both
sides can trust each other's security precautions.
--
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
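The first mitigation described in the reply above (have the firewall forward the VNC port only when the packet comes from one trusted address, and let probes from anywhere else go unanswered so the port looks filtered rather than listening), worked through as an added example that is not part of the list post. It assumes a Linux firewall running nftables; the addresses 198.51.100.10 (the consultant's fixed public address) and 192.168.1.20 (the internal VNC host) are constructed placeholders, and TCP/5900 is VNC's default display :0 port. The weak "just open the port" ruleset is shown beside the restricted one, with a small check that catches an unconditional rule slipping back in. The second mitigation (VNC bound to localhost, reached over a VPN) is a VNC-side setting and is not shown here.

```shell
#!/bin/sh
# Added example, not part of the list post above.
# Builds two nftables rulesets for a Linux firewall that forwards VNC
# (TCP/5900, the default display :0 port) to an internal workstation:
#   open_ruleset       - the naive "open a port" approach: any source reaches VNC
#   restricted_ruleset - the approach from the reply: only one trusted peer
#                        address is forwarded, every other probe is dropped
#                        without a reply, so a scan shows nothing on that port
# Constructed (assumed) addresses: 198.51.100.10 is the consultant's fixed
# public address, 192.168.1.20 is the internal VNC host.

VNC_PORT=5900

# Cheap sanity check so a typo never produces a ruleset with an empty address
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The weak setting: forwards the port for anyone on the Internet
# $1 = internal VNC host
open_ruleset() {
    valid_ipv4 "$1" || return 1
    cat <<EOF
table ip vncfw {
    chain prerouting {
        type nat hook prerouting priority -100;
        tcp dport $VNC_PORT dnat to $1
    }
}
EOF
}

# The corrected setting: DNAT only from the trusted peer, and drop (not
# reject) VNC-port traffic from anyone else, so the port appears filtered
# $1 = trusted peer address, $2 = internal VNC host
restricted_ruleset() {
    valid_ipv4 "$1" || return 1
    valid_ipv4 "$2" || return 1
    cat <<EOF
table ip vncfw {
    chain prerouting {
        type nat hook prerouting priority -100;
        ip saddr $1 tcp dport $VNC_PORT dnat to $2
    }
    chain input {
        type filter hook input priority 0;
        ip saddr != $1 tcp dport $VNC_PORT drop
    }
    chain forward {
        type filter hook forward priority 0;
        ip saddr != $1 ip daddr $2 tcp dport $VNC_PORT drop
    }
}
EOF
}

# Review helper: returns 0 when every rule touching the VNC port names the
# trusted source, 1 when an unconditional (open) rule is present
# $1 = ruleset text, $2 = trusted peer address
ruleset_is_restricted() {
    if printf '%s\n' "$1" | grep "dport $VNC_PORT" | grep -Evq "saddr (!= )?$2"; then
        return 1
    fi
    return 0
}

# Load the restricted ruleset after a syntax check; skipped (exit 2) when
# nft is not installed, e.g. when reading this on a workstation
apply_restricted() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found; ruleset not loaded" >&2; return 2; }
    tmp=$(mktemp) || return 1
    restricted_ruleset "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    if nft -c -f "$tmp"; then
        nft -f "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage on the firewall: apply_restricted 198.51.100.10 192.168.1.20
```

The input-chain drop matters as much as the DNAT: without it, a probe from an untrusted address is not forwarded but still reaches the firewall itself on port 5900 and gets a TCP reset, which tells the scanner the firewall is alive and the port is closed rather than filtered. Dropping keeps the answer the reply describes: from any other address there is nothing to see.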