[In a message on Tue, 19 Apr 2005 21:14:50 EDT, "Steve Bostedor" wrote:]

> I am wondering why expose VNC over the internet in the first place, really.

Exactly what I said. VNC should *NOT* be exposed to the internet.

> It's my opinion that VNC is really only good for LAN's. Why not use VPN to secure your connection to the remote network before starting VNC sessions? It's much easier to set up on a LAN where you need VNC access to 200 computers than setting up SSH over the Internet!

Uh . . . OK, the REALLY nice thing about VNC is that it beats LBX (Low Bandwidth X) as a means of displaying applications remotely. In fact, having tried raw X, LBX, Serial Xpress, Timbuktu and VNC, I can safely say it is the BEST to use over 28K dialup lines. ;-)

When you tunnel with SSH, you in effect are creating a VPN to your remote network, only without all the hassles of setting up VPNs. At OSCON this year, they apparently (accidentally?) blocked GRE traffic off the wireless network -- of the three people from my (ex) company, I was the only one who could still connect back to the office and fix things. :-)

If you REALLY think it's easier to set up VNC to access 200 computers (insane, if you ask me. By the time you get to the high 10s of computers, you had really better have set up alternative administration mechanisms -- which is not to say that using VNC as a diagnostic tool on those same 200 machines isn't a good idea) than setting up an SSH tunnel, well, then, either you just have no experience with SSH or you didn't read the docs well enough. This too can be automated. :-)

Of course, if you're implying I set up a VNC connection over SSH for each of 200 computers, yeah, you're right, that's insane. But VNC is MOSTLY good for spot-maintenance. If you want to graphically control 200 machines simultaneously, no, SSH isn't a good fit.

> I can concede that VNC data should be encrypted in some way when traveling the Internet but why do people set up VNC over SSH on local networks? That really makes very little sense to me. If your network is so insecure that you're worried about your VNC traffic being hacked, you've got some pretty big problems!

OK, let's look at this statement. You work for a large multinational organization, with REAL privacy concerns (HIPAA anyone? Banking? Sarbanes-Oxley?). You have people VNC'ing all over the place. And you have PCs indiscriminately running services on PCs acting as servers that really shouldn't be. Now you have PCs on server networks that can be hacked. You have people running sniffers on their desktops. You have basically *who knows what* between you and the VNC desktop you're controlling.

Now, do you NEED encryption? No. Do you REALLY trust the routers and switches to not have their buffers fill up and start broadcasting all packets to every interface? If so, you drank Cisco's Kool-Aid(tm).

Just like we completely phased out telnet and rsh (in favor of SSH), why not phase out non-encrypted VNC connections? Frankly, I have to admit, I REALLY don't understand why RealVNC hasn't added either a STARTTLS option to VNC, or otherwise added TLS as an option (OK, yeah, it's a certificate problem, but still, you could incorporate your own CA in your viewer). Basically, if 80% of intrusions come from inside your network (and they do, from your so-called "trusted" employees) why not do what you can to prevent over-the-wire attacks? It's cheap and easy.

> I connect to a network via VPN and others I connect using encrypted RDP sessions. Once I've made those connections, I can safely use VNC on the remote networks. Why waste all of this time with SSH on Windows computers all over the network when VPN and RDP is so easy to set up?

Because some of us avoid Windows with a fervor you can only imagine. I don't (I have a mild aversion to Microsoft, though I abhor all forms of Windows). But I *DO* have to support Suns and Macs and a bunch of other things. And screwing around with a VPN connection from my friend's Mac when I'm playing with my band on Tuesday night just doesn't cut it ("Hey, dude, can I load this stupid Cisco VNC client on your Mac? Don't worry, it will only take 5 minutes to download, about 10 to set up, about 2 to do what I need, and another 10 or so to remove it"). Typing "ssh remotehost" in the terminal cuts it.

And, keep in mind, you can SSH to one host and forward to another. So, you don't need to set up SSH on a Windows computer (PuTTY on the client is all you need, if you're running Windows -- or, if you don't want that, try MindTerm -- works great from internet cafes ;-)). One unix box on the remote end, and you can connect to anything on the other side. :-)

Note, I'm not trying to be snippy here. I know I might sound like it. It's just that I fought (and lost, which is why it's my *ex* company) for allowing SSH in remotely to my company. They idiotically expected every person to have a PC running Windows to connect remotely. I explained I had Sun workstations and a Mac at home. They said "We have clients for those". I pointed out that the Mac needed to have local network access, and not capture all traffic out the internet, and that the Suns run OpenBSD. They said "Have your manager buy you a PC". I said "What about when I'm away from home without my computer". They said "Ummmmmm. But you have to use the VPN client, it's more secure." Someone pointed out it's so they can see what you're doing. I said "OK, set up a VPN client, and ssh after the connection is made". It's not more secure, it's not more transparent. It's just stupid.

Having said all that, VPNs *DO* have their place, and I've set up a lot of them. It's just that it's NOT the only solution, and sometimes (often, for me) not the *RIGHT* solution.

OK, I'm done ranting.

Sean

_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
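The two practical points in the post above are that a VNC session can ride an SSH forward through one unix box on the remote side, and that a VNC listener should not be reachable from the network at all. The script below is an added example written for this page, not code from the post or from RealVNC: `vnc_tunnel_cmd` builds the `ssh -L` command for a given display, binding the local end to loopback only, and `exposed_vnc_listeners` scans `netstat -an`-style output for VNC ports bound to anything other than loopback. The host names `gateway.example` and `desktop-7` are placeholders, and the netstat lines in `SAMPLE_NETSTAT` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Host names are placeholders.

# vnc_tunnel_cmd DISPLAY GATEWAY [TARGET]
# VNC display N listens on TCP 5900+N. The local end of the forward is bound
# to 127.0.0.1 so only this machine can reach it; -N opens no remote shell.
# TARGET is the VNC host as seen from the gateway (default: the gateway
# itself). The viewer is then pointed at localhost:N.
vnc_tunnel_cmd() {
    port=$((5900 + $1))
    target="${3:-localhost}"
    printf 'ssh -N -L 127.0.0.1:%d:%s:%d %s\n' "$port" "$target" "$port" "$2"
}

# exposed_vnc_listeners < NETSTAT_OUTPUT
# Prints the local address of every TCP listener on 5900-5999 whose bind
# address is not loopback. Handles the Linux form 0.0.0.0:5901, the IPv6
# form :::5902 and the BSD/macOS form *.5903.
exposed_vnc_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, /[:.]/)
            pstr = parts[n]                       # last component is the port
            port = pstr + 0
            host = substr(addr, 1, length(addr) - length(pstr) - 1)
            if (port >= 5900 && port <= 5999 &&
                host != "127.0.0.1" && host != "::1" && host != "localhost")
                print addr
        }'
}

# Constructed sample netstat output: display :0 bound to loopback (fine),
# displays :1 and :2 bound to all interfaces (the cases to flag), plus sshd.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp6       0      0 :::5902                 :::*                    LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Demonstration: the forward for display :1 on desktop-7 behind the gateway,
# then the listeners in the sample that would be reachable from the network.
vnc_tunnel_cmd 1 admin@gateway.example desktop-7
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_vnc_listeners
```

On a real host, replace the sample with `netstat -an | exposed_vnc_listeners`; anything it prints is a VNC display that will accept unencrypted connections from the network, which is exactly what the SSH forward is meant to avoid. Binding the VNC server itself to loopback, where the server supports that, closes the gap so that the only way in is through the forward.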