James ''Wez'' Weatherall wrote:
> 
> > James Weatherall asked "Why do people want to move the VNC port under 100"
> >
> > Because many of us behind corporate firewalls and proxies are only
> > allowed to talk to the outside world on port 80.
> 
> This worries me.  Sending VNC through your firewall in this manner is
> equivalent in security terms to using telnet through it.  You may as well
> enable the telnet and VNC ports, or just remove the firewall entirely.
> 
> The fact that only port 80 is available is in some sense a red herring.  In
> reality, it should be the case that the only *protocol* available is HTTP,
> since any other (telnet or VNC) is likely to have security vulnerabilities.
> 
> Ideally, in addition to HTTP, the SSH (Secure SHell) port should be open and
> secure shell services should be running inside your company.  This allows
> almost any other protocol, including VNC, to be used without needing to
> change the ports it uses, and with the same degree of security your
> sysadmins are really trying to maintain by using the firewall in the first
> place.
> 
> The problem you are seeing when you connect to your VNC server, by the way,
> is that you are connecting to the port on which the VNC protocol runs, not
> the HTTP part of the VNC server.  This means you should be connecting to the
> target machine with a native VNC viewer.
> 
> Sorry if the above sounds like a rant but it's extremely important to
> remember the *intended* effect of imposing a firewall, not just the
> resulting limitations.
<...> 

You make some good points. So maybe AT&T should remove me from the VNC
contributed section?
http://www.uk.research.att.com/vnc/extras.html#firewalls
http://www.workspot.net/~harmen/vnc/readme.html

On the other hand: restrictive firewalls make it very hard to apply
normal TCP/IP networking nowadays, so http as a transport layer
naturally comes into the picture for many networking apps. This doc
discusses some pros and cons:
http://www.ietf.org/internet-drafts/draft-moore-using-http-01.txt

You can argue that connecting out with a vncviewer is pretty harmless,
since VNC doesn't do file transfers. Putting the viewer in listening
mode, and having the server connect out of a secured LAN is an entirely
different story, and I wonder why AT&T added that feature, but that's
probably due to my lack of imagination.

-- 
Harmen
http://www1.tip.nl/~t515027/
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
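A worked check for the point Wez makes about port 80 versus the HTTP protocol. This is an added example, not code from the thread, from AT&T's VNC or from Harmen's contributed tool. It relies on two protocol facts: an RFB (VNC) server speaks first, sending its "RFB xxx.yyy\n" version string as soon as the TCP connection opens, while an HTTP server stays silent until the client sends a request. Given that, a firewall operator can tell whether what sits behind "port 80" is really a web server or a VNC server that someone has moved there. The host, port and the ScriptedConn stand-in are assumptions for illustration; the banners fed to it are constructed samples.

```python
"""Added example (not part of the original vnc-list post or of AT&T's VNC):
classify what is listening on a TCP port as RFB (VNC), HTTP, or unknown."""
import re
import socket

# RFB ProtocolVersion message: exactly 12 bytes, e.g. b"RFB 003.003\n".
RFB_VERSION = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")
# HTTP status line prefix, e.g. b"HTTP/1.0 200 OK".
HTTP_STATUS = re.compile(rb"^HTTP/\d\.\d (\d{3})")
# Minimal well-formed request used to wake up a server that waits for us.
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n"


def classify(conn):
    """Classify the peer on an open connection.

    `conn` needs recv(n) and sendall(data); recv must raise socket.timeout
    when the peer has nothing to say. Returns "rfb <major>.<minor>",
    "http <status>", or "unknown".
    """
    try:
        first = conn.recv(12)          # does the server speak first?
    except socket.timeout:
        first = b""
    m = RFB_VERSION.match(first)
    if m:
        return "rfb %d.%d" % (int(m.group(1)), int(m.group(2)))
    if first:
        return "unknown"               # spoke first, but not RFB
    conn.sendall(HTTP_PROBE)           # silent server: try HTTP
    try:
        reply = conn.recv(64)
    except socket.timeout:
        reply = b""
    m = HTTP_STATUS.match(reply)
    if m:
        return "http %s" % m.group(1).decode()
    return "unknown"


def probe(host, port, timeout=3.0):
    """Open a real TCP connection and classify it (assumed host/port)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        return classify(s)


class ScriptedConn:
    """Hypothetical socket stand-in fed constructed bytes, for offline use."""

    def __init__(self, unsolicited=b"", reply=b""):
        self.unsolicited = unsolicited  # sent by the "server" on connect
        self.reply = reply              # sent only after our request
        self.sent = b""

    def recv(self, n):
        buf = "unsolicited" if self.sent == b"" else "reply"
        data = getattr(self, buf)
        if not data:
            raise socket.timeout()
        setattr(self, buf, data[n:])
        return data[:n]

    def sendall(self, data):
        self.sent += data


if __name__ == "__main__":
    import sys
    # Constructed samples: a VNC server banner and a web server reply.
    print(classify(ScriptedConn(unsolicited=b"RFB 003.003\n")))   # rfb 3.3
    print(classify(ScriptedConn(reply=b"HTTP/1.0 200 OK\r\n")))   # http 200
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
```

If the answer comes back "rfb", the remedy Wez describes is to reach that server through an SSH port forward instead of exposing it on 80: `ssh -L 5900:vnchost:5900 user@gateway` on the client, then `vncviewer localhost:0` (VNC display 0 is TCP port 5900), so the firewall only ever sees SSH.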