Using Cygwin's 'sshd' for Windows takes care of 85% of the issues
you raised about VNC's insecure ways. 10% of your issues could be
fixed with simple hacks to either the VNC client or server and the
5% balance would probably (but not necessarily) require some
protocol enhancements.

My point is: If you can trust using 'sshd' over the Internet
then you should be able to trust using VNC over 'sshd'.

I personally have multiple VNC connections tunneled over OpenSSH
and Zebedee running over the general Internet 24x7. It performs
great and I am comfortable with the security.

VNC's simplicity is sometimes its worst enemy when it comes to
security. However, that same simplicity makes it easy to combine
with other security systems to give very adequate protection.
<march>
> No.
>
> VNC client to/from server traffic is not encrypted and can be intercepted
> and replayed. VNC has very weak authentication (it's reversible), and the NT
> 4.0 registry permissions are atrocious. VNC uses well known ports. It
> doesn't log adequately. It is not possible to determine who is using the VNC
> connection as there's one password for all users on Win32, therefore
> auditing. It doesn't indicate via an audio or other method (a small change in
> systray color on Win32 hosts is all) that remote activity is going on.
>
> There is the VNC-SEC-L that was announced here the other day that is working
> on some of these issues. It may be a while before all the issues are
> addressed. Some can't be fixed easily and may take a fair amount of time.
> Some issues require a small rev in the RFB protocol. Some efforts are not
> worth pursuing, with the inclusion of TermSrv by default in >=Pro in Windows
> XP, which is far more secure and faster than VNC.
>
> Now... if you establish a strongly authenticated encrypting VPN (i.e. IPsec,
> established using SecurID or similar) to the perimeter of your network, and
> you are the only one with the VNC administrator password, then this is fine.
> Otherwise, I'll strongly advise against using VNC over the Internet.
>
> Andrew
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 03, 2001 4:40 PM
> Subject: Secure VNC sessions
>
>
> > Hi all,
> >
> > I'm new to VNC and need a little input from all you experienced guys (and
> > girls) out there:
> >
> > My scenario: Large corporate network behind Firewall-1, lots of NT4
> > servers (and W2K servers in the near future), VPN and RAS authenticated
> > by SecurID.
> >
> > Is it possible to establish secure VNC sessions from the outside in order
> > to remotely administer the servers without compromising network security?
> > I would love to be able to use e.g. the Nokia 9110/9210 Communicator for
> > this purpose.
> >
> > -Jens Bruun ([EMAIL PROTECTED])
> > ---------------------------------------------------------------------
> > To unsubscribe, send a message with the line: unsubscribe vnc-list
> > to [EMAIL PROTECTED]
> > See also: http://www.uk.research.att.com/vnc/intouch.html
> > ---------------------------------------------------------------------
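
One way to check the "VNC over sshd" setup recommended in the top reply, as an added example that is not part of the original thread: the function below reads `netstat -an` style output and reports any VNC listener that is reachable without going through the SSH tunnel. It assumes VNC displays listen on TCP 5900-5999 and that the server is meant to accept connections on loopback only; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. With a forward such as
#   ssh -L 5901:127.0.0.1:5900 admin@server.example   (placeholder host)
# the VNC server only needs to listen on loopback. Any other listener on a
# VNC port means the unencrypted protocol is reachable directly.

# Reads netstat -an style lines on stdin (Windows or Linux layout) and prints
# the local address:port of every VNC listener not bound to loopback.
exposed_vnc_listeners() {
    awk '
    toupper($0) ~ /LISTEN/ {                 # LISTEN (Linux) or LISTENING (Windows)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:[0-9]+$/) {           # first addr:port field is the local end
                n = split($i, parts, ":")
                port = parts[n] + 0
                addr = substr($i, 1, length($i) - length(parts[n]) - 1)
                if (port >= 5900 && port <= 5999 &&
                    addr !~ /^127\./ && addr != "::1" && addr != "[::1]")
                    print $i
                break
            }
        }
    }'
}

# Constructed sample: Windows layout, VNC bound to loopback behind sshd.
SAMPLE_TUNNELED='  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         127.0.0.1:1042         ESTABLISHED'

# Constructed sample: Linux layout, two displays bound to every interface.
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp6       0      0 :::5902                 :::*                    LISTEN'

for sample in "$SAMPLE_TUNNELED" "$SAMPLE_EXPOSED"; do
    found=$(printf '%s\n' "$sample" | exposed_vnc_listeners)
    if [ -n "$found" ]; then
        printf 'VNC reachable without the tunnel on:\n%s\n' "$found"
    else
        echo 'VNC listens on loopback only'
    fi
done
```

On a live host the same check is `netstat -an | exposed_vnc_listeners`; empty output means the only path to VNC is through sshd.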