Remote access and security

Author: Austin Godber
Date:  
Subject: Remote access and security
Hello Charlie,

Charlie Bullen wrote:
> On a scale of 1 to 10 with 1 being totally insecure and 10 being totally
> secure, how would you rate the following


I will take a shot at rating your options, but I will weigh the pros and cons
more. Also, I should mention, I don't believe in total security, because you
can never prove security. So nothing will receive a 10.

> 1. Using VNC from a computer anywhere on the internet connecting to a
> computer sitting behind a firewall. The firewall passes traffic on port
> 5900 to a specific computer on the LAN.




Rated 3 - The VNC password is encrypted so it wouldn't be the worst thing in the
world, however all of the resulting traffic will be unencrypted ... which could
be very bad if you open an ssh connection from your VNCed desktop. Given that, I
would rate this relatively insecure because it requires the user to remember not
to do stupid things (which will happen, not because users are stupid, just that
they aren't perfect). I would avoid this myself just because I wouldn't trust
myself not to botch it.

> 2. The same basic setup as above, except using ssh to forward port 5900
> to the specific machine behind the firewall.


Rated 9 - If using SSH to do port forwarding is an option, I would definitely
choose that. With ssh-agent and public key authentication it's not tough to
write a little wrapper script to set up your VNC connection automatically through
ssh. SSH is pretty well scrutinized by the security community and will continue
to be. Any time you can close a port on your firewall and replace it with
the service tunneled through ssh I would suggest it. This will reduce the
number of exposed services and transfer the risk to a better known risk. Of
course there are still the unknowns.

Good Luck

Austin
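
A wrapper script of the kind mentioned under option 2 could look like the following. This is an added example, not part of the original message; the usage line, the default local port 5901, and the `vncviewer` command with its `host::port` syntax are assumptions.

```shell
#!/bin/sh
# Added example: tunnel VNC over SSH instead of exposing port 5900.
# Hypothetical usage: vnc-tunnel.sh user@gateway vnc-host-on-lan [local-port]

VNC_PORT=5900   # the port the original question forwarded through the firewall

# Reject empty values, values ssh could parse as an option, and odd characters.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9@._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only an unprivileged TCP port number.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the -L argument. Binding to 127.0.0.1 keeps the forwarded port
# reachable only from the local machine, not from the rest of its network.
forward_spec() {
    valid_port "$1" && valid_host "$2" || return 1
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$VNC_PORT"
}

main() {
    gateway=$1 target=$2 lport=${3:-5901}
    valid_host "$gateway" || { echo "bad gateway: $gateway" >&2; return 2; }
    spec=$(forward_spec "$lport" "$target") || { echo "bad target or port" >&2; return 2; }
    ctl=$(mktemp -d)/ctl    # control socket used to stop the tunnel afterwards

    # BatchMode: key/agent authentication only, never fall back to a prompt.
    # ExitOnForwardFailure: stop if the local port cannot be bound.
    ssh -f -N -M -S "$ctl" -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -L "$spec" "$gateway" || return 1

    vncviewer "127.0.0.1::$lport"    # assumed viewer; '::' selects a TCP port
    ssh -S "$ctl" -O exit "$gateway" # tear the tunnel down when the viewer exits
    rm -rf "$(dirname "$ctl")"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

With this in place the firewall only needs to admit SSH to the gateway, and port 5900 stays closed to the internet.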