Security Basics mailing list archives

RE: Remote access solution


From: Danny <Danny () drexel edu>
Date: Thu, 30 Jan 2003 16:31:02 -0500

 

It all depends on who will be accessing the services and how. If you
mean open VNC, Terminal Services, etc. up to the Internet and the rest
of the world, then I can't stress enough how bad of an idea this is.
The number of VNC and Terminal Services issues that have been
released recently would make me think twice about running them on a
closed LAN, let alone the Internet.

Having said that, if you plan on having your users VPN into your
network and THEN allowing them access to VNC, Terminal Services, etc.,
that's probably the easiest way to admin Windows servers remotely and
reasonably securely, and it shouldn't hurt the users on dialup too
much.

So basically the ideal setup I would recommend would be this:

Users establish a VPN connection to your site using either a VPN
device like Cisco's concentrator 3000 series or even a UNIX box with
IPSec.
Once they are authenticated into your network, they are assigned an IP
local to your network from a pool of IPs with restricted access
(restricted to what you want to allow the remote people to do).

From there, set up firewall/router ACLs to allow these IPs (and only
these IPs) to the machines running VNC, Terminal Services, etc.

Alternatively, you could look into some KVM over IP products. We use
Avocent http://www.avocent.com/web/en.nsf for all of our NT boxes.
The client is a bit of a bandwidth hog, though, so using it remotely may
be out of the question for dialup users. However, having a single VNC
box on your network with the DSView client on it may make the
situation more manageable for you.
 
This email was just a quick, very rough idea outline; if you need/want
a clearer image of what I was thinking, just let me know.

Danny

-----Original Message-----
From: Orlando J. Cano [mailto:ojcano () scif com] 
Sent: Wednesday, January 29, 2003 7:58 PM
To: security-basics () securityfocus com
Subject: Remote access solution

I have recently been assigned to join efforts with our Network group
in coming up with a secure remote access solution for our Network.
This will involve accessing servers in our DMZ. I was wondering if
this securityfocus community could elaborate on how secure VNC,
Freevision or Terminal Services are, or better yet, recommend another
solution.
Any comments would be greatly appreciated.

Thanks

oc


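The ACL arrangement described in the reply above (a restricted VPN address pool, and only that pool, allowed to reach the machines running VNC or Terminal Services) can be checked mechanically. The following Python sketch is an added example, not part of the original thread; the address ranges, the default ports 5900 and 3389, and the simplified first-match rule model are assumptions and not any vendor's ACL syntax.

```python
import ipaddress as ip

# Constructed values (assumptions, not taken from the original post).
VPN_POOL = ip.ip_network("10.9.0.0/28")        # addresses handed to VPN clients
ADMIN_HOSTS = ip.ip_network("192.0.2.16/29")   # servers running VNC / Terminal Services
ADMIN_PORTS = {3389: "Terminal Services", 5900: "VNC"}  # default ports

def rule(action, src, dst, port=None):
    """One ACL entry; port=None means any port."""
    return (action, ip.ip_network(src), ip.ip_network(dst), port)

def decide(acl, src, dst, port):
    """First matching entry wins; no match is an implicit deny."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, rsrc, rdst, rport in acl:
        if s in rsrc and d in rdst and rport in (None, port):
            return action
    return "deny"

def audit(acl):
    """List every departure from 'the VPN pool, and only the VPN pool'."""
    findings = []
    # Conservative static pass: any permit touching an admin port must be
    # sourced entirely from inside the pool (rule shadowing is ignored).
    for n, (action, rsrc, rdst, rport) in enumerate(acl, 1):
        if action != "permit" or not rdst.overlaps(ADMIN_HOSTS):
            continue
        for port, name in ADMIN_PORTS.items():
            if rport in (None, port) and not rsrc.subnet_of(VPN_POOL):
                findings.append(f"rule {n}: {name} ({port}) permitted from {rsrc}")
    # Functional pass: a sample pool address must reach every admin host.
    for host in ADMIN_HOSTS.hosts():
        for port, name in ADMIN_PORTS.items():
            if decide(acl, VPN_POOL[1], host, port) != "permit":
                findings.append(f"VPN pool blocked from {host} {name} ({port})")
    return findings

# Constructed rule sets: the recommended layout, and one with VNC left open.
GOOD_ACL = [
    rule("permit", "10.9.0.0/28", "192.0.2.16/29", 3389),
    rule("permit", "10.9.0.0/28", "192.0.2.16/29", 5900),
    rule("deny", "0.0.0.0/0", "192.0.2.16/29"),
]
WEAK_ACL = [
    rule("permit", "0.0.0.0/0", "192.0.2.16/29", 5900),
    rule("permit", "10.9.0.0/28", "192.0.2.16/29", 3389),
]

if __name__ == "__main__":
    for label, acl in (("GOOD_ACL", GOOD_ACL), ("WEAK_ACL", WEAK_ACL)):
        print(label, audit(acl) or "no findings")
```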

