Security Basics mailing list archives

Re: VNC


From: Glen Mehn <glen () myvest com>
Date: Fri, 31 Jan 2003 10:47:24 -0800

Megan Golding wrote:

> On Wed, 2003-01-29 at 13:08, Marty wrote:
>> My question is simple: is the latest version of VNC better than the
>> previous ones and should we allow our tech group to use it to take
>> control of our machines (servers and workstations)...
>
> I highly suggest running VNC over an SSH tunnel -- it doesn't noticeably
> degrade VNC performance and adds the security element VNC seems lacking.
>
> When run this way, VNC is no riskier than SSH...in which case I would
> have no problem with a tech group using it for remote administration.

Well, enforcing the VNC-over-ssh with port filtering would definitely fit the bill, IMO, but that adds a (small) layer of work on top of it. The issues with VNC seem to mostly be:

--trivially encoded passwords, with a well-known/reversible hash and salt
--the simple ability to brute-force the password

In investigating VNC, I also found that you can (somewhat) mitigate the latter problem by enforcing a "lockout after $num failed attempts".

-g

--
Glen Mehn               glen () myvest com
Systems Administrator   MyVest, LLC
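
One way to check that the VNC-over-SSH arrangement discussed in this thread is actually enforced on a host, as an added example that is not part of the original post: the script flags any VNC listener bound to a non-loopback address. The 5900-5999 port range (displays :0 to :99), the function names, the host name in the comment and the sample input are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit that VNC is reachable only through an SSH tunnel.
# Assumption: VNC displays :0-:99 listen on TCP 5900-5999.
# A client would then connect via a tunnel such as (hypothetical host name):
#   ssh -L 5901:localhost:5901 admin@vnc-host.example
# and point the viewer at localhost:1.

# Reads `ss -Htln` style lines on stdin; prints each VNC-range listener
# bound to a non-loopback address, one "address port" pair per line.
exposed_vnc_listeners() {
    awk '
        $1 == "LISTEN" {
            local_ep = $4
            n = match(local_ep, /:[0-9]+$/)      # last ":port" suffix
            if (n == 0) next
            port = substr(local_ep, n + 1) + 0
            addr = substr(local_ep, 1, n - 1)
            if (port < 5900 || port > 5999) next
            # Loopback-only listeners are reachable solely via the tunnel.
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
            print addr, port
        }'
}

# Constructed sample input (not captured from a real host).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 5 [::1]:5902 [::]:*
LISTEN 0 5 *:5903 *:*
LISTEN 0 5 192.0.2.10:5904 0.0.0.0:*
EOF
}

# Returns 0 when no VNC listener is exposed, 1 otherwise (prints offenders).
audit_vnc() {
    exposed=$(exposed_vnc_listeners)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Live use: ss -Htln | audit_vnc
sample_listeners | audit_vnc || echo "VNC exposed outside loopback"
```

A non-zero exit from `audit_vnc` means at least one VNC server can be reached without going through SSH, so the port filter or the server's bind address needs fixing.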


