Security Basics mailing list archives

RE: Remote Desktop vs VPN on Windows 2003


From: "Nero, Nick" <Nick.Nero () disney com>
Date: Wed, 19 Jan 2005 16:01:59 -0500

Unfortunately the phrase "weak encryption algorithm" is only slightly
less subjective than the terms, "too much money".  For what purpose?
The default on 2000 and XP is 128bit RC4 which does seem dated but this
is a pretty popular algorithm for symmetric encryption.  Sure we could
all use key pairs to encrypt everything to have "strong encryption" but
the cost in performance for the amount of security it provides isn't
worth it for the large majority of applications.

Furthermore in Windows 2003 you have the option of FIPS 140-1/FIPS 140-2
compliant algorithms for encrypting RDP sessions.  This can even be set
via a GPO to your entire environment.  Doesn't get much easier than
that.  Is it secure enough to transfer missile launch codes?  I probably
wouldn't.  Is it good enough to secure a user remotely accessing their
desktops - you betcha.  Also, bear in mind these encryption keys are per
session so once you find one it isn't as easy as just listening to all
the new sessions.

At the same time 128bit SSL isn't as secure as 1024bit but it is secure
enough for the overwhelming majority of uses.  And SSH has had lots of
holes in the past 2 years.  Bashing RDP is just baseless MS bashing
without concern for the facts.


-----Original Message-----
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Wednesday, January 19, 2005 2:52 PM
To: security-basics () securityfocus com
Subject: Re: Remote Desktop vs VPN on Windows 2003

On 2005-01-19 Roger A. Grimes wrote:
> On 2005-01-19 Ansgar -59cobalt- Wiechers wrote:
>> On 2005-01-18 Roger A. Grimes wrote:
>>> but if the Windows tool can do the same or better job, why not use
>>> the free tools in the system?
>>
>> Because it can't.
>
> SSH multiple hacks...RDP one in 2002.  How is RDP the worse tool?  I
> keep waiting for facts?

*sigh*

Like I already said: because its encryption algorithm is weak. Thus it
simply cannot do a better job than tools which provide strong encryption
(like SSH or VPNs). Period.

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve
neither liberty nor safety, and will lose both."
--Benjamin Franklin


