I concur, with one MAJOR caveat:

> It's recommended (by AT&T Research UK) that people running VNC 
> tunnel it over either SSH or SSL.

  You can tunnel *lots* of things over SSH -- including PPP, which 
gets you back to the "remote node" risk Paul is concerned about.  And 
the firewalls I've worked with (an incomplete sampling of the 
industry, of course) will only ever see it as an SSH session, 
permitted or denied depending on policy.

  [The fact that VNC lets you drop a session from one node and resume 
it from another, without a fresh host login, gives me the willies.  
It would take some effort to persuade me that it is acceptably 
secure.]

Dave Gillett


On 9 May 2001, at 6:17, Paul D. Robertson wrote:

> On Tue, 8 May 2001, Eric Johnson wrote:
> 
> > Our outside network expert thinks that Microsoft's PPTP is 
> 
> There are certainly a number of arguments supporting that assertion.
> 
> > extraordinarily insecure.  Yet, he uses VNC extensively to monitor 
> > systems.  I found out today that he has installed it on at least one 
> > of our computers.
> 
> That's not a directly comparable product (remote access vs. remote node is
> a fairly lengthy argument, but I think you'll find remote node falling
> on the bad side of that equation.)
> 
> > I tried VNC a couple of years ago and concluded that it did not 
> > seem secure enough to use and so I haven't done anything with it 
> > since then.
> 
> It's recommended (by AT&T Research UK) that people running VNC tunnel it
> over either SSH or SSL.  The initial authentication is challenge/response,
> but everything subsequent is just in-the-clear.
> 
> > I'm not saying that PPTP is safe, but that the vulnerabilities are 
> > fairly limited as far as I can tell and that to me, it certainly appears 
> > safer (and more useful) than VNC.
> 
> Safer?  While it depends a lot on deployment, I wouldn't go with safer as
> a rule of thumb; it's historically been broken and it allows remote node
> access to the network, which brings along a great deal of baggage that a
> remote display type product doesn't have.  Remote node products enable
> entire classes of generic attack that remote display products would
> generally need a targeted attack to compare to and probably malicious code
> executed at both ends.  "More useful" generally means "Less secure."
> 
> > Does anyone know the relative safety of VNC and PPTP? Or is 
> > there any way to adequately compare them?
> 
> It's an apples and kumquats comparison.  Personally I'd allow
> strongly authenticated VNC over SSH well before I'd allow PPTP, but I've
> never been overly enamoured with either solution.  If I had to choose
> between non-encrypted VNC and PPTP, I'd pick neither one and go on happily
> with life feeling much more secure.
> 
> You're kind of trying to pick between "horrible disaster" and "atrocious
> disaster" here, while it may be possible to reduce the risk in PPTP to a
> manageable level, it's certainly not trivial, and there still seem to be
> questions with the latest version of the protocol, let alone the
> implementation.  
> 
> Paul 
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

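The tunnelling recommendation in Paul's quoted message, as an added shell example that is not part of this thread: it builds the ssh local-forward command for one VNC display and audits a listener table for VNC ports reachable off loopback (the case where the post-authentication VNC traffic would cross the network in the clear). The user, host and sample listener lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers: one prints the ssh
# command that carries a VNC display inside an SSH session, the other
# audits listener lines for VNC ports exposed beyond loopback.

# Print the ssh invocation forwarding local port 5900+display to the same
# port on the VNC host's loopback. Binding the local end to 127.0.0.1 keeps
# the tunnel entrance off the LAN; -N runs no remote command.
vnc_ssh_tunnel_cmd() {
    user="$1"; host="$2"; display="${3:-1}"
    port=$((5900 + display))
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$port" "$port" "$user" "$host"
}

# Read "proto local-address" lines on stdin (the shape of `ss -ltn` or
# netstat output, trimmed to those two columns) and print every listener
# on a VNC-range port (5900-5999) bound to something other than loopback.
vnc_exposed_listeners() {
    while read -r proto addr; do
        host="${addr%:*}"      # strip ":port"; IPv6 stays bracketed
        port="${addr##*:}"
        case "$port" in
            59[0-9][0-9]) ;;   # VNC display ports
            *) continue ;;
        esac
        case "$host" in
            127.*|'[::1]'|::1|localhost) ;;   # loopback only: fine
            *) printf '%s %s\n' "$proto" "$addr" ;;
        esac
    done
}

# Constructed sample listener table: one tunnelled display on loopback,
# two displays and sshd reachable from the network.
SAMPLE_LISTENERS='tcp 127.0.0.1:5901
tcp 0.0.0.0:5900
tcp 0.0.0.0:22
tcp6 [::]:5902'

printf '%s\n' "$SAMPLE_LISTENERS" | vnc_exposed_listeners
```

Run on a real host, feed the function `ss -ltn | awk 'NR>1{print "tcp", $4}'` instead of the sample table; any line it prints is a VNC display listening outside the SSH tunnel.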