At 5:09 pm +1100 7/3/07, Greg Twyford wrote:
Ian Cheong wrote:
The SSH RDP access PeteM set up for us works well. (I think this has
been well covered in past discussions some time back.) Gives us
complete access to all surgery computers remotely if needed.
Prevents the security headaches with VPNs. Main worry for me with
VPN is ensuring security of the remote network, which has ready access
to insecure wireless hardware.
It became abundantly clear trying to write the security policy that
the number of constraints required to ensure security of the remote
VPN site was more hassle than it was worth.
Ian.
Ian,
How is the problem of insecure remote networks any better with SSH
RDP, as you call it?
If someone can get control of your remote PC via an insecure
wireless network, and you are running SSH to the surgery, couldn't
they wreak as much havoc as the two-year old playing with the remote
PC when it's in VPN mode?
Greg
To get control of an ssh connection at the remote computer, they would have to:
a. figure out how to log in to any enabled remote access software
running on the remote machine (e.g. remote access, VNC, etc.)
(so yes, we do need to make sure that remote access software is not
running and Windows Firewall is open for them. The default status is
for remote access to be off and Windows Firewall to be on - as
opposed to wireless networks, which are insecure by default)
+
b. figure out how to ssh to the surgery
+
c. figure out the surgery ssh access id/password
+
d. run Remote Desktop Connection
+
e. figure out the user id/password at the surgery server
Or else they would have to capture my screen while I am looking at it
- unlikely.
Or else they may have a window of time to use my open connection if I
was silly enough to leave it open and unattended - they have a 5
minute window until the activity timeout closes the connection.
On the other hand anyone can poke around an insecure wireless network
and lots of people know how many there are out there in the 'burbs
open to warchalking and wardriving.
In the vicinity of my place, there are 4 wireless networks in range,
two of which are insecure. Another broadcasts its ID but is somehow
otherwise secured.
Ian.
--
Dr Ian R Cheong, BMedSc, FRACGP, GradDipCompSc, MBA(Exec)
Health Informatics Consultant, Brisbane, Australia
Internet: [EMAIL PROTECTED]
(for urgent matters, please send a copy to my practice email as well:
[EMAIL PROTECTED])
PRIVACY NOTE
I am happy for others to forward on email sent by me to public email lists.
Please ask my permission first if you wish to forward private email
to other parties.
_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
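The thread above describes a remote PC on an untrusted (possibly open wireless) LAN reaching the surgery's RDP server through an SSH tunnel, and lists what an attacker would have to get through. The script below is an added example, not part of the thread and not PeteM's actual setup: it prints the client-side tunnel command with the local port bound to 127.0.0.1 only (so other machines on the insecure wireless LAN cannot ride the open tunnel, which is Greg's concern), and audits a gateway sshd_config for the settings that shrink the attack chain (no password logins, no root logins, forwarding allowed only to the RDP server's port 3389). The host names (surgery-gw.example, surgery-server.internal), the user name and both sample config files are constructed for the example; the hardened config goes beyond Ian's description by requiring keys instead of the id/password in steps b and c. One caveat the thread does not state: SSH's ClientAlive/ServerAlive options only detect a dead peer, they do not close an idle-but-connected tunnel, so a 5-minute activity timeout like the one Ian mentions would have to come from the RDP session settings (or a screensaver/lock on the remote PC), not from sshd.

```shell
#!/bin/sh
# Added example (not the thread's or PeteM's code). Requires sh, awk, mktemp.

# Client side: forward local port 3389 to the surgery RDP server through the SSH
# gateway. Binding to 127.0.0.1 explicitly keeps the forwarded port off the remote
# PC's LAN interface; the RDP client then connects to localhost:3389.
# Usage: tunnel_cmd GATEWAY USER RDP_HOST
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:3389:%s:3389 %s@%s\n' \
        "$3" "$2" "$1"
}

# cfg_get FILE KEYWORD DEFAULT: effective value of an sshd_config keyword.
# sshd uses the first value it reads for a keyword (keywords are case-insensitive);
# Match blocks are not evaluated here, so parsing stops at the first "Match".
cfg_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }                          # conditional section: stop
        k == key { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: returns 0 when every check passes, 1 otherwise.
# Each failed check is printed with the reason it matters for the tunnelled-RDP setup.
audit_sshd_config() {
    f="$1"; rc=0

    pa=$(cfg_get "$f" PasswordAuthentication yes)       # OpenSSH default: yes
    [ "$pa" = "no" ] || { echo "FAIL: PasswordAuthentication=$pa (want no: a guessed password must not be enough)"; rc=1; }

    prl=$(cfg_get "$f" PermitRootLogin yes)             # conservative default (older OpenSSH: yes)
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin=$prl (want no)"; rc=1; }

    fwd=$(cfg_get "$f" AllowTcpForwarding yes)          # the tunnel needs local forwarding
    case "$fwd" in
        yes|local) ;;
        *) echo "FAIL: AllowTcpForwarding=$fwd (the -L tunnel needs yes or local)"; rc=1 ;;
    esac

    # Every PermitOpen entry must point at an RDP port; the default "any" lets a
    # stolen SSH login reach every TCP service on the surgery LAN, not just RDP.
    po=$(cfg_get "$f" PermitOpen any)
    po_ok=1
    for e in $po; do
        case "$e" in *:3389) ;; *) po_ok=0 ;; esac
    done
    [ "$po_ok" = 1 ] || { echo "FAIL: PermitOpen=$po (want only <rdp-host>:3389 entries)"; rc=1; }

    return "$rc"
}

# Constructed sample configs (not from any real surgery gateway).
HARDENED_CFG=$(mktemp)
DEFAULT_CFG=$(mktemp)
cat >"$HARDENED_CFG" <<'EOF'
# gateway that only admits key-based logins and only forwards to the RDP server
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding local
PermitOpen surgery-server.internal:3389
X11Forwarding no
EOF
cat >"$DEFAULT_CFG" <<'EOF'
# stock-looking config: passwords accepted, any forwarding target allowed
PasswordAuthentication yes
AllowTcpForwarding yes
EOF

# Stand-alone demonstration.
echo "client command: $(tunnel_cmd surgery-gw.example remoteuser surgery-server.internal)"
for c in "$HARDENED_CFG" "$DEFAULT_CFG"; do
    if audit_sshd_config "$c"; then echo "$c: OK"; else echo "$c: needs attention"; fi
done
```

Run it as-is to see the hardened sample pass and the stock-looking one fail; point `audit_sshd_config` at a real `/etc/ssh/sshd_config` to check a gateway. PermitOpen can also be set per key in authorized_keys (`permitopen="surgery-server.internal:3389"`), which this parser does not read.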