On 12/2/10 10:06 AM, Leland Jackson wrote:
> On 12/02/2010 11:17 AM, Paul McNett wrote:
>> You already open a security hole by putting remote systems on vpn. Properly
>> mitigated, I don't see how not redirecting the default route is any less
>> secure.
>
> If you're connecting to the client's network using vpn, then you should
> be part of the client local network, just like everyone else in the
> local network.

Yes, the remote has an ip on the same subnet as those computers in the corporate network.

> If you're just another computer in the client's local
> network, then it seems you should be able to vnc to any desktop within
> the local network without regards to the router's/gateway's incoming or
> outgoing rules. In other words, once you connect over a vpn tunnel, the
> router/gateway firewall becomes irrelevant.

No, the perimeter firewall should still control traffic in and out, whether or not it is over the vpn.

> I don't know what vnc server and client you're using, but you might try

TightVNC or UltraVNC running as a service on every Windows workstation I administer. Client is whatever vncviewer I happen to have running on my Ubuntu Linux system.

> using vnc just like any other nodes in the local network can connect
> between a local vnc server and local vnc client.

Yes, but not over the vpn unless I specifically enable it in the firewall.

> I'm using TigerVNC, which works great within the local network using
> Windows or Linux, but I don't have a remote computer out in the internet
> to connect to my router's vpn, so I can't test whether TigerVNC works
> over a vpn connected computer.

It would depend on the configuration of the VPN and/or perimeter firewall. Don't rely on VNC (or any other client/server application) to provide all the security!

Paul
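The point Paul makes, that the perimeter firewall still decides what a VPN client may reach and that VNC is only permitted across the tunnel when explicitly enabled, can be expressed as a gateway rule set. The following is an added example and not code from the list thread; it generates an nftables ruleset for a Linux gateway in which only one VPN address may open VNC to two named workstations, and everything else arriving from the tunnel toward the LAN is dropped and logged. Interface names, subnets and addresses are assumptions chosen for the example, and the rule does not depend on whether the client's default route was redirected into the tunnel.

```shell
#!/bin/sh
# Added example (not from the ProFox post): generate an nftables ruleset that
# confines VNC over the VPN to one administrator address and a short list of
# workstations. All names and addresses below are assumptions for illustration.

VPN_IF="tun0"                          # assumed VPN tunnel interface on the gateway
LAN_IF="eth1"                          # assumed corporate LAN interface
ADMIN_IP="10.8.0.10"                   # assumed VPN address of the administrator's machine
VNC_HOSTS="192.168.1.20 192.168.1.21"  # assumed workstations running VNC as a service
VNC_PORT=5900                          # default VNC display :0 port

# Emit the ruleset text; run it with `nft -f` on the gateway.
gen_ruleset() {
  # Turn "a b" into "a, b" for the nft set literal.
  targets=$(printf '%s' "$VNC_HOSTS" | sed 's/ /, /g')
  cat <<EOF
flush ruleset
table inet vpn_filter {
  set vnc_targets {
    type ipv4_addr
    elements = { $targets }
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # return traffic for sessions the gateway has already allowed
    ct state established,related accept
    # the only VNC path permitted across the tunnel: admin -> listed workstations
    iifname "$VPN_IF" oifname "$LAN_IF" ip saddr $ADMIN_IP ip daddr @vnc_targets tcp dport $VNC_PORT ct state new accept
    # anything else from the tunnel toward the LAN is dropped and logged for review
    iifname "$VPN_IF" oifname "$LAN_IF" log prefix "vpn-drop: " drop
  }
}
EOF
}

# Usage on the gateway: gen_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf
gen_ruleset
```

Being on the VPN subnet gives the remote machine an address, not a blanket permission: every new connection still has to match an explicit accept line in the forward chain, and the log line on the drop rule gives the administrator a record of anything the tunnel tried to reach beyond VNC.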

