On 12/02/2010 01:12 PM, Paul McNett wrote:
> On 12/2/10 10:06 AM, Leland Jackson wrote:
>> On 12/02/2010 11:17 AM, Paul McNett wrote:
>>> You already open a security hole by putting remote systems on vpn. Properly
>>> mitigated, I don't see how not redirecting the default route is any less 
>>> secure.
>> If you're connecting to the client's network using vpn, then you should
>> be part of the client local network, just like everyone else in the
>> local network.
> Yes, the remote has an ip on the same subnet as those computers in the 
> corporate network.
>
>> If you're just another computer in the client's local
>> network, then it seems you should be able to vnc to any desktop within
>> the local network without regards to the router's/gateway's incoming or
>> outgoing rules.  In other words, once you connect over a vpn tunnel, the
>> router/gateway firewall become irrelevant.
> No, the perimeter firewall should still control traffic in and out, whether 
> or not it is over the vpn.

This is true, but only from the standpoint of computers in the local 
network, of which the vpn connected computer is a part.  I'm looking at 
it from that point of view.

Connecting a remote computer via vpn works just like connecting a local 
computer to the router by plugging in the two RJ45 ends of a cat 6 cable 
between the computer and router, but a vpn connection uses the internet 
infrastructure.  Also a vpn connection requires some additional headers 
to the IP packets, and there is usually some encryption built into the 
router and its vpn client software, so the encryption between the two 
endpoints is on the same page.

>> I don't know what vnc server and client you're using, but you might try
> TightVNC or UltraVNC running as a service on every Windows workstation I 
> administer.
> Client is whatever vncviewer I happen to have running on my Ubuntu Linux 
> system.
>

Right.

>> using vnc just like any other nodes in the local network can connect
>> between and local vnc server and local vnc client.
> Yes, but not over the vpn unless I specifically enable it in the firewall.

OK most vnc servers listen to a port in the 5900-5909 range, so if you 
have a firewall on the local server box, those ports would need to be 
open.  If you elect to trust the local network, and have no firewall 
running within the local network, no ports need to be open for a local 
vnc client computer to connect to the local vnc server, including a vpn 
connected box.

The WAN firewall would need to forward ports 5901-5909 for anyone trying 
to connect to a vnc server from out in the internet, but remember: a vpn 
connected computer is local, and already behind the WAN.

>> I'm using TigerVNC, which works great within the local network using
>> Windows or Linux, but I don't have a remote computer out in the internet
>> to connect to my router's vpn, so I can't test whether TigerVNC works
>> over a vpn connected computer.
> It would depend on the configuration of the VPN and/or perimeter firewall. 
> Don't rely on VNC (or any other client/server application) to provide all 
> the security!

This is a complex subject, especially as there are so many 
classifications, implementations, and uses for VPNs and VNCs.  LOL

http://kb.realvnc.com/questions/58/Notes+on+using+VNC+over+a+VPN+connection.

http://www.realvnc.com/pipermail/vnc-list/2004-November/048143.html

http://en.wikipedia.org/wiki/Virtual_private_network

Regards,

LelandJ


> Paul
>
>
>
[excessive quoting removed by server]
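The disagreement in the thread above (whether a vpn-connected box should be treated as "just another local computer" or should still be filtered by the perimeter firewall) can be made concrete with a small policy model. The following Python is an added example and is not code from either poster; every address, subnet and host name in it is constructed for illustration, and the only value taken from the thread is the 5900-5909 vnc port range. It evaluates two rule sets with first-match semantics and an implicit deny: a "flat" policy that trusts the whole LAN, vpn pool included, and a "scoped" policy that lets vpn clients reach vnc on one designated workstation only.

```python
"""
Added example (not part of the original mailing-list thread).

Models a perimeter firewall that sees a vpn client as a local address
(it sits inside the LAN subnet, as the thread says) but still decides
per rule whether that client may reach vnc on a given host.  All
addresses and subnets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# vnc servers usually listen somewhere in 5900-5909 (range cited in the thread)
VNC_PORTS = range(5900, 5910)
ALL_PORTS = range(1, 65536)


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network        # source subnet the rule applies to
    dst: ipaddress.IPv4Network        # destination subnet the rule applies to
    ports: range                      # TCP destination ports covered


def matches(rule: Rule, src_ip, dst_ip, port: int) -> bool:
    """True when a packet (src, dst, port) falls inside the rule's tuple."""
    return src_ip in rule.src and dst_ip in rule.dst and port in rule.ports


def evaluate(rules, src: str, dst: str, port: int) -> str:
    """First-match evaluation; anything no rule claims is denied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action
    return "deny"


def vnc_exposure(rules, src: str, hosts) -> list:
    """Hosts on which at least one vnc port is reachable from src (defender's view)."""
    return sorted(h for h in hosts
                  if any(evaluate(rules, src, h, p) == "allow" for p in VNC_PORTS))


# --- constructed topology ---------------------------------------------------
LAN = ipaddress.ip_network("192.168.10.0/24")           # corporate subnet
VPN_POOL = ipaddress.ip_network("192.168.10.200/29")    # vpn clients: .200-.207, inside LAN
ADMIN_WS = ipaddress.ip_network("192.168.10.50/32")     # the one box vpn users may vnc to
HOSTS = ["192.168.10.20", "192.168.10.50", "192.168.10.77"]

# Policy A: "a vpn client is local, so trust it like any LAN host".
POLICY_FLAT = [
    Rule("allow", LAN, LAN, ALL_PORTS),
]

# Policy B: the perimeter firewall still filters vpn traffic.  The vpn-specific
# rules must come BEFORE the LAN-to-LAN allow, because the vpn pool is inside LAN.
POLICY_SCOPED = [
    Rule("allow", VPN_POOL, ADMIN_WS, VNC_PORTS),   # vnc to the admin workstation only
    Rule("deny", VPN_POOL, LAN, ALL_PORTS),         # nothing else from the vpn pool
    Rule("allow", LAN, LAN, ALL_PORTS),             # ordinary local traffic unchanged
]


if __name__ == "__main__":
    vpn_client = "192.168.10.201"     # address handed out by the vpn server
    internet_host = "203.0.113.7"     # documentation range, i.e. "out in the internet"
    for name, policy in (("flat", POLICY_FLAT), ("scoped", POLICY_SCOPED)):
        print(f"{name}: vnc reachable from vpn client -> {vnc_exposure(policy, vpn_client, HOSTS)}")
        print(f"{name}: internet host to 5901 -> {evaluate(policy, internet_host, HOSTS[2], 5901)}")
```

Under the flat policy the vpn client can reach vnc on every host, exactly as Leland describes; under the scoped policy the same client, still holding a LAN address, reaches only the admin workstation, which is Paul's point that the firewall remains relevant over the vpn. An unforwarded internet source is denied by both, since no rule claims it.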

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.