VNC access not by me - Should I be concerned?

Soldato
Joined
10 Jan 2004
Posts
21,921
Location
All over
Well, feel happy if you want, but it isn't :) Authentication aside, VNC (the protocol) has a bad history when it comes to security. It's fine for local use, or for use through some other secure means (VPN/SSH/whatever), but you're taking a risk exposing it to the big wide world. Almost like the phpbb or remote access.

Remote desktop is a lot better but still not ideal, personally I shove everything through a VPN tunnel.
 
Soldato
OP
Joined
15 Nov 2003
Posts
14,342
Location
Marlow
Well, feel happy if you want, but it isn't :) Authentication aside, VNC (the protocol) has a bad history when it comes to security. It's fine for local use, or for use through some other secure means (VPN/SSH/whatever), but you're taking a risk exposing it to the big wide world. Almost like the phpbb or remote access.

Remote desktop is a lot better but still not ideal, personally I shove everything through a VPN tunnel.

You said the words 'bad history', but I believe VNC 4 now has 128bit encryption!? It's like the previous poster said it only has 8 character logon identification, which of course is rubbish as it has 256 characters for the username & password.

Anyway, given that what security issues do I have?
1) Someone logging on? They would have to get through the NT authorisation for that surely? And this is protected by 5 invalid logons and you're out!
2) Someone happening to see my (128bit encrypted traffic) VNC traffic, most of which is me just doing nonsy stuff like checking on torrents running etc. Or copy/pasting files backwards/forwards.

I imagine someone using google mail is more open to people nicking their details/communications surely?!
 
Soldato
Joined
10 Jan 2004
Posts
21,921
Location
All over
You said the words 'bad history'
Yep, and it's yet to really prove itself

but I believe VNC 4 now has 128bit encryption!?
Great for stopping people sniffing stuff straight off the wire, but that's never been its main problem.

Anyway, given that what security issues do I have?
1) Someone logging on? They would have to get through the NT authorisation for that surely?
Not necessarily no. All it'll take is someone to find an exploit in the protocol to bypass the authentication in some way (which has happened before) and that's that.

2) Someone happening to see my (128bit encrypted traffic) VNC traffic, most of which is me just doing nonsy stuff like checking on torrents running etc. Or copy/pasting files backwards/forwards.
Encrypting the actual traffic is only half the story though - and the second half at that. Anybody can establish a connection to your VNC service and start throwing packets at it for the code to handle. Similar to the differences between PPTP and IPSEC VPNs - Generally speaking, without firewall rules and such, anybody can connect to the PPTP service and attempt to authenticate (or even exploit/attack the service). With IPSEC you can configure it to require authentication (certificates/smart cards/PSK) to even access the service at all, let alone attempt to authenticate/attack/whatever.

Nicking traffic off the wire has never really been VNC's biggest problem - it's vulnerabilities in the code that render it highly vulnerable to attack, be that to gain control of the target machine, execute code under the VNC server's credentials or plain old denial of service. While the later revisions are unarguably better, it's still a long way off being a proven secure protocol, and that's not just simply clearing bugs from codes, it's entire authorisation/authentication methodologies that need addressing.

By exposing the service to the web you're opening yourself up to that risk.
 
Soldato
OP
Joined
15 Nov 2003
Posts
14,342
Location
Marlow
You mentioned piping it thru VPN. Now I've never touched VPN, but surely if you use VPN you're just moving the goal posts? ie: Instead of NT security for VPN, now it's NT security for VPN?

Excuse my ignorance on this!
 
Caporegime
Joined
18 Oct 2002
Posts
33,396
Location
West Yorks
the issue isn't the authentication or encryption level

the issue is the fact that VNC as a protocol isn't a secure one. You can have encrypted traffic, but as i understand, it doesn't close off the non-encrypted part of the system. It's still there accepting non encrypted connections. So anybody can just throw malformed packets etc.. at the service and attempt to bypass it.

Encrypting your traffic only prevents somebody hooking onto your connection, it doesn't force them to be properly encrypted to make new connections

as Otacon said, it's similar to the difference between PPTP and IPSEC VPNs. PPTP has the traffic going over the VPN secured, but it's not a protocol that requires authentication encryption. It does have a non encrypted option, but with it not being an encrypted protocol at heart, it still talks to non encrypted traffic.

IPsec on the other hand refuses to talk to anything that's non encrypted to the proper standard. It just shuts off and doesn't talk back. making it far more secure.

I had this when i set up a test W2k3 box. I set it to be on IPsec link by accident (don't know how) and at startup, it detected the lack of IPsec and just shut off the LAN interface and refused to respond to any web traffic. To all intents and purposes it looked as though the LAN card was dead. This is why IPSEC VPNs are much more secure than PPTP ones (as i understand it ?)

as for the differences between RDP and VNC, I've never had them fully explained.
 
Man of Honour
Joined
4 Nov 2002
Posts
15,508
Location
West Berkshire
One of the other benefits of RDP over VNC - though not a security-related one - is that the protocol is generally much more efficient. VNC has no knowledge of what is being updated on the screen, so it just sends bitmap copies of portions of the desktop. On the other hand RDP intercepts and sends the specific updates - in graphics terms, consider the difference between bitmap and vector graphics.

From a security point-of-view, both RDP and VNC have protocol security issues. VNC more so than RDP though, certainly in the past.

Like Otacon, I wouldn't expose either to the internet personally. While it's more of a pain to set up, the security benefits of encapsulating either protocol inside VPN or SSH seem undeniable.
 
Soldato
Joined
21 Oct 2002
Posts
18,022
Location
London & Singapore
Use RDP, it's much more secure. Especially RDP 6.0 which has transport layer encryption.

OR... just lock down your VNC port using a rules firewall. I.e. "only allow connections from 123.456.789.012", or whatever your work IP/range is.

Or use a private VPN like Hamachi. And then you don't even have to allow external incoming connections to VNC or whatever.

Personally I use latter. Hamachi is better than sliced bread IMO. Soooo many uses for it.
 
Soldato
OP
Joined
15 Nov 2003
Posts
14,342
Location
Marlow
Of course, don't mind me I know nothing, only got the one BSc degree in Computing ;)

You could have a PhD... Still doesn't prevent someone from spouting unfounded claims...
8 character password limitation - Incorrect
weak password encryption - Incorrect
no data encryption - Incorrect
 
Soldato
OP
Joined
15 Nov 2003
Posts
14,342
Location
Marlow
Use RDP, it's much more secure. Especially RDP 6.0 which has transport layer encryption.

OR... just lock down your VNC port using a rules firewall. I.e. "only allow connections from 123.456.789.012", or whatever your work IP/range is.

Or use a private VPN like Hamachi. And then you don't even have to allow external incoming connections to VNC or whatever.

Personally I use latter. Hamachi is better than sliced bread IMO. Soooo many uses for it.

Point taken - I'll look at the port forwarding rules as it will be the easiest to apply/setup I suspect :)
 
Don
Joined
21 Oct 2002
Posts
46,750
Location
Parts Unknown
Or use a private VPN like Hamachi. And then you don't even have to allow external incoming connections to VNC or whatever.

Personally I use latter. Hamachi is better than sliced bread IMO. Soooo many uses for it.

exactly, like i've said twice :)

Point taken - I'll look at the port forwarding rules as it will be the easiest to apply/setup I suspect :)

-stop ignoring what we're suggesting! hamachi is dead easy to use, it's got the same learning curve that msn messenger has ;)
 
Don
Joined
21 Oct 2002
Posts
46,750
Location
Parts Unknown
http://en.wikipedia.org/wiki/Hamachi

looks like that

basically you click the kind of triangle icon, 'create network' choose a network name & a password, then on the other machine, do 'join network' type in the username & password..

job done! -don't tick 'disable services' during setup.. it's just things like file sharing etc

in 99% of cases, no need to forward any ports :)
 
Soldato
OP
Joined
15 Nov 2003
Posts
14,342
Location
Marlow
http://en.wikipedia.org/wiki/Hamachi

looks like that

basically you click the kind of triangle icon, 'create network' choose a network name & a password, then on the other machine, do 'join network' type in the username & password..

job done! -don't tick 'disable services' during setup.. it's just things like file sharing etc

in 99% of cases, no need to forward any ports :)

And then how does VNC get to the other machine? ie: What 'address' is the other machine?

ps: Sorry for my utter noob'ness on this!
 
Soldato
OP
Joined
15 Nov 2003
Posts
14,342
Location
Marlow
address is either the ip of the machine in hamachi (always 5.xx) or the pcname :)

pcname didn't work...

Also going thru Hamachi seems a fair bit slower than via going to VNC directly over the internet :(

Still usable, but clunky in comparison! Enough to put me off using it though when a direct link is so smooth...
 
Associate
Joined
21 Oct 2006
Posts
1,614
Location
Cambridge
the issue isn't the authentication or encryption level

the issue is the fact that VNC as a protocol isn't a secure one. You can have encrypted traffic, but as i understand, it doesn't close off the non-encrypted part of the system. It's still there accepting non encrypted connections. So anybody can just throw malformed packets etc.. at the service and attempt to bypass it.

Encrypting your traffic only prevents somebody hooking onto your connection, it doesn't force them to be properly encrypted to make new connections

People really need to start differentiating when they say 'VNC this' and 'VNC that'. VNC refers to both the version 3/4 protocols, and there are many different third-party VNC products, as well as the continued official development.

Yes, if you are talking about legacy VNC (3.3 protocol) and VNC Free Edition 4.1.2 then all of this is true.

The same can't be said for VNC Enterprise Edition though.. in which by default encryption is set to always on. Unencrypted connections are automatically refused when they attempt to negotiate with the listening VNC Server.
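
One way to check what the post above describes (which protocol version your own server announces, and whether it still offers unencrypted security types) is to parse the start of the RFB handshake. This is an added example, not part of the thread and not any vendor's code; the type numbers are from RFC 6143 and the byte strings in the usage are constructed samples.

```python
import struct

# Subset of security-type numbers registered in RFC 6143.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                  17: "Ultra", 18: "TLS", 19: "VeNCrypt"}
UNENCRYPTED = {1, 2}  # neither type encrypts the session that follows


def parse_banner(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, _, minor = banner[4:11].partition(b".")
    if not (major.isdigit() and minor.isdigit()):
        raise ValueError("malformed version digits")
    return int(major), int(minor)


def parse_security(version: tuple, msg: bytes) -> list:
    """Return the security types carried in the server's next message."""
    if version < (3, 7):
        # 3.3: the server dictates one type as a big-endian uint32 (0 = failed).
        if len(msg) < 4:
            raise ValueError("truncated security word")
        (chosen,) = struct.unpack(">I", msg[:4])
        return [chosen] if chosen else []
    # 3.7 and later: one count byte, then that many one-byte types.
    if not msg:
        raise ValueError("empty security message")
    types = msg[1:1 + msg[0]]
    if len(types) != msg[0]:
        raise ValueError("truncated security-type list")
    return list(types)  # empty list: the server refused the connection


def audit(banner: bytes, security_msg: bytes) -> list:
    """List findings for a server greeting captured from your own host."""
    version = parse_banner(banner)
    findings = []
    if version < (3, 7):
        findings.append("legacy 3.3 handshake: server dictates the security type")
    for t in parse_security(version, security_msg):
        if t in UNENCRYPTED:
            findings.append(f"offers {SECURITY_TYPES[t]} (type {t}): session unencrypted")
    return findings


if __name__ == "__main__":
    # Constructed samples: a 3.3 server using VNC Authentication, and a 3.8
    # server that offers only VeNCrypt.
    print(audit(b"RFB 003.003\n", b"\x00\x00\x00\x02"))
    print(audit(b"RFB 003.008\n", b"\x01\x13"))
```

An empty findings list for the second sample means every offered type negotiates its own encrypted transport; it says nothing about flaws in the server code itself, which is the risk the earlier posts raise.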
 
Associate
Joined
21 Oct 2006
Posts
1,614
Location
Cambridge
Of course, don't mind me I know nothing, only got the one BSc degree in Computing ;)

Sorry, but when someone says something like this, my automatic response is "Shove it up yourself" what does that prove? especially when that comment does nothing to dispel the point that Neil was trying to make..
 