
VNC access not by me - Should I be concerned?

Discussion in 'Windows & Other Software' started by NeilF, Jan 10, 2008.

  1. Otacon

    Capodecina

    Joined: Jan 10, 2004

    Posts: 21,923

    Location: All over

    Well, feel happy if you want, but it isn't :) Authentication aside, VNC (the protocol) has a bad history when it comes to security. It's fine for local use, or for use through some other secure means (VPN/SSH/whatever), but you're taking a risk exposing it to the big wide world. Almost like the phpBB of remote access.

    Remote desktop is a lot better but still not ideal, personally I shove everything through a VPN tunnel.
     
  2. NeilF

    Capodecina

    Joined: Nov 15, 2003

    Posts: 13,651

    Location: Marlow

    You said the words 'bad history', but I believe VNC 4 now has 128-bit encryption!? It's like the previous poster said it only has 8-character logon identification, which of course is rubbish as it has 256 characters for the username & password.

    Anyway, given that, what security issues do I have?
    1) Someone logging on? They would have to get through the NT authorisation for that, surely? And this is protected by 5 invalid logons and you're out!
    2) Someone happening to see my (128-bit encrypted) VNC traffic, most of which is me just doing nonsy stuff like checking on torrents running etc. Or copy/pasting files backwards/forwards.

    I imagine someone using Google Mail is more open to people nicking their details/communications, surely?!
     
  3. Otacon

    Capodecina

    Joined: Jan 10, 2004

    Posts: 21,923

    Location: All over

    Yep, and it's yet to really prove itself

    Great for stopping people sniffing stuff straight off the wire, but that's never been its main problem.

    Not necessarily, no. All it'll take is someone to find an exploit in the protocol to bypass the authentication in some way (which has happened before) and that's that.

    Encrypting the actual traffic is only half the story though - and the second half at that. Anybody can establish a connection to your VNC service and start throwing packets at it for the code to handle. Similar to the differences between PPTP and IPSEC VPNs - generally speaking, without firewall rules and such, anybody can connect to the PPTP service and attempt to authenticate (or even exploit/attack the service). With IPSEC you can configure it to require authentication (certificates/smart cards/PSK) to even access the service at all, let alone attempt to authenticate/attack/whatever.

    Nicking traffic off the wire has never really been VNC's biggest problem - it's vulnerabilities in the code that render it highly vulnerable to attack, be that to gain control of the target machine, execute code under the VNC server's credentials or plain old denial of service. While the later revisions are unarguably better, it's still a long way off being a proven secure protocol, and that's not just simply clearing bugs from code, it's entire authorisation/authentication methodologies that need addressing.

    By exposing the service to the web you're opening yourself up to that risk.
     
  4. NeilF

    Capodecina

    Joined: Nov 15, 2003

    Posts: 13,651

    Location: Marlow

    You mentioned piping it thru VPN. Now I've never touched VPN, but surely if you use VPN you're just moving the goal posts? ie: Instead of NT security for VPN, now it's NT security for VPN?

    Excuse my ignorance on this!
     
  5. Fr0dders

    Caporegime

    Joined: Oct 18, 2002

    Posts: 33,274

    Location: West Yorks

    The issue isn't the authentication or encryption level.

    The issue is the fact that VNC as a protocol isn't a secure one. You can have encrypted traffic, but as I understand it, it doesn't close off the non-encrypted part of the system. It's still there accepting non-encrypted connections. So anybody can just throw malformed packets etc. at the service and attempt to bypass it.

    Encrypting your traffic only prevents somebody hooking onto your connection; it doesn't force them to be properly encrypted to make new connections.

    As Otacon said, it's similar to the difference between PPTP and IPSEC VPNs. PPTP has the traffic going over the VPN secured, but it's not a protocol that requires authentication encryption. It does have a non-encrypted option, but with it not being an encrypted protocol at heart, it still talks to non-encrypted traffic.

    IPsec, on the other hand, refuses to talk to anything that's not encrypted to the proper standard. It just shuts off and doesn't talk back, making it far more secure.

    I had this when I set up a test W2k3 box. I set it to be on an IPsec link by accident (don't know how) and at startup, it detected the lack of IPsec and just shut off the LAN interface and refused to respond to any web traffic. To all intents and purposes it looked as though the LAN card was dead. This is why IPSEC VPNs are much more secure than PPTP ones (as I understand it?).

    As for the differences between RDP and VNC, I've never had them fully explained.
     
    Last edited: Feb 1, 2008
  6. Berserker

    Man of Honour

    Joined: Nov 4, 2002

    Posts: 15,431

    Location: West Berkshire

    One of the other benefits of RDP over VNC - though not a security-related one - is that the protocol is generally much more efficient. VNC has no knowledge of what is being updated on the screen, so it just sends bitmap copies of portions of the desktop. On the other hand RDP intercepts and sends the specific updates - in graphics terms, consider the difference between bitmap and vector graphics.

    From a security point of view, both RDP and VNC have protocol security issues. VNC more so than RDP though, certainly in the past.

    Like Otacon, I wouldn't expose either to the internet personally. While it's more of a pain to set up, the security benefits of encapsulating either protocol inside VPN or SSH seem undeniable.
     
  7. Talbs13

    Mobster

    Joined: Sep 17, 2005

    Posts: 2,983

    Location: Everywhere

    Another vote. Easy to use, great features, secure :)
     
  8. Clarkey

    Capodecina

    Joined: Oct 18, 2002

    Posts: 18,045

    Of course, don't mind me, I know nothing, only got the one BSc degree in Computing ;)
     
  9. NathanE

    Capodecina

    Joined: Oct 21, 2002

    Posts: 18,022

    Location: London & Singapore

    Use RDP, it's much more secure. Especially RDP 6.0 which has transport layer encryption.

    OR... just lock down your VNC port using a rules firewall. I.e. "only allow connections from 123.456.789.012", or whatever your work IP/range is.

    Or use a private VPN like Hamachi. And then you don't even have to allow external incoming connections to VNC or whatever.

    Personally I use the latter. Hamachi is better than sliced bread IMO. Soooo many uses for it.
     
  10. NeilF

    Capodecina

    Joined: Nov 15, 2003

    Posts: 13,651

    Location: Marlow

    You could have a PhD... Still doesn't prevent someone from spouting unfounded claims...
    8 character password limitation - Incorrect
    Weak password encryption - Incorrect
    No data encryption - Incorrect
     
  11. NeilF

    Capodecina

    Joined: Nov 15, 2003

    Posts: 13,651

    Location: Marlow

    Point taken - I'll look at the port forwarding rules as it will be the easiest to apply/setup I suspect :)
     
  12. bledd

    Don

    Joined: Oct 21, 2002

    Posts: 46,674

    Location: Parts Unknown

    Exactly, like I've said twice :)

    Stop ignoring what we're suggesting! Hamachi is dead easy to use, it's got the same learning curve that MSN Messenger has ;)
     
  13. NeilF

    Capodecina

    Joined: Nov 15, 2003

    Posts: 13,651

    Location: Marlow

    Okay! I'll put phobia of all things networky aside and have a look at it :)
     
  14. bledd

    Don

    Joined: Oct 21, 2002

    Posts: 46,674

    Location: Parts Unknown

    http://en.wikipedia.org/wiki/Hamachi

    Looks like that.

    Basically you click the kind of triangle icon, 'create network', choose a network name & a password, then on the other machine, do 'join network' and type in the username & password.

    Job done! Don't tick 'disable services' during setup; it's just things like file sharing etc.

    In 99% of cases, no need to forward any ports :)
     
  15. NeilF

    Capodecina

    Joined: Nov 15, 2003

    Posts: 13,651

    Location: Marlow

    And then how does VNC get to the other machine? ie: What 'address' is the other machine?

    ps: Sorry for my utter noob'ness on this!
     
  16. bledd

    Don

    Joined: Oct 21, 2002

    Posts: 46,674

    Location: Parts Unknown

    Address is either the IP of the machine in Hamachi (always 5.xx) or the pcname :)
     
  17. NeilF

    Capodecina

    Joined: Nov 15, 2003

    Posts: 13,651

    Location: Marlow

    pcname didn't work...

    Also, going thru Hamachi seems a fair bit slower than going to VNC directly over the internet :(

    Still usable, but clunky in comparison! Enough to put me off using it though, when a direct link is so smooth...
     
  18. bringans

    Gangster

    Joined: Jul 3, 2004

    Posts: 267

  19. Dracata

    Wise Guy

    Joined: Oct 21, 2006

    Posts: 1,614

    Location: Cambridge

    People really need to start differentiating when they say 'VNC this' and 'VNC that'. VNC refers to both the version 3/4 protocols, and there are many different third-party VNC products, as well as the continued official development.

    Yes, if you are talking about legacy VNC (3.3 protocol) and VNC Free Edition 4.1.2 then all of this is true.

    The same can't be said for VNC Enterprise Edition though, in which by default encryption is set to always on. Unencrypted connections are automatically refused when they attempt to negotiate with the listening VNC Server.
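
Added example (not part of the thread, and not code from any VNC vendor): the negotiation mentioned in the post above can be audited from a server's opening handshake bytes. This parser follows the RFB ProtocolVersion and security-type layout of RFC 6143; the function name and the sample byte strings are assumptions constructed for illustration.

```python
import struct

# Security-type numbers as listed in RFC 6143 and the IANA RFB registry.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}
# With these two types the session data that follows is sent unencrypted.
# Other types are only named here, not assessed.
PLAINTEXT_TYPES = {1, 2}


def parse_server_hello(banner: bytes, security_msg: bytes) -> dict:
    """Parse a server's ProtocolVersion line and its security-type message."""
    if (len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"."
            or banner[11:] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(banner[4:7]), int(banner[8:11])
    if major != 3:
        raise ValueError("only RFB 3.x handshakes are handled here")
    if minor < 7:
        # RFB 3.3: the server dictates one type as a 32-bit big-endian integer.
        if len(security_msg) < 4:
            raise ValueError("truncated security type")
        offered = [struct.unpack(">I", security_msg[:4])[0]]
    else:
        # RFB 3.7 and 3.8: a count byte, then that many one-byte types.
        if not security_msg or len(security_msg) < 1 + security_msg[0]:
            raise ValueError("truncated security-type list")
        offered = list(security_msg[1:1 + security_msg[0]])
    if not offered or offered == [0]:
        raise ValueError("server refused the connection")
    plaintext = [t for t in offered if t in PLAINTEXT_TYPES]
    return {
        "version": f"{major}.{minor}",
        "offered": [SECURITY_TYPES.get(t, f"unknown({t})") for t in offered],
        "plaintext": [SECURITY_TYPES[t] for t in plaintext],
        "offers_plaintext": bool(plaintext),
    }


# Constructed handshakes (not captured from any real server).
LEGACY = parse_server_hello(b"RFB 003.003\n", struct.pack(">I", 2))
MIXED = parse_server_hello(b"RFB 003.008\n", bytes([2, 1, 2]))
STRICT = parse_server_hello(b"RFB 003.008\n", bytes([2, 5, 18]))

if __name__ == "__main__":
    for name, result in (("legacy", LEGACY), ("mixed", MIXED), ("strict", STRICT)):
        print(name, result)
```

A server whose result has `offers_plaintext` set still accepts sessions that are unencrypted after login, whatever else it advertises.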
     
  20. Dracata

    Wise Guy

    Joined: Oct 21, 2006

    Posts: 1,614

    Location: Cambridge

    Sorry, but when someone says something like this, my automatic response is "Shove it up yourself". What does that prove? Especially when that comment does nothing to dispel the point that Neil was trying to make.