Hello folks,
I am promoting remote desktop access for support services to a couple of small companies I am working for. I can use the Linux VNC client to connect to the XP machines and help them when they have problems; I tested it at home and it works great. I am setting up their on-site firewall to use static real IP addresses from the ISP and to do the routing etc.; I have this sorted. I am recommending the Free Edition of VNC (I will ensure the company makes a donation to the developers for each licence) because it is simple and fast. I have a few questions you may be able to answer:
a) Free edition - The password challenge-response is encrypted using DES but all other traffic is not. I will not be sending any critical data over the link, but how is the data represented? I am guessing it does not send the text that is visible on the screen on the remote system as plain text etc., rather that it uses some kind of framing technology. If I am seeing all of the data on their screen I take it that their VNC server is not sending all of the data as-is back to me.
b) Personal edition - I could buy them this version as it is only about £15 per licence and it does support full encryption, but I am concerned about the speed (I am 120 miles away) and it does not have a Linux version, which means I would have to use an XP machine to provide support; I could instead buy the over-the-top Enterprise edition or settle for the unencrypted Free Edition.
I have considered the security implications. To make things safer with the Free Edition I could just put an icon on their desktop and ask them to run the user-mode app whenever they want me to connect. This would mean the server is only running when they want stuff fixed; they could close it when stuff is done, very safe. I would of course have the "ask for permission" option enabled on VNC for security reasons.
Do you folks have any views on this?
Cheers
David Cooper
David Simon Cooper david.cooper@uea.ac.uk wrote: <snippity />
I have considered the security implications. To make things safer with the Free Edition I could just put an icon on their desktop and ask them to run the user-mode app whenever they want me to connect. This would mean the server is only running when they want stuff fixed; they could close it when stuff is done, very safe. I would of course have the "ask for permission" option enabled on VNC for security reasons.
Do you folks have any views on this?
Right - does what you're doing need to be visible to the customer? If you're just fixing things, it may be better to use rdesktop to connect to Win XP's Terminal Services. It tends to be a little quicker than VNC and, from what I can remember, it is encrypted. So, a small bit of Free Software (http://www.rdesktop.org/) for the client on the Linux box, and then just enabling Terminal Services on the server box.
Cheers,
-- Brett Parker web: http://www.sommitrealweird.co.uk/ email: iDunno@sommitrealweird.co.uk
Thanks Brett.
I intend to use the remote access for guidance also, i.e. telling the user over the phone and then showing with the mouse etc., so it will need to be visible to the customer.
The setup is basic and will consist of 3 XP boxes protected by a Netgear ADSL firewall router that does DHCP, NAT etc. I am upgrading the BT account so I can have three static IP addresses and create static routes using the Netgear box. They do not have any other servers and stuff; I like to keep the setup simple as this reduces support overheads.
I read up a little on VNC: the data it sends for updates etc. is unencrypted but would need a very sophisticated eavesdropper to reassemble the mangled frame buffer update data; the only useful data for a cracker would be the keystrokes I would be sending, as they are all unencrypted. As long as I am aware of the data I send I think I may be able to make the Free Edition work quite well, at least until RealVNC Personal for Linux is released!
main@lists.alug.org.uk http://www.alug.org.uk/ http://lists.alug.org.uk/mailman/listinfo/main Unsubscribe? See message headers or the web site above!
I intend to use the remote access for guidance also, i.e. telling the user over the phone and then showing with the mouse etc., so it will need to be visible to the customer.
I'm not overly familiar with RealVNC or VNC in general on Linux. I do however use VNC alternatives extensively on Windows (usually Ultra VNC).
Therefore what follows may or may not be 100% suitable for your environment but might at least give some pointers.
First: We almost always run the vnc viewer in listen mode at our end, and get our client to connect to that. In other words, we forward the relevant ports at our end, and the person requiring support gets the server to connect to us, not the other way around. This is more secure since we don't need to mess with their firewalls, and if anyone tries to connect to us while we have the viewer running they can't really achieve a lot (they could potentially give us access to their PC, but barring any bugs in VNC they shouldn't have access to ours).
Second: Ultra VNC has a little applet which can automate the customer end of the above into a nice click-to-connect applet. This makes the whole process painless.
Third: (This may be an advantage or a disadvantage depending on your point of view): We cannot connect to them, only they to us. So they feel more secure knowing we can't get in and play with their PCs while they're not looking. Everything stays completely in their control.
I'm pretty sure that all of this is possible in Real VNC with the exception of the connection applet; a simple script could replace that.
UltraVNC is not available for Linux but the different VNC versions are usually pretty good at intercommunication so this should all work to a Linux client - I just haven't tried it.
Mark Rogers, More Solutions Ltd
On Sun, 2005-08-21 at 15:47 +0100, Mark Rogers wrote:
UltraVNC is not available for Linux but the different VNC versions are usually pretty good at intercommunication so this should all work to a Linux client - I just haven't tried it.
The reverse connection trick is a really good idea... didn't think of that, but it may fit David's needs pretty well.
I've done the reverse connection thing (putting the standard Linux vncviewer client into listen mode) before and it worked fine... often I will do this if I am using ssh to tunnel a VNC connection (not recommended... as it's very slow).
The main issue is that your key presses will be travelling across an untrusted network unencrypted. So if you have to provide further login credentials after logging into VNC then those credentials could be compromised.
"I am setting up their on site firewall to use static real IP addresses from the ISP"
Do you mean you are going to set their firewall to only accept a VNC connection from your address? That's about the only way I'd even start to feel safe running VNC in the wild.
Why are you not using XP's built-in RDP server? There are some perfectly good RDP clients for Linux and in my experience it is better over limited bandwidth than VNC.
But personally I would consider setting up a VPN, that's how I support most of my clients...also if there is more than one machine to support at each site then opening separate ports on the gateway for each machine becomes a bit of an admin nightmare.
Good point about the further login credentials Wayne. The system is basic and has a hardware firewall router and three XP boxes. They have no other services except WEB and POP3 mail. As long as I do not browse
What I meant about the static IPs was this. I get three static IP addresses assigned, create static routes on the router, then connect straight through to the boxes individually just using the static IPs and static NAT. I would of course only allow in the VNC ports. I thought this combined with the user app being loaded and unloaded on request would mean a fairly secure and simple solution. I have never used a VPN and do not know what it is; I may read up on it and learn the functionality before making a decision.
Allowing only my IP address to connect would be good, but it is very easy to spoof a source address as we know. I do not intend to connect to these machines very often, possibly only once or twice a week.
As for using Windows RDP server, I am not a keen fan of using any Windows services if I can help it as I am at the mercy of MS security, as this is the service that is most likely to be used for remote access I thought it would be safer not to use this service, security through obscurity!
I shall look into VPNs....
On Sun, 2005-08-21 at 00:58 +0100, David Simon Cooper wrote:
What I meant about the static IPs was this. I get three static IP addresses assigned, create static routes on the router, then connect straight through to the boxes individually just using the static IPs and static NAT. I would of course only allow in the VNC ports. I thought this combined with the user app being loaded and unloaded on request would mean a fairly secure and simple solution. I have never used a VPN and do not know what it is; I may read up on it and learn the functionality before making a decision.
Rather than doing that I would go with NAT and Port Forwarding.
i.e. You have an internal address range of say 192.168.0.1-255.255.255.0. You then set up your router to forward a different port to each machine, so 5901 goes to a machine on 192.168.0.2, 5902 goes to 192.168.0.3 and so on.
On Netgears I don't think you can do a port redirection at the same time as port forwarding (you can't on our one at work anyway), so you would have to set the VNC server on each machine to run on the correct port for that machine (so machine 192.168.0.3 would need the VNC server running on 5902).
This way you would connect to a single fixed IP address but have different machines available in the same way that user sessions are on a Linux VNC host, i.e. customeripaddress:1 would be machine 1, customeripaddress:2 would be machine 2.
This works because without the :number vnc assumes port 5900 (default for Windows because there is only one session) and the bit after the colon defines the session specific port hence you get 5901 5902 etc.
The advantage of doing it this way is that it is more scalable because you don't have to ask the ISP for another address every time you add a machine (also I seem to remember BT charging monthly for extra fixed IP addresses).
But I'd still look into the VPN option, it may be overkill for your current needs..but they are still very useful things to understand.
Cheers Wayne, I was interested in using the single IP address and doing port forwarding but I was not sure if I could change the VNC viewer target port as I could not see it in the options pane on the version running on my Linux box. If it is a command line switch then that would be great; I could even write a shell script that takes names as a parameter and does the port numbers for me, i.e.
./vncview.sh "username"
I refer to the users mostly by name. This script could then execute vncviewer with the correct port switch and then solve my problem.
BT does charge an extra £10 per month for the addresses (up to 5). At the moment the client has Network 1000, which is overkill as it comes with its own router and up to 5 static IPs; I could downgrade the package and make them some savings as they only really need one static IP address if I use the above solution. The problem I have is that the contract is up soon and I think they only allow downgrading at end of contract. This is fine except that I go on holiday on Tues for two weeks and the contract gets renewed on 2nd September, which means I will still be away.
The network 1000 has some 8hr service level guarantee which for the sake of £30 may not be sacrificing. hmmm....
But then again.... The next package down is only £30, and after the upgrade of the hardware with a newer Netgear router/modem they will not be using the BT supplied router anyway, so perhaps the 8hr response will be wasted as this is mainly used to replace the hardware. The 2mb £30 business broadband package can have a static IP address too; if I use NAT and port forwarding I could save them £35 each month and give them a better solution at the same time. I could use the surplus to buy a backup Netgear router and configure it and keep it ready to swap out in case of a hardware failure. I am thinking I could up the consultancy fee here...... savings and that!
On Sun, 2005-08-21 at 14:37 +0100, David Simon Cooper wrote:
But then again.... The next package down is only £30, and after the upgrade of the hardware with a newer Netgear router/modem they will not be using the BT supplied router anyway, so perhaps the 8hr response will be wasted as this is mainly used to replace the hardware.
If you are going to buy a new router anyway I'd take a look at the DrayTek ones... in my experience they are far less likely to crash than the Netgear ones and have advanced port forwarding/port redirection and (if you decide to go that route) an excellent VPN server built in... they are more expensive than the Netgears, but for a business requirement I feel that they are more suitable.
The VPN server supports a few protocols and pretty much anything can connect to it. I've had both Windows machines and Macs calling one using their standard built-in VPN clients (you have to tell the Windows one not to use MS-CHAP before it will connect) and I am sure a Linux client would be no problem.
I've come to this thread somewhat late so I'll make the reply very brief. I use VNC in a similar situation, although I've not actually used it in anger over the internet yet. Personally I use TightVNC which has a number of optimisations and feature improvements (although I've not checked to see if any of the others match them - I wouldn't expect these things to stand still!). There are two key advantages of this version for me:
1. it comes straight out of the Debian sources
2. it has a built-in parameter to tunnel over SSH
The first is a minor benefit, but the second saves a lot of hassle with security issues - particularly as each of my customers has a Linux server on site (needed for the SSH tunnel).
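For the SSH-tunnel route mentioned here and by Wayne earlier, the following wrapper is an added example written for this thread; it is not TightVNC's -via implementation and not any poster's script. It assumes the customer has a Linux server on site reachable by SSH (the user@host and the LAN addresses in it are constructed placeholders) and that the XP machine's VNC server listens on port 5900 on the LAN. The VNC session then only ever leaves the support PC inside SSH, so the keystrokes and any further passwords Wayne worried about are encrypted end to end, and the XP box needs no port opened on the router at all:

```shell
#!/bin/sh
# vnctunnel.sh: carry a VNC session inside an SSH tunnel through the customer's
# on-site Linux server.  Added example for this thread, not TightVNC's -via
# code; GATEWAY and the LAN addresses below are constructed placeholders.
# Assumes: the on-site Linux box (GATEWAY) accepts SSH from the support PC and
# can reach the XP machine's VNC server on port 5900 over the LAN.

GATEWAY="${GATEWAY:-support@gateway.example.invalid}"   # user@on-site Linux server

# Local display number per XP machine: the tunnel listens on 5900+N, bound to
# 127.0.0.1 only, so nothing else can reach the forwarded port on the support PC.
local_display_for() {
    case "$1" in
        192.168.0.2) echo 1 ;;
        192.168.0.3) echo 2 ;;
        *) return 1 ;;
    esac
}

# tunnel_cmd XP_LAN_IP -> prints the ssh command that opens the tunnel.
#   -N  run no remote command,  -f  go to the background once the tunnel is up,
#   -L bind_address:local_port:target:5900  forward only from the loopback address.
tunnel_cmd() {
    _d=$(local_display_for "$1") || return 1
    printf 'ssh -f -N -L 127.0.0.1:%d:%s:5900 %s\n' $((5900 + $_d)) "$1" "$GATEWAY"
}

# viewer_target XP_LAN_IP -> what to hand to vncviewer once the tunnel is up.
viewer_target() {
    _d=$(local_display_for "$1") || return 1
    printf 'localhost:%d\n' "$_d"
}

# open_session XP_LAN_IP -> open the tunnel, then start the viewer through it.
open_session() {
    _cmd=$(tunnel_cmd "$1") || { echo "no tunnel mapping for $1" >&2; return 2; }
    echo "$_cmd" >&2
    $_cmd || return 3                    # runs the ssh command printed above
    vncviewer "$(viewer_target "$1")"
}

# Usage: ./vnctunnel.sh 192.168.0.3
[ $# -eq 0 ] || open_session "$1"
```

The explicit 127.0.0.1 bind address matters: the listener is loopback-only by default, but stating it keeps that true even where GatewayPorts has been enabled in ssh_config. Because of -f the ssh process stays in the background after the viewer exits, so kill it when the session is over. Adding -C to the ssh command turns on compression, which helps a little with the slowness Wayne mentions, since VNC framebuffer updates compress well.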