
Re: [FW1] Security Implications of using VNC Viewer /WinVNC



Hi,

Check out the VNC faqs; they show you how to use VNC in conjunction with
SSH to accomplish an encrypted channel.

Kevin




[email protected] (Carl E. Mankinen) on 09/25/2000 04:17:29 PM

To:   [email protected]
cc:   "Checkpoint Mailinglist" <[email protected]>
      (bcc: Kevin J Adams/PA/PUSA)

Subject:  Re: [FW1] Security Implications of using VNC Viewer /WinVNC





Yeah, disable remote registry access PERIOD.
Set ACLs on registry keys to prevent any outside access.
If they are reading your registry, you have pretty much lost the battle already.

What concerns me the MOST about VNC is having CLEARTEXT keystrokes transmitted
across the wire... not good. You can set a rule to allow only one host to use
VNC to control the firewall; however, that rule is not helping you when someone
is sniffing the passwords you type over the network.

I have long considered developing a SIMPLE piece of crypto software that would
be completely secure, very fast, work with every telnet implementation, and be
relatively easy to code. If you read "Applied Crypto" (Schneier, the red book)
you might remember the alg developed by AT&T (eons ago) called OTP, "One Time
Pad". It's been mathematically proven to be 100% secure (provided the key is
properly chosen and physical security is good).

However, I had some friends with 30 years' experience in the field who advised
me against it.

Hey, if anyone wants my Windows NT4 server lockdown/quarantine doc/script, I
will post as requested. It's based on a lot of years of experience with NT (the
Helen Custer book was my bible), and a lot of experience with building servers
which have been sitting in shark-infested waters. (Ever hang an NT box in a 24.
network for 8500 hours straight without rebooting or DoS???) I lock it down to
an incredible level that I know I have not seen listed anywhere else. I also
combine all the basics from the NSA guides, the Navy NISSO/SNAC guides,
Espinola, Hedbom and Lindskog, Puckett, Hewlett Packard/Norberg, SCE/SCM,
etc. etc...

If you want to go crazy, you can perform a final step that prevents a shell
from loading: no userinit, no explorer, and no registry editing ability to
change it back... it's a one-way process and cannot be reversed. You then image
the firewall to a PXE boot server (Rembo etc.) and set it to suck down fresh
disk partitions every time it boots. (Best to log to an external logging
device.)

----- Original Message -----
From: "Bill Husler" <[email protected]>
Cc: "Checkpoint Mailinglist" <[email protected]>
Sent: Monday, September 25, 2000 2:03 PM
Subject: Re: [FW1] Security Implications of using VNC Viewer /WinVNC


>
> I have heard that the windows version of VNC stores the password in an
> unprotected (by default) area of the registry using a simple hash and may be
> exploitable. Does anyone care to speak to this?
> Bill
>
> [email protected] wrote:
>
> > On Wed, 13 Sep 2000, Aaron Turner wrote:
> >
> > > Not sure where I read/found this, but I remember hearing that people
> > > were tunnelling VNC over SSH.
> >
> > it is on the vnc website.
> >
> > http://www.uk.research.att.com/vnc/sshvnc.html
> >
> > - brett
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
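An added example, not part of this thread, showing the one-time pad Carl Mankinen describes and the caveat hiding behind "provided key is properly chosen": the pad must come from a true random source, be as long as the traffic, and never be reused, because a reused pad hands anyone sniffing the wire the XOR of the two plaintexts, and with one line known the other falls out directly. The function names and the two sample session lines are constructed for the demonstration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_keygen(length: int) -> bytes:
    """A pad from the OS CSPRNG; 'properly chosen' means truly random and never reused."""
    return secrets.token_bytes(length)

def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: ciphertext = plaintext XOR pad (decryption is the same operation)."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return xor_bytes(plaintext, pad[: len(plaintext)])

otp_decrypt = otp_encrypt

def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What a sniffer can compute from two ciphertexts: c1 XOR c2.

    If both were made with the same pad, the pad cancels and the result is
    p1 XOR p2, so knowing either plaintext exposes the other outright.
    """
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])

# Constructed sample traffic (not from the thread): two 14-byte lines of a telnet session.
LINE1 = b"login: fwadmin"
LINE2 = b"pass: Sep2000!"

def demo() -> dict:
    """Compare what leaks when the pad is reused versus when each line gets a fresh pad."""
    shared = otp_keygen(len(LINE1))
    c1, c2 = otp_encrypt(LINE1, shared), otp_encrypt(LINE2, shared)
    leak = pad_reuse_leak(c1, c2)
    fresh = otp_encrypt(LINE2, otp_keygen(len(LINE2)))   # second line under its own pad
    return {
        "roundtrip": otp_decrypt(c1, shared),
        "reused_pad_exposes_p1_xor_p2": leak == xor_bytes(LINE1, LINE2),
        "known_line1_reveals_line2": xor_bytes(leak, LINE1),
        "fresh_pad_exposes_p1_xor_p2": pad_reuse_leak(c1, fresh) == xor_bytes(LINE1, LINE2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same arithmetic is why the list's advice to tunnel VNC over SSH is the practical answer: SSH handles fresh keys per session, which a hand-rolled pad scheme has to get right every single time.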


