Re: [FW1] Security Implications of using VNC Viewer /WinVNC
Hi,

Check out the VNC FAQs; they show you how to use VNC in conjunction with SSH to accomplish an encrypted channel.

Kevin

[email protected] (Carl E. Mankinen) on 09/25/2000 04:17:29 PM

To: [email protected]
cc: "Checkpoint Mailinglist" <[email protected]> (bcc: Kevin J Adams/PA/PUSA)
Subject: Re: [FW1] Security Implications of using VNC Viewer /WinVNC

Yeah, disable remote registry access PERIOD. Set ACLs on registry keys to prevent any outside access. If they are reading your registry, you have pretty much lost the battle already.

What concerns me the MOST about VNC is having CLEARTEXT keystrokes transmitted across the wire...not good. You can set a rule to allow only one host to use VNC to control the firewall, however that rule is not helping you when someone is sniffing the passwords you type over the network.

I have long considered developing a SIMPLE piece of crypto software that would be completely secure, very fast, works with every telnet implementation and relatively easy to code. If you read "Applied Crypto" (Schneier Red Book) you might remember the alg developed by AT&T (eons ago) called OTP "One Time Pad". It's been mathematically proven to be 100% secure (provided key is properly chosen and good physical security). However, I had some friends with 30 years experience in the field that advised me against it.

Hey, if anyone wants my Windows NT4 server lockdown/quarantine doc/script, I will post as requested. It's based on a lot of years of experience with NT (the Helen Custer book was my bible), and a lot of experience with building servers which have been sitting in shark-infested waters. (Ever hang an NT box in a 24. network for 8500 hours straight without rebooting or DoS ???) I lock it down to an incredible level that I know I have not seen listed anywhere else. I also combine all the basics from the NSA guides, the Navy NISSO/SNAC Guides, Espinola, Hedbom and Lindskog, Puckett, Hewlett Packard/Norberg, SCE/SCM, etc etc...

If you want to go crazy, you can perform a final step that prevents a shell from loading, no userinit, no explorer, and no registry editing ability to change it back...it's a one-way process and cannot be reversed. You then image the firewall to a PXE boot server (Rembo etc) and set it to suck down fresh disk partitions every time it boots. (Best to log to external logging device.)

----- Original Message -----
From: "Bill Husler" <[email protected]>
Cc: "Checkpoint Mailinglist" <[email protected]>
Sent: Monday, September 25, 2000 2:03 PM
Subject: Re: [FW1] Security Implications of using VNC Viewer /WinVNC

>
> I have heard that the Windows version of VNC stores the password in an unprotected
> (by default) area of the registry using a simple hash and may be exploitable. Does
> anyone care to speak to this?
> Bill
>
> [email protected] wrote:
>
> > On Wed, 13 Sep 2000, Aaron Turner wrote:
> >
> > > Not sure where I read/found this, but I remember hearing that people
> > > were tunnelling VNC over SSH.
> >
> > it is on the vnc website.
> >
> > http://www.uk.research.att.com/vnc/sshvnc.html
> >
> > - brett

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================