Restricting host accesses
anicolao@cgl.uwaterloo.ca
Wed, 29 Apr 1998 23:31:38 -0400
For a Windows environment, the functionality you want can be achieved with a
combination of a proxy server and VNC servers. If the client's machines you
wish to remotely administer live behind a firewall (surely they do, or why
worry about one more little security hole?), then you can configure the
firewall proxy to connect to each machine behind the firewall on a different
VNC port; then if the firewall is named firewall.myclient.com you can
connect to the various machines via firewall.myclient.com:1,
firewall.myclient.com:2, and so on. The firewall itself should reject
connections that are from unsafe IPs when it sets up the forwarding. Since
you plan to use IP as the security mechanism, I assume that you have a fixed
IP and aren't worried about IP spoofing.
alex
-----Original Message-----
From: Nick Kay [mailto:nick "at" nexnix.co.uk]
Sent: Tuesday, April 28, 1998 10:20 AM
To: vnc-list "at" orl.co.uk
Subject: RE: Restricting host accesses
>>>>
From: Matthias Nott
To: VNC List
Subject: Restricting host accesses
Date: Thu, 30 Apr 1998 04:39:23 +0000
X-Original-Date: Tue, 28 Apr 1998 08:28:02 +0100
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-vnc-list "at" orl.co.uk
Hello all,
I don't see the point: It is not difficult at all to include some code in
vncserver directly to restrict access from certain IP addresses, as long
as vncserver knows which IP address is trying to make a connection.
Just include some listbox in the configuration dialog and store the
banned IP addresses in the registry (in order to avoid having to do any
database handling) - for windoze95/nt, I mean.
Cheers
Matthias
<<<<
A better idea than the ".vncaccess" (was htaccess) method - as long as the
address list is retained during vncserver stop/start or Windows (95/NT)
reboot.
Until a security mechanism like this is in place I cannot install VNC on any
of my clients' machines, which is a real shame because VNC is perfect for
the remote admin (i.e. over the Net) of NT servers.
I would like to emphasise that this function is _needed_ on the Windows port;
the Unix port can be protected using tcpwrappers (as everyone kindly
suggested ;) )
Regards,
Nick Kay,
NexNix Ltd, 1 TriStar Business Centre, Star Road,
Partridge Green, West Sussex, England. RH13 8RY
mailto://nick@nexnix.co.uk, http://www.nexnix.co.uk
Voice: +44 (0) 1403-713131, Fax: +44 (0) 1403-713132
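The firewall-side forwarding alex describes (one external VNC display per internal machine, with connections from unsafe source addresses rejected before anything is forwarded) and the per-address allow/ban list Matthias and Nick want on the Windows port come down to the same check: look at the peer address of the accepted TCP connection and decide before relaying a single byte. The script below is an added example, not code from this thread or from the VNC project. The addresses, networks and display-to-host mapping in it are constructed placeholders, and it assumes the VNC convention that display N is served on TCP port 5900+N.

```python
"""Added example (not from the original message or the VNC project): a small
TCP relay doing what the 'firewall proxy' above describes.  It listens on one
VNC display port per internal machine (display N = TCP 5900+N) and relays an
accepted connection to that machine's VNC server only when the peer address
is on an allow list.  Hosts, networks and displays are constructed values."""
import ipaddress
import socket
import threading

VNC_BASE_PORT = 5900  # VNC display N is served on TCP port 5900+N

# Source addresses allowed to reach any forwarded display (constructed).
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.0.2.10/32"),    # the administrator's fixed IP
    ipaddress.ip_network("198.51.100.0/24"),  # the administrator's office LAN
]

# External display number -> internal VNC server (constructed).
DISPLAY_TARGETS = {
    1: ("10.0.0.11", VNC_BASE_PORT),  # reached as firewall.myclient.com:1
    2: ("10.0.0.12", VNC_BASE_PORT),  # reached as firewall.myclient.com:2
}


def is_allowed(peer_ip, allowed=ALLOWED_SOURCES):
    """True when peer_ip lies inside one of the allowed networks.
    A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d, so those are
    unmapped before matching; anything that does not parse is denied."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed)


def target_for_port(listen_port, targets=DISPLAY_TARGETS):
    """Map the port a connection arrived on to its internal (host, port),
    or None when no display is configured for that port."""
    return targets.get(listen_port - VNC_BASE_PORT)


def decide(peer_ip, listen_port, allowed=ALLOWED_SOURCES, targets=DISPLAY_TARGETS):
    """Policy applied before any byte is relayed: the source must be allowed
    and the port must map to a configured machine.  Returns (host, port)."""
    if not is_allowed(peer_ip, allowed):
        return None
    return target_for_port(listen_port, targets)


def pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, peer, listen_port, allowed=ALLOWED_SOURCES, targets=DISPLAY_TARGETS):
    """Apply the policy to one accepted connection, then relay both ways."""
    target = decide(peer[0], listen_port, allowed, targets)
    if target is None:
        client.close()  # rejected before the VNC handshake even starts
        return
    try:
        backend = socket.create_connection(target)
    except OSError:
        client.close()  # internal VNC server unreachable; drop the client
        return
    threading.Thread(target=pump, args=(client, backend), daemon=True).start()
    pump(backend, client)  # returns when the VNC server side closes
    for sock in (client, backend):
        try:
            sock.shutdown(socket.SHUT_RDWR)  # wakes the other pump thread
        except OSError:
            pass
        sock.close()


def serve(bind_addr="0.0.0.0", targets=DISPLAY_TARGETS):
    """Open a listener on 5900+N for every configured display and hand each
    accepted connection to handle() on its own thread."""
    listeners = []
    for display in targets:
        port = VNC_BASE_PORT + display
        listener = socket.create_server((bind_addr, port))
        listeners.append(listener)

        def accept_loop(listener=listener, port=port):
            while True:
                client, peer = listener.accept()
                threading.Thread(target=handle, args=(client, peer, port),
                                 daemon=True).start()

        threading.Thread(target=accept_loop, daemon=True).start()
    return listeners


if __name__ == "__main__":
    serve()
    threading.Event().wait()  # keep the main thread alive while relaying
```

Run it on the firewall host and point the viewer at firewall.myclient.com:1 exactly as in the message. The decision is taken on an established TCP connection, so a blindly spoofed source address cannot get data through the relay; it does nothing against an attacker who already controls an allowed host, so it is a filter in front of the VNC password, not a replacement for it.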