Restricting host accesses
Nick Kay
nick "at" nexnix.co.uk
Thu, 30 Apr 1998 11:57:37 +0000
At 11:31 PM 4/29/98 -0400, anicolao "at" mud.cgl.uwaterloo.ca wrote:
>>>>
Unfortunately, the systems are on the same local network. And even if they were behind a firewall, the user may not have access to the firewall configuration.
The idea behind having the VNCserver controlling its own accesses is to do away with any third party programs and the need to reconfigure the network.
Thanks for the input tho'
<excerpt>For a windows environment, the functionality you want can be achieved with a combination of a proxy server and VNC servers. If the client's machines you wish to remotely administer live behind a firewall (surely they do, or why worry about one more little security hole?) then you can configure the firewall proxy to connect to each machine behind the firewall on a different VNC port; then if the firewall is named firewall.myclient.com you can connect to the various machines via firewall.myclient.com:1, firewall.myclient.com:2, and so on. The firewall itself should reject connections that are from unsafe IPs when it sets up the forwarding. Since you plan to use IP as the security mechanism, I assume that you have a fixed IP and aren't worried about IP spoofing.
alex
<excerpt>
-----Original Message-----
From: Nick Kay [mailto:nick "at" nexnix.co.uk]
Sent: Tuesday, April 28, 1998 10:20 AM
To: vnc-list "at" orl.co.uk
Subject: RE: Restricting host accesses
>>>>
From: Matthias Nott
To: VNC List
Subject: Restricting host accesses
Date: Tue, 28 Apr 1998 08:28:02 +0100
Sender: owner-vnc-list "at" orl.co.uk
Hello all,
I don't see the point: It is not difficult at all to include some code in vncserver directly to restrict access from certain IP addresses, as long as vncserver knows which IP address is trying to make a connection. Just include some Listbox in the configuration dialog and store the banned IP addresses in the registry (in order to avoid having some database handling) - for windoze95/nt, I mean.
Cheers
Matthias
<<<<<<<<
A better idea than the ".vncaccess" (was htaccess) method - as long as the address list is retained during vncserver stop/start or Windows (95/NT) reboot.
Until a security mechanism like this is in place I cannot install VNC on any of my clients' machines, which is a real shame because VNC is perfect for the remote admin (i.e. over the Net) of NT servers.
I would like to emphasise that this function is _needed_ on the Windows port; the Unix port can be protected using tcpwrappers (as everyone kindly suggested ;) )
Regards,
Nick Kay,
NexNix Ltd, 1 TriStar Business Centre, Star Road,
Partridge Green, West Sussex, England. RH13 8RY
mailto://nick@nexnix.co.uk,
http://www.nexnix.co.uk
Voice: +44 (0) 1403-713131, Fax: +44 (0) 1403-713132
</excerpt>
</excerpt><<<<<<<<
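
The server-side address check discussed in this thread, as an added example that is not part of the original messages or of VNC's own code: the peer address obtained at accept time is tested against an ordered rule list, the first matching rule wins, and anything unmatched or malformed is refused. The `+`/`-` rule syntax, the function names and the sample addresses are assumptions made for illustration; the code uses the POSIX socket headers and handles IPv4 only.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample list: one host denied inside an otherwise allowed /24. */
static const char *const SAMPLE_RULES[] = { "-192.0.2.66", "+192.0.2.0/24" };
/* One rule: "+a.b.c.d[/len]" allows, "-a.b.c.d[/len]" denies (hypothetical syntax). */
static int rule_matches(const char *rule, uint32_t peer, int *allow)
{
    char buf[32];
    const char *spec = rule + 1;
    if ((rule[0] != '+' && rule[0] != '-') || strlen(spec) >= sizeof buf)
        return -1;                      /* malformed rule */
    strcpy(buf, spec);
    long bits = 32;                     /* a bare address is a /32 */
    char *slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return -1;
    }
    struct in_addr net;
    if (inet_pton(AF_INET, buf, &net) != 1)
        return -1;
    /* bits == 0 must give mask 0; shifting a 32-bit value by 32 is undefined */
    uint32_t mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    *allow = (rule[0] == '+');
    return ((peer ^ ntohl(net.s_addr)) & mask) == 0;
}

/* First matching rule wins; no match, a bad rule, or a bad peer means refuse. */
int peer_allowed(const char *peer_ip, const char *const rules[], size_t n)
{
    struct in_addr peer;
    if (inet_pton(AF_INET, peer_ip, &peer) != 1)
        return 0;
    for (size_t i = 0; i < n; i++) {
        int allow = 0;
        int m = rule_matches(rules[i], ntohl(peer.s_addr), &allow);
        if (m < 0)
            return 0;                   /* fail closed on a malformed list */
        if (m)
            return allow;
    }
    return 0;                           /* default deny */
}
```

This filters on the source address alone, so it carries the same IP-spoofing caveat raised in the quoted reply.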