Security behind a router?
myron_in_da_house "at" yahoo.co.uk
Sun Mar 21 12:20:01 2004
In that case, as long as your router does not forward connections from the Internet that are VNC-related, there is no need to set up AuthHosts, as any such attempted connections from the Internet will be blocked by your router.
This is the configuration I have set up at the network I administer. If I need access to any of the 20 VNC servers at the office, I first have to connect to our network through an encrypted PPTP connection to the VPN server, and then I have to use the corresponding password to the VNC server I'm connecting to, so I actually have two levels of security.
External connections to the network I look after are heavily authenticated and logged. I actually locked myself out once and had to make the 8.5 mile trip to the office to finish off what I was doing at the time, and unlock the account used for the VPN connection. I can't really go into any more details on the automated security mechanics I have put in place.
At the end of the day, how paranoid are you and how valuable is the network's health to you? Balance the two out.
At 11:52 21/03/2004, Jerome R. Westrick wrote:
>I assume that there is no snooping within the network....
>
>my reasoning goes as follows:
>In the networks I set up, the "physical" security is comparatively lax
>(i.e. it's quite easy to break into the offices).
>
>So I felt it was not worth the effort to secure in the internal network
>when anyone can walk up to the server and build the disk out!
>
>For me, anybody with physical access to the office does not need to be
>protected against active attacks. (Like snooping, burning CDs with
>sensitive data, walking out with physical disks).
>
>
>Accidental (errors like "format c:") are another matter...
>
>Jerry
>
>
>On Sun, 2004-03-21 at 12:00, myron_in_da_house "at" yahoo.co.uk wrote:
>> If your router is not configured to forward connections into your LAN, or is configured to block the necessary ports, then there is no need to set AuthHosts, but there is no harm in doing so. As to setting up SSH on your LAN, is there a risk that a user on your LAN will conduct a bit of hacking?
>>
>> At 05:14 21/03/2004, Gary Fritz wrote:
>> >I just installed VNC on several systems and, remarkably, it
>> >worked quite well with almost no twiddling.
>> >
>> >I changed the AuthHosts value to permit only hosts on my local
>> >LAN to connect. (I.e. set it to "-:+192.168".) I assume this
>> >will prevent ALL connections from any outside hosts.
>> >
>> >Question: All hosts on the LAN are behind a router. In this
>> >case, is it necessary to go through the pain of setting up SSH?
>> >Or can I safely assume that all traffic between server & clients
>> >will stay behind the router, so there's no way an unfriendly
>> >could snoop them?
>> >
>> >Gary
>> _______________________________________________
>> VNC-List mailing list
>> VNC-List "at" realvnc.com
>> To remove yourself from the list visit:
>> http://www.realvnc.com/mailman/listinfo/vnc-list
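Added example, not part of the original thread and not RealVNC code: a small Python evaluator for the AuthHosts template quoted above ("-:+192.168"), which also flags prefixes that match more hosts than intended. The matching rules it uses (":"-separated terms, plain string-prefix matching, last matching term wins, accept when nothing matches) and all function names are assumptions of this example; check them against your VNC server's documentation.

```python
# Evaluate an AuthHosts-style template against client addresses.
# Assumed semantics: terms are separated by ":"; each term is an action
# character ("+" accept, "-" reject, "?" ask the local user) followed by the
# leading characters of the dotted address; an empty prefix matches every
# host; the last matching term decides.

ACTIONS = {"+": "accept", "-": "reject", "?": "query"}


def parse_auth_hosts(template):
    """Split a template such as "-:+192.168" into (action, prefix) pairs."""
    terms = []
    for raw in template.split(":"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing or doubled ":"
        if raw[0] not in ACTIONS:
            raise ValueError(f"term {raw!r} must start with +, - or ?")
        terms.append((ACTIONS[raw[0]], raw[1:]))
    return terms


def decide(template, client_ip, default="accept"):
    """Return the action for client_ip; later terms override earlier ones."""
    verdict = default  # assumed behaviour when no term matches
    for action, prefix in parse_auth_hosts(template):
        if client_ip.startswith(prefix):
            verdict = action
    return verdict


def loose_prefixes(template):
    """List accept/query prefixes whose last octet can still grow.

    With string matching, "+10.1" also admits 10.10.x.x to 10.199.x.x,
    while "+192.168" is tight because 1680 and above is not a valid octet.
    """
    loose = []
    for action, prefix in parse_auth_hosts(template):
        last = prefix.rsplit(".", 1)[-1]
        if (action != "reject" and last.isdigit() and last != "0"
                and int(last + "0") <= 255):
            loose.append(prefix)
    return loose


if __name__ == "__main__":
    # Constructed client addresses, for illustration only.
    for ip in ("192.168.1.20", "203.0.113.7"):
        print(ip, decide("-:+192.168", ip))
    print("loose:", loose_prefixes("-:+10.1"))
```

Ending a prefix with a dot (for example "+10.1.") removes the ambiguity that loose_prefixes reports.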