Security behind a router?
Gary Fritz
fritz "at" frii.com
Sun Mar 21 18:27:01 2004
> In that case, as long as your router does not forward connections
> from the Internet that are VNC related then there is no need to
> set-up AuthHosts as any such attempted connections from the Internet
> will be blocked by your router.
I believe that is the case. I haven't explicitly opened any VNC
ports on the router. The test tools I know of (grc.com,
dslreports.com) only check the first 1056 ports, but those ports
are locked solid. But I thought it was prudent to close down the
AuthHosts just in case -- belt and suspenders.
> I assume that there is no snooping within the network....
Right. This is a small private LAN in our house, with 5
computers on it for our several businesses. The only people with
physical access to the computers are my wife and I. The router
is a Wifi access point but I've locked that down as securely as I
can. (No SSID broadcast, encrypted transmissions, connections
limited to a specified set of MAC addresses, etc.) I feel fairly
safe from external attack. I just wanted to make sure VNC
wouldn't open up a new security hole.
If I understand the mechanics properly, VNC opens up ports on the
server. Behind the router, clients have no problem accessing
those ports. But unless I explicitly open up those ports in the
router, those open server ports are absolutely invisible to the
outside world. Correct?
It's possible that at some point I may want to allow one or two
outside hosts access to the VNC server. That would require me to
open up the ports on the router, which makes my network more
visible than I like but it seems to be a necessary evil. But
even if the ports are open, no one can touch the VNC server
unless they're included in the AuthHosts list. So in theory,
even if I opened the router ports, nobody could access my VNC
server because my AuthHosts is "-:+192.168". Right?
Thanks!
Gary
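To make the AuthHosts reasoning above concrete, here is an added example (my own code, not part of the original post and not taken from any VNC source) that evaluates a WinVNC-style AuthHosts string against a client address. The semantics it implements are assumptions to verify against your server's documentation: entries are separated by ':', each begins with '+' (accept), '-' (reject) or '?' (ask the server's user), the remainder is matched as a plain string prefix of the client's dotted-quad address, an empty pattern matches everything, entries are tested in order with the last match deciding, and a connection matching nothing is accepted. The sample addresses (192.168.1.20, 203.0.113.7 and so on) are constructed.

```python
"""Evaluate a WinVNC-style AuthHosts string against a client address.

Added example, not code from the VNC project.  Assumed semantics (verify
against your server's documentation):
  * entries are separated by ':'; each starts with '+' (accept),
    '-' (reject) or '?' (ask the server's user), followed by a pattern;
  * a pattern is a plain string prefix of the client's dotted-quad IPv4
    address, so "" matches every address and "192.168" matches 192.168.*.*;
  * entries are tested in order and the LAST matching entry decides;
  * a connection matching no entry is accepted (an empty AuthHosts
    admits everyone).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ACTIONS = {"+": "accept", "-": "reject", "?": "query"}


@dataclass(frozen=True)
class Rule:
    action: str  # "accept", "reject" or "query"
    prefix: str  # string prefix of the dotted-quad address; "" matches all


def parse_auth_hosts(spec: str) -> list[Rule]:
    """Split an AuthHosts string such as "-:+192.168" into ordered rules."""
    rules: list[Rule] = []
    for entry in spec.split(":"):
        if entry == "":
            continue  # tolerate a trailing ':' or an empty string
        sign, prefix = entry[0], entry[1:]
        if sign not in ACTIONS:
            raise ValueError(f"AuthHosts entry {entry!r} must start with +, - or ?")
        rules.append(Rule(ACTIONS[sign], prefix))
    return rules


def matching_rules(spec: str, client_ip: str) -> list[Rule]:
    """Every rule that matches client_ip, in order, for explaining a decision."""
    return [r for r in parse_auth_hosts(spec) if client_ip.startswith(r.prefix)]


def check_host(spec: str, client_ip: str) -> str:
    """Return "accept", "reject" or "query" for client_ip under spec."""
    ipaddress.IPv4Address(client_ip)  # raises ValueError on a malformed address
    decision = "accept"  # assumed default when no entry matches
    for rule in matching_rules(spec, client_ip):
        decision = rule.action  # later matches override earlier ones
    return decision


if __name__ == "__main__":
    # Constructed sample addresses: a LAN host, the router's own LAN address,
    # an Internet host (TEST-NET-3) and a 192.169.x.x host for the prefix trap.
    cases = [
        ("-:+192.168", "192.168.1.20"),   # LAN client behind the router
        ("-:+192.168", "203.0.113.7"),    # Internet client, real source address
        ("-:+192.168", "192.168.1.1"),    # Internet client if the router rewrites the source
        ("-:+192.16", "192.169.0.5"),     # sloppy prefix admits 192.169.*.*
        ("-:+192.168.", "192.169.0.5"),   # trailing dot pins the /16
        ("+192.168:-", "192.168.1.20"),   # reversed order: last match rejects the LAN
    ]
    for spec, ip in cases:
        hit = ", ".join(f"{r.action}:{r.prefix or '<any>'}" for r in matching_rules(spec, ip))
        print(f"AuthHosts={spec!r:16} client={ip:14} -> {check_host(spec, ip):7} (matched: {hit})")
```

Two things the run shows that the post's reasoning glosses over. First, the match is a string prefix, not a CIDR mask: "+192.16" admits 192.160.0.0 through 192.169.255.255, so write the trailing dot ("+192.168.") if you mean the /16. Second, the filter only sees the source address the server is handed. If the router's port forward rewrites (masquerades) the source of forwarded connections to the router's own LAN address, an Internet client arrives looking like 192.168.x.1 and "-:+192.168" accepts it; check what source address a forwarded connection actually shows up with before relying on AuthHosts as the second line of defence. The reversed "+192.168:-" case also shows that the meaning of "-:+192.168" rests entirely on later entries overriding earlier ones; if your server uses first-match semantics instead, that string rejects the LAN too, so test a LAN address against it before you open the router port.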