Security behind a router?
fritz "at" frii.com
Sun Mar 21 18:27:01 2004
> In that case, as long as your router does not forward connections
> from the Internet that are VNC related then there is no need to
> set-up AuthHosts as any such attempted connections from the Internet
> will be blocked by your router.
I believe that is the case. I haven't explicitly opened any VNC
ports on the router. The test tools I know of (grc.com,
dslreports.com) only check the first 1056 ports, but those ports
are locked solid. But I thought it was prudent to close down the
AuthHosts just in case -- belt and suspenders.
> I assume that there is no snooping within the network....
Right. This is a small private LAN in our house, with 5
computers on it for our several businesses. The only people with
physical access to the computers are my wife and I. The router
is a Wifi access point but I've locked that down as securely as I
can. (No SSID broadcast, encrypted transmissions, connections
limited to a specified set of MAC addresses, etc.) I feel fairly
safe from external attack. I just wanted to make sure VNC
wouldn't open up a new security hole.
If I understand the mechanics properly, VNC opens up ports on the
server. Behind the router, clients have no problem accessing
those ports. But unless I explicitly open up those ports in the
router, those open server ports are absolutely invisible to the
outside world. Correct?
It's possible that at some point I may want to allow one or two
outside hosts access to the VNC server. That would require me to
open up the ports on the router, which makes my network more
visible than I like but it seems to be a necessary evil. But
even if the ports are open, no one can touch the VNC server
unless they're included in the AuthHosts list. So in theory,
even if I opened the router ports, nobody could access my VNC
server because my AuthHosts is "-:+192.168". Right?