RE: Remote access solution

From: Danny <Danny@drexel.edu>
To: "'Orlando J. Cano'" <ojcano@scif.com>, "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Date: Thu, 30 Jan 2003 16:31:02 -0500

    It all depends on who will be accessing the services and how. If you
    mean open VNC, Terminal services etc up to the internet and the rest
    of the world, then I can't stress enough how bad of an idea this is.
    The amount of VNC and terminal services issues that have been
    released recently would make me think twice about running them on a
    closed LAN let alone the internet.

    Having said that, if you plan on having your users VPN into your
    network and THEN allowing them access to VNC, terminal services etc.,
    that's probably the easiest way to admin Windows servers remotely and
    reasonably securely, and it shouldn't hurt the users on dialup too
    much.

    So basically the ideal setup I would recommend would be this:

    Users establish a VPN connection to your site using either a VPN
    device like Cisco's concentrator 3000 series or even a UNIX box with
    IPSec.
    Once they are authenticated into your network they are assigned an IP
    local to your network from a pool of IPs with restricted access
    (restricted to what you want to allow the remote people to do).

    From there, set up firewall/router ACLs to allow these IPs (and only
    these IPs) to the machines running VNC, Terminal services etc.

    Alternatively you could look into some KVM over IP products. We use
    Avocent http://www.avocent.com/web/en.nsf for all of our NT Boxes.
    The client is a bit of a bandwidth hog though so using remotely may
    be out of the question for dial up users, however having a single VNC
    box on your network with the DSView client on it may make the
    situation more manageable for you.
     
    This email was just a quick very rough idea outline, if you need/want
    a more clear image of what I was thinking just let me know.

    Danny

    -----Original Message-----
    From: Orlando J. Cano [mailto:ojcano@scif.com]
    Sent: Wednesday, January 29, 2003 7:58 PM
    To: security-basics@securityfocus.com
    Subject: Remote access solution

    I have recently been assigned to join efforts with our Network group
    in coming up with a secure remote access solution for our Network.
    This will involve accessing servers in our DMZ. I was wondering if
    this securityfocus community could elaborate on how secure VNC,
    Freevision or Terminal Services are or better yet recommend another
    solution.
    Any comments would be greatly appreciated.

    Thanks

    oc
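
An added example, not part of the original message: a small Python check of the layout recommended above, in which only addresses from the VPN pool may reach the hosts running VNC or Terminal Services. The networks, the rule-tuple format and the function names are assumptions made for illustration; 5900 and 3389 are the default VNC and Terminal Services ports.

```python
import ipaddress

# Constructed addressing plan (assumption, not taken from the message).
VPN_POOL = ipaddress.ip_network("10.50.0.0/28")        # IPs handed to VPN users
ADMIN_HOSTS = ipaddress.ip_network("192.168.10.0/29")  # servers running VNC / Terminal Services
ADMIN_PORTS = {3389, 5900}                             # Terminal Services, VNC display :0

# Rule format (hypothetical): (action, source net, destination net, dst port or None = any)
WEAK_ACL = [
    ("permit", "0.0.0.0/0", "192.168.10.0/29", 3389),  # Terminal Services open to everyone
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
RESTRICTED_ACL = [
    ("permit", "10.50.0.0/28", "192.168.10.0/29", 3389),
    ("permit", "10.50.0.0/28", "192.168.10.0/29", 5900),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def decide(acl, src, dst, port):
    """First-match evaluation with an implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d, p in acl:
        if (src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                and p in (None, port)):
            return action
    return "deny"

def audit(acl):
    """Return permit rules that expose an admin port to sources outside the VPN pool.

    Conservative: rule order is ignored, so a permit that an earlier deny
    already shadows is still reported for review.
    """
    findings = []
    for index, (action, s, d, p) in enumerate(acl):
        if action != "permit":
            continue
        src_net, dst_net = ipaddress.ip_network(s), ipaddress.ip_network(d)
        hits_admin = dst_net.overlaps(ADMIN_HOSTS) and (p is None or p in ADMIN_PORTS)
        if hits_admin and not src_net.subnet_of(VPN_POOL):
            findings.append((index, s, d, p))
    return findings

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("restricted", RESTRICTED_ACL)):
        print(name, "findings:", audit(acl))
```
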



