From: Robert J. <an...@gm...> - 2012-07-31 20:19:51
On 7/31/2012 2:02 PM, john s wolter wrote:
> Is it advisable in all situations to use SSH and its port forwarding for
> all TightVNC sessions?

It's advisable to use some form of security, yes. SSH is usually recommended, as it is cheap, simple to implement, universally supported, and works well for most situations.

> If so do the VNC protocols and standards include secured communications?

No, they do not. Communication is done using plain text exchanges, and there is no encryption of any kind.

(Unofficial) extensions have been made to implement encryption. UltraVNC, for instance, supports passing the VNC stream through the MS encryption stack for varying levels of security, but this then ties VNC to that particular encryption system, and prevents interoperability. Alternatives can be easily implemented with stunnel or encrypted VPNs, as well as (obviously) SSH.

> If not included in VNC standards is TLS or SSL preferred and which
> encryption standards are better?

TLS/SSL can be implemented using a stunnel link, but is not supported by default (and still doesn't implement any particular kind of security, just encryption to prevent snooping/MitM attacks).

> What are the expected percent performance penalties for secured access?

Typically the performance of a VNC link is limited by the available bandwidth. While encryption and security can add an overhead, it's usually negligible.

> What equipment or software would make secured access arrangements faster
> or easier for single to tens of VNC sessions?

If the VNC sessions are meant for access to several machines, then a VPN for remote access is probably the best option. If it's a classroom-like environment, something like stunnel would probably work best. But as VPNs are rather not-simple to set up, it's often easier to recommend a single SSH connection, with VNC data then tunneled over that link, which is considerably easier to set up.
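The single-SSH-connection setup recommended in the reply, as an added example that is not part of the original message: a small helper that builds the `ssh` port-forward command for a given VNC display. The function names and the target `admin@vnc-host.example` are hypothetical, and it assumes the VNC server is reachable on the remote host's loopback interface at the conventional port 5900 + display.

```shell
#!/bin/sh
# Added example; helper names and the sample target are hypothetical.

# Map a VNC display number to its TCP port (display N listens on 5900+N).
# Only 0-99 without leading zeros is accepted, so the arithmetic is safe.
vnc_port() {
    case "$1" in
        [0-9]|[1-9][0-9]) echo $((5900 + $1)) ;;
        *) echo "display must be 0-99" >&2; return 1 ;;
    esac
}

# Print the ssh command that forwards a local port to the VNC port on the
# remote machine. Both ends are pinned to 127.0.0.1: the local listener is
# not exposed to the LAN, and the unencrypted VNC stream only ever travels
# inside the SSH session.
vnc_tunnel_cmd() {
    target=$1
    display=$2
    # Reject empty targets, anything starting with '-' (it would be parsed
    # by ssh as an option) and characters outside a plain user@host form.
    case "$target" in
        ''|-*|*[!A-Za-z0-9@._-]*)
            echo "invalid ssh target" >&2; return 1 ;;
    esac
    port=$(vnc_port "$display") || return 1
    # -N: no remote command, tunnel only.
    # ExitOnForwardFailure: fail instead of opening a session with no
    # working forward (for example when the local port is already taken).
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${port}:127.0.0.1:${port} ${target}"
}

# Constructed sample: tunnel for display :1 on a placeholder host.
vnc_tunnel_cmd "admin@vnc-host.example" 1
```

With the tunnel up, the viewer connects to 127.0.0.1 display 1 (port 5901) instead of the remote address.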