Re: To SSH or not, security is the question.

[Robert J. <an...@gm...>]

On 7/31/2012 2:02 PM, john s wolter wrote:
> Is it advisable in all situations to use SSH and its port forwarding for
> all TightVNC sessions?

It's advisable to use some form of security, yes. SSH is usually 
recommended, as it is cheap, simple to implement, universally supported, 
and works well for most situations.

> If so do the VNC portocols and standards include secured communications?

No, they do not. Communication is done using plain text exchanges, and 
there is no encryption of any kind. (Unofficial) extensions have been 
made to implement encryption. UltraVNC, for instance, supports passing 
the VNC stream through the MS encryption stack for varying levels of 
security, but this then ties VNC to that particular encryption system, 
and prevents interoperability. Alternatives can be easily implemented 
with stunnel or encrypted VPNs, as well as (obviously) SSH.

> If not included in VNC standards is TLC or SLL preferred and which
> encryption standards are better?

TLS/SSL can be implemented using a stunnel link, but is not supported by 
default (and still doesn't implement any particular kind of security, 
just encryption to prevent snooping/MitM attacks).

> What are the expected percent performance penalties for secured access?

Typically the performance of a VNC link is limited by the available 
bandwidth. While encryption and security can add an overhead, it's 
usually negligible.

> What equipment or software would make secured access arrangements faster
> or easier for single to tens of VNC sessions?

If the VNC sessions are meant for access to several machines, then a VPN 
for remote access is probably the best option. If it's a classroom-like 
environment, something like stunnel would probably work best. But as 
VPNs are rather not-simple to set up, it's often easier to recommend a 
single SSH connection, with VNC data then tunneled over that link, which 
is considerably easier to set up.