Solved

Real-VNC  Security Issues & General Info

Posted on 2003-10-28
Last Modified: 2010-03-19
I am thinking of using RealVNC to remotely access computers.  However, what are the experts' opinions regarding its security? Is its use going to make users more vulnerable?

Also, what is the program's reliability like?

And finally, do hardware / software firewalls have to be configured for the use of RealVNC (and programs alike)?

Thanks

(I will split points between the best responses).
Question by:semmes
6 Comments
 
LVL 31

Accepted Solution

by:
qwaletee earned 75 total points
ID: 9638317
First, I would probably use TightVNC instead of RealVNC.  It tends to perform better, while still being compatible and OS.

Security:

RealVNC "out of the box" supports only a very basic authentication mechanism, a password, which is only hashed.  You can use it in conjunction with SSH for better security.

There are variant versions available that support use of MS Windows authentication.

Reliability:

It tends to have some problems with screen painting, requiring you to request a full screen refresh manually to correct. It occasionally has problems with full page scrolling, also requiring manual refresh.  If you are trying to access a fast-switch XP box, forget it.  Multiple simultaneous logins will blow its mind.

Firewalls have to be configured to let the correct ports through; usually, 5900 is sufficient in a default setup.  As with any port listener, your software firewall will have to be set to recognize the VNC daemon as a legitimate object.

Unix server version does not give you access to the current screen.  It has its own x-windows space.

Other:

No file transfer built in.

Certain keystroke combinations difficult or impossible

Cannot trap system keystrokes

Screen scaling is terrible.
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 25 total points
ID: 9638544
I agree with qwaletee about tightvnc vs realvnc.

My overview of remote-control:

Regardless of how you go, almost any remote-control software is a vulnerability added to your system.  The questions you need to answer, and weight according to the relative importance to your organization, are

1)  Cost  - What is my exposure, dollars and cents, to get this working out of the box?

2)  Performance - How fast will this respond?  What kind of overhead will this add to my network?  How efficiently does it use the bandwidth I have available?

3)  Security - What methods can be used to secure remote-control?  Are there any known vulnerabilities or exploits?  Are there ways to avoid those vulnerabilities or exploits?

Only you can decide the cost/benefit of any solution in this area.  For my dollars, the price/performance of any VNC solution beats any commercial product.  If you want double-blind multiply-secured and encrypted remote control, you can pay for the GoToMyPC service, which is actually a tad better response-wise than VNC, but will have ongoing costs for the service.

There are specific firewall ports that VNC uses (I will not go into that here) but it is easier to use VNC over a firewall or through a VPN than many other remote-control packages.

If you need firewall transparency, high security and features like file transfer and remote reboot, you're better off paying for GoToMyPC, in my opinion.
 
LVL 35

Expert Comment

by:ShineOn
ID: 9638569
Oh, also, GoToMyPC has remote print capability that is much easier to configure and use than that provided by pcAnywhere.   VNC doesn't do remote printing, AFAIK.

 
LVL 3

Assisted Solution

by:cwp
cwp earned 25 total points
ID: 9644956
Most *VNC don't support file transfers, but TightVNC is developing one (although most of it is in the CVS), and UltraVNC has a limited working solution (limited in that there's no deleting remotely or resuming yet).

It has the ability to use some plugins for encryption (but so far I haven't got any of them to work), and the MS Windows authentication sucks at the moment because I don't know how to get it to block incorrect/blank passwords. Falling back to the single password authentication is as secure as what qwaletee said.

As for the reliability of UltraVNC, it comes with a video hook driver that determines exactly which parts of the screen have changed so that the server can only send that particular part to the client. I haven't had any screen refresh problems with this setup, although the performance is very sluggish when accessing from the Internet. However, the developers claim that it feels like you're actually sitting at the computer's console with this driver.

The firewall port depends on what display number you're using and is always 5900 + display number. But like qwaletee said, the default setup is on 5900.
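An added example, not written by any poster in this thread: the answers above turn on which authentication a given VNC flavour offers and on the 5900 + display port rule, so this Python script parses the server side of an RFB handshake and reports what is on offer. The security-type numbers come from the RFB specification (RFC 6143), not from the thread; the byte strings are constructed samples, and the parser assumes the client echoed the server's protocol version.

```python
import struct

# Security-type numbers from the RFB specification (RFC 6143) and its registry.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 5: "RA2", 16: "Tight",
                  17: "Ultra", 18: "TLS", 19: "VeNCrypt"}


def vnc_port(display):
    """TCP port for a display, per the thread: 5900 + display number."""
    if not 0 <= display <= 99:
        raise ValueError("display number outside the conventional 0-99 range")
    return 5900 + display


def audit_handshake(data):
    """Parse server-to-client handshake bytes; return (version, offered, findings)."""
    banner = data[:12]
    if len(banner) < 12 or not banner.startswith(b"RFB ") or banner[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion banner")
    major, minor = int(banner[4:7]), int(banner[8:11])
    body = data[12:]
    if (major, minor) < (3, 7):
        # RFB 3.3: the server dictates one type as a 32-bit big-endian integer.
        if len(body) < 4:
            raise ValueError("truncated security type")
        types = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7/3.8: one count byte, then that many one-byte type codes.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        types = list(body[1:1 + body[0]])
    if types in ([], [0]):
        return (major, minor), [], ["server refused the connection"]
    offered = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types]
    findings = []
    if 1 in types:
        findings.append("no authentication: anyone who reaches the port gets the desktop")
    if 2 in types:
        findings.append("password-only VNC auth available: session is unencrypted unless tunnelled")
    return (major, minor), offered, findings


# Constructed sample captures (not taken from any real host).
SAMPLE_33 = b"RFB 003.003\n" + struct.pack(">I", 2)
SAMPLE_38 = b"RFB 003.008\n" + bytes([2, 2, 19])
SAMPLE_OPEN = b"RFB 003.008\n" + bytes([1, 1])
```

A host whose findings list is non-empty is one where the firewall should keep `vnc_port(display)` closed to the outside and the session should ride over SSH or a VPN instead.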
 
LVL 35

Expert Comment

by:ShineOn
ID: 9645037
VNC is very reliable, and I have used it to remote-support desktops over a VPN WAN.  Depending on whose version you choose, it has moderate-to-good security.  If you don't need file transfer or remote print, I would have no problems recommending any VNC.  Performance only suffers, from my experience, when the host PC has high-graphics set (16-bit color or higher) and is running some photographic-type wallpaper like WebShots.  

Man, that really p'd me off when users ran WebShots.  But that's another topic...
 
LVL 3

Expert Comment

by:cwp
ID: 9645276
Now that would really suck.

However, I think all of them have the ability to not send the wallpaper info to the client, although it depends on which flavour of VNC for the accessibility of that option (only registry editing for the original VNC, I can't remember what TightVNC has, and UltraVNC has a checkbox right with the properties in the server config dialog box).

> Man, that really p'd me off when users ran WebShots.
If you leave the wallpaper on and tell the client to switch to 256 colors, you can see it turn ugly right before your very eyes. Now go get some revenge on it! ;)