I am trying to evaluate the use of VNC or TightVNC. In the following scenario I'd like to get some feedback on the potential risks before I OK the use.
The system on my LAN will initiate a connection to a VNC server over the Internet to a trusted site to generate some data that will be used on our LAN. Since the client is on my LAN and not the server, I don't see a huge security risk except the following:
1. Traffic is unencrypted
2. Passwords used on most VNC servers are pretty weak even though they are encrypted. Don't really see how that would be my problem though.
3. Requires opening a port at the server end, but again I don't see how that is an issue for the client LAN.
4. Not sure, but if the client connects to a Linux VNC server and issues a su command and enters a password, that may be unencrypted. If the su password is the same as a system on my network (users like to use the same pass everywhere) I guess that could expose a password on my network.
5. Not knowing the security posture of the remote server could open up a client to compromise? If the remote server is compromised and our client connects to it, is it possible that the server end can do "something" to the client end?
Anything else to consider in this scenario? I know VNC can be tunneled through SSH, but I am not sure that this is an option for this particular server.