Can't connect via VNC from work to home - Network


Thread: Can't connect via VNC from work to home

  1. Re: Can't connect via VNC from work to home

    "Charles Newman" wrote:

    > She would not get out on any network that I ran, because I would have
    > ports 1000 through 5300 blocked, to block Kazaa, and AOL IM
    > and AOL for Broadband, at port 5190 would fall within that range.


    Even better, don't allow any outbound connections at all for client
    machines - only allow the proxy server to connect out.


    Juergen Nieveler
    --
    Sex on television can't hurt you unless you fall off

  2. Re: Can't connect via VNC from work to home


    "Juergen Nieveler" wrote in message
    news:Xns95FEC4633BCF2juergennieveler@nieveler.org...
    > "Charles Newman" wrote:
    >
    >> She would not get out on any network that I ran, because I would have
    >> ports 1000 through 5300 blocked, to block Kazaa, and AOL IM
    >> and AOL for Broadband, at port 5190 would fall within that range.
    >
    > Even better, don't allow any outbound connections at all for client
    > machines - only allow the proxy server to connect out.


    That is exactly how my NAT/PFW solution is set up on my
    network. All outbound connections have to go through either
    the HTTP or Socks proxy. I just simply tell the PFW not
    to let the program operating the Socks proxy go out
    on port 80, or ports 1000-5300, and that shuts down
    Kazaa, as well as MSN, Yahoo, and AOL IM. A PFW
    solution on a NAT box can be superior to a hardware
    appliance, if configured right.



  3. Re: Can't connect via VNC from work to home

    Leythos wrote:

    > I look at it like this, as a business owner I pay my people to WORK
    > when they are at work, not to relax, play games, do personal email,
    > etc


    That's your policy. My employer's policy allows it, as I've stated.

    > Maybe you could answer this for the group: What's so important at home
    > that you're willing to subvert company policy to use?


    That's irrelevant. I just want to access my PC via a web browser as
    the policy allows. Whether that policy had the forethought to include
    the possibility of a remote desktop connection (via a web page) is the
    issue here. I'd rather not draw attention to it if it can be avoided.



  4. Re: Can't connect via VNC from work to home

    Grosby wrote:

    >> Maybe you could answer this for the group: What's so important at
    >> home that you're willing to subvert company policy to use?
    >
    > That's irrelevant.


    Just to clarify: when I say "irrelevant" I meant the relevancy of
    what I want to do with my PC. I am not subverting company policy
    as they do not oppose using the web during off-periods, as I've
    stated from the start.



  5. Re: Can't connect via VNC from work to home

    Juergen Nieveler wrote:
    > ejfudd820@hotmail.com wrote:
    >
    > > Also, you did not read the entire message. She is bringing her OWN
    > > LAPTOP, and connecting it to the company's WIRELESS network.
    >
    > She might be violating company rules already simply by doing that.
    >
    > > It is because of this that they would have to bring in a spectrum
    > > analyser in order to be able to trace the offending computer.
    >
    > Uh... nope. See below.
    >
    > > They can spot it on the firewall, but to find the offending computer
    > > would require a spectrum analyser and a tracking antenna.
    >
    > They can see the IP address. The DHCP server will tell them the MAC to
    > that IP. Then they check which access point the network card with that
    > MAC is connected to. That limits the search to the area covered by this
    > access point - with a usual corporate layout, they'll only have one
    > floor to search, possibly even as little as 2 or 3 offices.


    However, you can boost the range with quite a number of antenna
    designs. I have heard of a "stew can" antenna which is a much more
    efficient radiator than a Pringles can. Someone could be using one of
    these in a more distant part of the office. Some stew-can antennas
    can achieve a gain of 17dB, considerably higher than the 12 to 15dB
    gain of a Pringles can.
    This is why the company would probably need a spectrum analyser. If
    someone is using a high-gain antenna and coming from a more distant
    part of the building, they would need one of these to find the offending
    computer.
    At least one reporter I was chatting with at one time did use an
    antenna made from a used Nalley's Big Chunk(R) Beef Stew can (40 oz),
    and it increased the gain of her wireless card quite a bit. She claimed
    to get a 17dB gain out of the thing, enough to hit any wireless access
    point up to 15 miles away (depending on atmospheric conditions). For
    a 17dB gain antenna, it will increase the ERP by about 50. From her
    office in New York City, she could hit her WAP at her home, about 10
    miles away, quite easily with two Nalley's beef stew cans. With a
    1/2 watt signal going into the antennas, that made the ERP about 25
    watts.


  6. Re: Can't connect via VNC from work to home

    ejfudd820@hotmail.com wrote:

    > However, you can boost the range with quite a number of antenna
    > designs. I have heard of a "stew can" antenna which is a much more
    > efficient radiator than a Pringles can. Someone could be using one of
    > these in a more distant part of the office.


    While people would probably not notice somebody using a private laptop,
    there WOULD be comment if you start fiddling around with experimental
    antennas. Do you think Admins are that dumb? People talk, and talk like
    "$Foo has a can connected to her laptop" spreads very fast.

    > This is why the company would probably need a spectrum analyser. If
    > someone is using a high-gain antenna and coming from a more distant
    > part of the building, they would need one of these to find the offending
    > computer.


    Not even then. The Admin would still notice an unknown MAC in the
    network - or did your friend sneak the MAC of the WLAN-card into the
    asset database? In an ActiveDirectory, the Admin could also notice that
    a machine registered in DHCP was not a member of the domain. He could
    see a workgroup where only domain members should be. He could see a
    machine that doesn't have an SMS agent on it.

    Plenty of ways to detect machines around the network that don't belong
    there - and if you find an unknown machine connected to a WLAN, the
    worst case scenario kicks in immediately: Script Kiddie alert, a
    wardriver has infiltrated your net. The Admins would conduct a thorough
    search of the area, and any computer without asset tag would
    immediately be confiscated.

    Is it really worth all that trouble just to chat during work hours?

    Juergen Nieveler
    --
    There are two kinds of ships, submarines and targets. - Royal
    Netherlands Submarine Service
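    The detection chain described in this reply and the one before it
    (DHCP lease gives the MAC, the access point association narrows the
    search area, and the asset register, domain membership and management
    agent each flag a machine that does not belong), written out as a
    correlation script. This is an added example, not code from the thread;
    the lease lines, asset tags, hostnames, access point names and
    locations are all constructed, and the lease format is a simplified
    dhcpd.leases style chosen for the example.

```python
"""Correlate DHCP leases with asset, domain and wireless data to flag rogues."""
import re
from typing import Dict, List, Set, Tuple

# Constructed dhcpd.leases-style entries, one per line (not real data).
DHCP_LEASES = """\
lease 10.1.20.57 { hardware ethernet 00:0c:29:aa:bb:01; client-hostname "ws-fin-03"; }
lease 10.1.20.58 { hardware ethernet 00:1f:3b:12:34:56; client-hostname "janes-laptop"; }
lease 10.1.21.12 { hardware ethernet 00:0c:29:aa:bb:02; client-hostname "ws-eng-11"; }
"""
LEASE_RE = re.compile(
    r'lease (?P<ip>\S+) \{ hardware ethernet (?P<mac>[0-9a-f:]{17});'
    r' client-hostname "(?P<host>[^"]*)";')

# Asset register: MAC -> asset tag (constructed).
ASSET_DB: Dict[str, str] = {
    "00:0c:29:aa:bb:01": "A-10231",
    "00:0c:29:aa:bb:02": "A-10477",
}
# Hostnames joined to the domain, as the directory would report them.
DOMAIN_MEMBERS: Set[str] = {"ws-fin-03", "ws-eng-11"}
# Hostnames checking in with the management agent.
AGENT_HOSTS: Set[str] = {"ws-fin-03", "ws-eng-11"}
# Wireless controller view: access point -> (location, associated MACs).
AP_ASSOCIATIONS: Dict[str, Tuple[str, Set[str]]] = {
    "ap-3f-east": ("3rd floor, east wing", {"00:1f:3b:12:34:56"}),
    "ap-2f-west": ("2nd floor, west wing", {"00:0c:29:aa:bb:02"}),
}


def parse_leases(text: str) -> List[Dict[str, str]]:
    """Pull ip/mac/hostname out of each lease line; skip lines that don't parse."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(m.groupdict())
    return leases


def locate(mac: str, ap_assoc: Dict[str, Tuple[str, Set[str]]]) -> Tuple[str, str]:
    """Return (access point, location) for a MAC, or a wired/unknown marker."""
    for ap, (location, macs) in ap_assoc.items():
        if mac in macs:
            return ap, location
    return "", "wired or not associated"


def find_rogues(leases: List[Dict[str, str]],
                asset_db: Dict[str, str],
                domain_members: Set[str],
                agent_hosts: Set[str],
                ap_assoc: Dict[str, Tuple[str, Set[str]]]) -> List[Dict[str, object]]:
    """Flag every lease that fails any of the three belonging checks."""
    findings = []
    for lease in leases:
        reasons = []
        if lease["mac"] not in asset_db:
            reasons.append("MAC not in asset register")
        if lease["host"] not in domain_members:
            reasons.append("host not a domain member")
        if lease["host"] not in agent_hosts:
            reasons.append("no management agent")
        if reasons:
            ap, location = locate(lease["mac"], ap_assoc)
            findings.append({**lease, "reasons": reasons,
                             "ap": ap, "location": location})
    return findings


if __name__ == "__main__":
    for f in find_rogues(parse_leases(DHCP_LEASES), ASSET_DB,
                         DOMAIN_MEMBERS, AGENT_HOSTS, AP_ASSOCIATIONS):
        print(f"{f['ip']} {f['mac']} ({f['host']}): {', '.join(f['reasons'])}"
              f" -> {f['ap'] or 'no AP'}, {f['location']}")
```

    The known wireless client on ap-2f-west produces nothing, because it
    passes all three checks; the unregistered laptop is reported with the
    access point it is associated to, which is what narrows the physical
    search to one floor.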

  7. Re: Can't connect via VNC from work to home


    "Charles Newman" wrote in message news:5NCdnZBEyd4Lqo_fRVn-tA@comcast.com...
    >
    > She would not get out on any network that I ran, because I would have
    > ports 1000 through 5300 blocked, to block Kazaa, and AOL IM
    > and AOL for Broadband, at port 5190 would fall within that range.
    >
    > You and your online girlfriends can obviously get past hardware
    > appliances, but you would not get past my firewall setup. Hardware
    > firewalls don't offer the flexibility that software firewalls, such as
    > SyGate and Tiny offer. On my setup, Tiny can be modified to
    > block Kazaa on the Socks server, including port 80, while
    > allowing the HTTP proxy to get out on port 80. AOL, Yahoo,
    > and MSN IM can be blocked in the same way.


    Just so you're aware, Fortigate Hardware firewalls can do that also.

    -Russ.



  8. Re: Can't connect via VNC from work to home


    "Leythos" wrote in message
    newsan.2005.02.15.18.20.41.684595@nowhere.lan...
    > On Tue, 15 Feb 2005 12:52:42 -0500, Somebody wrote:
    > I look at it like this, as a business owner I pay my people to WORK when
    > they are at work, not to relax, play games, do personal email, etc... If
    > they want to use a PC to access personal stuff, well, that's what they


    That's a separate and valid issue, from whether or not an outbound VNC
    connection is a security risk to the network.

    Productivity/HR issues are very complicated. I have no argument with any of
    your points in that regard.

    > have a home life for, and it can be done after hours. I allow a small
    > amount of personal email from the company addresses, but we actually
    > monitor it and when it gets out of hand or their spam level increases we
    > take measures to fix it. We don't allow free access to the web or any
    > other services. People have to get back into the frame of mind that they
    > OWE the company for what they are PAID, not the company owing them money
    > for showing up.
    >
    >
    > --
    > spam999free@rrohio.com
    > remove 999 in order to email me
    >




  9. Re: Can't connect via VNC from work to home


    "Leythos" wrote in message
    newsan.2005.02.15.18.22.12.898047@nowhere.lan...
    > On Tue, 15 Feb 2005 12:54:11 -0500, Somebody wrote:
    >
    > >
    > > "Leythos" wrote in message
    > > newsan.2005.02.15.16.55.20.399129@nowhere.lan...
    > >> On Tue, 15 Feb 2005 07:54:05 -0800, Elmer J Fudd wrote:
    > >>
    > >> > Another method, that one lady I was chatting with the other day was
    > >> > using, was to log onto AOL to chat from work. She uses AOL for
    > >> > broadband, signs onto AOL, and then comes onto the chat room. Her
    > >> > boss has no CLUE as to what she is up to. She also brings her own
    > >> > laptop, and connects to the company's wireless access point (WAP).
    > >> > The only way they could figure out where the connection was coming
    > >> > from would be to bring in a spectrum analyser and trace the
    > >> > connection that way.
    > >>
    > >
    > > Connections to a WAP are dead easy to trace/filter/block, just by
    > > configuring the WAP properly.
    > >
    > > Failing that, you DMZ it on a proper firewall and filter/block/analyse
    > > the traffic at that point.
    > >
    > > If you're doing neither of those things, then shame on you, take your
    > > lumps.
    >
    > Russ, just so you know, it was not me that advocated those things - it
    > looks like you quoted it to me. I agree, it's easy to detect and determine
    > who the thief is, and they should be reprimanded on the spot.


    No worries, I didn't mean to imply it was *you* specifically, it was a
    rhetorical "you". :-)

    -Russ.



  10. Re: Can't connect via VNC from work to home


    "Juergen Nieveler" wrote in message
    news:Xns95FEC40E371E3juergennieveler@nieveler.org...
    > "Somebody" wrote:
    >
    > >> As for back-ending the connection, there is more than one version of
    > >> VNC, and some versions allow file sharing, if you can share files
    > >> then you create a threat by that simple action alone.
    > >
    > > I'm not aware of that version of VNC.
    >
    > IIRC UltraVNC allows file transfers. Or was it TightVNC? So many
    > versions, I'm staying with RealVNC :-)


    That's too bad -- RealVNC is such a nice program, it's a shame to see it
    polluted by the others.

    -Russ.



  11. Re: Can't connect via VNC from work to home

    Taking a moment's reflection, Somebody mused:
    |
    | VNC does not open any new conduits *in to* the network. Hence it is not a
    | risk, outbound.

    It really depends on what the user is wanting to do, and what version of
    VNC he is using. UltraVNC adds file transfer capability. So, the user
    could transfer an infected file to the company network, or (by using VNC to
    connect) forward an infected email to his company account. So, the risk is
    from the actual user ... VNC is only the tool. But, considering he is
    unwilling to let his IT department know he wants to do this, I would have to
    assume the risk is increased ... as he likely has no good reason (in terms
    of the company) to be contacting his home computer. My guess is he wants to
    surf porn sites, and by surfing over VNC the nudies would be in his home
    temp file instead of on his work computer where they could be found.

    | Ok, I'll grant you that the tiny amount of bandwidth it uses is worth
    | something. Less than an average browsing session I'd say.

    Most of the restrictions are for this reason. Companies are growing
    less tolerant of employees wasting time surfing the internet, chatting with
    friends, or downloading MP3s when they should be working.




  12. Re: Can't connect via VNC from work to home

    Taking a moment's reflection, Somebody mused:
    |
    | He's using VNC, not RDP. No file xfer capability.

    http://ultravnc.sourceforge.net/



  13. Re: Can't connect via VNC from work to home

    In article , Juergen Nieveler wrote:

    >ejfudd820@hotmail.com wrote:


    Oh, our self-proclaimed expert on circumventing security.

    >> However, you can boost the range with quite a number of antenna
    >> designs. I have heard of a "stew can" antenna which is a much more
    >> efficient radiator than a Pringles can. Someone could be using one of
    >> these in a more distant part of the office.


    who doesn't even understand the buzzwords - efficiency relates to losses
    due to reflection coefficients, mismatch loss, resistive loss, and the
    uniformity of the resulting pattern - generally speaking, how accurately
    the antenna was fabricated. The word he wants is 'gain'. His experts in
    the chatroom also don't understand the term 'wavelength' and how that
    relates to the dimensions of waveguide style antennas. I'm surprised one
    of the jerks hasn't spoken about the real killer antenna made out of a 33
    gallon trash can (roughly 50 cm diameter, 90 cm tall) - it's so big it must
    have a bazillion decibels of gain. Something like that gadget they advertise
    to "turn your house wiring into a Giant TV antenna" - you know, the one
    with a picture of a 100 meter radio telescope antenna in the background.

    >While people would probably not notice somebody using a private laptop,


    They would here.

    >> This is why the company would probably need a spectrum analyser. If
    >> someone is using a high-gain antenna and coming from a more distant
    >> part of the building, they would need one of these to find the offending
    >> computer.


    The expert also has no concept of what spectrum analyzers are, what the
    display of an 802.x link would look like on such a tool, nor how the signal
    even reaches the display. Antenna patterns? Wazzat? That s00p3r 31337
    toolz called 'NetStumbler'? Never heard of it.

    >Not even then. The Admin would still notice an unknown MAC in the
    >network - or did your friend sneak the MAC of the WLAN-card into the
    >asset database?


    Well, all of his buddies in that chatroom are really 31337 - so of course
    they hacked in. They even figured out what financial reporting center the
    hardware should be billed to. They learned that trick from Chris Stoll's
    book.

    >In an ActiveDirectory, the Admin could also notice that a machine
    >registered in DHCP was not a member of the domain. He could see a
    >workgroup where only domain members should be. He could see a machine
    >that doesn't have an SMS agent on it.


    We don't use DHCP, never mind windoze, but the passive fingerprinting tool
    that we use would notice the intruder before it completed its first
    three-way handshake.

    >Plenty of ways to detect machines around the network that don't belong
    >there - and if you find an unknown machine connected to a WLAN, the
    >worst case scenario kicks in immediately: Script Kiddie alert, a
    >wardriver has infiltrated your net. The Admins would conduct a thorough
    >search of the area, and any computer without asset tag would
    >immediately be confiscated.


    It's not just the admins - security would be with us. And yes, we also do
    an immediate autopsy on the confiscated box. Actually, last month we had
    three false alarms like that - one of the IT techs setting up new systems
    managed to typo the messages about new hardware. He no longer works here.

    Old guy


  14. Re: Can't connect via VNC from work to home

    ibuprofin@painkiller.example.tld (Moe Trin) wrote:

    > It's not just the admins - security would be with us. And yes, we also
    > do an immediate autopsy on the confiscated box. Actually, last month
    > we had three false alarms like that - one of the IT techs setting up
    > new systems managed to typo the messages about new hardware. He no
    > longer works here.


    Sounds like you either work for a large bank datacenter or an R&D
    facility. Either way, sounds like a nice place indeed :-)


    Juergen Nieveler
    --
    Man who drive like hell, bound to get there.

  15. Re: Can't connect via VNC from work to home


    "mhicaoidh" wrote in message
    news:KxLQd.7725$tl3.4313@attbi_s02...
    > Taking a moment's reflection, Somebody mused:
    > |
    > | He's using VNC, not RDP. No file xfer capability.
    >
    > http://ultravnc.sourceforge.net/


    Let me rephrase: Assuming RealVNC, no file xfer capability.



  16. Re: Can't connect via VNC from work to home

    On Thu, 17 Feb 2005 07:54:56 -0500, Somebody wrote:

    >
    > "mhicaoidh" wrote in message
    > news:KxLQd.7725$tl3.4313@attbi_s02...
    >> Taking a moment's reflection, Somebody mused:
    >> |
    >> | He's using VNC, not RDP. No file xfer capability.
    >>
    >> http://ultravnc.sourceforge.net/

    >
    > Let me rephrase : Assuming RealVNC, no file xfer capability.


    Without knowing what type of firewall is being used at the office, it's
    possible that something from the home computer could ride inbound on the
    connection to the office user.

    Also, once you let people start using VNC there is nothing to stop them
    from using TightVNC or other applications - it opens the proverbial
    pandora's box.

    --
    spam999free@rrohio.com
    remove 999 in order to email me


  17. Re: Can't connect via VNC from work to home


    "Leythos" wrote in message
    newsan.2005.02.17.14.22.30.984541@nowhere.lan...
    > On Thu, 17 Feb 2005 07:54:56 -0500, Somebody wrote:
    >
    > >
    > > "mhicaoidh" wrote in message
    > > news:KxLQd.7725$tl3.4313@attbi_s02...
    > >> Taking a moment's reflection, Somebody mused:
    > >> |
    > >> | He's using VNC, not RDP. No file xfer capability.
    > >>
    > >> http://ultravnc.sourceforge.net/

    > >
    > > Let me rephrase : Assuming RealVNC, no file xfer capability.

    >
    > Without knowing what type of firewall is being used at the office, it's
    > possible that something from the home computer could ride inbound on the
    > connection to the office user.
    >
    > Also, once you let people start using VNC there is nothing to stop them
    > from using TightVNC or other applications - it opens the proverbial
    > pandora's box.


    Not unless you have application level control on the PC, which I doubt in
    this instance.

    For that matter VNC can be re-assigned to another permitted port, and so can
    most other software that poses a security risk. That's where a greyware
    filtering firewall that looks at the data not just the packets, is very
    useful.

    -Russ.
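    The point made just above, that VNC can be moved to any permitted port
    and only a filter that looks at the data rather than the port numbers
    will still see it, shown with a small content-based detector beside a
    port-only one. This is an added example, not code from the thread; the
    flows, addresses and payload bytes are constructed. It relies on one
    real property of the RFB protocol VNC uses: the server sends a
    "RFB xxx.yyy\n" version banner as its very first bytes, so that banner
    identifies a VNC session whatever port it runs on.

```python
"""Port-based vs content-based detection of VNC (RFB) sessions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFB ProtocolVersion banner, sent first by the server ("RFB 003.008\n").
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|CONNECT) \S+ HTTP/1\.[01]\r\n")
TLS_RECORD_PREFIX = b"\x16\x03"   # TLS handshake record, client speaks first

VNC_PORTS = range(5900, 5910)     # what a port-only rule would watch


@dataclass(frozen=True)
class Flow:
    """A TCP session with the first bytes seen in each direction (constructed)."""
    client: str
    server: str
    dport: int
    server_first: bytes
    client_first: bytes


SAMPLE_FLOWS: List[Flow] = [
    # plain VNC on its usual port
    Flow("10.1.20.57", "203.0.113.8", 5900, b"RFB 003.008\n", b"RFB 003.008\n"),
    # the same VNC server re-assigned to 443 so it passes a port-based rule
    Flow("10.1.20.57", "203.0.113.8", 443, b"RFB 003.008\n", b"RFB 003.008\n"),
    # a genuine TLS session on 443 (ClientHello / ServerHello record headers)
    Flow("10.1.20.60", "203.0.113.9", 443,
         b"\x16\x03\x03\x00\x4a\x02\x00\x00\x46", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    # ordinary web browsing on 80
    Flow("10.1.20.61", "203.0.113.10", 80,
         b"HTTP/1.1 200 OK\r\n", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def rfb_version(server_first: bytes) -> Optional[Tuple[int, int]]:
    """(major, minor) from the server banner, or None if it isn't RFB."""
    m = RFB_BANNER.match(server_first)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(flow: Flow) -> str:
    """Protocol guess from payload content, ignoring the port entirely."""
    if rfb_version(flow.server_first) is not None:
        return "vnc"
    if HTTP_REQUEST.match(flow.client_first):
        return "http"
    if flow.client_first.startswith(TLS_RECORD_PREFIX):
        return "tls"
    return "unknown"


def flagged_by_port(flows: List[Flow]) -> List[int]:
    """Indexes a port-only rule would report as VNC."""
    return [i for i, f in enumerate(flows) if f.dport in VNC_PORTS]


def flagged_by_content(flows: List[Flow]) -> List[int]:
    """Indexes a payload-inspecting rule would report as VNC."""
    return [i for i, f in enumerate(flows) if classify(f) == "vnc"]


def missed_by_port(flows: List[Flow]) -> List[int]:
    """VNC sessions that content inspection catches but the port rule does not."""
    by_port = set(flagged_by_port(flows))
    return [i for i in flagged_by_content(flows) if i not in by_port]


if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_FLOWS):
        print(f"{i}: {f.client} -> {f.server}:{f.dport:<4} {classify(f)}")
    print("port rule flags:   ", flagged_by_port(SAMPLE_FLOWS))
    print("content rule flags:", flagged_by_content(SAMPLE_FLOWS))
    print("missed by port:    ", missed_by_port(SAMPLE_FLOWS))
```

    The same idea generalises to any protocol with a recognisable opening
    exchange; the port-only rule catches flow 0 and nothing else, while the
    banner check also catches the copy moved to 443 and leaves the real TLS
    session alone.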



  18. Re: Can't connect via VNC from work to home

    In article , Juergen Nieveler wrote:

    >Sounds like you either work for a large bank datacenter or an R&D
    >facility. Either way, sounds like a nice place indeed :-)


    R&D. Usually it's pretty good, because the users are not quite as
    brain dead. But occasionally, they pull something (almost always
    innocent) that makes you want to take a broadsword out and
    make some examples. But the company president says we can't put the
    hacked off heads on pikes out by the entrance - something about a
    bio-hazard (whatever that is). ;-)

    But he may be recalling his visit two years ago, when he brought his
    lap-top along, and then decided to check his mail at corporate headquarters
    across the country. "Intruder!!! Something running a 3Com NIC... and its
    on the mahogany row network" (meaning the VIP offices). We had our usual
    SWAT team reaction, meaning the thundering herd of sys-admins and guards.
    I don't know which look more intimidating - several of the sys-admins are
    2.00 meters and 100 kg and look _ugly_ when unhappy. There were some red
    faces, especially because we're enforcing a policy he signed a year or so
    earlier, but he's never brought a lap-top here since.

    Old guy

