This is a very newbie question, but I would just like to make sure that I'm not missing anything: If I connect via VNC protocol to my various servers etc. inside my own LAN (home network), then should I consider hardening my VNC in any way? (E.g. VNC through SSH etc.). Or is it really pointless? I mean when initiating a VNC connection inside the LAN means no traffic should be ever routed via public Internet anyway when I have all my VNC server applications installed locally in my servers, right? I'm using Remmina client on my Linux machines and UltraVNC servers and clients on Windows.

I also use RDP in Windows, but RDP is already natively encrypted (though it's debatable whether enough for enterprise use), so I guess I really don't even need to worry about hardening RDP connections any further when connecting inside my LAN (I've also changed RDP default ports in my desktops).

Richie79
  • It fully depends if "your LAN" is really fully yours, i.e. all devices and all physical and virtual connections are fully controlled by you and not even the tiniest part might be controlled by somebody else. Are you this sure? – Steffen Ullrich Dec 19 '20 at 21:36
  • Hi, yes, I am very sure my whole network is controlled by myself only. – Richie79 Dec 20 '20 at 15:20
  • So, you don't visit any websites on the internet and you don't transfer mails? Because in this case the traffic flowing through your network is not fully controlled by you but depends on someone outside your network, which might be a potential attacker. Just visiting websites can also cause activity against other systems in your network, since any website can trigger access to any other websites, even internal ones. And this access might also reach and confuse non-web services, like VNC and RDP. So are you still sure that you and only you fully control what happens in the network? – Steffen Ullrich Dec 20 '20 at 16:17
  • Thank you, but that sounds a bit far fetched. Of course there is no 100% security anywhere and there are risks everywhere in cyber space. However, my home network is strongly hardened (e.g. network FW, IPS, SIEM, AV etc.) and I was mainly looking for whether using non-hardened VNC protocol internally exposes my network to Internet in any reasonable way. – Richie79 Dec 20 '20 at 22:00
  • *"... my home network is strongly hardened ..."* - this statement kind of contradicts to me your statement of *"This is a very newbie question ...."*. Based on the last phrase it might just be that you overestimate what the security products you use are actually capable of. – Steffen Ullrich Dec 20 '20 at 22:23

2 Answers

Even if the internal network seems to be under full control and the internal VNC or RDP services are not directly exposed to the internet, this does not mean that they cannot be accessed for sure by an attacker. Just by visiting a website controlled by an attacker the browser could be instrumented by this attacker to scan the local network, access internal services or even open arbitrary ports from the internet.

The latter was demonstrated in 2008 with UPnP requests issued from a Flash application and a few months ago with the most recent browsers at this time again, see NAT Slipstreaming. This way unsecured internal services could be made accessible from the internet.

Therefore internal services, including RDP and VNC should still be hardened, i.e. have latest patches and proper access control.

Steffen Ullrich

The VNC protocol is not encrypted. So what does that mean?

Clearly the release level and patches should be kept up to date.

Certainly an unknown vulnerability could be a risk, but that applies to everything.

The primary known vulnerability is traffic sniffing because it's not encrypted. So within your internal LAN, how might that happen?

  • An unknown or untrusted user on your network.

Assuming you don't have kids, neighbors, friends on your network, then that leaves covert systems. Your Internet of Things (IoT) is a possibility. Your smart TV, refrigerator, toaster, printer, etc. could be running a sniffer, they'd also have to be poisoning your switch, but how likely is that? Unless you're a target of a Nation State, anything commercial like that would be a major product black eye in the press, however it's technically possible.

An accessible network port, such as an external camera connection, could provide sniffing capabilities.

A network extender that may not be up to snuff? I once mistakenly added a network extender that linked to the main router with WPA2, as advertised by the product, only to discover with horror the extension signal was WEP only.

So yes, there are technically possible risks but how realistic they are to your situation you have to decide. Personally, I do occasionally run remote VNC accesses to VMware Clients.

As a side note: I have seen a sniffer running on a printer as a demonstration, but I've never encountered one in the wild.

user10216038
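Added example, not part of either answer: both answers come down to access control and the lack of encryption in VNC, and the opening bytes a VNC (RFB) server sends show which of these it offers. The sketch below parses that server handshake and reports hardening findings; the function names and the sample byte strings are constructed for illustration, and only a small subset of the registered RFB security types is listed.

```python
import re
import struct

# Subset of RFB security types (RFC 6143 and the IANA RFB registry).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}
TLS_CAPABLE = {18, 19}  # types that can wrap the session in TLS

def parse_server_handshake(data: bytes) -> dict:
    """Parse the server's ProtocolVersion and security messages."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", data[:12])
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(m.group(1)), int(m.group(2)))
    body = data[12:]
    if version < (3, 7):
        # RFB 3.3: the server dictates a single type as a 32-bit integer.
        if len(body) < 4:
            raise ValueError("truncated security message")
        types = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7+: one count byte, then that many one-byte type codes.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security message")
        types = list(body[1:1 + body[0]])
    return {"version": version, "types": types}

def audit(data: bytes) -> list[str]:
    """Return hardening findings for one captured server handshake."""
    types = parse_server_handshake(data)["types"]
    findings = []
    if not types or types == [0]:
        return ["server refused the handshake; no security types offered"]
    if 1 in types:
        findings.append("type 1 (None) offered: no password required")
    if not TLS_CAPABLE & set(types):
        findings.append("no TLS-capable type offered: session is cleartext "
                        "unless tunnelled (for example through SSH)")
    return findings

# Constructed sample handshakes (not captured from any real server).
SAMPLES = {
    "open": b"RFB 003.008\n" + bytes([2, 1, 2]),
    "vncauth-3.3": b"RFB 003.003\n" + struct.pack(">I", 2),
    "vencrypt": b"RFB 003.008\n" + bytes([1, 19]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, parse_server_handshake(raw)["types"], audit(raw))
```

A VeNCrypt offer only means TLS can be negotiated; the subtype the client and server finally select decides whether the session is actually encrypted.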