
CDE/X-Win over VPN - risk assessment

  • 18-06-2004 6:59pm
    #1
    Closed Accounts Posts: 3,357 ✭✭✭


    I'm working on a project at the mo, and I'm anticipating a battle with the know-nothing PHBs who live in our IT security dept, so I thought I would ask the august boffins in here for the lowdown.

    Basically, to get this project off the ground we have to allow a remote developer access to our AIX dev environment to allow him to tweak his software to run under AIX (5.1). His dev environment is Eclipse, so he needs CDE & X-Win.

    Therefore we are in the process of setting up a VPN from his company to ours. The firewall rules will allow a single IP at his end to connect to our dev box.

    The potential problem is that, as I understand it, the X server at the remote location will connect to our server over TCP port 6000, but the reply can come back over a small range of ports. This is likely to be a problem to the bods (non-techies) in our security dept, who have it in their heads that opening a range of ports is A BAD THING. (Understandable, I suppose.)

    So my questions are these:

    How risky is this?

    If it is risky, could it be mitigated using something like SSH?

    Go easy on me, I'm a developer!


Comments

  • Closed Accounts Posts: 423 ✭✭Dizz


    Easy and secure solution is VNC over SSH - don't need a VPN or X-Win. All you need is port forwarding set up on the SSH server, so there are no ranges of ports that the firewall needs to take into account.

    For your customer:
    ssh -L5901:your.server:5901 user@your.server
    fire up VNC to connect to localhost:1

    For you:
    /etc/init.d/ssh start
    make sure the firewall accepts incoming connections on port 22
    edit your VNC startup script to invoke the CDE window manager

    It's as risky as SSH is insecure!

    Dizz
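To put some checks behind both the original question (can SSH replace the open port range?) and Dizz's VNC-over-SSH recipe: with plain X11 forwarding (ssh -X) sshd itself listens only on loopback, at 6000 + display number, so nothing beyond port 22 needs to be opened; with the VNC tunnel the same holds only if the VNC server is started bound to loopback (vncserver -localhost) and the developer's key is not allowed to forward to anything else. The script below is an added example for this thread, not code from either poster. Everything in it is a placeholder assumption: the developer's source address 203.0.113.10, the host name aix.example.com, the account "dev", and the constructed netstat sample. The authorized_keys options restrict, port-forwarding and permitopen need OpenSSH 7.2 or later on the server.

```sh
#!/bin/sh
# Added example for this thread, not code from the original posters.
# Assumptions (all placeholders): the remote developer connects from
# 203.0.113.10, his key goes in ~dev/.ssh/authorized_keys on the AIX box,
# and the VNC server was started with "vncserver -localhost" so display :1
# listens on 127.0.0.1:5901 only.

# --- Server side: pin the developer's key to exactly the VNC tunnel ---------
# from=            only the one source IP the firewall already allows
# restrict         no pty, no agent/X11 forwarding, no ~/.ssh/rc (OpenSSH 7.2+)
# port-forwarding  re-enable forwarding, but permitopen limits -L targets to
#                  the VNC display on loopback, so the tunnel cannot be used
#                  as a pivot to other hosts or ports on the dev network
# Usage: authorized_keys_line <source-ip> "<key-type> <base64-key>"
authorized_keys_line() {
    printf 'from="%s",restrict,port-forwarding,permitopen="127.0.0.1:5901" %s\n' "$1" "$2"
}

# Client side (the developer), for reference:
#   ssh -N -L 5901:127.0.0.1:5901 dev@aix.example.com   # -N: tunnel only, no shell
#   vncviewer localhost:1

# --- Server side: verify nothing in a display port range is reachable from
#     the network. Reads "netstat -an" output on stdin (AIX prints local
#     addresses as host.port, Linux as host:port; both are handled) and
#     prints every LISTEN socket in [lo,hi] that is not bound to loopback.
#     Empty output means the only way to those displays is through sshd.
# Usage: netstat -an | exposed_listeners 5900 5999   # VNC displays :0-:99
#        netstat -an | exposed_listeners 6000 6099   # X displays   :0-:99
exposed_listeners() {
    awk -v lo="$1" -v hi="$2" '
        $6 == "LISTEN" {
            n = match($4, /[.:][0-9]+$/)      # locate the trailing port
            if (n == 0) next
            host = substr($4, 1, n - 1)
            port = substr($4, n + 1) + 0
            if (port < lo || port > hi) next
            if (host != "127.0.0.1" && host != "localhost" && host != "::1")
                print $4
        }'
}

# Constructed sample of netstat -an output (AIX and Linux style lines mixed)
# so the check can be exercised offline. 5902 and 5903 are wide open;
# 5901 and the sshd-forwarded X display 6010 are correctly loopback-only.
SAMPLE_NETSTAT='tcp4       0      0  127.0.0.1.5901     *.*        LISTEN
tcp4       0      0  *.22               *.*        LISTEN
tcp4       0      0  *.5902             *.*        LISTEN
tcp        0      0  0.0.0.0:5903       0.0.0.0:*  LISTEN
tcp        0      0  127.0.0.1:6010     0.0.0.0:*  LISTEN'

# Run the checks against the sample; on a real box pipe netstat -an instead.
echo "exposed VNC displays:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 5900 5999
echo "exposed X displays:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 6000 6099
```

The point the security department will care about is the second half: Dizz's recipe only removes the port range if the VNC server is not also listening on the box's real address, and the authorized_keys line is what stops the tunnel from becoming a general-purpose SSH account into the dev network.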

