From: Steve Shockley (steve.shockleyshockley.net)
Date: Wed Aug 15 2007 - 20:45:55 CDT
Nick Holland wrote:
> as stated, you can't do what you want to do the way you propose doing it.
To be specific, if you want to have multiple sites behind one IP address
and one port, you need an application proxy. With http, you can do this
with host headers and a reverse http proxy. You can't do this with RDP
(Remote Desktop) because the RDP protocol doesn't know what the target
host name is.
> Do you REALLY want remote desktop sitting live on the 'net? That's one
> heck of a hole to punch in your firewall. If
More to the point, you do not want to remotely access WinXP machines
across the Internet; see http://www.oxid.it/downloads/rdp-gbu.pdf: all
versions of XP and Server 2003 pre-SP2 use a well-known "private" key to
encrypt the data, so a man-in-the-middle attack is trivial. Server 2003
SP2 allows you to load a signed certificate, so if you set up a CA and
use the RDP 6.0 client you can avoid the MITM problem. I'm not sure how
this interacts with rdesktop.
(Download Cain & Abel from oxid.it if you want to scare your PHB.)
> 1) authpf:
I'd avoid this in this case, it does nothing to prevent MITM attacks
once the authpf session is established.
> 2) SSH tunnels:
> Personally, I'd go for the tunnels.
Agreed. At least with ssh tunnels you avoid the possibility of a MITM
attack once the user connects the first time and saves the key. PuTTY's
warnings are suitably dire if the key changes unexpectedly.
Fortunately, Longhorn/Server 2008 has solutions to most of these
problems, but you have to both pay $$ and sell your soul.
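The point about SSH tunnels resting on the key saved at first connection is a trust-on-first-use policy. The following Python is an added example, not part of the post and not code from OpenSSH, PuTTY or rdesktop; it models a known_hosts-style store and the three outcomes a client can reach (first use, matching key, changed key). Host names, IP addresses and keys are constructed for the demo.

```python
"""Trust-on-first-use (TOFU) host key store, modelled loosely on the
known_hosts file that OpenSSH and PuTTY keep.  Added example; the keys and
host names below are constructed, not real."""
import base64
import hashlib
from typing import Dict, List, Tuple

# Possible outcomes of a host key check.
NEW = "new"            # never seen this host: first use, key gets saved
OK = "ok"              # host seen before and the key matches
MISMATCH = "mismatch"  # host seen before but the key changed: possible MITM


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    raw = base64.b64decode(key_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """In-memory store of (host, key type) -> base64 key, in known_hosts syntax."""

    def __init__(self, text: str = "") -> None:
        self.entries: Dict[Tuple[str, str], str] = {}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            if len(parts) < 3:
                continue  # malformed line: ignore it rather than trust it
            hosts, key_type, key = parts[0], parts[1], parts[2]
            for host in hosts.split(","):  # one line may list several names
                self.entries[(host, key_type)] = key

    def check(self, host: str, key_type: str, key: str) -> str:
        known = self.entries.get((host, key_type))
        if known is None:
            return NEW
        return OK if known == key else MISMATCH

    def trust(self, host: str, key_type: str, key: str) -> None:
        self.entries[(host, key_type)] = key

    def dump(self) -> str:
        return "\n".join(f"{h} {t} {k}" for (h, t), k in sorted(self.entries.items()))


def decide(store: KnownHosts, host: str, key_type: str, key: str) -> Tuple[bool, str]:
    """Apply the TOFU policy: save on first use, accept a match, refuse a change."""
    verdict = store.check(host, key_type, key)
    fp = fingerprint(key)
    if verdict == NEW:
        store.trust(host, key_type, key)
        return True, f"first connection to {host}; saving key {fp}"
    if verdict == OK:
        return True, f"host key for {host} matches saved key"
    return False, (f"WARNING: host key for {host} has changed to {fp}; "
                   "refusing to connect (possible man-in-the-middle)")


# Constructed sample data: a gateway we already know and a key that differs.
KEY_A = base64.b64encode(b"constructed public key A for gateway.example").decode()
KEY_B = base64.b64encode(b"constructed public key B, not the saved one").decode()
SAMPLE_KNOWN_HOSTS = f"""# constructed known_hosts
gateway.example,10.0.0.1 ssh-rsa {KEY_A}
"""


def demo() -> List[Tuple[bool, str]]:
    store = KnownHosts(SAMPLE_KNOWN_HOSTS)
    results = []
    # Same key as saved: connection allowed.
    results.append(decide(store, "gateway.example", "ssh-rsa", KEY_A))
    # A host we have never seen: key saved on first use.
    results.append(decide(store, "newhost.example", "ssh-rsa", KEY_B))
    # Known host presenting a different key: refused.
    results.append(decide(store, "gateway.example", "ssh-rsa", KEY_B))
    return results


if __name__ == "__main__":
    for allowed, msg in demo():
        print("ALLOW" if allowed else "REFUSE", "-", msg)
```

The weak spot of the policy is the very first connection, which is why the first save should happen on a network you trust or against a fingerprint obtained out of band; after that, a changed key is refused rather than silently re-saved.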