Hello Charlie,

Charlie Bullen wrote:
> On a scale of 1 to 10 with 1 being totally insecure and 10 being totally
> secure, how would you rate the following

I will take a shot at rating your options, but I will weigh the pros and cons more. Also, I should mention, I don't believe in total security, because you can never prove security. So nothing will receive a 10.

> 1. Using VNC from a computer anywhere on the internet connecting to a
> computer sitting behind a firewall. The firewall passes traffic on port
> 5900 to a specific computer on the LAN.

Rated 3 - The VNC password is encrypted so it wouldn't be the worst thing in the world, however all of the resulting traffic will be unencrypted ... which could be very bad if you open an ssh connection from your VNCed desktop. Given that, I would rate this relatively insecure because it requires the user to remember not to do stupid things (which will happen, not because users are stupid, just that they aren't perfect). I would avoid this myself just because I wouldn't trust myself not to botch it.

> 2. The same basic setup as above, except using ssh to forward port 5900
> to the specific machine behind the firewall.

Rated 9 - If using SSH to do port forwarding is an option, I would definitely choose that. With ssh-agent and public key authentication it's not tough to write a little wrapper script to set up your VNC connection automatically through ssh. SSH is pretty well scrutinized by the security community and will continue to be. Any time you can close a port on your firewall and replace it with the service tunneled through ssh I would suggest it. This will reduce the number of exposed services and transfer the risk to a better known risk. Of course there are still the unknowns.

Good Luck
Austin
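
A wrapper script of the kind mentioned in the reply above could look like the following. This is an added example, not part of the original message: the gateway and LAN host arguments are placeholders, and the `vncviewer host::port` form is an assumption about the installed viewer (TigerVNC, TightVNC and RealVNC accept it).

```shell
#!/bin/sh
# Added example: reach VNC only through an SSH port forward, so port 5900
# never has to be opened on the firewall.
# Usage (constructed values): vnc-tunnel.sh user@gw.example.org 192.168.1.20 5901

# Succeed only for a valid TCP port number (1-65535).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line for the tunnel.
#   $1 = SSH gateway (user@host), $2 = VNC host on the LAN, $3 = local port
tunnel_cmd() {
    valid_port "$3" || { echo "bad local port: $3" >&2; return 1; }
    for h in "$1" "$2"; do
        case "$h" in
            # Reject empty values, option-like values and odd characters.
            ''|-*|*[!A-Za-z0-9@._-]*) echo "bad host: $h" >&2; return 1 ;;
        esac
    done
    # BatchMode: keys/ssh-agent only, never fall back to a password prompt.
    # ExitOnForwardFailure: abort if the local port cannot be bound.
    # 127.0.0.1 bind: other machines cannot use the forwarded port.
    # "sleep 10": the tunnel closes on its own once the viewer disconnects.
    printf 'ssh -f -o BatchMode=yes -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:5900 %s sleep 10\n' \
        "$3" "$2" "$1"
}

main() {
    cmd=$(tunnel_cmd "$1" "$2" "$3") || return 1
    # $cmd holds only validated tokens, so word splitting is safe here.
    $cmd || return 1
    vncviewer "127.0.0.1::$3"
}

# Only connect when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

With this in place the firewall rule passing port 5900 can be removed; only the SSH port needs to stay reachable.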