    Installing X2Go NX Server on Linux Mint 17.2

    IT Discussion
    Tags: x2go, nx, x windows, linux, linux desktop, terminal server, remote access, jump server, linux mint, linux mint 17.2
    • scottalanmiller @dafyre

      @dafyre said:

      I do not disagree that there is more exposure. But how is this any different than being on a LAN? If my laptop worker is sitting at their desk connected to my LAN, or if they're 500 miles away, connected to my LAN?

      So you agree that there is more exposure but what how there is more exposure? I don't follow.

      LAN and VPN put the user's local machine right in the network, exposed to everyone. Eliminate that and the massive majority of infection vectors go away. Something like 90% of the risks are gone because the local machines are not talking to the remote ones.

      www.smbitjournal.com/2012/08/how-i-learned-to-stop-worrying-and-love-byod/

      • Dashrender @scottalanmiller

        @scottalanmiller said:

        And X2Go is natively secure running over SSH so unlike RDP you don't need to worry about setting up a separate secure tunnel to protect it.

        I thought RDP had encryption today, no?

        • scottalanmiller @dafyre

          @dafyre said:

          Right. But in their remote session where they have web browsers and emails open? That makes it no less vulnerable to poor decision making by the end-user than it does if they are working directly on their laptop.

          Not exactly. They can't go offline and make bad decisions. They aren't able to physically interact. They aren't bringing their whole lives, only a portion of them into exposure. It's a pretty massive level of risk reduction for a normal business. For an MSP, it's an insane amount of reduction.

          • dafyre @scottalanmiller

            @scottalanmiller said:

            So you agree that there is more exposure but what how there is more exposure? I don't follow.

            More exposure having a device VPNed or connected via ZT/Pertino vs just using port forwarding for something like RDP / NX

            LAN and VPN put the user's local machine right in the network, exposed to everyone. Eliminate that and the massive majority of infection vectors go away. Something like 90% of the risks are gone because the local machines are not talking to the remote ones.

            www.smbitjournal.com/2012/08/how-i-learned-to-stop-worrying-and-love-byod/

            Here is where things come to light. You are talking about BYOD. I am talking about a company owned and managed laptop being connected to ZT, not an end-user's personal device.

            BRB while I go read that article that I think I've read once or twice before, lol.

            • scottalanmiller @dafyre

              @dafyre said:

              @scottalanmiller said:

              So you agree that there is more exposure but what how there is more exposure? I don't follow.

              More exposure having a device VPNed or connected via ZT/Pertino vs just using port forwarding for something like RDP / NX

              Exactly. Open ports are the most secure option for reaching in, always. There is no technology to improve on that yet. The VPN is only additional exposure in this case.

              • scottalanmiller @dafyre

                @dafyre said:

                Here is where things come to light. You are talking about BYOD. I am talking about a company owned and managed laptop being connected to ZT, not an end-user's personal device.

                Nope, I'm talking about both. Treat the company owned equipment as BYOD and you get a ton more security.

                • scottalanmiller

                  NTG does this.... we provide 100% of employee gear from desktops to laptops even to cell phones. But we treat that equipment as BYOD and wall it off from the systems. If @Minion-Queen gets ransomware, she can't infect me or vice versa. We are always isolated.

                  • stacksofplates @scottalanmiller

                    @scottalanmiller said:

                    NTG does this.... we provide 100% of employee gear from desktops to laptops even to cell phones. But we treat that equipment as BYOD and wall it off from the systems. If @Minion-Queen gets ransomware, she can't infect me or vice versa. We are always isolated.

                    I thought you guys used Pertino?

                    • scottalanmiller @stacksofplates

                      @johnhooks said:

                      I thought you guys used Pertino?

                      We used to, Windows 10 made that redundant and so we've phased it out for security reasons. AD doesn't need a VPN anymore, so no need to carry that kind of risk for authentication.

                      • dafyre @scottalanmiller

                        @scottalanmiller said:

                        We used to, Windows 10 made that redundant and so we've phased it out for security reasons. AD doesn't need a VPN anymore, so no need to carry that kind of risk for authentication.

                        Which means now that all of the remote workers do everything via X2Go / RDP / SSH?

                        • scottalanmiller @dafyre

                          @dafyre said:

                          Which means now that all of the remote workers do everything via X2Go / RDP / SSH?

                          No, we only do that for accessing clients' networks so that we are not cross exposing. We communicate with each other through applications like Skype, Office 365, ownCloud, etc. We work locally but store remotely.

                          • dafyre

                            So what do you do when you need to access a resource inside NTG while you are bouncing all over the planet?

                            IE: How is it that you are able to connect to the Lab and manage the Scale systems?

                            • scottalanmiller @dafyre

                              @dafyre said:

                              So what do you do when you need to access a resource inside NTG while you are bouncing all over the planet?

                              What does "inside" mean to you? Everything is SaaS, we have no legacy apps.

                              • scottalanmiller @dafyre

                                @dafyre said:

                                IE: How is it that you are able to connect to the Lab and manage the Scale systems?

                                The Lab is a separate entity, we would never comingle the lab with the corporate network. So we treat it just like any customer, it's NX to reach it.

                                • dafyre

                                  @johnhooks just had a thought... and it got me to wondering..

                                  What about ownCloud. Assuming you guys share files back and forth... Do you block any types of files with it? If somebody puts a trojan or worm or other nasty in ownCloud and you are all sharing folders, everybody gets that file.

                                  (Assume AV doesn't catch the trojan)

                                  Aren't you guys still sharing the same type of risk, despite being isolated?

                                  • dafyre @scottalanmiller

                                    @scottalanmiller said:

                                    @dafyre said:

                                    IE: How is it that you are able to connect to the Lab and manage the Scale systems?

                                    The Lab is a separate entity, we would never comingle the lab with the corporate network. So we treat it just like any customer, it's NX to reach it.

                                    If that's the case, do you even really need anything other than a laptop that is capable of connecting to a Terminal Server to get you access to your work environment?

                                    Why run email, et al, all on your laptop, when you can just remote into a server and do it there?

                                    • scottalanmiller @dafyre

                                      @dafyre said:

                                      What about ownCloud. Assuming you guys share files back and forth... Do you block any types of files with it? If somebody puts a trojan or worm or other nasty in ownCloud and you are all sharing folders, everybody gets that file.

                                      That would only happen if someone uploaded a Trojan AND shared it to people AND people decided to download it. It's not completely foolproof but it provides many layers and steps of protection that SMB shares do not.

                                      • dafyre @scottalanmiller

                                        @scottalanmiller You guys do not use the ownCloud client app?

                                        • scottalanmiller @dafyre

                                          @dafyre said:

                                          Aren't you guys still sharing the same type of risk, despite being isolated?

                                          Number of shared files are extremely limited. Nearly all files are shared via applications and so do not pose those kinds of risks since they are never used in a local way that could execute them.

                                          • scottalanmiller @dafyre

                                            @dafyre said:

                                            If that's the case, do you even really need anything other than a laptop that is capable of connecting to a Terminal Server to get you access to your work environment?

                                            Don't even need that. Only need access to a terminal server if connecting to someone else's environment.
