Installing X2Go NX Server on Linux Mint 17.2

scottalanmiller

@dafyre said:

@scottalanmiller tries to see where you're going with this

Right. So I'll use my existing ZT Network and not (manually) poke holes in my firewall.

So you are going to expose the whole network to any ransomware / cryptoware risks on your connecting machines? One of the beauties of using a terminal server is providing an air gap to keep the biggest risks from getting through. VPNs are huge risks to networkworks.

dafyre

@scottalanmiller With something like ZeroTier, the LAN is simply spread over larger distances. In that same retrospect, considering any Remote-Desktop-like tool (RDSH / X2Go, et al) there's always a risk that someone can get infected with bad stuff.

If a user is using X2Go/RDP and connected to my server and they are connected to all their shares, and they get hit with Cryptoware, it doesn't matter that they're on an remote-session, or if they're physically connected to the LAN or by ZT (or VPN), it will still encrypt their files and shares.

scottalanmiller

@dafyre said:

@scottalanmiller With something like ZeroTier, the LAN is simply spread over larger distances. In that same retrospect, considering any Remote-Desktop-like tool (RDSH / X2Go, et al) there's always a risk that someone can get infected with bad stuff.

Not really. If I'm connected to an NX server at a client site, they cannot infect me nor can I infect them. We are firewalled from each other except for the graphical protocol. It's dramatically safer than a VPN.

scottalanmiller

@dafyre said:

If a user is using X2Go/RDP and connected to my server and they are connected to all their shares, and they get hit with Cryptoware, it doesn't matter that they're on an remote-session, or if they're physically connected to the LAN or by ZT (or VPN), it will still encrypt their files and shares.

Well then don't bypass the security by allowing shares to be added making the channel an more generic VPN again. That's not an exposure that you want.

Any direct LAN, ZT, VPN, etc. connection opens you up to huge exposure.

dafyre

@scottalanmiller said:

Not really. If I'm connected to an NX server at a client site, they cannot infect me nor can I infect them. We are firewalled from each other except for the graphical protocol. It's dramatically safer than a VPN.

Right, but an End User can still get themselves infected. (Yes, it's Linux, no, it isn't bullet proof, but you know this already).

@scottalanmiller said:

Well then don't bypass the security by allowing shares to be added making the channel an more generic VPN again. That's not an exposure that you want.

Any direct LAN, ZT, VPN, etc. connection opens you up to huge exposure.

So I have allowed my end-user to connect to their X2Go / RDP server and say "Here's all your applications" ... but what about their Data?

If their data lives on file shares, then what? They can have their apps but not their data?
Okay. Let's use ownCloud... Their files still get encrypted, and we still have to restore them from backups.

I do not disagree that there is more exposure. But how is this any different than being on a LAN? If my laptop worker is sitting at their desk connected to my LAN, or if they're 500 miles away, connected to my LAN?

[Maybe this would be good to fork off into its own discussion, lol... Title suggestion: VPN vs Port Forwarding ?].

scottalanmiller

@dafyre said:

@scottalanmiller said:

Not really. If I'm connected to an NX server at a client site, they cannot infect me nor can I infect them. We are firewalled from each other except for the graphical protocol. It's dramatically safer than a VPN.

Right, but an End User can still get themselves infected. (Yes, it's Linux, no, it isn't bullet proof, but you know this already).

All the more reason to keep them from infecting everyone else

scottalanmiller

@dafyre said:

So I have allowed my end-user to connect to their X2Go / RDP server and say "Here's all your applications" ... but what about their Data?

They access it via the remote session, not the local one.

dafyre

@scottalanmiller said:

@dafyre said:

So I have allowed my end-user to connect to their X2Go / RDP server and say "Here's all your applications" ... but what about their Data?

They access it via the remote session, not the local one.

Right. But in their remote session where they have web browsers and emails open? That makes it no less vulnerable to poor decision making by the end-user than it does if they are working directly on their laptop.

scottalanmiller

@dafyre said:

I do not disagree that there is more exposure. But how is this any different than being on a LAN? If my laptop worker is sitting at their desk connected to my LAN, or if they're 500 miles away, connected to my LAN?

So you agree that there is more exposure but what how there is more exposure? I don't follow.

LAN and VPN put the user's local machine right in the network, exposed to everyone. Eliminate that and the massive majority of infection vectors go away. Something like 90% of the risks are gone because the local machines are not talking to the remote ones.

www.smbitjournal.com/2012/08/how-i-learned-to-stop-worrying-and-love-byod/

Dashrender

@scottalanmiller said:

And X2Go is natively secure running over SSH so unlike RDP you don't need to worry about setting up a separate secure tunnel to protect it.

I thought RDP had encryption today, no?

scottalanmiller

@dafyre said:

Right. But in their remote session where they have web browsers and emails open? That makes it no less vulnerable to poor decision making by the end-user than it does if they are working directly on their laptop.

Not exactly. They can't go offline and make bad decisions. They aren't able to physically interact. They aren't bringing their whole lives, only a portion of them into exposure. It's a pretty massive level of risk reduction for a normal business. For an MSP, it's an insane amount of reduction.

dafyre

@scottalanmiller said:

So you agree that there is more exposure but what how there is more exposure? I don't follow.

More exposure having a device VPNed or connected via ZT/Pertino vs just using port forwarding for something like RDP / NX

LAN and VPN put the user's local machine right in the network, exposed to everyone. Eliminate that and the massive majority of infection vectors go away. Something like 90% of the risks are gone because the local machines are not talking to the remote ones.

www.smbitjournal.com/2012/08/how-i-learned-to-stop-worrying-and-love-byod/

Here is where things come to light. You are talking about BYOD. I am talking about a company owned and managed laptop being connected to ZT, not an end-user's personal device.

BRB while I go read that article that I think I've read once or twice before, lol.

scottalanmiller

@dafyre said:

@scottalanmiller said:

So you agree that there is more exposure but what how there is more exposure? I don't follow.

More exposure having a device VPNed or connected via ZT/Pertino vs just using port forwarding for something like RDP / NX

Exactly. Open ports are the most secure option for reaching in, always. There is no technology to improve on that yet. The VPN is only additional exposure in this case.

scottalanmiller

@dafyre said:

Here is where things come to light. You are talking about BYOD. I am talking about a company owned and managed laptop being connected to ZT, not an end-user's personal device.

Nope, I'm talking about both. Treat the company owned equipment as BYOD and you get a ton more security.

scottalanmiller

NTG Does this.... we provide 100% of employee gear from desktops to laptops even to cell phones. But we treat that equipment as BYOD and wall it off from the systems. If @Minion-Queen gets ransomware, she can't infect me or vice versa. We are always isolated.

stacksofplates

@scottalanmiller said:

NTG Does this.... we provide 100% of employee gear from desktops to laptops even to cell phones. But we treat that equipment as BYOD and wall it off from the systems. If @Minion-Queen gets ransomware, she can't infect me or vice versa. We are always isolated.

I thought you guys used pertino?

scottalanmiller

@johnhooks said:

I thought you guys used pertino?

We used to, Windows 10 made that redundant and so we've phased it out for security reasons. AD doesn't need a VPN anymore, so no need to carry that kind of risk for authentication.

dafyre

@scottalanmiller said:

We used to, Windows 10 made that redundant and so we've phased it out for security reasons. AD doesn't need a VPN anymore, so no need to carry that kind of risk for authentication.

Which means now that all of the remote workers do everything via X2Go / RDP / SSH ?

scottalanmiller

@dafyre said:

Which means now that all of the remote workers do everything via X2Go / RDP / SSH ?

No, we only do that for accessing clients' networks so that we are not cross exposing. We communicate with each other through applications like Skype, Office 365, ownCloud, etc. We work locally but store remotely.

dafyre

So what do you do when you need to access a resource inside NTG while you are bouncing all over the planet?

IE: How is it that you are able to connect to the Lab and manage the Scale systems?