[H-GEN] Secure and low bandwidth X through wireless broadband.

Paul Gearon gearon at ieee.org
Sun Jun 25 08:27:45 EDT 2006


On Jun 24, 2006, at 11:51 PM, David Seikel wrote:

<snip/>

> A solution I am considering is to set up X & qemu on one of the linux
> boxes, install Windows on qemu, run the management GUI on it, and
> export the X over a secure link.  X or VNC or some other protocol can
> be used for the export.  Tunnelling via ssh is preferred as ssh is used
> for all the other management stuff, and this means only the one hole is
> needed in the firewall.  This Windows under qemu will then be
> completely isolated from the outside network as it's only getting its
> screen scraped and exported via the local X, and it can safely be
> connected to the internal LAN with no extra security issues.  I can
> even go one step further, as the Windows management GUI only needs to
> talk to one other box in the inside, so a dedicated link can be set up
> if needed.  Did I mention they are paranoid?  B-)

<snip/>

> The options I can think of are to tunnel X via ssh or use VNC, maybe
> tunnelled via ssh.  Both have low bandwidth options, but security has
> priority if it comes to a trade off.  This is where the experience of
> humbuggers is needed.  Are there any other options that I should
> consider?  Which one tends to be more secure / lower bandwidth in the
> field?  Are any of these options better at dealing with wireless lag
> than others?

My approach is relatively naive, but it may work.

If you're concerned about bandwidth, then don't use VNC.  It does
screen scraping, and sends rasterized images over the network.  There
are optimizing settings to reduce the area being scraped, but it's
still a slow process.  It can even be slow on local networks.

X is good, as it sends the screen drawing commands over the network.   
The remote desktop protocol for Windows does the same sort of thing.   
The problem here is that remote desktop is usually unencrypted (I'm  
not sure how to turn off unencrypted connections), and I know nothing  
about the security of encrypted connections anyway.  The solution  
here is just to tunnel everything via ssh.

X over ssh is built in, so the only thing you have to do is to make  
sure the host accepts X11 forwarding (ForwardX11=yes) and that the  
client makes X11 requests (it usually does, but you can force it on  
with a -X command line switch).  Be sure to read the man pages for  
ssh so that you understand the security implications of allowing  
X11.  Once this is set up, then any shell prompts via ssh will have a
DISPLAY variable along the lines of: DISPLAY=localhost:11.0

Any X programs that get run will then be displayed on the client's X  
server.

For the windows box, I'd use ssh tunnelling.  First off, set up the  
remote desktop to only accept connections from the local host.  Then  
install an ssh server into windows (Cygwin is my favourite).  I  
haven't ever seen ssh automatically set up to accept connections, so
Google to find how to set it as a Windows service.  You eventually  
want to have the windows box completely firewalled from the net, with  
the exception of allowing in an ssh connection.

Now you can set up an ssh tunnel to port 3389 on a Windows computer  
called "remotehost" with the following:
ssh -L 3389:localhost:3389 -N remotehost

The -N flag prevents a shell prompt from appearing, but you can  
remove this if you want.

Once the tunnel is set up, then use a remote desktop client, and  
connect it to your local machine.  The one built into Windows doesn't  
let you connect to localhost (Doh!), but rdesktop works very nicely  
(you're running X on your remote machine, right?)  :-)   The local  
connection is sent across the tunnel to the Windows box, where it  
then gets connected to the remote desktop server locally.

I've used exactly this setup in the past (I had Windows installed on  
VMWare on a Debian box), and I've found it to be quite responsive.   
If you don't open up any other ports, then your security is based on  
how much you trust ssh.

Regards,
Paul
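The two ssh tricks in the message above (X11 forwarding for the Linux boxes, and a local port forward to reach the Windows box's remote desktop over ssh) collected into one small wrapper script. This is an added example, not code from the original post or from any of the projects named in it; the host name "remotehost" is the one used in the message, while the local port, the control-socket path, the RUN_TUNNEL switch and the rdesktop invocation are assumptions. Beyond the one-liner in the post it adds three things a practitioner usually wants: an explicit loopback bind on the forward (so the RDP port is never reachable from other machines even if GatewayPorts happens to be enabled), ExitOnForwardFailure so the script fails loudly when local port 3389 is already taken instead of silently opening a useless session, and a control socket so the background tunnel is torn down when the RDP client exits.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the RDP-over-ssh
# tunnel and the X11 session described above in a script that binds the
# forward to loopback only, fails if the forward cannot be set up, and
# tears the tunnel down on exit.  "remotehost" is the name used in the
# post; the local port, control socket and rdesktop call are assumptions.
set -eu

LOCAL_PORT=3389                 # local end of the tunnel (assumption)
REMOTE_HOST="${1:-remotehost}"  # the Windows box running sshd (from the post)

# Build the -L forward spec.  The destination is "localhost" as seen from
# the Windows box, which is what its remote desktop service is restricted
# to, and the bind address is explicitly 127.0.0.1 on this client.
forward_spec() {
    printf '127.0.0.1:%s:localhost:3389' "$1"
}

# Accept only a forward spec with an explicit loopback bind.  Anything
# else (0.0.0.0, a real interface address, or no bind address at all) is
# refused so the tunnel entrance can never be reached from the network.
forward_spec_is_loopback() {
    case "$1" in
        127.0.0.1:*|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Full tunnel command.  -N: no remote shell (as in the post); -f: go to
# the background once authenticated; ExitOnForwardFailure: exit non-zero
# if the local port cannot be bound, instead of leaving a session up with
# no working forward.
tunnel_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L %s %s' \
        "$(forward_spec "$1")" "$2"
}

# X11 session for the Linux boxes.  -X requests untrusted forwarding (the
# X SECURITY extension), and ForwardX11Trusted=no pins that down even if
# a config file sets it to yes, so a client on the remote side cannot
# snoop on the local X server's other windows or keystrokes.
x11_cmd() {
    printf 'ssh -X -o ForwardX11Trusted=no %s' "$1"
}

# The live part, guarded by RUN_TUNNEL=1 so the script can be sourced
# or tested without contacting any host.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    spec=$(forward_spec "$LOCAL_PORT")
    forward_spec_is_loopback "$spec" || {
        echo "refusing non-loopback bind: $spec" >&2
        exit 1
    }
    # A control socket lets us ask the backgrounded ssh to exit cleanly
    # when rdesktop finishes (or we are interrupted).
    ctl="/tmp/rdp-tunnel.$$"
    ssh -M -S "$ctl" -f -N -o ExitOnForwardFailure=yes -L "$spec" "$REMOTE_HOST"
    trap 'ssh -S "$ctl" -O exit "$REMOTE_HOST" 2>/dev/null' EXIT INT TERM
    # Connect the RDP client to the local end of the tunnel, as in the post.
    rdesktop "127.0.0.1:$LOCAL_PORT"
fi
```

Run it as `RUN_TUNNEL=1 ./rdp-tunnel.sh remotehost`; the ssh client options used here (-L, -N, -f, -M, -S, -O exit, -X, ExitOnForwardFailure, ForwardX11Trusted) are all standard OpenSSH and documented in ssh(1) and ssh_config(5).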
