Securing a Remote Desktop Connection


786soul


To keep things simple, here's what I have and what I'm looking to do:

Home server set up for some stock/foreign exchange trading. Have already set up DynDNS and the remote desktop connection establishes fine.

I'd like to secure the connection so that nothing can be seen going back and forth. Is it necessary to do this? Also, I'd like to change the port that RDP is running on for the whole security through obscurity thing, where can I do this? Thanks for the help.


I'm still wrapping my head around how the VPN would work, but maybe one of you could help me out.

After setting up the VPN to accept incoming connections for the PC I'll be connecting to, I then set up the VPN client on my laptop, which I'll be using to connect to the server from my school's campus.

After establishing the VPN connection, what IP am I using to open the RDP connection? If I use the DynDNS address, will it still go through the VPN? Essentially, with the VPN connected, does that mean even internet traffic is tunnelled through the VPN?

I'm a bit confused as to how it all works. Any help is appreciated. Thanks.


If the VPN server hands out IP addresses via DHCP, you will get an IP address which is on your home network. When the VPN's established, check it using ipconfig /all from the command prompt and you'll see 2 IP addresses. Just make sure that the remote and home networks are not using the same IP range. At home, I typically use something like 10.17.100.0/24 so there's almost no chance of that range being used if I connect to a potentially hostile wireless network.

If your home server address is, for instance, 10.17.100.250 then that's the address you'll need to use from your remote client. When the VPN is established you are, in effect, sitting at home connected directly to your home LAN.


What are NLA connections for?

Someone will probably just tell you to google what an NLA connection is... since I have no idea either what one is, I will do us both a favor and look it up...

The Role of NLA

The Network Location Awareness (NLA) service provider is vital for computers or devices that might move between different networks, and for selecting optimal configurations when more than one is available. For example, a wireless computer roaming between physical networks can use NLA to determine the proper configuration based on information about its available network connection. NLA also proves valuable when a multihomed computer has a physical connection to one network while also connected to another network through a dial-up connection or a tunnel.

In the past, developers had to obtain information about a logical network interface, and therefore make decisions about network connectivity, based on a multitude of disparate network information. In those circumstances, developers had to choose the appropriate network interface based on the IP address, the subnet of the interface, the Domain Name System (DNS) name associated with the interface, the MAC address of a NIC, a wireless network name, or other network information. NLA alleviates this problem by supplying a standard interface for enumerating logical network attachment information, correlating it with physical network interface information, and then providing notification when previously returned information gets invalidated.

NLA provides the following network location information:

Logical Network Identity

NLA first attempts to identify a logical network by its DNS domain name. If a logical network does not have a domain name, NLA identifies the network from custom static information stored in the registry, and finally from its subnet address.

Logical Network Interfaces

For each network to which a computer is attached, NLA supplies an AdapterName that uniquely identifies a physical interface such as a NIC, or a logical interface such as a RAS connection. The AdapterName can then be used with functions available in the IP Helper API to obtain further interface characteristics.

NLA implements the logical network as a service class, with an associated class GUID and properties. Each logical network for which NLA returns information is an instance of that service class.

I'm still not even sure what VPN is all about. I use RDP... I'm guessing a VPN is like Citrix?


I'm still not even sure what VPN is all about. I use RDP... I'm guessing a VPN is like Citrix?

As you were kind enough to explain NLA (I didn't know what it was!), I'll explain what I know about VPN/RDP. They are both intrinsic within Windows XP/2003.

Remote Desktop is an insecure protocol that's used to access a remote host and bring the desktop to the local host as if the operator were sitting at the remote host. By default, it uses TCP 3389.

In order to make the RDP connection more secure, it's not uncommon to connect to the remote network first via VPN, and that connection is encrypted. The simplest encryption is PPTP (TCP 1723) and the more secure is L2TP (TCP 1701). When the VPN connection has been established, the local host is given an additional IP address which is an address on the remote network. It's a simple matter then to connect to the target host via an RDP connection which is tunnelled through a secure VPN connection.

I'm a "Windows guy" and my knowledge of Linux is very limited. I think that the principles in Linux are similar.


Wrong NLA, I meant Network Level Authentication.

Ha - that's the problem using abbreviations but I'm not blaming you specifically. IT is littered with such abbreviations. I'll set about researching "Network Level Authentication" now.
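An added example, not from the thread or any of its posters, showing the two controls the posts above point to: on the home server, require Network Level Authentication on the RDP listener and restrict inbound 3389 so it is only reachable from the VPN client address range. It assumes a Windows release with the NetSecurity module (Windows 8 / Server 2012 or later, not the XP/2003 discussed here), an elevated PowerShell prompt, and that the VPN pool is the 10.17.100.0/24 range mentioned earlier (an assumed value).

```powershell
# Added example (not from the thread). Run elevated on the home server.
$VpnSubnet = '10.17.100.0/24'   # assumed VPN address pool, from the earlier post
$RdpPort   = 3389               # default RDP listener port
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication: the client must authenticate before
#    a session is created, instead of getting a logon screen first.
Set-ItemProperty -Path $RdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# Optional (the port change asked about in the first post): move the listener
# off 3389. Takes effect after 'TermService' is restarted, and the firewall rule
# below must then use the same value, so set $RdpPort before running this.
# Set-ItemProperty -Path $RdpKey -Name 'PortNumber' -Value $RdpPort -Type DWord

# 2. Disable the built-in "Remote Desktop" rules, which allow any remote address,
#    and replace them with one rule scoped to the VPN client range only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

$ruleName = 'RDP (VPN clients only)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -RemoteAddress $VpnSubnet -Action Allow -Profile Any | Out-Null
}

# 3. Verify: the rule's remote-address scope and the listener itself.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-NetTCPConnection -LocalPort $RdpPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```

With the DynDNS name still resolving to the D-Link's public address, a connection attempt that does not come through the VPN is now dropped by the firewall rather than reaching the RDP service.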


Here's what I'm thinking of doing:

I picked up a WRT54G router cheap and plan on getting DD-WRT set up on it. Is there a way I can keep my existing D-Link router but use the 54G as a VPN to my home network?

Small diagram:

Internet ---> D-Link ---> Linksys ---- VPN ----> Server

Something tells me the way I'm looking at the setup isn't right.


It's completely possible; you just have to set up port forwarding on the D-Link to send the correct traffic to the WRT.
