Installing X2Go NX Server on Linux Mint 17.2
-
@johnhooks said:
I had the same issue with cinnamon. It would go to fallback mode and then all you had was the application menu and places. I couldn't even log out! But Mate works really well. You get the old Mint Menu design and it works pretty well at least on my LAN. I'm going to test it tomorrow from my parents house over ZeroTier to see how it works over the internet.
How use ZeroTier? Why not connect directly?
-
@johnhooks It seems to work really well over the internet for me. I love the fact that I can disconnect a session and come back to it later. I've always wanted that for the Linux GUI.
-
@scottalanmiller Because we don't want to poke holes in our router / firewall. ... and we already have ZT going.
-
Yes, persistent desktops are really nice.
-
@scottalanmiller said:
@johnhooks said:
I had the same issue with cinnamon. It would go to fallback mode and then all you had was the application menu and places. I couldn't even log out! But Mate works really well. You get the old Mint Menu design and it works pretty well at least on my LAN. I'm going to test it tomorrow from my parents house over ZeroTier to see how it works over the internet.
How use ZeroTier? Why not connect directly?
It's on a VM on the server in my house. I'd either have to port forward or just use ZeroTier.
-
@dafyre said:
@scottalanmiller Because we don't want to poke holes in our router / firewall. ... and we already have ZT going.
But for security, you don't want unnecessary exposure, right?
-
@johnhooks said:
It's on a VM on the server in my house. I'd either have to port forward or just use ZeroTier.
Ah, okay.
-
@scottalanmiller tries to see where you're going with this
Right. So I'll use my existing ZT Network and not (manually) poke holes in my firewall.
-
@dafyre said:
@scottalanmiller tries to see where you're going with this
Right. So I'll use my existing ZT Network and not (manually) poke holes in my firewall.
So you are going to expose the whole network to any ransomware / cryptoware risks on your connecting machines? One of the beauties of using a terminal server is providing an air gap to keep the biggest risks from getting through. VPNs are huge risks to networkworks.
-
@scottalanmiller With something like ZeroTier, the LAN is simply spread over larger distances. In that same retrospect, considering any Remote-Desktop-like tool (RDSH / X2Go, et al) there's always a risk that someone can get infected with bad stuff.
If a user is using X2Go/RDP and connected to my server and they are connected to all their shares, and they get hit with Cryptoware, it doesn't matter that they're on an remote-session, or if they're physically connected to the LAN or by ZT (or VPN), it will still encrypt their files and shares.
-
@dafyre said:
@scottalanmiller With something like ZeroTier, the LAN is simply spread over larger distances. In that same retrospect, considering any Remote-Desktop-like tool (RDSH / X2Go, et al) there's always a risk that someone can get infected with bad stuff.
Not really. If I'm connected to an NX server at a client site, they cannot infect me nor can I infect them. We are firewalled from each other except for the graphical protocol. It's dramatically safer than a VPN.
-
@dafyre said:
If a user is using X2Go/RDP and connected to my server and they are connected to all their shares, and they get hit with Cryptoware, it doesn't matter that they're on an remote-session, or if they're physically connected to the LAN or by ZT (or VPN), it will still encrypt their files and shares.
Well then don't bypass the security by allowing shares to be added making the channel an more generic VPN again. That's not an exposure that you want.
Any direct LAN, ZT, VPN, etc. connection opens you up to huge exposure.
-
@scottalanmiller said:
Not really. If I'm connected to an NX server at a client site, they cannot infect me nor can I infect them. We are firewalled from each other except for the graphical protocol. It's dramatically safer than a VPN.
Right, but an End User can still get themselves infected. (Yes, it's Linux, no, it isn't bullet proof, but you know this already).
@scottalanmiller said:
Well then don't bypass the security by allowing shares to be added making the channel an more generic VPN again. That's not an exposure that you want.
Any direct LAN, ZT, VPN, etc. connection opens you up to huge exposure.
So I have allowed my end-user to connect to their X2Go / RDP server and say "Here's all your applications" ... but what about their Data?
If their data lives on file shares, then what? They can have their apps but not their data?
Okay. Let's use ownCloud... Their files still get encrypted, and we still have to restore them from backups.I do not disagree that there is more exposure. But how is this any different than being on a LAN? If my laptop worker is sitting at their desk connected to my LAN, or if they're 500 miles away, connected to my LAN?
[Maybe this would be good to fork off into its own discussion, lol... Title suggestion: VPN vs Port Forwarding ?].
-
@dafyre said:
@scottalanmiller said:
Not really. If I'm connected to an NX server at a client site, they cannot infect me nor can I infect them. We are firewalled from each other except for the graphical protocol. It's dramatically safer than a VPN.
Right, but an End User can still get themselves infected. (Yes, it's Linux, no, it isn't bullet proof, but you know this already).
All the more reason to keep them from infecting everyone else
-
@dafyre said:
So I have allowed my end-user to connect to their X2Go / RDP server and say "Here's all your applications" ... but what about their Data?
They access it via the remote session, not the local one.
-
@scottalanmiller said:
@dafyre said:
So I have allowed my end-user to connect to their X2Go / RDP server and say "Here's all your applications" ... but what about their Data?
They access it via the remote session, not the local one.
Right. But in their remote session where they have web browsers and emails open? That makes it no less vulnerable to poor decision making by the end-user than it does if they are working directly on their laptop.
-
@dafyre said:
I do not disagree that there is more exposure. But how is this any different than being on a LAN? If my laptop worker is sitting at their desk connected to my LAN, or if they're 500 miles away, connected to my LAN?
So you agree that there is more exposure but what how there is more exposure? I don't follow.
LAN and VPN put the user's local machine right in the network, exposed to everyone. Eliminate that and the massive majority of infection vectors go away. Something like 90% of the risks are gone because the local machines are not talking to the remote ones.
www.smbitjournal.com/2012/08/how-i-learned-to-stop-worrying-and-love-byod/
-
@scottalanmiller said:
And X2Go is natively secure running over SSH so unlike RDP you don't need to worry about setting up a separate secure tunnel to protect it.
I thought RDP had encryption today, no?
-
@dafyre said:
Right. But in their remote session where they have web browsers and emails open? That makes it no less vulnerable to poor decision making by the end-user than it does if they are working directly on their laptop.
Not exactly. They can't go offline and make bad decisions. They aren't able to physically interact. They aren't bringing their whole lives, only a portion of them into exposure. It's a pretty massive level of risk reduction for a normal business. For an MSP, it's an insane amount of reduction.
-
@scottalanmiller said:
So you agree that there is more exposure but what how there is more exposure? I don't follow.
More exposure having a device VPNed or connected via ZT/Pertino vs just using port forwarding for something like RDP / NX
LAN and VPN put the user's local machine right in the network, exposed to everyone. Eliminate that and the massive majority of infection vectors go away. Something like 90% of the risks are gone because the local machines are not talking to the remote ones.
www.smbitjournal.com/2012/08/how-i-learned-to-stop-worrying-and-love-byod/
Here is where things come to light. You are talking about BYOD. I am talking about a company owned and managed laptop being connected to ZT, not an end-user's personal device.
BRB while I go read that article that I think I've read once or twice before, lol.