What are the issues about X11 through a firewall?
The X Windows System is a very useful system, but unfortunately has some major security flaws. Remote systems that can gain or spoof access to a workstation’s X display can monitor keystrokes that a user enters, download copies of the contents of their windows, etc. While attempts have been made to overcome them (E.g., MIT “Magic Cookie”) it is still entirely too easy for an attacker to interfere with a user’s X display. Most firewalls block all X traffic. Some permit X traffic through application proxies such as the DEC CRL X proxy (FTP crl.dec.com). The firewall toolkit includes a proxy for X, called x-gw, which a user can invoke via the Telnet proxy, to create a virtual X server on the firewall. When requests are made for an X connection on the virtual X server, the user is presented with a pop-up asking them if it is OK to allow the connection. While this is a little unaesthetic, it’s entirely in keeping with the rest of X.
The X Windows System is a very useful system, but unfortunately has some major security flaws. Remote systems that can gain or spoof access to a workstation’s X11 display can monitor keystrokes that a user enters, download copies of the contents of their windows, etc. While attempts have been made to overcome them (E.g., MIT “Magic Cookie”) it is still entirely too easy for an attacker to interfere with a user’s X11 display. Most firewalls block all X11 traffic. Some permit X11 traffic through application proxies such as the DEC CRL X11 proxy (FTP crl.dec.com). The firewall toolkit includes a proxy for X11, called x-gw, which a user can invoke via the Telnet proxy, to create a virtual X11 server on the firewall. When requests are made for an X11 connection on the virtual X11 server, the user is presented with a pop-up asking them if it is OK to allow the connection. While this is a little unaesthetic, it’s entirely in keeping with the rest of X11.
