Secure access for teleworkers: RDP, VPN & VDI
Layers are a fundamental building block of security. We use passwords to authenticate our users, run antivirus to keep malware off our endpoints, monitor our networks, and deploy firewalls so that we have multiple defenses against attackers.
Then our team members travel on business or work from home, sitting outside all of those layers. How do we secure teleworkers who connect over untrusted networks? And if an employee’s credentials are stolen, how exposed do we become?
These issues have become even more critical in the age of remote working.
Meanwhile, our corporate data still lives in the corporate data center, but some of it may also migrate to the cloud or to SaaS applications beyond our control. The many solutions available reflect the breadth of possible use cases, but we can reach a high-level understanding by looking at the four most common solutions: RDP, VPN, VDI, and DaaS. All of these technologies present security challenges, which is what makes the principles of zero trust important in any remote access solution.
RDP: a pre-cloud solution
The most common way to access work computers from outside the network was through Remote Desktop Protocol (RDP). Although still widely used, RDP’s security vulnerabilities make it difficult to secure, and as such, RDP has faced a decline in popularity.
In their default configurations, older versions of RDP do not encrypt the credentials and session keys they transmit. This leaves the protocol vulnerable to man-in-the-middle attacks in which an attacker can intercept and read every packet. Administrators can enable transport layer encryption to mitigate this problem, but that is just the beginning of RDP’s problems.
One main weakness is credentials. RDP sessions often store credentials in memory, where an attacker who gains access to the host can steal them. Even without that access, attackers often succeed through credential stuffing: using credentials stolen from other sites where users reused their passwords. Administrators generally do not manage RDP passwords, so users are left to choose their own credentials.
Unfortunately, employees often just reuse their login credentials for convenience. A LastPass survey found that while 92% of users know they shouldn’t, 65% reuse passwords or variations of them across sites. Even large security companies suffer credential breaches through old or reused passwords, so the average business should consider itself vulnerable.
Also, many of us don’t update our RDP software. A year and a half after Microsoft released fixes for the BlueKeep RDP bug, researchers were still detecting hundreds of thousands of unpatched, vulnerable RDP hosts. Attackers frequently target the open firewall ports commonly used for RDP in order to exploit exposed vulnerabilities and gain access to both the endpoint and the network.
However, these security weaknesses can be overcome. Administrators can use multi-factor authentication (MFA) or single sign-on (SSO) to reduce the problems of weak credentials and self-chosen RDP desktop passwords, and can centrally manage user authentication to improve the security of office desktops.
To limit attacks on the firewall, inbound RDP can be restricted to trusted IP address ranges. However, this approach is laborious: for every employee on the road, every hotel, airport, and cafe needs a new IP address whitelisted and then removed again when the employee moves on. It’s simply easier to run RDP through a secure tunnel instead.
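Two of the problems described above, credential stuffing against RDP (one source address trying many different accounts) and the burden of maintaining an IP allow list, can at least be made visible in the logs. The following is an added example and not code from the original article: a small Python script that reads simplified Windows Security event lines (constructed for this example, with field names modelled on the 4625 failed-logon and 4624 successful-logon events) and flags (1) source addresses that fail against many distinct accounts, which distinguishes stuffing from a brute-force attempt against a single user, and (2) successful remote-interactive logons (logon type 10, i.e. RDP) from addresses outside the allowed ranges. The field layout, the threshold and the address ranges are assumptions chosen for the example.

```python
"""Flag two RDP exposure patterns in simplified Windows Security log lines.

Added example (not from the original article). Input lines are a constructed,
simplified rendering of Windows Security events:
  EventID=4625  failed logon        EventID=4624  successful logon
  LogonType=10  RemoteInteractive (RDP)
Field names (TargetUserName, IpAddress, LogonType) follow the real events,
but the one-line "key=value" layout is an assumption made for this example.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log (documentation ranges 203.0.113.0/24, 192.0.2.0/24 are used as
# "internet" sources; 10.20.30.40 stands for an address on the corporate VPN range).
SAMPLE_EVENTS = [
    "2021-03-01T08:00:01 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=203.0.113.7",
    "2021-03-01T08:00:02 EventID=4625 LogonType=10 TargetUserName=bob IpAddress=203.0.113.7",
    "2021-03-01T08:00:02 EventID=4625 LogonType=10 TargetUserName=carol IpAddress=203.0.113.7",
    "2021-03-01T08:00:03 EventID=4625 LogonType=10 TargetUserName=dave IpAddress=203.0.113.7",
    "2021-03-01T08:00:03 EventID=4625 LogonType=10 TargetUserName=erin IpAddress=203.0.113.7",
    # Three failures for one account from another source: brute force, not stuffing.
    "2021-03-01T08:05:00 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=192.0.2.55",
    "2021-03-01T08:05:01 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=192.0.2.55",
    "2021-03-01T08:05:02 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=192.0.2.55",
    # Legitimate RDP logon from an allow-listed range.
    "2021-03-01T08:10:00 EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.20.30.40",
    # Console logon (type 2): not RDP, ignored by the allow-list check.
    "2021-03-01T08:11:00 EventID=4624 LogonType=2 TargetUserName=frank IpAddress=203.0.113.99",
    # The stuffing source eventually succeeds as 'erin' from outside the allow list.
    "2021-03-01T08:12:00 EventID=4624 LogonType=10 TargetUserName=erin IpAddress=203.0.113.7",
]

# Assumed allow list: corporate VPN pool and one branch office range.
ALLOWED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed threshold: this many distinct accounts failing from one source is stuffing.
STUFFING_THRESHOLD = 5


def parse_event(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    parts = line.split()
    event = dict(kv.split("=", 1) for kv in parts[1:])
    event["Timestamp"] = parts[0]
    return event


def detect_credential_stuffing(events, threshold=STUFFING_THRESHOLD):
    """Return {source_ip: [accounts]} for sources failing against >= threshold accounts."""
    accounts_by_src = defaultdict(set)
    for e in events:
        if e.get("EventID") == "4625":
            accounts_by_src[e["IpAddress"]].add(e["TargetUserName"])
    return {
        src: sorted(accounts)
        for src, accounts in accounts_by_src.items()
        if len(accounts) >= threshold
    }


def detect_rdp_logons_outside_allowlist(events, allowed=ALLOWED_RANGES):
    """Return [(user, source_ip)] for successful RDP logons not in any allowed range."""
    hits = []
    for e in events:
        if e.get("EventID") == "4624" and e.get("LogonType") == "10":
            src = ipaddress.ip_address(e["IpAddress"])
            if not any(src in net for net in allowed):
                hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits


def analyse(lines):
    """Run both checks over raw log lines and return their findings."""
    events = [parse_event(line) for line in lines]
    return {
        "stuffing": detect_credential_stuffing(events),
        "outside_allowlist": detect_rdp_logons_outside_allowlist(events),
    }


if __name__ == "__main__":
    for check, findings in analyse(SAMPLE_EVENTS).items():
        print(f"{check}: {findings}")
```

The distinct-account count is what separates stuffing from ordinary brute force: 192.0.2.55 fails three times but only ever against alice, so it is not reported, while 203.0.113.7 is reported both for trying five accounts and for the later successful logon from an address that was never allow-listed.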
VPN: an imperfect solution
While there are many private RDP and secure tunnel applications, the most common category is virtual private network (VPN). VPNs solve the problem of insecure networks by creating encrypted point-to-point connections and avoid many of the data interception issues of RDP.
Because VPNs encrypt communications, our business security effectively extends beyond our firewall and all the way to the remote work endpoint. However, this doesn’t really provide any additional layers of security as VPN servers are usually located behind firewall protection.
VPNs remain vulnerable to stolen credentials, zero-day attacks, and botched updates. As with RDP, user authentication can be strengthened with MFA or SSO; in either case, however, a compromised remote endpoint places the attacker inside the corporate network, behind the other layers of defense.
Additionally, VPNs typically require dedicated virtual or physical hardware, which can still only handle a modest number of connections. This scalability issue is compounded by licensing, hardware, corporate bandwidth, and IT labor costs.
Finally, connecting to the company over RDP or VPN only to go back out through the firewall to reach cloud applications makes little operational sense. Employees don’t always do it, either: sometimes they go straight to the cloud application and forgo the security protection entirely. For many organizations, it makes more sense to consider cloud-ready solutions.
One newer approach touted as a replacement for VPNs is zero trust, which assumes that no user should be trusted until they have been verified. It is a promising approach that can lock down critical apps and data, even against attackers who are already inside your network.
VDI: a virtualized solution
Virtual Desktop Infrastructure (VDI) sessions give users access to virtual machines in the corporate data center or in the cloud. Like VPN, these sessions provide end-to-end encrypted access to a desktop that can be further secured with MFA or SSO, but virtualization adds benefits of its own.
First, if attackers steal credentials and break into a virtual desktop, they have not bypassed the corporate firewall and do not gain access to the network. Instead, they must navigate a virtual environment that can be locked down with limited access (again, zero trust principles at work).
Additionally, VDI desktops can be launched as on-demand instances, so there is no always-on hardware waiting to be probed by attackers. VDI managers launch systems as needed and save the organization resources.
Launching VDI in the cloud eliminates operational inefficiencies for accessing cloud resources such as websites, cloud storage, or cloud applications like Office365, GoogleDocs, and Salesforce. For small businesses with tighter budgets, many cloud providers also offer Desktop-as-a-Service (DaaS). DaaS offloads infrastructure management onto the service provider and enables rapid scalability to meet large increases and decreases in demand.
Which remote access solution is the best? It depends
RDP, VPN, VDI, and DaaS all offer tradeoffs between security, cost, deployment resources, and accessibility. Each organization will need to weigh its own legacy resources, employees, and investments to determine both the right solution for today and the target solution for the future.
Whichever you choose, zero trust should be on everyone’s radar. Limiting access to critical applications and data is the best last layer of defense.