Using RDP together with VPN/MFA gives a false sense of security
The COVID-19 pandemic has caught the world unprepared. Enterprises, from small businesses to Fortune 100 companies, have been forced to enable "work from home" in literally a few days. Even companies that have already moved most of their workflows to the cloud have to keep up with unexpected demand for services that were NOT designed for consumption by 100% of the available workforce.
A majority of companies, on the other hand, seem to be leveraging remote desktop services and VPN-based solution architectures to allow their employees to access their workstations from home.
We can see this trend in Shodan.io data. According to Shodan (https://blog.shodan.io/trends-in-internet-exposure/), there is about a 41% increase in RDP (port 3389) services exposed to the Internet and about a 33% increase in VPN servers exposed to the Internet.
Companies have been struggling to securely enable BYOD and remote employee access for over a decade now. In a time of crisis, use of the decades-old legacy solutions available to them, specifically RDP- and VPN-based ones, is an expected trend. However, this trend brings significant cybersecurity implications with it.
These solutions inherit all the cybersecurity problems that have been associated with them for the last 20 years.
BRUTE FORCE ATTACKS
Brute force attacks are attacks in which the attacker tries to find out account credentials by trying all possible username and password combinations.
In practice this means that as soon as a PC is booted, it is attacked in the background, even before the user starts working. To experiment, we created 15 different Windows workstations publicly exposed through Amazon Cloud, Azure, Google Cloud or Verizon Wireless public IP addresses. We then checked the Windows security audit logs for failed login attempts. It took 2 minutes on average for a host to be discovered and attacked. Below is a screenshot of an audit log from one of the PCs. As soon as it was exposed, an attacker, possibly a bot, from Russia probed it.
Today, password protection alone is as good as no protection. If a PC is exposed to the Internet through Windows RDP services without additional security measures, it should be assumed to be attacked and owned already, because the majority of passwords are weak and can be cracked instantly.
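The check described above (reading the Windows security audit log for failed logons) can be automated. The following is an added example, not code from the original post: it takes Windows Security event 4625 fields exported from the log and flags source IPs that produce a burst of failed RDP-related logons. The sample events are constructed, and the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4625 (failed logon) fields as exported from the
# Security log: time, TargetUserName, IpAddress, LogonType.
# LogonType 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA logs as 3).
SAMPLE_EVENTS = [
    ("2020-04-01T09:00:02", "administrator", "203.0.113.7", 3),
    ("2020-04-01T09:00:03", "admin", "203.0.113.7", 3),
    ("2020-04-01T09:00:04", "Administrator", "203.0.113.7", 3),
    ("2020-04-01T09:00:05", "test", "203.0.113.7", 3),
    ("2020-04-01T09:00:06", "user", "203.0.113.7", 3),
    ("2020-04-01T09:00:07", "administrator", "203.0.113.7", 3),
    ("2020-04-01T09:20:00", "alice", "198.51.100.12", 10),  # a real user mistyping
    ("2020-04-01T09:21:00", "alice", "198.51.100.12", 10),
]

def parse_event(raw):
    """Normalise one exported 4625 record into a dict."""
    ts, user, ip, logon_type = raw
    return {"time": datetime.fromisoformat(ts), "user": user.lower(),
            "ip": ip, "logon_type": int(logon_type)}

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, distinct_usernames)} for
    every source IP whose RDP-related failed logons (types 3 and 10) reach
    `threshold` inside any sliding interval of length `window`.
    A high distinct-username count indicates password spraying rather than
    a single account being brute-forced."""
    by_ip = defaultdict(list)
    for e in map(parse_event, events):
        if e["logon_type"] in (3, 10):
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = (best, len({e["user"] for e in evs}))
    return hits

if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} failed logons, {users} distinct usernames")
```

On a live host the same records can be pulled from the Security log (event ID 4625) and fed to detect_bruteforce after extracting the four fields.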
DENIAL OF SERVICE ATTACKS
Denial of service (DoS) attacks consume the available computing resources so that legitimate users cannot access the requested services. For companies that use RDP as a solution for their day-to-day business operations, protection against DoS attacks is critical for business continuity. Unfortunately, such protection is not straightforward to implement when legacy solutions like RDP or VPNs are used. Having most of the workforce on remote desktop services makes "the RDP" a critical component for any company, as critical as industrial control systems.
Attacking an unprotected host does not require much from the attacker's side: 1 Mbps of traffic is enough to disable a VPN, a firewall or an RDP host!
A FALSE SENSE OF SECURITY: MFA AND VPN AUGMENTATION
To mitigate the cybersecurity risks, some companies couple their RDP-based architectures with VPN and MFA (multi-factor authentication) solutions.
However, while these might mitigate certain attack vectors, the threats outlined above are not really addressed effectively.
Use of a VPN solution alone does not mitigate the risk of brute-force or DoS attacks; it just moves the attackers' target from the RDP host to the VPN server itself, potentially making the impact of a successful attack even worse, because the VPN server becomes a single point of failure.
Use of a multi-factor authentication (MFA) solution mitigates the risk of brute-force attacks. However, when used to protect access to legacy solutions like VPNs and RDP services, it does NOT address the fundamental problem: authentication happens AFTER a connection is established to the protected resource, i.e. the VPN server. This unauthenticated connectivity leaves the resource vulnerable to a wide range of attacks.
MFA does not protect VPN or RDP gateways against DoS attacks, and it offers no protection against direct exploitation attacks either. VPN servers, just like RDP services, are direct targets of attackers. Bots are constantly scanning for exposed VPN servers to exploit vulnerabilities in them, such as Palo Alto Networks (CVE-2019-1579), Fortinet (CVE-2018-13382, CVE-2018-13383, CVE-2018-13379), Pulse Secure (CVE-2019-11510, CVE-2019-11508, CVE-2019-11540, CVE-2019-11543, CVE-2019-11541, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11509), and Citrix (CVE-2019-19781).
Attackers have been hitting companies that use these solutions: Airbus (using Palo Alto) and Travelex (using Pulse Secure) were recently breached through their exposed VPN servers.
ENABLE SECURE REMOTE DESKTOP ACCESS WITH TRANSIENTACCESS
TransientAccess and its disposable networking technology address all the security problems listed above while enabling remote desktop access. A disposable network is a hidden, temporary network built for each user on demand. It is exposed only to the user for whom it is created and is destroyed as soon as that user disconnects from it. More information on the technology can be found at: Disposable Networks. A video about TransientAccess and how it works can be found at https://www.youtube.com/watch?v=LUwG3ufAZFE&t=679s
STOP DENIAL OF SERVICE ATTACKS TO RDP SERVICES
With TransientAccess, resources such as RDP hosts are not exposed to the Internet. Since they are not directly accessible, they are not vulnerable to DoS attacks. While orchestrating access requests, users are pre-authenticated by the TransientX cloud first. After such authentication, a hidden network containing the remote host and the user's device is built for the authenticated user, allowing temporary remote access without Internet exposure.
STOP BRUTE FORCE ATTACKS TO RDP SERVICES
With TransientAccess, because access to RDP services happens inside a hidden disposable network, nothing is exposed to the Internet and hence attackers cannot target the host. The TransientAccess cloud employs modern authentication technologies, such as integration with authentication providers like Okta or Azure AD. Administrators can also make effective use of MFA, so the technology works for legacy solutions as well.
WORK FROM HOME SECURELY AND EFFECTIVELY
TransientAccess also provides endpoint data loss prevention (DLP) features specifically designed for unmanaged devices, making it a suitable BYOD solution without any dependency on MDM/MAM products. As part of our social responsibility, we are providing a no-cost subscription for it.