File Access the Zero Trust Way

Accessing Windows & Linux file shares securely without the VPN

Remote file access has always been a major use case for enterprise IT. In the 20th century (yes, last century!) when VPNs were invented, they were used to solve the pain points of offsite workers having to carry files from onsite computers to offsite ones. At the time floppy disks, CDs and USB sticks were the leading-edge technologies of choice.

Fast forward to today. Along with the dramatic increase in offsite workers, different file sharing problems have arisen: tracking changes, preventing data leaks, BYOD devices accessing corporate files etc. Companies like Box.com or Dropbox.com focus on solving these problems. While they do solve certain pain points, there is a trade-off: corporate files/data must be moved to their cloud.

Windows and Linux file shares are still used in many enterprise workflows. But do they have a place in today’s modern zero trust solution architectures? After all, out of the box they have several issues that conflict with zero trust concepts:

1- VPN required: To reach a file share from outside the office, a solution usually needs a VPN, just like last century. A VPN grants network-level reachability, the opposite of the per-application, least-privilege access that zero trust calls for.

2- No MFA support: File shares are a legacy technology; out of the box, access is secured by a single factor (typically a domain password) with no hook for modern multi-factor authentication (MFA).

3- Access is permanent: Once the VPN connection is established, access to the file share is standing and untethered from what the user is actually doing. The user can reach the files, and so can ransomware if the PC is infected.

4- BYOD/BYOPC and 3rd-party access issues: Allowing access from unmanaged devices, that is, devices that are not corporate owned or managed (BYOPC, contractors, affiliates and their devices), is a recipe for disaster: data leaks, ransomware infections and so on.

With TransientAccess, we implemented a true zero trust solution architecture for accessing Windows & Linux file shares, something unique in the market.

The basic solution architecture is outlined below. This architecture is not specific to file sharing and suitable for any other access scenario.

TransientAccess Solution Architecture

With TransientAccess, access to file shares is zero trust because:

1- No VPN is required. While accessing the file share, even the IP address and hostname of the file server are hidden from the user.

2- Built-in MFA support. If an enterprise doesn’t have a modern IdP that supports MFA, TransientAccess has built-in support.

3- Access is transient (i.e. temporary). TransientX networks are application networks that are built and dissolved on demand, unlike a VPN’s standing tunnel. Even the data (i.e. files transferred to the accessing device) can be temporary if admins choose that configuration option.

4- BYOPC and 3rd-party friendly: Access to the network, shares and file data is temporary and narrowly scoped. Even if the PC is infected with ransomware, the shares are visible only to the file manager, not to the ransomware.

5- Zero friction: Security is delivered without compromising usability. TransientAccess also simplifies the use of file shares for end users as well as administrators. From the IT team’s perspective, the solution can be implemented in as little as 30 minutes. From the end user’s perspective, there is no need for advanced training on how to access file shares: it is as simple as logging into a web-based portal and clicking a link.

Below is a video of how it works from the end user’s perspective:

With TransientAccess, even a legacy use case like Windows file shares can be easily implemented in a zero trust way! Additional security comes hand-in-hand with enhanced usability. It’s simpler to use Windows file shares with TransientAccess.

Ready to try for yourself? Contact us.

TransientAccess 2.0 now available

TransientAccess 2.0 Desktop view

Like the ease of use of Zoom? You’ll love how easy we’ve made ZTNA with TA2.0

Highlights:

  • Unified User Experience
  • Friction-Free Browser-Based User Onboarding
  • Automatic Disposal of Application Contents
  • Built-In MFA Support

We’ve made it our mission to deliver zero-trust network access that provides a seamless, transparent user experience with no compromise on security. With the release of TransientAccess 2.0 we’ve delivered on that goal on multiple fronts:

Unified User Experience & Friction-Free Onboarding

We have simplified the end user experience significantly. The same lightweight client is available on all platforms, from iOS and Android to Windows and Mac.

We have also removed the friction of provisioning or installing our clients on endpoint devices with a new seamless browser-based experience. Mobile users see:

TransientAccess mobile client

Desktop users see this:

TransientAccess 2.0 Desktop view

Whether accessing via desktop or mobile, TransientAccess 2.0 provides a seamless, frictionless and consistent UX across all platforms.

MFA support built-in

Lack of MFA adoption by end users, because of the friction and hassle involved, is arguably one of the biggest security risks out there. TransientAccess now has MFA support enabled, allowing TOTP-based authentication with common 2FA apps from Google, Microsoft, Duo and more.

Automatic Disposal of Application Contents

We have added a much-anticipated feature for automatically deleting container contents when going offline. With this new option, when users go offline or sign out, all the application contents can be erased from the device.

TransientAccess 2.0 new features
TransientAccess Automatic container content disposal

Ready to try for yourself? Contact us and we’ll get you set up today.

Using RDP together with VPN/MFA gives a false sense of security

The COVID-19 pandemic caught the world unprepared. Enterprises, from small businesses to Fortune 100 companies, were forced to enable work from home in literally a few days. Even companies that had already moved most of their workflows to the cloud had to keep up with unexpected demand for services that were NOT designed to be consumed by 100% of the workforce at once.

A majority of companies on the other hand seem to be leveraging remote desktop services and VPN based solution architectures to allow their employees to access their workstations from home.

We can see this trend from Shodan.io data. According to Shodan (https://blog.shodan.io/trends-in-internet-exposure/) there is about a 41% increase in RDP (Port 3389) services exposed to the Internet and about 33% increase in VPN servers exposed to the Internet.

Companies have been struggling to securely enable BYOD and remote employee access for over a decade. In a time of crisis, falling back on the decades-old legacy solutions available to them, specifically RDP and VPN based ones, is an expected trend. However, this trend brings significant cybersecurity implications with it.

These solutions inherit all the cybersecurity problems associated with them from the last 20 years.

BRUTE FORCE ATTACKS

Brute force attacks are attacks in which the attacker tries to discover account credentials by guessing username and password combinations, either exhaustively or from lists of common passwords.

In our experiments, it took 2 minutes, on average, for an exposed RDP host to become the target of a brute force attack.

This literally means that as soon as the PC is booted it is attacked in the background, even before the user starts working. For the experiment, we created 15 different Windows workstations publicly exposed through Amazon Cloud, Azure, Google Cloud or Verizon Wireless public IP addresses. We then checked the Windows Security audit logs for failed logon attempts (Event ID 4625). It took 2 minutes on average for a host to be discovered and attacked. Below is a screenshot of an audit log from one of the PCs. As soon as it was exposed, an attacker, possibly a bot, from Russia probed it.
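The audit-log check described above can be automated. Below is an added example in Python, not TransientX’s code, that parses constructed Event ID 4625 (failed logon) records and flags a source address once it produces a burst of failures, distinguishing a brute force against one account from a password spray across many. The one-line-per-event format (built from the real 4625 fields IpAddress, TargetUserName, LogonType and SubStatus), the sample addresses and the thresholds are assumptions made for the demo; adapt the regular expression to whatever your log forwarder emits.

```python
"""Flag RDP brute-force and password-spray activity in Windows Security
audit events (Event ID 4625, "An account failed to log on").

Added example (not TransientX code).  Input is a constructed one-line-per-event
rendering of the 4625 fields a log forwarder might emit; adapt EVENT_RE to your
collector.  Addresses are RFC 5737 documentation ranges; thresholds are
illustrative assumptions, not recommendations from the page.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# LogonType 10 = RemoteInteractive (classic RDP logon screen).  With NLA on,
# failed CredSSP logons are commonly recorded as 4625 with LogonType 3 instead.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) IpAddress=(?P<ip>\S+) "
    r"TargetUserName=(?P<user>\S+) LogonType=(?P<lt>\d+) SubStatus=(?P<sub>0x[0-9A-Fa-f]+)$"
)
BAD_PASSWORD = 0xC000006A  # NTSTATUS SubStatus: valid account, wrong password
NO_SUCH_USER = 0xC0000064  # NTSTATUS SubStatus: account does not exist


def parse_event(line):
    """Return a dict for a 4625 line, or None for any other line."""
    m = EVENT_RE.match(line)
    if not m or m.group("id") != "4625":
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "ip": m.group("ip"),
        "user": m.group("user").lower(),
        "logon_type": int(m.group("lt")),
        "substatus": int(m.group("sub"), 16),
    }


def detect(lines, threshold=10, window=timedelta(minutes=1), spray_ratio=0.5):
    """Sliding-window count of failed logons per source IP.

    An IP is flagged the first time it accumulates `threshold` failures inside
    `window`.  If at least `spray_ratio` of those failures hit distinct accounts
    the pattern is a password spray (few guesses per account, many accounts);
    otherwise it is a brute force against a handful of accounts.
    Returns {ip: alert}.
    """
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> (timestamp, user) pairs inside the window
    alerts = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            accounts = {u for _, u in q}
            kind = "password-spray" if len(accounts) / len(q) >= spray_ratio else "brute-force"
            alerts[ev["ip"]] = {
                "kind": kind,
                "first_seen": q[0][0],
                "failures_in_window": len(q),
                "accounts": sorted(accounts),
            }
    return alerts


def constructed_sample_events():
    """Constructed 4625 lines for the demo (not real log data)."""
    base = datetime(2020, 4, 1, 10, 0, 0)
    fmt = ("{ts}Z EventID={eid} IpAddress={ip} TargetUserName={user} "
           "LogonType=10 SubStatus={sub}")
    lines = []
    # 12 guesses at one account in 33 s: brute force
    for i in range(12):
        lines.append(fmt.format(ts=(base + timedelta(seconds=3 * i)).isoformat(), eid=4625,
                                ip="198.51.100.23", user="Administrator", sub="0xC000006A"))
    # one guess each at 11 different accounts in 30 s: password spray
    for i in range(11):
        lines.append(fmt.format(ts=(base + timedelta(minutes=5, seconds=3 * i)).isoformat(), eid=4625,
                                ip="192.0.2.77", user=f"user{i:02d}", sub="0xC0000064"))
    # a real user mistyping a password three times in ten minutes: no alert
    for i in range(3):
        lines.append(fmt.format(ts=(base + timedelta(minutes=20 + 4 * i)).isoformat(), eid=4625,
                                ip="203.0.113.9", user="jdoe", sub="0xC000006A"))
    # a successful logon (4624) is ignored by the parser
    lines.append(fmt.format(ts=(base + timedelta(minutes=32)).isoformat(), eid=4624,
                            ip="203.0.113.9", user="jdoe", sub="0x0"))
    return lines


if __name__ == "__main__":
    for ip, alert in detect(constructed_sample_events()).items():
        print(ip, alert["kind"], alert["failures_in_window"], alert["accounts"])
```

On real data, feed it the 4625 events from your forwarder and tune the threshold to your environment; a handful of failures from one office address is a typo, a hundred in a minute from a cloud range is a bot. Keep in mind that with NLA enabled the failures land as LogonType 3 and the source address field may be empty, so you may need to key on the account rather than the IP in that case.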

Today, password protection alone is as good as no protection. If a PC is exposed to the Internet through Windows RDP without additional security measures, it should be assumed already attacked and owned, because the majority of passwords are weak and can be guessed or cracked quickly.

Even a relatively “strong” 7-character password containing numbers, upper and lower case letters and special symbols can be cracked in about 17 hours. (Figures like this assume offline cracking of a captured hash at GPU speeds; online guessing against an RDP logon screen is slower per attempt, but still succeeds quickly against the common passwords most users choose.)

DENIAL OF SERVICE ATTACKS

Denial of service (DoS) attacks require attackers to consume available computing resources so that legitimate users cannot access the requested services. For the companies which use RDP as a solution for their day to day business operations, protection against DoS attacks is critical for their business continuity. Unfortunately, such a protection is not so straightforward to implement when legacy solutions like RDP or VPNs are used. Having most of the workforce on remote desktop services makes “the RDP” a critical component for any company; as critical as industrial control systems.

Keeping in mind that most companies had only a few days to enable remote access, it is safe to assume that they are now vulnerable to a new kind of extortion: a ransom-driven denial of service attack against their business continuity.

Attacking an unprotected host does not require much from the attacker’s side: as little as 1 Mbps of traffic can be enough to disable a VPN gateway, a firewall or an RDP host!

A FALSE SENSE OF SECURITY: MFA AND VPN AUGMENTATION

In order to mitigate the cybersecurity risks, some companies couple their RDP based architectures with VPN and MFA (Multi-factor Authentication) solutions.

However, while they might mitigate certain attack vectors, the threats outlined above are not really addressed effectively.

Using a VPN alone does not mitigate the risk of brute-force or DoS attacks; it just moves the attacker’s target from the RDP host to the VPN server, potentially making the impact of a successful attack worse, because the VPN server becomes a single point of failure for every remote user.

Multi-factor authentication (MFA) does mitigate the risk of brute-force attacks. However, when MFA is bolted onto legacy solutions like VPNs and RDP services, it does NOT address the fundamental problem: authentication happens AFTER the network connection to the protected resource (e.g. the VPN server or the RDP listener) has been established. That unauthenticated connectivity leaves the resource exposed to a wide range of attacks, from resource exhaustion to exploitation of bugs in the pre-authentication code paths.
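The point about authentication happening after the connection is visible in the RDP protocol itself: the listener completes X.224 connection negotiation with any peer that can reach port 3389, and only afterwards (and only if Network Level Authentication is enforced) does CredSSP validate credentials before the session is set up. The following added example in Python, not TransientX’s code, builds the client’s X.224 Connection Request per MS-RDPBCGR, deliberately offers only TLS without CredSSP, and decodes the server’s Connection Confirm to tell whether the server insists on NLA or will show its logon screen to an unauthenticated client. The hostname is a placeholder and the responses it is tested against are constructed, not captured; run probe() only against hosts you are authorised to test.

```python
"""Probe what an RDP listener negotiates with an unauthenticated client.

Added example (not TransientX code).  Byte layouts follow MS-RDPBCGR: an X.224
Connection Request carrying RDP_NEG_REQ, answered by an X.224 Connection Confirm
carrying RDP_NEG_RSP or RDP_NEG_FAILURE.  probe() opens a real TCP connection
and is only for hosts you are authorised to test; the parsing functions are
pure and are exercised on constructed responses.
"""
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2  # legacy RDP security, TLS, CredSSP (NLA)
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
HYBRID_REQUIRED_BY_SERVER = 5


def _tpkt_x224(tpdu_code, src_ref, neg):
    """Wrap an 8-byte RDP_NEG_* structure in an X.224 TPDU and a TPKT header."""
    x224 = struct.pack(">BBHHB", 6 + len(neg), tpdu_code, 0, src_ref, 0) + neg  # LI, code, dst-ref, src-ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224                        # TPKT v3, reserved, total length


def build_connection_request(requested_protocols):
    """Client hello: X.224 Connection Request + RDP_NEG_REQ offering `requested_protocols`."""
    return _tpkt_x224(0xE0, 0, struct.pack("<BBHI", NEG_REQ, 0, 8, requested_protocols))


def constructed_confirm(neg_type, value, src_ref=0x1234):
    """Server reply laid out as a server would build it (constructed test data, not a capture)."""
    return _tpkt_x224(0xD0, src_ref, struct.pack("<BBHI", neg_type, 0, 8, value))


def parse_connection_confirm(data):
    """Decode an X.224 Connection Confirm into the protocol the server chose,
    or the reason it refused."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data")
    if len(data) == 11:  # bare confirm, no RDP_NEG_*: old server, legacy RDP security only
        return {"result": "no-negotiation", "selected_protocol": PROTOCOL_RDP}
    if len(data) < 19:
        raise ValueError("truncated RDP_NEG_* structure")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("bad RDP_NEG_* length")
    if neg_type == NEG_RSP:
        return {"result": "accepted", "selected_protocol": value}
    if neg_type == NEG_FAILURE:
        return {"result": "failure", "failure_code": value, "reason": FAILURE_CODES.get(value, "unknown")}
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def nla_enforced(confirm):
    """True when a client that offered only TLS (no CredSSP) was refused with
    HYBRID_REQUIRED_BY_SERVER: the server will not show a logon screen or run
    session setup until CredSSP has validated credentials."""
    return confirm["result"] == "failure" and confirm["failure_code"] == HYBRID_REQUIRED_BY_SERVER


def verdict(confirm):
    """One-line hardening verdict for a confirm obtained by offering PROTOCOL_SSL only."""
    if nla_enforced(confirm):
        return "NLA enforced: credentials checked before session setup"
    if confirm["result"] == "failure":
        return "refused: " + confirm["reason"]
    if confirm["selected_protocol"] == PROTOCOL_SSL:
        return "TLS without NLA: logon screen reachable by anyone, brute-forceable"
    return "legacy RDP security: no TLS, no NLA, brute-forceable"


def _recv_tpkt(sock):
    """Read exactly one TPKT-framed message."""
    buf = b""
    while len(buf) < 4:
        chunk = sock.recv(4 - len(buf))
        if not chunk:
            raise ConnectionError("closed before TPKT header")
        buf += chunk
    total = struct.unpack(">H", buf[2:4])[0]
    while len(buf) < total:
        chunk = sock.recv(total - len(buf))
        if not chunk:
            raise ConnectionError("closed mid-TPKT")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Offer only TLS and report whether the server insists on NLA.  The server
    completes this exchange with any unauthenticated peer, which is the
    pre-authentication exposure discussed in the text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL))
        confirm = parse_connection_confirm(_recv_tpkt(s))
    confirm["verdict"] = verdict(confirm)
    return confirm


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: rdp_nla_probe.py <host>")  # host is a placeholder you supply
    print(probe(sys.argv[1]))
```

A refusal with HYBRID_REQUIRED_BY_SERVER means the host at least demands NLA, which removes the anonymous logon screen; an accepted TLS-only negotiation means anyone on the Internet can drive the password prompt, which is exactly what the brute-force bots described earlier rely on. Either way the exchange itself runs before any credential is checked, so NLA narrows the pre-authentication surface but does not remove it.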

MFA does not protect VPN or RDP gateways against DoS attacks, and it offers no protection against direct exploitation either. VPN servers, just like RDP services, are direct targets. Bots constantly scan for exposed VPN servers to exploit vulnerabilities in them, such as Palo Alto Networks (CVE-2019-1579), Fortinet (CVE-2018-13382, CVE-2018-13383, CVE-2018-13379), Pulse Secure (CVE-2019-11510, CVE-2019-11508, CVE-2019-11540, CVE-2019-11543, CVE-2019-11541, CVE-2019-11542, CVE-2019-11539, CVE-2019-11538, CVE-2019-11509) and Citrix (CVE-2019-19781). Several of these (CVE-2019-11510, CVE-2018-13379 and CVE-2019-19781 among them) are exploitable without any credential at all, so MFA never comes into play.

Attackers have been hitting companies running these products: Airbus (Palo Alto Networks) and Travelex (Pulse Secure) were reportedly breached recently through their exposed VPN servers.

ENABLE SECURE REMOTE DESKTOP ACCESS WITH TRANSIENTACCESS

TransientAccess and its disposable networking technology address all the security problems listed above while still enabling remote desktop access. A disposable network is a hidden, temporary network built for each user on demand. It is exposed only to the user for whom it is created and is destroyed as soon as that user disconnects. More information on the technology can be found at: Disposable Networks. A video about TransientAccess and how it works can be found at https://www.youtube.com/watch?v=LUwG3ufAZFE&t=679s

STOP DENIAL OF SERVICE ATTACKS TO RDP SERVICES

With TransientAccess, resources such as RDP hosts are not exposed to the Internet. Since they are not directly reachable, Internet-side attackers have nothing to aim DoS traffic at. When orchestrating an access request, the TransientX cloud authenticates the user first. Only after that authentication is a hidden network built between the remote host and the user’s device, allowing temporary remote access without Internet exposure.

STOP BRUTE FORCE ATTACKS TO RDP SERVICES

With TransientAccess, because access to RDP services happens inside a hidden disposable network, nothing is exposed to the Internet and attackers cannot reach the host to guess passwords. The TransientAccess cloud uses modern authentication, including integration with identity providers such as Okta or Azure AD. Administrators can also apply MFA effectively, in front of the connection rather than after it, which makes the technology work for legacy services as well.

WORK FROM HOME SECURELY AND EFFECTIVELY

TransientAccess also provides endpoint data loss prevention (DLP) features designed specifically for unmanaged devices, making it a suitable BYOD solution without any dependency on MDM/MAM. As part of our social responsibility, we are providing a no-cost subscription for it.