Security is a hot topic. Everywhere you look in the IT space, you’ll see stories of hacking attempts, brute force attacks, DDOS, and much more. While the big story in our defense against these insurgencies is layered security, unless you fully understand your weaknesses and vulnerabilities, adding “security” solutions to your network is a potentially useless action. It’s like having the world's most secure locks on your front door, and leaving your back door unlocked—it makes no sense.
You need to start with a good understanding of what it is you’re securing against. For the purpose of these articles, I’m going to focus on one aspect of your network structure—your remote access solution. This is the one piece of software you own as a business specifically designed to penetrate your devices and networks.
Let’s explore how these work.
As a starting point, we’re going to look at RDP (Remote Desktop Protocol). Why do we start here? Quite simply, because all Windows devices support Remote Desktop. It is the oldest desktop sharing application and sets the bar for the rest of the industry.
Remote Desktop is a great feature you enable on your target host, resulting in a “listening” socket being opened. This socket usually accepts inbound connection attempts over TCP3389, with authentication to follow after. The result is quick, responsive, immediate, and authenticated remote access to a Windows machine.
While this may sound ideal, the device is now effectively open to many kinds of attack. One of the issues with Remote Desktop is that it often relies solely on username/password authentication and lockout mechanisms, which are all too often unable to protect against modern attack vectors. Additionally, even if the machine is within an RFC1918 network addressing scheme, it remains visible to a multitude of attacks, not least of which includes brute force, etc. A publicly hosted instance of RDP, then, is even more susceptible to vulnerabilities.
This is an all-too-common approach to desktop sharing, and remains highly popular to this day. In today’s security-conscious business environment, the vulnerabilities this raises are obvious, and it’s clear that if we are to make these connections more secure, a new method must be found.
We take a different approach with Take Control.
With RDP, the Windows host you connect from and the machine you connect to remain entirely responsible for desktop sharing and viewing, with no management other than what is provided by the Windows operating system itself. The Take Control™ solution provides a viewer (the technology required to view another desktop) an agent (the technology required to connect), and a fully managed cloud infrastructure.
When you install the agent, it will begin sending a “heartbeat” to the fully managed and protected cloud infrastructure, letting the technicians know the machine is online. These heartbeats are sent using encrypted data, so even somebody spying on your network traffic would be unable to see what was being sent. This creates an architecture where only a device where the heartbeats are specifically directed and which understands how to decrypt those heartbeats would have any actual knowledge of the fact that the first device is online and ready to connect.
Finally, in order to actually start a remote session, you still need a remote viewer part of the transaction. In RDP, the viewer functionality is written in as part of the host OS. In Take Control, you have a viewer with an extremely broad feature set. Not only does it give you the tools to provide a first-class tech support experience, it has been designed with security in mind. Only a viewer that has been authenticated with the cloud infrastructure is allowed to start the connection process. Not only that—due to the protected nature of the network, there is no way to connect to the infrastructure using any other tool.
In simple terms, you have a network infrastructure where the traffic—from source to destination—is protected using FIPS 140-2-Certificated Open SSL modules. The result is that traffic to and from the cloud-based infrastructure and connecting nodes is protected using highly advanced cryptographic protocols and packet signing techniques. Session instantiation takes place using advanced and rigorous public/private key exchange protocols—we use ECDH (Elliptic Curve Diffie Hellman) key agreement protocol amongst other methods.
In my next blog, I’ll look at our physical approach to security: our office, our data centers, our adherence to standardization and more.
Read the next blog in the series here: Securing Your Remote Access—Are You Managing Logins Effectively?
Gerry O’Donnell is the product manager for the SolarWinds® Take Control solution and RMM products, having been with SolarWinds for some 7 years.
To find out how SolarWinds Take Control can help your business, click here
Get the latest MSP tips, tricks, and ideas sent to your inbox each week.