by Erin Risk —
RDP & VPN: Why These Outdated Solutions Are Still Commonly Used
The most commonly used methods of remote access are Microsoft’s Remote Desktop Protocol and virtual private networks. The first lets users access and control their office desktop computers over the internet. The second lets users access shared network resources while outside the company firewall.
In addition to being the popular choice of businesses, they are also the favored target for cybercriminals. Many of the worst security breaches of the past few years originated from security flaws in these outdated security technologies.
In this article, we will explain why companies continue using Remote Desktop Protocol and virtual private networks. Then we will discuss the security flaws inherent to these systems. We will finish by introducing you to more modern access control approaches that are more secure, performant, and simpler to manage.
What is Remote Desktop Protocol (RDP)?
Remote Desktop Protocol lets you access a computer or server over the internet. In its simplest form, an RDP client initiates a connection between a user’s device and a host computer. The remote user can control the computer as if they were physically sitting in front of it.
RDP use cases
Network administrators often use a simple direct RDP connection to manage servers in data centers. Without leaving the office, they can use RDP to perform system maintenance.
Small or mid-sized businesses consolidate their RDP traffic through a Remote Desktop Gateway server. Besides being more efficient, the server integrates with the companies’ existing authentication and authorization systems.
Larger enterprises use RDP with desktop virtualization. They run instances of Windows on a server or in the cloud to avoid the overhead of physical desktops. RDP turns any device into a thin client for the virtual computer.
Straightforward remote access
RDP has a shallow learning curve as it works seamlessly with Microsoft’s network management tools and virtualization solutions.
Improved user productivity
Likewise, employees transitioning to home working have less to learn since they get the same desktop experience they had at the office.
Simplify BYOD management
Bring your own device policies often add administrative overhead. With minimal configuration, Microsoft’s RDP clients run effortlessly on Windows and Mac desktops as well as Android and iOS mobile devices.
The host computer’s display output is the only data users’ personal devices receive. Applications and files remain on company-controlled systems, so your company’s proprietary data is more secure.
RDP sensitivity to network performance
Sending desktop monitor outputs to remote users turns your business into a streaming video service. You may need to invest in additional network hardware to relieve the resulting congestion.
RDP visibility to hackers
RDP relies on publicly visible open ports to enable remote connections. Cybercriminals can easily scan the internet to find any of the over four million visible RDP ports.
Weak RDP password policies
Many RDP configurations control access with existing desktop passwords. Weak or poorly-enforced password policies make simple brute force attacks more effective.
What is a Virtual Private Network (VPN)?
For nearly three decades, virtual private networks have been the preferred solution for remote access. VPN creates encrypted portals through their secure network perimeter to let remote employees access email and other network resources.
VPN use cases
VPN’s original purpose was to create secure wide-area networks over the internet. It was an affordable way for businesses to link their remote offices to central computing resources.
VPN solution providers adapted this technique to enable remote access for end-users. The encrypted tunnel between the user’s VPN client and the company’s VPN gateway extended the network to the user’s device.
Secure remote access
Given the poor security of public internet connections, sending remote users’ data through encrypted tunnels keeps the company information away from prying eyes.
Compatibility with network systems
Business VPN solutions have been available for many years, making it relatively easy to find a VPN solution that can be integrated with your network’s existing security and administrative systems.
From small businesses to large enterprises, you can find a VPN solution to meet your users’ needs, security policies, and budgets.
VPN impact on network performance
The VPN gateway is a bottleneck for your company’s remote traffic. The only way to address issues of backhaul, bandwidth congestion, and latency is to purchase more gateways or more expensive gateways.
You can avoid many hardware limitations by implementing VPN solutions in software. However, complicated pricing structures get expensive quickly.
VPN impact on security
Like RDP hosts, VPN gateways must be visible on the internet. You risk a security breach unless you can patch your gateways faster than hackers can scan the internet. Since VPN gateways grant full access to the protected network, bad actors can do considerable damage.
VPN solutions often require networking expertise to roll out and support in an organization. Secure implementation of a corporate VPN may also require existing network infrastructure to be reconfigured, leading to an intensive deployment process.
How are RDP & VPN different?
Although both RDP and VPN provide remote access, they address different business needs. RDP’s primary purpose is to let users remotely access files and applications kept locally on a computer. VPN’s primary purpose is to give users remote access to shared network resources.
VPN is better when…
Your business follows a network-centric IT philosophy that:
- Requires network storage of all files.
- Hosts business applications on company servers.
- Uses cloud-based applications and X-as-a-Service solutions.
RDP is better when…
Your business follows a desktop-centric IT philosophy that:
- Lets employees keep files locally.
- Relies on desktop applications.
Use both RDP and VPN when…
You want better RDP security. Although you still have VPN’s drawbacks, you mitigate RDP’s security risks by putting it behind a VPN gateway (albeit by shifting some of the security risk to the VPN gateway itself).
Frankly, neither technology is a great option compared to more secure modern alternatives.
What alternative remote access solutions exist outside of RDP & VPNs?
The remote access solution that offers the best combination of security, flexibility, and value is a zero trust network access (ZTNA) product that allows a software-defined perimeter (SDP) to be implemented.
Zero trust network access
Traditional approaches to network security operate on a principle of trust once users, devices, or networks pass initial security criteria. This is the core weakness that opens security holes in technologies like RDP and VPN. Trust is never assumed in a ZTNA access control system which operates on three principles:
Never trust, always verify
ZTNA treats an executive working at the office no differently from a contractor working at an airport. Every user must verify their identity every time they connect — and no matter what network they use to connect.
You can never predict when cyberattacks will work, so assume your defenses are already compromised. Use least privileged, role-based access permissions to minimize damage from successful attacks.
Do not rely on a simple username and password for verification. Authentication and authorization processes should use multiple criteria including multi-factor authentication, device posture and user location to determine the degree of access a user receives.
The trouble with traditional secure perimeters is that successful breaches give cybercriminals access to everything on the protected network. SDP refocuses security away from the network to what really matters: a company’s resources. Neither on-premises servers nor cloud applications can be seen, much less accessed, without going through the SDP’s access control system. A well-implemented SDP also allows RDP servers to be truly hidden from prying eyes on the public internet, while not merely shifting the problem to a VPN gateway which itself is visible.
Beyond security: the benefits of SDP + ZTNA
While security drives much of the interest in SDP and ZTNA, these access solutions offer several other benefits.
Traditional security methods only work for certain scenarios. People working on-premises, remote workers, proprietary networks, and cloud-based resources are protected by different systems. Solutions based on SDP and ZTNA support all these scenarios within a unified administrative system.
Efficient network architecture
Network segmentation and other attempts to mitigate the weaknesses of outdated systems require expensive investments and considerable overhead. SDP creates the ultimate segmentation by drawing the secure perimeter around each resource — without the need for more hardware.
Improved network performance
Once authenticated and authorized, the SDP system creates a direct connection between a resource and a user’s device. This eliminates the bottlenecks imposed by VPN and other network endpoints. SDP systems can also employ split-tunneling to send non-essential traffic directly through the public internet rather than routing it through company networks first.
Access control systems based on SDP and ZTNA are more responsive to changing business needs than traditional approaches. On-boarding and off-boarding users, changing roles, and other administrative tasks can be performed through simple, centralized consoles.
Why do many companies continue to use RDP and VPNs despite their security flaws?
Despite modern solutions’ clear advantages, companies have been slow to change. Historically, enterprise solutions were incompatible with existing systems. Migrating to SDP meant investing in a complete architecture before making the switch. With all its resources, even Google took years to implement its zero-trust system.
This situation has begun to change. New government policies require federal agencies to adopt zero-trust and SDP. The ripple effect of these decisions will extend into the private sector and accelerate the acceptance of zero-trust security.
Twingate already offers an access control solution that makes it easy to adopt SDP and ZTNA. Compatible with your existing infrastructure and security stack, you can deploy Twingate in phases. You can protect on-premises and cloud-based resources while making it easier for your users to connect.
Once deployed, managing user access will require less overhead thanks to Twingate’s simple administrative consoles. User experience will improve as the transparent, always-on Twingate client automatically manages their role-based access.
Replace outdated remote access solutions with Twingate
The most popular remote access solutions, including RDP and VPN, have been around for decades. While that makes them known quantities, both technologies make inherent assumptions that expand your organization’s attack surface. The shift to remote working has exposed these security flaws like never before. And increasingly, companies are looking for a better, more secure way of providing access to sensitive resources.
Twingate’s modern solution uses Zero Trust Network Access and Software Defined Perimeters to improve access to company resources while enhancing security. Our zero trust access solution makes your networks more agile, performant, and scalable. Find out more today.