In the past few months, as ransomware and hackers continue to make headlines, we are hearing more and more questions about security protocols for remote access solutions, along with questions about VPN (Virtual Private Network) vulnerabilities and RDP (Remote Desktop Protocol). In some cases, we’ve heard that people may even compare RDP and its inherent risk with Splashtop’s solutions.
Our Chief Marketing Officer, Michelle Burrows, sat down with Splashtop co-founder and CTO Phil Sheu and Splashtop Senior Director of Security and Compliance Jerry Hsieh to discuss whether the concerns about RDP are warranted and to compare RDP with Splashtop's solutions.
Michelle: I’ve read a lot lately about the risk in using RDP, including this recent article which talked through all the reasons that RDP isn’t secure. Why do you also believe that RDP is not the right choice for security-minded organizations?
Jerry: Before we talk about why RDP poses a threat to companies and businesses who use it, let’s first talk about what it is and why it exists. RDP is an older technology that was originally designed for IT staff to access the servers without having to physically go into the server room. It was created to solve a very specific problem – the server room is usually kept super cold, and it is also noisy as it holds a lot of equipment. It is easy to understand why IT wouldn’t want to go into that room very often, let alone work in it. Along comes RDP, giving IT staff the ability to launch RDP sessions to work on servers remotely, no travel to a cold and noisy server room required.
Over time, IT staff began to realize that RDP was not particularly secure, so some started adding other security configurations, such as ACLs, firewall policies, or a VPN gateway when RDP access was needed, to add another layer of security outside the corporate network. I have talked with some teams who believe this is very secure, but misconfiguration of the system often leads to it being compromised.
And, as we mentioned in this interview a few weeks ago, VPNs are not secure either, for many reasons. So I see some teams who believe they are shoring up their security foundation, when what they are actually doing is combining two legacy, vulnerable technologies. It is like putting a fence around your house and then leaving the fence gate and the front door unlocked and open. If both the fence and the door are wide open, how do you protect the assets inside the house? The security features of a VPN clearly cannot make up for RDP's vulnerabilities.
Michelle: As I’m listening to you and all the reasons not to use RDP or a VPN, I have to wonder, why do teams continue to use these kinds of technology?
Jerry: The biggest reason that IT staff use RDP and RDP plus a VPN is because it is sort of free and it is easy. It is built into Microsoft Windows, and it is just sitting there for you to use as part of the Windows utilities. This means IT teams don’t need to purchase anything special – it comes with your Microsoft license, although RDS (Remote Desktop Services) requires additional licenses.
Michelle: Phil, anything to add on RDP and its vulnerabilities?
Phil: RDP has indeed been around a long time – even before HTTPS and TLS became the gold standard for securing Internet traffic. RDP was designed to work over a particular port and will respond to anyone who “pings” it over the port. A computer put on the Internet with this port open and RDP active can start seeing attacks in as short as 90 seconds. Attackers are incredibly adept at looking for and finding vulnerable RDP endpoints. By gaining access into an RDP endpoint, attackers can then pivot to access the corporate network to which the computer is connected.
Michelle: Tell me how Splashtop is different from RDP.
Phil: First, we architected Splashtop to be cloud-native and use industry-standard security protocols like HTTPS and TLS. Data is passed over port 443 just like all standard encrypted web traffic today, and connections are facilitated by our relay servers worldwide. For our customers, all of that means no special ports are needed, and firewalls do not need to allow special exceptions. Computers using Splashtop do not need to be left exposed on the Internet or DMZ for bad actors to easily scan and attack.
Michelle: Does that mean that Splashtop has its own proprietary technology?
Phil: Yes, we have our own proprietary technology. There is very little in common between Splashtop’s and RDP’s architectures for remote access. I can think of companies who have chosen to build on top of RDP, but we decided to build something unique for the sake of security and user experience.
Beyond security, this approach also lets our IT and help desk customers access the large number of devices that do not support RDP (think Mac, iOS, Android, and even certain versions of Windows), all with the same high standard of performance and usability.
As a final note on RDP, I want to take Jerry's analogy of the door left open to a thief a step further. Imagine you have a house on a street, the door is open, and all your belongings are on display inside. While the whole neighborhood may not know your door is open, anyone passing by can easily tell that nobody is home and that your door is open. That is like RDP. Now put that house inside a gated community, but leave the door open and the gate open. That is like RDP plus a VPN.
Now let's use this analogy to compare how Splashtop works. Put the house in a gated community with a guard. Now close the door and lock the gate. The guard checks visitor permissions. Nobody outside the gate can see your house or its contents. In fact, from behind the gate the house may not even be visible. Nobody can see your house, its belongings, or whether you are home. Now you can invite specific people in, but you have no open invitation for others to peek inside. That is how Splashtop works, at a higher level.
Michelle: Thank you for the analogies and taking the time to walk through this. Can you direct me to where our blog readers can learn more about Splashtop’s security?
Phil: I would love to share some security resources with our customers and future customers. We’ve created a section on our website that is dedicated to security and the questions that people may have. You can access it here: https://www.splashtop.com/security