In the past few months, as ransomware and hackers continue to make headlines, we are hearing more and more questions about security protocols for remote access solutions, along with questions about VPN (Virtual Private Network) vulnerabilities and RDP (Remote Desktop Protocol). In some cases, we’ve heard that people may even compare RDP and its inherent risk with Splashtop’s solutions.
Splashtop Chief Marketing Officer Michelle Burrows sat down with Splashtop co-founder and CTO Phil Sheu and Senior Director of Security and Compliance Jerry Hsieh to discuss whether concerns about RDP are warranted and to compare RDP with Splashtop's solutions.
Michelle: I’ve read a lot lately about the risk in using RDP, including this recent article which talked through all the reasons that RDP isn’t secure. Why do you also believe that RDP is not the right choice for security-minded organizations?
Jerry: Before we talk about why RDP poses a threat to companies and businesses who use it, let’s first talk about what it is and why it exists. RDP is an older technology that was originally designed for IT staff to access the servers without having to physically go into the server room. It was created to solve a very specific problem – the server room is usually kept super cold, and it is also noisy as it holds a lot of equipment. It is easy to understand why IT wouldn’t want to go into that room very often, let alone work in it. Along came RDP, giving IT staff the ability to launch RDP sessions to work on servers remotely, no travel to a cold and noisy server room required.
Over time, IT staff came to realize that RDP isn’t very secure, so some started adding other security settings such as ACLs and firewall policies, and if employees needed to access RDP from outside the corporate network, some also added a VPN gateway as an extra layer of protection. I have had discussions with teams who believed this approach was very secure, but misconfigurations often end up bringing these systems down.
As we discussed in our interview a few weeks ago, there are many reasons why VPNs are insecure. Since then I have found that some teams believe that using these two vulnerable older technologies together makes them more secure. That is like putting a fence around your house but leaving the fence gate wide open and the front door unlocked. Done that way, the assets inside the house are not protected at all. Likewise, a VPN’s security features cannot make up for RDP’s security holes.
Michelle: As I’m listening to you and all the reasons not to use RDP or a VPN, I have to wonder, why do teams continue to use these kinds of technology?
Jerry: The biggest reason that IT staff use RDP, or RDP plus a VPN, is because it is sort of free and it is easy. It is built into Windows, and it is just sitting there for you to use as a Windows utility. This means IT teams don’t need to purchase anything special – it comes with your Microsoft license, although RDS (Remote Desktop Services) requires additional licenses.
Michelle: Phil, anything to add on RDP and its vulnerabilities?
Phil: RDP has indeed been around a long time – even before HTTPS and TLS became the gold standard for securing Internet traffic. RDP was designed to work over a particular port and will respond to anyone who “pings” it over that port. A computer put on the Internet with this port open and RDP active can start seeing attacks in as little as 90 seconds. Attackers are incredibly adept at looking for and finding vulnerable RDP endpoints. By gaining access to an RDP endpoint, attackers can then pivot to the corporate network to which the computer is connected.
Michelle: Tell me how Splashtop is different from RDP.
Phil: First, we architected Splashtop to be cloud-native and use industry-standard security protocols like HTTPS and TLS. Data is passed over port 443 just like all standard encrypted web traffic today, and connections are facilitated by our relay servers worldwide. For our customers, all of that means no special ports are needed, and firewalls do not need to allow special exceptions. Computers using Splashtop do not need to be left exposed on the Internet or DMZ for bad actors to easily scan and attack.
Michelle: Does that mean that Splashtop has its own proprietary technology?
Phil: Yes, we have our own proprietary technology. There is very little in common between Splashtop’s and RDP’s architectures for remote access. I can think of companies who have chosen to build on top of RDP, but we decided to build something unique for the sake of security and user experience.
Beyond security, Splashtop also helps IT and help desk customers access a large number of devices that don’t support RDP (such as Mac, iOS, Android, and even certain versions of Windows), and all Splashtop products deliver the same high performance and usability.
Let me expand a bit further on RDP. Let’s continue with the analogy Jerry used a moment ago. Suppose you have a house on the street with the front door wide open, so all the valuables inside are basically visible. Not everyone in the neighborhood knows your door is open right now, but anyone walking past can easily see that no one is home and the door is open. That is RDP. Now suppose the house is in a gated community, but both the front door and the community gate are left open. That is RDP combined with a VPN.
Now let’s use the same analogy to explain how Splashtop works. Suppose the house is in a gated community, and there is a security guard at the gate. Then we close the front door, lock the gate, and have the guard check access rights. No one outside the gate can see the house or the valuables inside. In fact, even someone standing just inside the gate cannot see the house. In other words, nobody can see the house or what is inside it, and nobody knows whether you are home. You can still invite a specific person in, but it is not an open invitation, and no one else is allowed to peek inside. That is how Splashtop’s more advanced approach works.
Michelle: Thank you for the analogies and taking the time to walk through this. Can you direct me to where our blog readers can learn more about Splashtop’s security?
Phil: I would love to share some security resources with our customers and future customers. We’ve created a section on our website that is dedicated to security and the questions that people may have. You can access it here: https://www.splashtop.com/security