February 12, 2020 | Tony Howlett | Last Updated: April 29, 2020
With our increasing reliance on outsourcing, companies are having to invite more outsiders (vendors, suppliers, business partners) onto their networks and systems than ever before. And though there are many reasons a vendor might need remote access, mostly this is to provide technical support. Because of this growing requirement, there have been many tools developed to enable this activity. Some have evolved from existing tools, others have been built precisely to allow vendors onto networks.
VPNs and desktop sharing are two of the more popular and common applications used for remote support. However, they are quite different from each other and serve different use cases in both theory and practice. They each have limitations in their usefulness for certain scenarios and harbor different security issues both in design and when not implemented correctly.
Let’s look at these two classes of tools and the differences between them to understand where each might fit and where they don’t.
VPNs, or virtual private networks, were born out of a need to provide remote workers with a connection that behaved much like a local area connection. This “network extender” was intended to be used over a public network, such as the internet, and uses encryption to keep the session safe and secure. The technology operates at the network level and typically gives a user access to servers and machines that are only reachable from inside the corporate firewall. For the average remote corporate user, this is all they need. Their connection replicates what they would have if they were sitting at their desk at work but provides no additional functionality beyond access.
For internal support staff who need to provide support for other employees, this type of connection works fine since all the resources they need access to would be provided as part of their employee onboarding (email, group membership, shared drives, etc.).
However, for a third party needing access to provide support, a VPN is merely the first step. Additional layers of access must be added before they can reach the servers or hosts to be supported. For instance, if you will be supporting a server, you need credentials on that server and the proper privilege level to do the work. This is, at minimum, a two-step process (you might need credentials on multiple hosts), which leaves room for human error and active maliciousness to cause problems. Conversely, they may be provided with too much access, and that access may not be tracked adequately. Once the job is done and the contract is terminated, credentials and VPN access must be removed in a timely manner. If not, this leaves a window of vulnerability into those services and devices. And if a user’s credentials are stolen or co-opted, the amount of damage that can be caused is greatly increased by a VPN’s broad network access.
VPNs also have very limited auditing and monitoring capabilities. Generally, the log files generated will show only minimal information such as connect time, IP address, and username. The actual activities done under that session are opaque, which can be a problem if a detailed audit is required for compliance or if forensic work is necessary after an incident.
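The two gaps just described (vendor access that outlives the contract, and VPN logs that record only connect time, IP address and username) can at least be checked for with the data a VPN does produce. The script below is an added example, not code from the original article or from any product: it parses constructed, syslog-style VPN connection lines in a hypothetical format, compares them against a hypothetical vendor engagement register, and flags vendor accounts that connected after their engagement ended or that are still enabled past that date. All usernames, IPs, dates and the log format itself are made up for the example.

```python
"""
Stale vendor VPN access check (added example; all data below is constructed).

Given the minimal fields a VPN log typically carries (timestamp, username,
source IP, event), plus a register of vendor engagements, report:
  - logins by a vendor account after its engagement end date
  - vendor accounts that remain enabled after their engagement end date
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import re

# Hypothetical VPN appliance log format, e.g.:
# 2020-02-03T22:41:17 vpn: user=acme-svc src=203.0.113.10 event=connect
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vpn: "
    r"user=(?P<user>\S+) src=(?P<ip>\S+) event=(?P<event>\w+)$"
)


@dataclass(frozen=True)
class Engagement:
    user: str       # VPN username issued to the vendor
    vendor: str     # vendor / contracting company
    ends: date      # last day the contract permits access
    enabled: bool   # whether the VPN account is still enabled today


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str       # "login_after_end" or "stale_account"
    detail: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "ip": m["ip"], "event": m["event"]}


def audit_vendor_access(log_lines, engagements, today, grace_days=0):
    """Flag post-contract logins and still-enabled accounts for vendor users.

    grace_days allows a short deprovisioning window after the end date before
    an account is reported; a stricter policy sets it to 0.
    """
    by_user = {e.user: e for e in engagements}
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "connect":
            continue                      # malformed lines and disconnects are ignored
        eng = by_user.get(rec["user"])
        if eng is None:
            continue                      # not a vendor account in the register
        cutoff = eng.ends + timedelta(days=grace_days)
        if rec["ts"].date() > cutoff:
            findings.append(Finding(rec["user"], "login_after_end",
                f"connected from {rec['ip']} at {rec['ts'].isoformat()} "
                f"after engagement ended {eng.ends.isoformat()}"))
    for eng in engagements:
        if eng.enabled and today > eng.ends + timedelta(days=grace_days):
            findings.append(Finding(eng.user, "stale_account",
                f"{eng.vendor} account still enabled "
                f"{(today - eng.ends).days} days after engagement end"))
    return findings


# Constructed sample data: a few log lines and a three-entry engagement register.
SAMPLE_LOG = [
    "2020-01-20T09:15:02 vpn: user=acme-svc src=203.0.113.10 event=connect",
    "2020-02-03T22:41:17 vpn: user=acme-svc src=203.0.113.10 event=connect",
    "2020-02-03T23:05:40 vpn: user=acme-svc src=203.0.113.10 event=disconnect",
    "2020-02-10T08:00:00 vpn: user=globex-sup src=198.51.100.7 event=connect",
    "2020-02-11T07:59:59 vpn: user=jdoe src=192.0.2.44 event=connect",
    "this line is not in the expected format",
]
SAMPLE_ENGAGEMENTS = [
    Engagement("acme-svc", "Acme Corp", date(2020, 1, 31), enabled=True),
    Engagement("globex-sup", "Globex", date(2020, 6, 30), enabled=True),
    Engagement("initech-db", "Initech", date(2019, 12, 31), enabled=False),
]
SAMPLE_TODAY = date(2020, 2, 12)

if __name__ == "__main__":
    for f in audit_vendor_access(SAMPLE_LOG, SAMPLE_ENGAGEMENTS, SAMPLE_TODAY):
        print(f"{f.kind:16} {f.user:12} {f.detail}")
```

On the sample data this reports two findings, both for `acme-svc`: a login three days after the engagement ended, and an account still enabled twelve days later. Note what the check cannot tell you, which is the article's second point: the log shows that the vendor connected and from where, but nothing about what was done on the network during that session.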
Desktop sharing evolved out of the shortcomings of VPNs for remote support. Additional capabilities were needed to reach any or all of an enterprise’s desktops without needing credentials on each machine. Most desktop sharing tools provide an encrypted tunnel much like VPNs, usually using SSL or similar methods, and then enable a “take-over” of an existing user’s session, which eliminates the need for separate credentials. This can be really handy if you need to use your local desktop with programs only resident there, or if a support representative needs to show a user how to use an application or program on their machine. Many desktop sharing platforms also include features for monitoring and recording a session, but these are usually optional.
However, while desktop sharing offers more functionality for the purpose of support than VPNs, it also has shortcomings of its own. It only provides access to the desktop and is not as useful for enterprise support, such as database or server support or tasks that require a command line. While a VPN sometimes offers too much access, desktop sharing might not offer enough. Each session on each machine must generally be initiated by someone at that machine, meaning that providing 24/7 unattended support is difficult or impossible.
There are also security downsides to having full access to a machine on the network, including access to local files as well as network resources with the full permissions of that user. There may be sensitive files on the machine that could be viewed if the attendant isn’t watching closely. The host could also be used as a beachhead to do reconnaissance or even attack other computers on the network. This is a frequent tactic of hackers, where they get low-level access on a single network node, but expand out from there by finding other vulnerable machines or services visible on the network.
So we have shown that VPNs and desktop sharing solutions offer different advantages and disadvantages for remote support and remote access functions. Depending on your applications and the type of support needed, you may want to use one or the other. If you need additional security or compliance features, you may want to augment or replace these technologies with even more purpose-built tools such as privileged access management (PAM) or vendor privileged access management (VPAM) to fully secure the remote support connection.
While VPN and desktop sharing tools work great for their intended purposes—they are not secure or efficient tools for third-party remote access. If third parties are accessing your network, whether you’re using a VPN, a vendor-supplied support tool, or a Privileged Access Management (PAM) solution to manage network vendor access, the limitations of those tools leave you vulnerable to breaches. Download our brochure that highlights the importance of having a separate software platform specifically to manage vendors’ privileged access to systems, networks, and applications.