
Garmin hacked

Dimme wrote:

That is a lot of money to not be able to track around and find the criminals.

It also sets a very dangerous precedent.

LSZH(work) LSZF (GA base), Switzerland

That is a lot of money to not be able to track around and find the criminals.

ESME, ESMS

According to this Garmin paid the ransom via a 3rd party. Also interesting is the method used to get around the US sanctions on paying the ransom.

Administrator
Shoreham EGKA, United Kingdom

I think we agree

Administrator
Shoreham EGKA, United Kingdom

We can talk about security of VPNs and RDP until the cows come home: the reality is for larger organisations like Garmin, typically they aren’t using cheap consumer kit for their routers, and it’s quite likely they will have implemented things like 2FA for remote access.

What usually does the likes of Garmin in is an attack on the wetware. This attack was crafted specifically for Garmin, and PROB99 getting it in there was a combination of social engineering, plus too many people having too many privileges, plus being behind on patches – the latter two allowing the malware to spread once the initial social engineering attack had succeeded.

Targeted malware rarely uses a single exploit – it usually involves several exploits, and the initial exploit to get a foot in the door is an attack on wetware, not software or hardware.

Social engineering is the oldest (and most “difficult to patch”) exploit out there. See Kevin Mitnick for an early example of social engineering attacks on computer networks. Read the book “Other People’s Money: The Rise and Fall of Britain’s Boldest Credit Card Fraudster” by Neil Forsyth/Elliott Castro for a first-person perspective on the use of social engineering attacks.

Last Edited by alioth at 04 Aug 09:20
Andreas IOM

Those attacks will all fail anyway if an admin with a brain has set up a username/password which is nontrivial and which totally cannot be guessed.

You can have all the architecture discussions you like, but the thing which you can never be 100% sure about is a back door. The recent RDP vulnerability existed no matter what credentials you chose. And there were similar exploits in years past for stuff like PC/Anywhere. You sidestep these by running remote access only via a VPN but then how solidly is the VPN implemented (in the VPN terminating router)? In my router log I see all kinds of attacks on the VPN gateways, where the attacker is submitting various invalid values and probing various protocol timeouts.

You can never be sure the VPN in your router is solid, which is why a successful RDP login should still need to be followed by a second login, to get into any machine on the LAN. This second login can be configured in the RDP caller (for convenience) but an attacker won’t have the creds so will be presented with a login prompt. And nobody should have a device on the LAN which is open. Most people don’t have a login on their PC at home. That login should be configured for both network access and interactive access. But that PC could also have a back door… for many years you could get into a Windows or MacOS PC via the LAN, by presenting malformed packets to its RJ45.

With decent hardware (like Garmin should have, but the vast majority of small business routers cannot be configured for) you could have a firewall routing the VPN traffic to a specific IP only. This is what alioth was saying. This also needs a physical separation; no good having the VPN traffic coming out of the same RJ45 as the rest. And facilities for doing this are pretty limited on the cheaper stuff. But the “physical” separation is still only done by the one single CPU running some code in the router, so ultimately you have to trust the router to have absolutely solid code implementing its VLAN functionality… Chinese IT gear is all buggy as hell.

If running the whole lot on a unix server, rather than having a “box” doing the VPN termination / firewalling etc, you are having to trust the OS and everything running under it. Then you can implement fail2ban etc but if there is a back door it won’t help. The entire trust issue is now in the software.

This is getting like the interminable Zoom video conferencing discussions we had, which made a lot of people drop out of the EuroGA Zoom meetings, and IMHO for poor reasons. All encrypted video conf setups still need a trusted server.

Actually I think the biggest vulnerability is in customer service where you have to open outside emails, online chat IMs, etc. This is obviously known and e.g. the UK CAA has all its emails going through a 3rd party (Scansafe) which strips out all the attachments and replaces them with “virus checked” URLs to copies on its own server. You see this when you have any emails with them. They simply dump some stuff though; another company I am emailing with dumps all emails containing a dropbox link, which is a PITA for obvious reasons… This has to be the best route today for planting exploits on the inside of a company, right past all security, firewalls, the lot…

Administrator
Shoreham EGKA, United Kingdom

Automated attacks of various kinds can easily be blocked using something like fail2ban.

E.g. you can set up a rule that if there are more than X failed login attempts to ban the host. Or ban a host if it tries to access well known directories that do not exist, like /admin. That gets rid of 99% of the stuffing attacks Peter is referring to above.

ESME, ESMS
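The two ban rules described in the post above (too many failed logins, or a request for a well-known directory that does not exist), as an added illustration that is not part of the thread. The log formats and addresses are constructed for the example; a real fail2ban deployment expresses the same thing as a filter regex plus `maxretry` in a jail.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the thread): sshd-style auth messages
# and web-server access lines. The exact format is an assumption for this example.
SAMPLE_LOG = """\
sshd: Failed password for root from 198.51.100.7 port 50122 ssh2
sshd: Failed password for admin from 198.51.100.7 port 50124 ssh2
sshd: Failed password for root from 198.51.100.7 port 50127 ssh2
sshd: Failed password for guest from 198.51.100.7 port 50130 ssh2
sshd: Accepted publickey for alice from 203.0.113.5 port 41002 ssh2
sshd: Failed password for alice from 203.0.113.5 port 41010 ssh2
httpd: 192.0.2.44 "GET /admin/ HTTP/1.1" 404
httpd: 192.0.2.44 "GET /wp-login.php HTTP/1.1" 404
httpd: 203.0.113.5 "GET /index.html HTTP/1.1" 200
"""

FAILED_LOGIN = re.compile(r"Failed password for \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")
WEB_REQUEST = re.compile(
    r'httpd: (?P<ip>\d+\.\d+\.\d+\.\d+) "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Directories that do not exist on this host but are routinely probed by
# automated scanners; a single 404 hit on one of them is a ban on its own.
PROBE_PATHS = ("/admin", "/wp-login.php", "/phpmyadmin")

def hosts_to_ban(log_text, maxretry=3):
    """Return {ip: [reasons]} for hosts that exceeded maxretry failed logins
    or requested a probe path; everything else is left alone."""
    failures = Counter()
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m["ip"]] += 1
            if failures[m["ip"]] > maxretry:
                reasons[m["ip"]].add("failed-logins")
            continue
        m = WEB_REQUEST.search(line)
        if m and m["status"] == "404" and m["path"].startswith(PROBE_PATHS):
            reasons[m["ip"]].add("probe-path")
    return {ip: sorted(r) for ip, r in reasons.items()}

if __name__ == "__main__":
    for ip, why in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {ip}: {', '.join(why)}")
```

A single mistyped password from 203.0.113.5 stays below the threshold, so a legitimate user is not locked out by the same rule that bans the brute-forcer.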

Yes but a VPN that terminates with only one thing on the other end results in a much smaller attackable footprint than a VPN that terminates in an entire network of things that can be attacked. Two factor authentication also helps protect against things like credential stuffing attacks (which is what the automated attacks are attempting).

Terminating the VPN at an RDP server doesn’t stop admins from doing their job.

Andreas IOM

That’s all sound advice but …

  • it is trivial to find VPN ports (or any other port which needs credentials) with a packet sniffer
  • there is no fundamental difference between a VPN port and any other port which requires credentials (unless trying to avoid specific vulnerabilities e.g. old FTP with its exposed login creds)
  • on most Chinese routers a VPN bypasses the firewall (admittedly Garmin should be using Chinese IT gear on the periphery)
  • a lot of remote access is for sysadmins and they want full access (and from any IP so they can fix stuff while on the move)

etc…

I have a load of VPNs across the systems I look after and all of them are constantly attacked, all day, all night, mostly from China/Russia, and if this never worked, nobody would bother.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

Interesting that Kaspersky (above link) recommend using RDP, given that RDP itself has turned out to be easily vulnerable, unless used over a VPN.

RDP has been improved over time, and it usually is used in combination with a VPN.

I think the general advice, amplified, on the use of RDP is:

  • Don’t have your VPN just join remote workers to your network with fully routed access to your servers.
  • Instead, the VPN opens up a connection to a single host (or pool): an RDP server, which the user uses as if it were their desktop. The firewall only allows exactly that connection over the VPN.

That way the enormous attack surface of the corporate Windows servers is not exposed to remote workers; the attack surface is limited to the RDP service, which is much less vulnerable than the smorgasbord of potentially attackable stuff a Windows server exposes by default.

A huge amount of malware travels by exploiting issues with Microsoft’s CIFS implementation (a lot of known vulnerabilities companies are very slow to patch). Providing nothing except an RDP connection mitigates the enormous attack surface that you’d otherwise have just by allowing people to join the network.

Newer services like MS Always On are very convenient but you better always be bang up to date with your patching of everything, because in that Microsoft monoculture, infection will travel like wildfire. Especially when you consider the insecure networks things like laptops will end up joining.

Last Edited by alioth at 03 Aug 16:27
Andreas IOM
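The difference between a fully routed VPN and the “VPN to a single RDP host” design recommended above, modelled as an added example (not from the thread) with a first-match policy evaluator. The addresses, subnets and flows are constructed for the example; the point it shows is that the second policy leaves only tcp/3389 to the jump host reachable and drops, among other things, the CIFS traffic the post mentions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing for the example (not from the thread).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")    # addresses handed to VPN clients
RDP_HOST = ipaddress.ip_address("10.0.0.10")      # the single RDP jump host
OFFICE_LAN = ipaddress.ip_network("10.0.0.0/24")  # servers remote users should not reach directly

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None = any destination port
    action: str              # "accept" or "drop"

# "Fully routed" VPN: clients may reach anything on the office LAN.
ROUTED_POLICY = [Rule(VPN_POOL, OFFICE_LAN, "any", None, "accept")]

# Recommended design: exactly one permitted connection, everything else dropped.
RDP_ONLY_POLICY = [
    Rule(VPN_POOL, ipaddress.ip_network(f"{RDP_HOST}/32"), "tcp", 3389, "accept"),
    Rule(VPN_POOL, ipaddress.ip_network("0.0.0.0/0"), "any", None, "drop"),
]

def evaluate(policy, src, dst, proto, dport):
    """First matching rule wins, like a firewall chain; default deny if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (src in r.src and dst in r.dst
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "drop"

# Constructed flows a remote worker (or malware on their laptop) might attempt.
FLOWS = [
    ("10.8.0.23", "10.0.0.10", "tcp", 3389),  # RDP to the jump host
    ("10.8.0.23", "10.0.0.20", "tcp", 445),   # SMB/CIFS to a file server
    ("10.8.0.23", "10.0.0.30", "tcp", 3389),  # RDP to some other server
]

def exposed_flows(policy):
    """The subset of FLOWS that a given policy lets through."""
    return [f for f in FLOWS if evaluate(policy, *f) == "accept"]

if __name__ == "__main__":
    print("routed:  ", exposed_flows(ROUTED_POLICY))
    print("rdp-only:", exposed_flows(RDP_ONLY_POLICY))
```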