A class of VPN-like methods utilizes remote desktop software to provide remote users with some of the same capabilities as local workstation users. Remote desktop software allows an external user to have access through the Internet to an internal host's graphical interface, such as a Windows XP Professional workstation. A remote user can access applications, files, and other host and network resources through the remote desktop software. Although not a pure VPN solution, the software offers protection for data traversing networks. Remote desktop software packages fall into two general categories: single session for one user at a time, and multiple session for concurrent users.
Single-session remote desktop software allows one user at a time to have access to the GUI of a particular host. The best-known single-session products are Remote Desktop, which is built into Windows XP Professional, and pcAnywhere, a third-party product, although many different remote desktop products are available. Many people do not think of software such as pcAnywhere as a VPN option, but it can easily be configured to provide useful host-to-host VPN capabilities. Most remote desktop software packages can provide a strongly encrypted "wrapper" through which many applications can be run, files can be transferred, and other resources can be utilized. Other remote desktop software does not natively provide encryption but can be run through an SSH or SSL tunnel to provide VPN capabilities. For example, VNC (http://www.realvnc.com/) does not encrypt its sessions, and its developers recommend that tunneling methods be used to protect connections.
Single-Session Remote Desktop Client Integration
The appropriate remote desktop client software that corresponds to the remote desktop server software must be installed on the end users' workstations. Most products, such as pcAnywhere, can only be installed on Windows hosts. The Remote Desktop service built in to Windows XP Professional can be accessed remotely from various flavors of Windows and non-Windows systems, as long as they are running the Remote Desktop Connection client or using Internet Explorer with the Remote Desktop Web Connection client. Remote desktop products usually install like any other software and do not make changes to the network configuration of the host.
Single-Session Remote Desktop Server Integration
As mentioned previously, the same brand of remote desktop software must be installed on the client and the server. In general, you want to configure an internal host to have any necessary applications or resources, and you want to install the remote desktop server software onto that host. Of course, you want to harden this host strongly to reduce the risk of it being compromised, because external users will be connecting directly to it. You also want to take prudent measures to authenticate users properly, such as by requiring strong passwords to be provided for authentication and, in the case of pcAnywhere, by using a shared-secret-like mechanism between the client and server software to further authenticate the external host. pcAnywhere also can be configured to only accept connections from certain IP addresses or subnets, which is helpful in certain situations.
It is absolutely critical that the server software be configured to require a sufficiently high level of encryption and to use a cryptographically strong encryption protocol. For example, the standard and web-based Remote Desktop clients offer 40-, 56-, and 128-bit encryption using the RC4 algorithm for their communications; only the 128-bit level should be accepted, and the server should be configured to reject lower levels rather than leaving the choice to whatever the client negotiates. Avoid using proprietary encryption methods because their cryptographic strength has usually not been verified through peer review and research. Proprietary methods often turn out to be flawed, which means that your traffic could be decrypted much more easily than you expect. For example, pcAnywhere 11.0 offers three encryption levels: symmetric encryption, public key encryption, and pcAnywhere Encoding (a proprietary method that provides a weak level of encryption). Thoroughly research the available encryption options for all remote desktop products; do not assume that just because the product offers encryption, the encryption is sufficiently strong for your needs.
Single-Session Remote Desktop Perimeter Defense Adjustments
Each remote desktop software package uses one or more specific TCP or UDP ports for its communications; for example, Remote Desktop uses TCP port 3389, VNC uses TCP port 5900 and up (one port per display), and pcAnywhere uses TCP port 5631 and UDP port 5632. Perimeter defenses need to be modified to permit traffic for these ports to pass. Determining where to deploy the remote desktop host can be difficult, depending on the purpose of the host. For example, if this solution is needed so that a particular user can access his corporate workstation from home, it's unlikely you would move that user's workstation to a screened subnet; you would leave the workstation on the internal corporate network. However, this means you would have to allow external traffic to directly contact the internal host. Host security, particularly host-based intrusion detection and firewalls, is important in such a situation because external parties could target the host.
One way around this is to use SSH tunneling to connect the external host to an SSH server on a screened subnet and then tunnel the remote desktop software traffic through it, so that the perimeter only needs to permit SSH to the screened subnet rather than the remote desktop port to the internal host. Another possibility is to use a product that can be proxied by a firewall, which adds a better degree of perimeter security than just allowing a pure direct connection between an external host and an internal host. The applications and protocols that can be proxied vary widely among firewalls, so make sure to verify your firewall's capabilities.
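The SSH tunneling arrangement described above, as an added example that is not part of the original text: a small POSIX shell script that builds the ssh port-forward command for either VNC or RDP through a bastion host on the screened subnet, and refuses to bind the local end of the tunnel to anything but a loopback address. The bastion name, user, and internal host address are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original text): tunnel single-session remote
# desktop traffic (VNC on TCP 5900 or RDP on TCP 3389) through an SSH bastion
# on a screened subnet, so the perimeter only has to permit TCP/22 to the
# bastion. Hostnames, user and addresses below are assumed for illustration.

# Build the ssh command for a tunnel.
# Arguments: protocol (vnc|rdp), internal host, user@bastion, local bind address.
# Refuses anything but a loopback bind: a forward bound to 0.0.0.0 would
# re-expose the unencrypted remote desktop port on the client's own interfaces,
# turning the client into an open relay into the internal network.
tunnel_cmd() {
    proto=$1; internal=$2; bastion=$3; bind=${4:-127.0.0.1}
    case $proto in
        vnc) port=5900 ;;
        rdp) port=3389 ;;
        *) echo "unknown protocol: $proto" >&2; return 2 ;;
    esac
    case $bind in
        127.*|localhost|::1) ;;
        *) echo "refusing non-loopback bind address: $bind" >&2; return 1 ;;
    esac
    # -N: forwarding only, no remote shell on the bastion.
    # ExitOnForwardFailure makes ssh fail loudly instead of silently leaving
    # the user with a session but no tunnel (and a viewer that then fails).
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:%s:%s:%s %s\n' \
        "$bind" "$port" "$internal" "$port" "$bastion"
}

# The viewer then connects to the local end of the tunnel, never to the
# internal host directly. The double colon tells vncviewer that 5900 is a
# TCP port rather than a display number.
client_cmd() {
    case $1 in
        vnc) echo "vncviewer 127.0.0.1::5900" ;;
        rdp) echo "rdesktop 127.0.0.1:3389" ;;
        *) echo "unknown protocol: $1" >&2; return 2 ;;
    esac
}

# Usage: start the tunnel in the background, then launch the viewer.
#   $(tunnel_cmd vnc 10.0.1.25 alice@bastion.example.com) &
#   $(client_cmd vnc)
```

The bastion's SSH server still needs its own hardening (key-based authentication, and a restriction of which forwarding targets the bastion's sshd permits), since everything the remote user can reach through the tunnel is decided there, not at the perimeter firewall.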
When to Use Single-Session Remote Desktop Software
A VPN-like solution based on remote desktop software provides a capability that no pure VPN method can offer. When a user needs to run graphical applications that cannot be installed on the client system or needs to interface graphically with an application that manipulates huge amounts of data (too much to transfer from the server to the client), remote desktop software might provide the only feasible protection option.
Obviously, single-session remote desktop software is not very scalable. Multiple-session products, discussed in the next section, provide a more robust implementation. But for an isolated use, one external user who absolutely needs VPN-like capabilities to a particular host on the network, such a solution is inexpensive and easy to deploy. Note that single-session connections might be slow due to the amount of graphics being transmitted over the public network. However, when a graphical application must be run on an internal host and have its results sent to an external host, that overhead is inherent and nothing can be done to alleviate it.
Multiple-session remote desktop software is more commonly referred to as a terminal server. A terminal server, such as Citrix MetaFrame or Windows Terminal Services, establishes a desktop standard and allows multiple users to receive virtual copies of the same host desktop at the same time. Because a terminal server grants access to virtual sessions, not the server's actual console, none of its users has access to the others' sessions or data, as long as the server itself is not compromised; a privilege escalation on the terminal server exposes every session running on it. Terminal servers provide a much more robust and scalable solution than single-session software. In addition, most terminal servers offer 128-bit encryption, often SSL-based, for their users' sessions. This section uses Citrix MetaFrame as an example, but other products, such as Windows Terminal Services, have similar capabilities and requirements.
Multiple Remote Desktop Client Integration
To use a terminal server, each host must have the appropriate client software installed. The Citrix MetaFrame client is called ICA Client; it is available for many operating systems, including several versions of Windows and UNIX, Macintosh OSs, PDAs, and even some types of cell phones. There is also a Java ICA Client applet that can be loaded onto a web server, which users can then access through a web browser. ICA Clients are free of charge and available from the Citrix website at http://www.citrix.com.
Multiple Remote Desktop Server Integration
A terminal server should have its own dedicated host. The host should be strongly hardened to reduce the risk of system compromise, of course; this is particularly important because external users will be connecting to this server, so it will be directly exposed to attacks from the outside. After the terminal software has been installed, it should be configured to require all clients to connect using sufficiently strong encryption and strong passwords. Then all desired user applications should be installed on the terminal server.
Multiple Remote Desktop Perimeter Defense Adjustments
Some terminal servers require multiple TCP or UDP ports to be used, whereas others only use a single port; Citrix ICA, for example, uses TCP port 1494, plus TCP port 2598 when session reliability is enabled, and Windows Terminal Services uses TCP port 3389. Some firewalls have proxying capabilities for particular terminal services, but many do not. In most cases, you will probably just have to open holes in firewalls and packet filters to allow such traffic through. Of course, you should place your terminal server on a screened subnet, not your internal network, if at all possible, so that the holes you open lead to a dedicated, hardened host rather than to the internal network.
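The perimeter adjustments described in this section and in the single-session section above can be checked mechanically. The following is an added example, not from the original text: a POSIX shell script that reads an iptables-save style ruleset and reports every ACCEPT rule that lets traffic arriving on the external interface reach a remote desktop port on a host outside the screened subnet. The interface name, the screened subnet address range, and the sample ruleset are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original text: audit an iptables-save style
# ruleset for remote desktop ports that external traffic can reach on hosts
# outside the screened subnet. Interface, subnet and ruleset are constructed.

EXT_IF='eth0'                 # interface facing the Internet (assumed)
SCREENED_NET='192.0.2.'       # screened subnet 192.0.2.0/24 as an address prefix (assumed)
# Ports used by the products discussed: RDP 3389, VNC 5900-5909,
# Citrix ICA 1494 and its session reliability port 2598.
RD_PORTS='3389|590[0-9]|1494|2598'

# Constructed ruleset in iptables-save order (-s/-d, then -i, -p, -m, --dport, -j).
sample_rules() {
    cat <<'EOF'
-A FORWARD -d 192.0.2.10/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.0.1.25/32 -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.0.2.20/32 -i eth0 -p tcp -m tcp --dport 1494 -j ACCEPT
-A FORWARD -s 203.0.113.5/32 -d 10.0.1.40/32 -i eth0 -p tcp -m tcp --dport 5900 -j ACCEPT
-A FORWARD -d 10.0.1.25/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 5901 -j ACCEPT
-A FORWARD -j DROP
EOF
}

# Reads rules on stdin and prints each ACCEPT that lets traffic arriving on the
# external interface reach a remote desktop port on a host that is not on the
# screened subnet. A rule with no -d at all matches every internal host.
# A -s restriction (the pcAnywhere address-restriction case) narrows who can
# connect, but the internal host is still directly reachable from outside,
# so such rules are reported too, with a tag that says so.
audit_rd_rules() {
    awk -v ext="$EXT_IF" -v net="$SCREENED_NET" -v ports="$RD_PORTS" '
        /-j ACCEPT/ && $0 ~ ("-i " ext " ") && $0 ~ ("--dport (" ports ")( |$)") {
            dst = ""
            for (i = 1; i < NF; i++) if ($i == "-d") dst = $(i + 1)
            if (dst == "" || index(dst, net) != 1) {
                tag = ($0 ~ / -s /) ? "source-restricted" : "any source"
                printf "%s  [%s]\n", $0, tag
            }
        }'
}

# Number of offending rules; usable as a gate in a deployment script
# (non-zero means an internal host is directly exposed on a remote desktop port).
count_rd_exposures() {
    audit_rd_rules | awk 'END { print NR }'
}

# Usage: report the offending rules from the sample, then count them.
#   sample_rules | audit_rd_rules
#   sample_rules | count_rd_exposures
```

On the constructed sample the script reports three rules: the RDP rule to an internal workstation, the source-restricted VNC rule to another internal host, and the VNC rule with no destination at all. The ICA rule to the screened subnet and the rule arriving on the internal interface are not reported, which is the distinction the section draws between a terminal server on a screened subnet and a user's workstation left on the internal network.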
When to Use Terminal Server Software
Terminal server software can provide a reasonable VPN-like solution for certain situations. Because the only traffic that is passing between the terminal client and server is graphics, keystrokes, and mouse movements, a terminal server can handle virtually any application and any protocol because the applications and protocols are not passing their traffic across the connection. Unlike the tunneling methods discussed earlier, which could not carry UDP-based applications, a terminal server-based solution would not know or care that UDP was being used on the internal network.
Any time you have graphical applications that must run on a host but be accessed by remote users, particularly over low-bandwidth connections, terminal servers should be strongly considered. Many applications might not be portable due to resource issues, platform requirements, data volumes, software licensing issues, or excessive costs, among other reasons. Often the only feasible way to access these applications remotely and securely is by implementing a remote desktop solution.
However, if you want to use a terminal server-based VPN across the Internet, you should consider the risks associated with doing that. The terminal server's native encryption might not be strong enough, or the encryption implementation might contain serious security flaws. In addition, terminal servers might have authentication issues. Remember that a terminal server is designed primarily to provide remote application usage on a local network, not to secure data that is traversing public networks. Consequently, you might find that to achieve a sufficiently secure solution for Internet usage, you will need to tunnel terminal server traffic inside a standard VPN solution, such as IPSec, rather than rely solely on the terminal server's encryption and authentication mechanisms.