Cloudflare Access; Protecting remote desktops for teams | RDP protection
Cloudflare Access; Protecting remote desktops for teams, big or small
With attacks on remote desktop software rising dramatically, protecting remote desktops with any means possible seems more important than ever. In this post, we review different tools to secure RDP, with a focus on Cloudflare Access.
Cloudflare Access creates a secure tunnel to protect RDP connections for the end-users. To do so, you need to have a Cloudflare account and a site active on Cloudflare. You also need to install Cloudflared daemon on the host and client machines.
What is remote desktop software?
Remote desktop is a software feature that enables users to connect to a distant computer, see its desktop and take over it remotely, like they’re controlling their local system.
Remote desktop tools such as Microsoft’s Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) have been here for over two decades.
Note that remote desktop software should not be confused with Corporate VPN intranets , which is another technology that allows remote access to computer systems. Remote desktop tools are usually faster, less expensive, and less complicated to set up than Corporate VPNs. Therefore, remote desktops are more common these days, although large corporations may still use Corporate VPNs.
As Windows’s built-in remote desktop tool, which is also supported on macOS operating systems, RDP is currently the most popular remote desktop protocol in the world. Configuring RDP is not complicated, it enables users to easily access remote resources and run applications remotely, so it seems like a perfect choice for companies that need to let their employees work remotely, especially if they are in a hurry to set up remote access. The problem is that many such companies do not pay enough attention to securing RDP connection, which could result in security disasters, like Ransomware attacks .
Protecting remote desktops
By exposing your system to the Internet, RDP brings about lots of potential risks for your computer. The good news is that you can block the risks and protect your remote desktop connections to a great extent, by being mindful of the RDP vulnerabilities and taking some important security precautions. There are also several third-party tools that can make protecting RDP easier for you.
One common tool for protecting remote desktops is pass-through VPNs that encrypt network traffic before sending it over to the destination. A pass-through VPN connects your system to a server, which is another computer on the Internet and can be anywhere in the world. This way, it looks like you’re on the same local network as the server. Therefore, you can browse the Internet using that computer’s Internet connection and that network’s Internet protocol (IP) address.
Another effective way to protect remote desktops is by using a powerful firewall that is equipped with RDP protection features. For example, SunFirewall can dynamically change Remote Desktop Port, find suspected RDP users and detect and block Brute-Force attacks. It also provides RDP users with an advanced two-step authentication method and lets you thoroughly monitor your network traffic by offering detailed report logs.
Today, we want to discuss Cloudflare Access, a relatively new product by Cloudflare, Inc. which claims to be a secure replacement for legacy corporate VPNs.
What is Cloudflare Access?
Cloudflare for Teams is a set of security products that aim to protect devices, networks, and applications for online teams. Cloudflare for Teams consists of two main products: Cloudflare Access and Cloudflare Gateway.
Cloudflare Access is an identity and access management product that provides secure access to online team resources by authenticating every employee and device and making sure they are really who they say they are.
Currently, Cloudflare collaborates with different identity providers and security companies, such as Okta, OneLogin, and Ping Identity, VMware Carbon Black, Malwarebytes, and Tanium.
Using per user and per application security checks and encrypted tunnels, Cloudflare Access can secure web apps, SSH connections, and remote desktops.
Corporate VPN vs Cloudflare Access
Cloudflare call Cloudflare Access the modern VPN. To understand why, let’s briefly compare legacy corporate VPN vs Cloudflare Access.
In legacy VPNs, internal corporation resources are located in the safety of the company’s intranet, while they are accessible to the outside users through encrypted Internet connections. Cloudflare Access provides secure online access to the corporate resources as well. But with Cloudflare Access, teams can put everything on the Internet in the first place, knowing that no Internet connection or online user is trusted until they are proved otherwise. This is called Zero-Trust security policy.
So, instead of locking everything up in a local safe house and then, endeavoring to create a safe way out from it to the unsafe Internet, Cloudflare Access lets resources be on the Internet, but tries to put secure locks on them so only the authenticated users with the required permissions can access them.
The idea was used by Google in building BeyondCorp, an application the company created for its own employers only. Now, Cloudflare Access has made it available to the public.
How to deploy Cloudflare Access to protect remote desktops
Cloudflare Access authenticates every user with their single sign-on (SSO) provider so they can safely connect through Remote Desktop Protocole and access remote files and resources.
With Single sign-on (SSO), end-users need to logging in only once, with just one set of login credentials (e.g. an Id and password), to be able to securely authenticate and access multiple applications and websites. Services and websites that are accessed through SSO trust a reliable third party to verify that users are who they claim to be.
To secure RDP connections, you need to configure your Cloudflare Access-protected server to deploy Argo Tunnel for RDP connections.
Argo Tunnel uses the Cloudflare daemon, Cloudflared, to create a persistent connection between your web server and the Cloudflare network. After installing the daemon and configuring Argo Tunnel, the Tunnel creates an encrypted connection between the RDP server and Cloudflare edge. Then, Cloudflare Access uses identity-driven rules created by the users to decide who could log in to their resources and block the rest of the Internet from accessing them.
To use Cloudflare Access to protect RDP you have two options: You can either opt to deploy the Cloudflare agent on every target machine or use Argo Tunnel RDP Bastion mode which only requires installing Cloudflared once, in a bastion mode, in your target environment.
Installing the Cloudflare agent on each RDP server
When Cloudflare Access first started protecting RDP connections, it required deploying Cloudflare daemon on all RDP desktops.
To start setting up Access for RDP protection, after installing Cloudflared on the required remote machine, you need to authenticate the Cloudflare daemon into your Cloudflare account. Then you should create a new policy to control who can connect to the desktop and the subdomain you plan to register. Finally, use the default RDP port, 3389, or other available ports, to connect the remote desktop to Cloudflare.
Argo Tunnel RDP Bastion mode
A while after introducing Cloudflare Access’ new feature to protect RDP, the developers realized setting up a new daemon on every server could be too costly and time-consuming, especially for bigger corporations who may need to allow thousands of employees work through RDP. So, they came up with Argo Tunnel RDP Bastion mode, as an easier and faster way to provide RDP protection on a larger scale.
In this method, authorized users can reach any RDP desktop through a single Cloudflared instance.
Aiming to be a modern replacement for legacy corporate VPNs, Cloudflare Access provides secure access to online team resources by authenticating every employee and device and making sure they are really who they claim to be.
Protecting remote desktops is one of the recent features provided by Cloudflare Access. Setting up Cloudflare Access to protect RDP, is easier than configuring corporate VPNs, especially if you use Argo Tunnel RDP Bastion mode.
Cloudflare Access offers many options and features, but the interface may be confusing for non-technical users. Also, more advanced features require extra payment, so the subscriptions can get costly quickly.