As the world becomes more digital and global, organizations are opening up their networks and internal applications to the outside world (e.g. business partners) far more than in the past.
The common methods of integration with business partners include providing FTP/S access, VPN and SSL VPN access, reverse-proxy access, RDP, etc. But with great cooperation and openness to the world comes a high level of risk. The common access options have benefits but also major faults:
- FTP/S and SFTP – File servers are simple to deploy and use by either internal or external users, and are usually placed in the DMZ for easy access. However, this approach invites hackers to attack such a service, using it as a jump point into the network via the open firewall port, or to steal its SSL keys and certificates.
- VPN / SSL VPN – VPNs offer high security by utilizing certificates or other authentication mechanisms. However, they pose various challenges when used by business partners – they are complicated to manage because certificates must be distributed to partners, there is no support for ad hoc access, and they store SSL certificates, usually in the DMZ, making them prime targets for SSL-based attacks.
- Reverse Proxy access – reverse proxies are the simplest means of allowing external parties to access internal applications: they are simple to deploy and offer a wide range of security options. However, they pose quite serious security concerns – hackers can easily “see” and attack them using various SSL/SSH-based attacks or OS-based vulnerabilities, they store SSL keys in the DMZ unprotected, they require opening ports in the firewall, and more.
- RDP (Remote Desktop) – remote desktop access is used to allow remote/external access to a specific machine within the network. This access can be granted to organization employees or 3rd-party partners; however, in most cases the basic requirement is the use of a VPN connection over which the RDP protocol will flow. This results in the VPN deployment challenges discussed above.
Safe-T RSAccess Application Access Proxy introduces an evolution in the way organizations grant secure external access to their services. It offers true secure access to internal applications and machines, while:
- Offering robust authentication options for both registered (internal, external, partners) and ad hoc users (AD, SAML, certs, OTP, etc.)
- Removing the need to distribute certificates for partners
- Performing SSL decryption in a secure zone, and removing any SSL keys from the DMZ
- Ensuring organizations do not deploy any DMZ components which can be hacked and utilized to access the network
- Removing the need to open ports in the firewall, thus preventing port and OS scanning attack vectors
- Preventing access to the network as a whole, allowing access only to a specific application/service
- Supporting RDP services over HTTPS (i.e. RDH5), making it possible both to secure RDP and to scan the traffic