Company requires VPN then remote desktop
#1, May 13, 15, 8:27 pm (Original Poster)

Our company has a private system that is accessible from anywhere through the web. Meaning, technically, you can type in the web address, log in with your id and password, and you'd have full access to the information.

Our company makes it a security violation to log in without going through the following procedures:

We must sign into the VPN server.
We must then sign into remote desktop to connect to the website.

My question is, does connecting to the remote desktop make the connection any more secure than just connecting to the VPN server? Connecting to remote desktop makes it incredibly slow.

I've done work with other companies before where all you had to do was connect to the VPN server, and they were bigger companies that had an even greater need for security (needless to say, you could not even connect to the site without connecting to the VPN server first).
jetsfan92588

#2, May 13, 15, 8:43 pm
Seems kind of dumb to require Remote Desktop over VPN only to have the system ultimately be internet facing. Kinda defeats the point of VPN.

But yes, Remote Desktop over VPN in many cases adds an extra layer of security. I'm just not sure it does in your specific case.
javabytes

#3, May 13, 15, 11:00 pm
RDP transfers only the image of the screen, not the data on the screen itself. With powerful OCR available that's a very minor improvement.
BStrauss3

#4, May 13, 15, 11:27 pm
Originally Posted by BStrauss3:
> RDP transfers only the image of the screen, not the data on the screen itself. With powerful OCR available that's a very minor improvement.

OCR is a highly unlikely attack on RDP. Much more likely would be an attempt to sniff keystrokes.

Preventing data leakage is a major benefit of Remote Desktop solutions, but with the system being internet facing it's hard to imagine that's what they're really after.
javabytes

#5, May 14, 15, 1:36 am
One policy I'm increasingly seeing quoted as "Best practice,"* is barring devices not supplied by the company to directly access network resources. In this scenario, connection to the mail server, or a share-point, is fine, but direct access to the network (file servers, SSH sessions and so on) is verboten. For example, from home I can only access through remote desktop over VPN, if I'm using my own PC. For full access, I have to bring my laptop home.

* Best practice? You can make of that whatever you want.
Internaut

#6, May 14, 15, 7:36 am
What kind of computer are you remote desktop-ing to? Perhaps that VM instance is a bit more locked down than normal?
pseudoswede

#7, May 14, 15, 9:37 am
They can be more sure the machine you remoted into is uninfected than the machine you are using to connect.

It's also much harder to do bulk data theft over a remote desktop than by direct connection.
Loren Pechtel

#8, May 14, 15, 11:04 am
Yes, but it's silly to have a system that needs that level of security be Internet-facing...
AllieKat

#9, May 14, 15, 1:11 pm
The VPN handles secure encrypted data connection to the remote network for authorized users.

The Remote Desktop connection enables the remote user to interact with a desktop session inside the remote network.

Neither function replaces the other. Tomato vs potato. Although some, but not all, implementations of Remote Desktop Services do handle authentication and data encryption.
WWGuy

#10, May 14, 15, 2:37 pm
Originally Posted by AllieKat:
> Yes, but it's silly to have a system that needs that level of security be Internet-facing...

I am not so sure that it's silly.

It can be rather effective to reduce data theft scale and scope or otherwise address such concerns. Also, it frustrates some unauthorized surveillance/spying tools, malware, etc. and user-driven configuration changes that mess up systems or otherwise increase the clean-up work load.

The game is risk management; for risk elimination may be far less affordable.
GUWonder

#11, May 14, 15, 3:40 pm
I think the OP's point is that this internal remote desktop system is in fact accessible to the broader internet without first signing onto VPN. So OP's company IT apparently has some 'splaining to do.
gfunkdave

#12, May 14, 15, 3:45 pm
Originally Posted by jetsfan92588:
> We must sign into the VPN server.
> We must then sign into remote desktop to connect to the website.
>
> My question is, does connecting to the remote desktop make the connection any more secure than just connecting to the VPN server? Connecting to remote desktop makes it incredibly slow.

In short: Yes.

They do different things. The VPN protects your interaction with the RDP box (keystrokes, screen image) from being intercepted. Using an RDP server means that 'data' is never transferred to your local device.

To give a practical example. Say you wanted to update a confidential sales file and email it to someone else in your business. The VPN would stop anyone intercepting the keystrokes of you writing the email, updating the spreadsheet etc. Using RDP would mean the sales file and email were never on your laptop, so if it got stolen or cloned by customs etc there would be no risk of the file falling into someone else's hands.
N1AK

#13, May 14, 15, 8:16 pm
Originally Posted by jetsfan92588:
> We must sign into the VPN server.
> We must then sign into remote desktop to connect to the website.

I assume "the website" is a website on the company intranet? Could be many reasons, including, but not limited to: high security, lazy IT peeps who don't feel like properly configuring tunnels or proxies, or perhaps you're going into a third network (see below).

I have a (virtual) server in my house that is VPN tunneled outside the U.S. for reasons I'm not at liberty to discuss. Often, I'll VPN into my home network from the road, and then RDP to the server that has all its internet traffic put through another VPN tunnel. So it may appear I'm in Sweden when I'm really in a hotel in Chicago.
HDQDD

#14, May 15, 15, 12:58 am
Originally Posted by GUWonder:
> I am not so sure that it's silly.
>
> It can be rather effective to reduce data theft scale and scope or otherwise address such concerns. Also, it frustrates some unauthorized surveillance/spying tools, malware, etc. and user-driven configuration changes that mess up systems or otherwise increase the clean-up work load.
>
> The game is risk management; for risk elimination may be far less affordable.

I didn't say the policy was silly. I said it was silly to have the server for something they feel needs this policy be facing the public Internet. The fact a server they consider this sensitive is facing the public Internet is absurd.
AllieKat

#15, May 15, 15, 1:36 am
Originally Posted by AllieKat:
> I didn't say the policy was silly. I said it was silly to have the server for something they feel needs this policy be facing the public Internet. The fact a server they consider this sensitive is facing the public Internet is absurd.

As I mentioned, it's not silly. Unless certain other attributes (which are not known here) are certainly involved, there are still risk mitigation benefits attributable to even such arrangements.
GUWonder
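
Added example, not part of any post in this thread: the thread keeps returning to the fact that the VPN-then-remote-desktop rule is only a policy while the site still answers on the public internet. One way to audit that policy from the web server's access log, assuming Common Log Format and hypothetical values for the remote-desktop host subnet, the VPN address pool and the login path:

```python
import ipaddress
import re

# Assumptions (hypothetical values): remote-desktop hosts live in RDP_HOST_NET,
# VPN clients get addresses from VPN_POOL, and logins are POSTs to LOGIN_PATH.
RDP_HOST_NET = ipaddress.ip_network("10.20.30.0/28")
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
LOGIN_PATH = "/login"

# Common Log Format: client ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
10.20.30.5 - alice [13/May/2015:20:27:01 -0500] "POST /login HTTP/1.1" 302 0
203.0.113.44 - bob [13/May/2015:20:31:12 -0500] "POST /login HTTP/1.1" 302 0
10.8.0.17 - carol [13/May/2015:20:40:55 -0500] "POST /login HTTP/1.1" 302 0
203.0.113.44 - bob [13/May/2015:20:32:00 -0500] "GET /reports HTTP/1.1" 200 5120
198.51.100.9 - - [13/May/2015:21:02:10 -0500] "POST /login HTTP/1.1" 401 0
not a log line
"""

def classify(ip_text):
    """Label where a request came from relative to the required path."""
    ip = ipaddress.ip_address(ip_text)
    if ip in RDP_HOST_NET:
        return "via-remote-desktop"
    if ip in VPN_POOL:
        return "vpn-only"
    return "internet-direct"

def audit(log_text):
    """Return login attempts that did not originate from a remote-desktop host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        try:
            origin = classify(m["ip"])
        except ValueError:  # client field is not an IP address
            continue
        if origin != "via-remote-desktop":
            ok = m["status"][0] in "23"
            findings.append((m["user"], m["ip"], origin, "success" if ok else "failed"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any "internet-direct" entry, successful or not, shows the site is reachable without the VPN; restricting the site to the remote-desktop hosts' addresses would turn the policy into an enforced control.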