What's the problem that tunneling is trying to solve?

[shivajikobardan]

Currently in my company, we're using VPN->Then RDP. And inside RDP, we access remote server. While some servers are directly accessible, some are not. We need to do tunneling for it. I'm failing to understand the point of tunneling. I've read articles after articles like this(https://www.gaia-gis.it/fossil/virtualpg/wiki?name=port-forwarding), but it's not entering my head.
Can't anyone who knows the server IP and has company VPN; tunnel and get access to that server? I know they can, but what's the point of that tunnel? They could've just filtered by requests coming via a particular IP say xx.xx.xx.xx to be allowed and reject everything else. What's the point of tunneling?

What's the problem that tunneling is trying to solve

[Levent]

Security. Some services are extremely vulnerable to attacks (Like SMB). Having them out in the open is asking for trouble. Filtering each users IP address is much much more effort than installing a VPN to the user.

[Needfuldoer]

10 minutes ago, shivajikobardan said:

I'm failing to understand the point of tunneling.

A VPN minimizes the company's security exposure, because only that one service is exposed to the Internet. Everything else is locked down and inaccessible without the VPN connection.

 

Without a VPN, your company would have to expose all of their service to the wide open Internet in order to allow access. The company's infrastructure would be virtually impossible to secure, because hackers could easily exploit a zero-day vulnerability in any system. 

 

A VPN tunnel also protects all company Internet traffic from the client device back to their system. If everything was just exposed to the public Internet, their traffic could be sniffed by other devices connected to the same network if they use public WiFi.

 

10 minutes ago, shivajikobardan said:

Can't anyone who knows the server IP and has company VPN; tunnel and get access to that server?

Not necessarily, because they still have to authenticate with the VPN in order to light the connection up.

 

That's also why two-factor authentication like an RSA key or an app like Duo is so important; that's a second device that needs to be stolen or compromised on top of the unauthorized user having a known working login.

 

11 minutes ago, shivajikobardan said:

They could've just filtered by requests coming via a particular IP say xx.xx.xx.xx to be allowed and reject everything else.

That's far more work to set up and keep updated, because public IP addresses are not static. There are many, many reasons they can change; for example they could reboot or replace their modem, or they could switch to tethering off their phone, or they could use the public WiFi at a restaurant or hotel.

 

8 minutes ago, Levent said:

Security. Some services are extremely vulnerable to attacks (Like SMB).

Exactly. Exposing RDP to the open Internet is a terrible idea.

[shivajikobardan]

I'm talking about ssh tunneling lol.

[Kaetemi]

Routing of private LAN address spaces. Encrypted traffic. No external visibility of who's connecting to what.

[Levent]

32 minutes ago, shivajikobardan said:

I'm talking about ssh tunneling lol.

Same idea, not everything is secure exposed even if that is LAN. You can only expose SSH port for example of a production server and access everything that runs in it without (for example mysql) exposing MYSQL to the whole network. You should ask this to the sysadmin, each scenario is different and we are all playing the guessing game here.

[Akolyte]

13 minutes ago, shivajikobardan said:

I'm talking about ssh tunneling lol.

Whitelisting IP addresses generally isn't considered secure, and although many cloud tutorials will show that as a valid option, it's highly discouraged. 

 

It's essential to note that tunnelling can be done via SSH, VPN or any service, but it's still the same idea. 

 

Even though you use VPN -> RDP, that's quite an outdated mechanism; nowadays, it's preferred to avoid VPNs and opt for a zero-trust model via a web service or something like that, so it's even tighter nowadays. 

 

Here is what tunnelling is intended to solve:  

1. In-transit security & obfuscation

2. Authentication

3. Centralised access and auditing

 

1. in-transit security:

If you think about a database, your database could contain sensitive information - while restricting its access to a set of IP addresses could be a reasonable security control - it still leaves communication's vulnerable. 

 

Even communications via TLS will still reveal the port, hostname, and the packets will be encapsulated with whatever encryption the DBMS provides by default.  Web services commonly have vulnerabilities (your RDP, a Windows server). You can't trust accessing even a secure service, if it's private, over the public internet relying on its security mechanisms alone. 

 

By using a tunnel, we connect to a server using a more robust and trusted security protocol (e.g. SSH or OpenVPN) over a more generic port to a more generic hostname, and this protocol further encrypts our traffic, providing additional security against vulnerabilities in the web service we're accessing. 

 

Lastly, these exposed services are common targets even if they are secure. Many people develop complex exploits for them, many that won't work on more straightforward, more robust security protocols like SSH.  For example, there are known tools people use to compromise RDP.   Using a VPN provides an extra security layer. 

 

 

2. Authentication:

It's less of an issue for RDP, but many companies will use tunnelling because it encourages a centralised authentication mechanism for their employees to access internal services.  

 

For example, maybe you'll have an employee login to your VPN, and they can refer to that login to view your network traffic, apply network policies, and revoke remote access quickly in case of a compromise without impacting your at-the-office credentials. 

 

3. Centralised access & auditing :

Companies these days are encouraged to have a good audit trail - they store logs on: 

- when you connect to what machines, 

- what IP address and device do you connect from,

- what actions you perform, 

 

using a tunnel allows them to centralise this logging in one place, like a funnel - they can gather these logs from one place (the VPN or SSH server), and this provides them with reassurance that their audit logs are complete and have better observability so they can detect incidents quicker. 

 

--------------------

 

I know this was a bit long, man, but I hope this has helped you understand why some companies opt for tunnels. VPNs are pretty standard, but RDP over VPN is considered a security risk - there's usually another layer or 2 in there. 

 

[shivajikobardan]

@Akolyte I love longer posts man. Thanks.

[Isuck Assimov]

tldr;

Confidentiality
Integrity
Authenticity

[Mark Kaine]

On 7/7/2023 at 12:23 PM, shivajikobardan said:

I'm talking about ssh tunneling lol.

it makes your internet work, thats all you need to know ; p