Blog

Medium: Threats against your LAN and Cloud resources mean it's time to change

September 22, 2022

Original article posted on Medium

It’s time to adapt and adopt new networking security and connection models for IoT and Cloud

You own a castle.

It will inevitably be attacked.

Do you build a bigger moat? Maybe add more archers at the walls? Does the draw bridge to your main gate work or do you need to upgrade so it can be lifted quickly?

What if I offered you the ability to hide your castle — to make it invisible to enemy eyes but easier to let the good guys in?

It’s all about your defense strategy and where you want to invest scarce resources. You can do the obvious to build more defenses, like adding alligators to your moat, or you can invest in something new that makes traditional permitter defense strategies seem less important.

Your Network is Vulnerable

It’s the same thinking that needs to go into defending your online and networked properties. To do so, you’ll need to start thinking out of the box because it’s time for change as threats escalate and become more severe.

The changes need to come in the form of two major shifts. They are:

  • Hide public IP addresses and makes them very hard to discover
  • Limit user access to a defined endpoint(s) and nothing more

TCP/IP is a foundation

Home, business, cloud, and internet networking growth over the last 30+ years now demands that these shifts accelerate adoption. The foundation for the shift began years ago and is the result of how networks today are designed to operate using TCP/IP as they were when it was invented back in 1978.

While there were competing protocols like Novell NetWare (if you remember that, bonus points to you!), TCP/IP became the de facto standard that is used broadly today. It’s hard to imagine how our global Internet would operate without it.

But that’s the problem. We are relying on a robust and resilient protocol that couldn’t foresee all the exploits of today’s online world. Networking has grown to become complicated beyond what was originally envisioned. It includes a tight orchestration of sending bits through a labyrinth of hardware and software. Expensive appliances for routing, security gateways, VPNs, ISPs, cloud load balancing, and more have become standard for most networks. And how bits are handled on these networks falls into a model called Open Systems Interconnect (OSI).

Layer 3 and 4 of the OSI

The shifts I’m referring to are occurring in Layer 3 and Layer 4 of the OSI model. It has to do with Public IPs and how they ensure we can get data from point A to point B to point ‘n’… Public IPs play a role but have become the problem as they are used as a way of discovery, ID’ing, and exploiting what’s on the other end. It’s like walking around and trying the front doors of homes and businesses. If you try to open enough of them, you’ll find one that isn’t locked, allowing you to get inside and take what isn’t yours.

Tools like Shodan continually scan IPs looking for open ports and determining what’s connected to those IPs. A bad actor can decide if and how they exploit those endpoints with basic knowledge — do they exist or not? If they know a public IP address has something connected and responding, they’ll test whether login credentials are secure or if they can enter via an unprotected open port. And once they succeed, it’s possible to move laterally in the network exploiting other resources.

Discoverable Public IPs are a Problem

ShadowServer’s recent report found over 3.6 million MySQL server instances accessible on port 3306/TCP. That’s a small example of the problem I’m referring to that needs to be changed. Those public IP addresses and exposed ports are at the forefront of discoverability and potential hacking and abuse.

But it’s not just cloud services like MySQL. Any connected IoT device or endpoint broadcasting a public IP that becomes vulnerable because it’s discoverable. If you can’t find the front door because there is no IP address to tell you it’s there, the bad guys are going to go somewhere else where there are easier targets.

The second part of the shift is accessing endpoints and who gets access. This means using a zero trust model that only makes the endpoints available to authorized users. Those users don’t need to know the public IP — they just need to create a connection when access is required. In other words, authorize the user to get endpoint access by doing all the heavy lifting and connection management for them. The only thing the user should deal with is when they want to connect to a specific endpoint — not exposing them to an entire LAN or subnet.

Solution

Let’s go back to the castle, which is analogous to an endpoint with a specific IP address (or multiple IPs). You only have so many arrows and you’ll need to decide where to aim them. If arrows are even your thing. One thing is clear, you should be spending less time defending your public IPs with ever-increasing and expensive security perimeters.

For security and management, spend less time with less effort. Hide public IPs - get your IPs off the public internet!

The required shift means networking professionals must rethink their strategies and introduce better connection methodologies to secure their networks while making user connections better and easier. Point-to-point connections for authenticated users greatly simplify security by only allowing those that need access to get access. As is common with VPNs and other security appliances, no subnets and associated devices are exposed.

A New Class of Tools

A new class of networking tools like Remote.It will make these shifts easy. Remote.It works because it manages the overhead of connecting to both Cloud and IoT endpoints. Once the private networks are defined with specific endpoints added, the users can then be invited to connect to a single or multiple set of endpoints of your choosing.

With Remote.It, endpoints don’t need exposed public IPs on the network. Remote.It hides the IP address and makes the endpoint undiscoverable from malicious scans.

This means open ports can no longer be exploited.

With Remote.It, a shared endpoint, gives any invited user easy and secure access. The user can connect because they were invited to connect to a specific endpoint and don’t have to deal with the hassles of configuring and setting up the device access. And keeps them from connecting to other endpoints on the LAN, because even they can’t see them.

Get ready to shift. Stop building bigger moats. Use Remote.It to hide your castle and to choose which invited users to let in. It’s simple and it just works!

Related Blogs