How about Cloud Secure Edge?

Simon_Weel Enthusiast ✭✭
edited December 2024 in Cloud Secure Edge

We use Remote Desktop to access PCs from home. I know it's not the most secure solution for remote access. And no, we don't have port 3389 open for the whole world - it's tied to the home IP address. We asked our SonicWall supplier how to elevate the security for Remote Desktop. They came up with Cloud Secure Edge. I read the product description, but it's not clear to me what it does and how it works. To me, it looks like a 'firewall in the cloud'.

So I wonder what it is exactly. And more importantly, what are the opinions / experiences of those who actually use it?


Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @Simon_Weel I'm currently in the process of evaluating both components of Cloud Secure Edge. Secure Private Access would be the part for your requirement.

    The big advantage is that you don't need to open any ports facing the Internet; it's all done via a Connector component which can run on a SonicWall with SonicOS 7.1.2 (yikes!) and up. The connector is also available on Linux, Docker, VM or Windows. For example, I deployed a connector on Docker in my AWS environment and now I can connect to my internal resources without accepting VPN on my AWS gateway. It's all done internally with a WireGuard tunnel.

    You can publish Web Applications, which does some kind of Reverse Proxy, or you can allow full-fledged Tunnels.

    I highly recommend the Documentation, which holds some great insights.

    https://docs.banyansecurity.io/

    I can't give a final verdict at the moment because I already experienced some bumps in the road, as usual. I'm a magnet for that. But it's on my radar and I have high hopes for it, because it's not only bound to SonicWall Firewalls; time will tell.

    —Michael@BWC

  • dboros Newbie ✭
    edited December 2024

    FYI: In addition to the web applications, the proxy configuration in the CSE console can also surface infra services, so you could actually surface an RDP service as an alternative without doing a full-fledged tunnel — speaking specifically to the request to surface 3389 to users.

    That might also be preferable if you'd like to surface a catalog of services in the desktop app for users with descriptions, help links, auto-run, etc.

  • AaronMokYW SonicWall Employee

    Hi Simon,

    The reason Cloud Secure Edge (CSE) is proposed to elevate the security of RDP is because it focuses on contextual trust for devices. CSE employs the concept of Zero Trust Network Access (ZTNA), which operates on the principle of "always verify, never trust" through continuous trust score assessments on the device itself. "Does the user claim who they really say they are?"

    For example, it regularly verifies the PC with the CSE client installed to ensure features such as an enabled Windows Firewall and endpoint protection are active, among other criteria. If all these trust requirements are satisfied (the type of criteria that must be satisfied can be defined in the console), the client can establish an RDP session via a reverse proxy without needing to expose port 3389 to the internet or even a trusted network destination, as mentioned by dboros. Conversely, if the defined trust criteria aren't met, the RDP services will either be restricted or the client's access privileges will be lowered, adjusted based on the settings specified in the console. And if the PC is compromised while connected to the RDP service, the trust criteria will update itself and disconnect the session automatically.

    This is crucial because it mitigates the potential damage that could occur if an infected Administrator PC gained unfiltered access to all user home PCs via RDP. It just modernizes the way of traditional VPN and improves the user experience.
