SASE Week 2023 On-Demand! Explore sessions.

  • Security Service Edge Products

    Protect against advanced and cloud-enabled threats and safeguard data across all vectors.

  • Borderless SD-WAN

    Confidently provide secure, high-performance access to every remote user, device, site, and cloud.

The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Borderless SD-WAN: Ushering in the New Era of Borderless Enterprise

Netskope Borderless SD-WAN offers an architecture that converges zero trust principles and assured application performance to provide unprecedented secure, high-performance connectivity for every site, cloud, remote user, and IoT device.

Read the article
Borderless SD-WAN
  • NewEdge

    NewEdge is the world’s largest, highest-performing security private cloud.

  • Cloud Security Platform

    Unrivaled visibility and real-time data and threat protection on the world's largest security private cloud.

  • Technology Partners & Integrations

    Netskope partners with the strongest companies in enterprise technology.

Embrace a Secure Access Service Edge (SASE) architecture

Netskope NewEdge is the world’s largest, highest-performing security private cloud and provides customers with unparalleled service coverage, performance and resilience.

Learn about NewEdge
NewEdge
Your Network of Tomorrow

Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.

Get the white paper
Your Network of Tomorrow
Netskope Cloud Exchange

The Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Learn about Cloud Exchange
Netskope video
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope enables a safe, cloud-smart, and fast journey to adopt cloud services, apps, and public cloud infrastructure.

Learn about Industry Solutions
Wind turbines along cliffside
  • Resources

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog

    Learn how Netskope enables security and networking transformation through security service edge (SSE).

  • Events & Workshops

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

Unveiling the Under-reported Aspects of AI
Emily Wearmouth sits down with Neil Thacker, EMEA CISO, Yihua Liao, Head of Netskope AI Labs, and Suzanne Oliver, Director of IP Strategy at Scintilla, to discuss the topics in the realm of AI that they each wish people were discussing more.

Play the podcast
Unveiling the Under-reported Aspects of AI Social card
Latest Blogs

How Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explore sessions
SASE Week 2023
What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn about Security Service Edge
Four-way roundabout
  • Our Customers

    Netskope serves more than 2,000 customers worldwide including more than 25 of the Fortune 100

  • Customer Solutions

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Netskope Community

    Learn from other network, data, and security professionals.

  • Training and Certification

    Netskope training will help you become a cloud security expert.

We help our customers to be Ready for Anything

See our Customers
Woman smiling with glasses looking out window
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
The Netskope Community can help you and your team get more value out of products and practices.

Go to the Netskope Community
The Netskope Community
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working
  • Company

    We help you stay ahead of cloud, data, and network security challenges.

  • Why Netskope

    Cloud transformation and work from anywhere have changed how security needs to work.

  • Leadership

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Partners

    We partner with security leaders to help you secure your journey to the cloud.

Supporting sustainability through data security

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more
Supporting Sustainability Through Data Security
Highest in Execution. Furthest in Vision.

Netskope recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge.

Get the report
Netskope recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge.
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling

It’s All About Access: Remote Access Statistics for Public Cloud Workloads

Oct 06 2020

Introduction

The more things change, the more they stay the same.

In the recent Equinix breach in September 2020, 74 RDP servers were exposed to the Internet. Any publicly exposed ports are a risk but remote access protocols such as RDP have had their share of critical vulnerabilities (e.g., BlueKeep in 2019).

In this blog, we will look at remote access statistics of public cloud workloads based on 287,877 compute instances across 327 anonymized production environments in AWS, Google Cloud, and Azure. The focus will be on a few common ports/protocols used for remote access or management of workloads, namely: SSH, RDP, and to a lesser extent, VNC.

What we will find is that:

  • Direct Access is Still Very Common
    Direct access to compute instances is still very common (35-85%+ of public workloads depending upon cloud provider environment)—allowing inbound traffic to ports from public CIDRs for SSH/RDP. Although this finding is not necessarily surprising, the high percentage of workloads is, from 35% up to 85%. Unsurprisingly, SSH is the most common due to the popularity of Linux workloads, followed by RDP, then VNC.
  • Broad Internet Exposure is Alarmingly Common
    Additionally, a fair number of network configurations allow broad source IP CIDRs to access these same ports (SSH/RDP) e.g. from the entire public Internet (0.0.0.0/0). Over 13% of AWS public instances allow inbound access to All Destination Ports from any public Internet address, 71% of AWS public instances allow SSH from any public Internet address, and 14% of AWS public instances allow RDP from any public Internet IP address.
  • Better Secure Access Alternatives Not Deployed
    The implication from the above is that better secure access alternatives from the cloud service providers or other vendors are not being deployed. These alternatives are more secure than direct access or bastion hosts in almost every area (credential/key management, authorization, auditing, protocol/port attack surface, protocol vulnerabilities) and are referenced later in this blog.

Direct remote access

To identify direct access, we looked at public compute instances (with at least one assigned public IP address) that have a network security group or firewall ruleset that allows inbound traffic to a port range that included any of: 22 (SSH), 3389 (RDP), or 3800/3900 (VNC) and from a public source IP range. We counted separately the All Port range (0-65535).

We might guess that remote access directly to public instances is still common in the cloud, but the frequency of occurrence is eye-opening:

  • In AWS, out of 6,597 public EC2 instances, 16% allowed inbound traffic to All Ports, 36% to SSH, 8% to RDP, 1% to VNC.
Bar graph showing AWS public compute instances of remote access
  • In GCP, out of 5,675 public compute instances, 55% allowed inbound traffic to All Ports, 88% to SSH, 85% to RDP, and 1% to VNC.
Bar graph showing GCP public compute instances of remote access
  • In Azure, out of 15,432 public compute instances, 53% allowed inbound traffic to SSH.
Bar graph showing Azure public compute instances of remote access

As we can see, direct inbound access from the Internet to public compute instances is very common, regardless of cloud service provider. This reflects bad security practices since there are better alternatives mentioned below.

In addition, allowing traffic to all All Destination Ports (0-65535) is commonly found in AWS (16%) and GCP (55%) public compute instances. Overly broad port access only increases the risk of port scans and exploits of other services running on the compute instances that normally should not be exposed to the Internet.

Internet exposure

In the inbound traffic rules and data above, narrow IP allow lists restricting traffic from a single IP address (/32) would normally mitigate some of the risks above. To provide more context, we break down the source IP ranges for these same public instances and protocols. Since VNC counts were negligible, we will focus on SSH and RDP.

We see that there are a significant number of compute instances with networking rules allowing traffic from any public Internet address

  • In AWS, out of 1,054 public compute instances allowing All Destination Ports, more than 15% (161) of these can be scanned/attacked from any public IP address. For those instances allowing SSH, more than 36% (859) are reachable from any public IP address. And for RDP, more than 30% (166) of the compute instances are reachable from any public IP address.
Bar graph showing CIDR distribution of AWS remote access
Table showing values used to create bar graph of CIDR distribution of AWS remote access
  • In GCP, similarly, more than 44% of the compute instances have rules allowing inbound traffic from any public Internet address to All Destination Ports. Instances allowing SSH are minimally exposed to the whole Internet (only .5%). But for those instances allowing RDP, more than 50% are reachable from any Internet address.
Bar graph showing CIDR distribution of GCP remote access
Table showing values used to create bar graph of CIDR distribution of AWS remote access
  • In contrast, the Azure compute instances in this dataset have tighter network controls. All Destination Ports, RDP and VNC were tightly restricted, and out of the 8,128 instances allowing SSH and the one instance allowing RDP, all (100%) of the instances were restricted to traffic from a single source IP address (/32).
Bar graph showing CIDR distribution of Azure remote access
Table showing values used to create bar graph of CIDR distribution of Azure remote access

Conclusions

In the above environments, there are clearly some security concerns:

  • Compute Instances: A significant number of public compute instances allow direct remote access to either SSH or RDP from the Internet. This ranges from more than 40% of public instances in AWS, 50% in Azure, and more than 85% in GCP that allow this traffic.
  • Ports Exposed: It is not only the number of instances, but the number of ports exposed in each instance. In AWS, 16% (1,054) of the public compute instances have All Destination Ports open to inbound traffic from the Internet, and in GCP, more than 55% (3,136) expose All Ports as well.
  • Internet Exposure: Additionally, the breadth of source IP ranges that are allowed to contact compute instances is overly broad. In AWS, 15% up to 36% of the public compute instances expose All Ports, SSH, or RDP to the entire Internet. in GCP, 44% to 51% expose All Ports or RDP similarly.
  • Protocol Vulnerabilities: There is more risk due to multiple protocols e.g. SSH and RDP and VNC. Hardening practices differ, and it’s more difficult to manage access consistently due to differences in authentication (keys/AD/password), authorization (AD/OS-level), logging (different local logs). In addition, all three protocols (SSH, RDP, VNC) have had numerous vulnerabilities and CVEs such as RDP BlueKeep etc. In addition, there are specific attacks such as SSH multiplexing that are protocol dependent.

Fortunately, there are several, relatively simple measures that can be taken to reduce these risks:

  • Audit/Configuration Checks: Compute instances and their security groups or firewall rules can be regularly audited for insecure settings, such as All Destination Ports allowed or overly broad Source IP CIDR ranges including 0.0.0.0/0. This can be done DIY with API/CLI scripts or with commercial offerings such as Netskope for AWS, Azure, and GCP

Data analysis and methodology

The analysis presented in this blog post is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization.

A compute instance was determined to be public if the instance had an assigned public IP address. Network routability or other intervening controls were not considered.

Protocols were inferred from common default ports for the major remote access protocols (SSH = tcp/22, RDP = tcp/udp/3389, VNC = tcp 3800/3900). Compute instances that allowed All Destination Ports (0-65535) were counted once only, while double-counting among protocols were allowed especially if ranges were used (e.g. allowed destination port range: 0-5000 would count for both SSH, RDP, and VNC).

author image
Jenko Hwong
Jenko has 15+ years of experience in research, product management, and engineering in cloud security, AV/AS, routers/appliances, threat intel, Windows security, vulnerability scanning and compliance. At Netskope, he researches new cloud attacks.

Stay informed!

Subscribe for the latest from the Netskope Blog