The tricky problem of remote access and thin clients


I am being haunted by the spectre of temptation.

Every writer covering the recent announcement of Dell’s acquisition of Wyse is besieged by dreadful puns – not only in the name of the acquisition but in the job their products do, to wit, being thin.

To make it worse, Wyse has not been behaving like a traditional acquisition target lately – if anything, their results have been robustly healthy, not the usual walking-wounded or leaderless accident waiting to happen conjured up by takeover news.

Dell has had a consistent run of purchases in the corporate sector over the last few years. No asset-stripping, competitor-squashing rampage for this company; it’s all about adding on to the core business and the core values. 140 patents in thin client computing isn’t a bad haul.

Except this: I have hardly come across a single Wyse product out in the wild, and precious few thin products, no matter what type of client I arrive in – and I am a very long-standing thin client computing aficionado. I actively propose it wherever I go, mainly as a way of breaking out of those tedious version gridlocks which beset any company making use of a Windows-hosted specific database product that might be – how shall I put this – a bit crappy. And that is a huge slice of pretty much any and every sector of business.

The main reason why I didn’t recommend Wyse or other dedicated thin terminals in that situation was very simple: It was Dell. No matter how much I proposed the maintenance-free concept of a thin client on a desktop, the riposte was always the same – “Oh, but our Dell salesman can undercut that by half, and we get a proper full sized PC for the money!”.

And the customer was almost right. True enough, the cost-per-unit was lower for a Dell Windows deskside PC: the Dell Windows ultra-small-form-factor machines were if anything more expensive than their air-filled, plastic-box range-buddies – and both could (frequently, by a lot) undercut the svelte and just-slightly-slow Wyse, HP and other thin clients.

This always seemed to me the conundrum about thin computing. Users wanted to feel they had a “real PC”, and unless an organisation could draw up a fully thought-out environmental impact statement, and were already used to thinking about centralised management and therefore strongly motivated to keep Windows off the desktop, then they wouldn’t have an easy job justifying a £500 plus gap between general-purpose, high-power devices, and the kind of tightly built and controlled platform that Wyse have been making for the last two decades or more.

Of course, some companies are indeed like that, as Wyse’s financial results clearly show, but that’s not where the thin client party is, anymore, these days. Thin client suddenly changed, from meaning “tightly controlled box on the back of the monitor” to “completely uncontrolled, wild-west crazy smartphone or tablet, jingling about in the user’s jeans pocket”.

That’s a massive market shift by anyone’s measure. In 2005, nobody would have really predicted that by 2012 we would seriously consider a smart cellular device as a credible means of accessing the thick part of thin client resources in a corporate LAN – but here indeed we are. And Wyse have kept up with the pace of change, in fact: I have been recommending their Pocket Cloud RDP client to anyone who asks me about bringing up their Windows resources on the screen of their phone (or, as I’ve been lately, on the screen of my Motorola Xoom Android tablet).

Or rather: I wish I could recommend it. The reason for my sudden tongue-tied state actually has nothing whatsoever to do with the Dell/Wyse acquisition, and yet it may have quite a powerful impact upon it. Despite the existence of the quite mind-boggling Wikipedia page on remote desktop protocol (RDP), most corporates use Microsoft RDP as their default choice for thin client and remote access computing.

Citrix runs a close second, but there are now two utterly different Citrixes to contend with – and anyway, neither of them has been chosen by Amazon to provide anyone who signs up, for free, with a vital demo that they must fully understand in order to communicate with their gratis, no-charge, no-commitments wash-and-go Windows 2008 R2 virtual server within the Amazon Web Services cloud computing platform. You can read my how-to experiences from the point of view of a hardened networking geek over on IT Pro.

Here’s the thing. Aside from the technically interesting stuff around the AWS demo - like how it gets out to the Net from inside the non-IP Schwarzschild radius of Amazon’s own network - the basic fact is that there used to be a bit of an awkwardness barrier to any old hacker setting up an RDP demo. It came inside a corporate platform; it was uncool, being unrelated to HTTP; and besides, there was money to be made swiping credit card databases and faking bank logins.

This appears to no longer be the case – perhaps it’s coincidental to the AWS freebie, perhaps not – but the fact remains that the rate of password-cracking attacks on RDP servers that have been open to the world for the past decade has shot through the roof in the past quarter.

The days of free and easy access on the standard RDP ports and protocols from any device anywhere on the Net look to be well and truly behind us. If the logs on any of the RDP hosts I see regularly are any guide, then from now on it will be all about heavily guarded VPNs, limited IP source numbers, non-standard ports and all those other security tricks and traps to keep the Colombians, the Chinese, and the Malaysians out of your servers.
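As an added example (not from the original article), this is one way to read such logs for password guessing: it counts failed remote logons per source address in a sliding window and marks which sources fall outside a permitted range. The CSV export layout, the allowlisted office range and the threshold are assumptions; the sample rows are constructed.

```python
import csv, io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample: Windows Security log rows exported as CSV (4625 = failed
# logon, 4624 = success). Addresses come from documentation ranges.
SAMPLE = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2012-04-10T02:14:01,4625,10,administrator,203.0.113.7
2012-04-10T02:14:09,4625,10,admin,203.0.113.7
2012-04-10T02:14:20,4625,10,Administrator,203.0.113.7
2012-04-10T02:14:33,4625,10,test,203.0.113.7
2012-04-10T02:14:41,4625,10,backup,203.0.113.7
2012-04-10T03:00:00,4625,3,sales,192.0.2.44
2012-04-10T03:10:00,4625,3,sales,192.0.2.44
2012-04-10T03:20:00,4625,3,sales,192.0.2.44
2012-04-10T03:30:00,4625,3,sales,192.0.2.44
2012-04-10T09:01:12,4625,10,jsmith,198.51.100.20
2012-04-10T09:01:40,4624,10,jsmith,198.51.100.20
2012-04-10T09:05:00,4625,2,jsmith,-
"""
ALLOWED = [ip_network("198.51.100.0/24")]  # assumed office range (hypothetical)
REMOTE_TYPES = {"3", "10"}  # 10 = RemoteInteractive; 3 = Network, seen with NLA

def find_bruteforce(text, threshold=4, window=timedelta(minutes=5)):
    """Map source IP -> details for sources reaching `threshold` failures in `window`."""
    recent, users, peak = defaultdict(deque), defaultdict(set), defaultdict(int)
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["TimeCreated"])
    for r in rows:
        if r["EventID"] != "4625" or r["LogonType"] not in REMOTE_TYPES:
            continue  # keep only failed logons that arrived over the network
        try:
            src = ip_address(r["IpAddress"])
        except ValueError:
            continue  # "-" or blank: no network source was recorded
        ts = datetime.fromisoformat(r["TimeCreated"])
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        users[src].add(r["TargetUserName"].lower())
        peak[src] = max(peak[src], len(q))
    return {str(ip): {"peak": n, "users": sorted(users[ip]),
                      "outside_allowlist": not any(ip in net for net in ALLOWED)}
            for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE).items():
        print(ip, info)
```

With the default five-minute window only the burst from 203.0.113.7 is reported; the source that tries once every ten minutes shows up only when the window is widened, so the window and threshold need tuning against the host's normal failure rate.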

I can’t put my hand on my heart and point to a trail of evidence linking the AWS RDP cloud server access system direct to the increase in attacks – however, it is somewhat ironic to note that the access to AWS’ web-based control panel is secured a million times better than desktop access to the servers you start and stop on that control panel.

Some of this effort by AWS is down to security shortcomings in RDP itself – it would be child’s play to have RDP clients present a two-part key in hex, of arbitrary length, generated by the RDP server itself.

But I can’t see anything as lightweight and simple happening, since the supported secure access method is the aforementioned VPN (tricky on Android, or come to think of it, most phones), or RDP over HTTPS, which requires a separate gateway server and a very well developed understanding of the security and certificate-generation features of Internet Information Server.

Funnily enough, the reason I am intimate with these concepts right now is after a nasty scare with a bucketload of smartphones which had quietly – but painfully – “forgotten” a certificate update. It’s dealing with problems like these, without useful errors or log entries, which had sent me back to the cosy and compatible world of the native RDP client in the first place.

So with all of that churn and pain and security work in mind, does it seem like a good time to be buying a thin client company? Actually, I think it probably is: Dell will be coming under pressure to service a green agenda, instead of the bad old plastic box shifting days of yore, and thin client looks to be part of the answer. Whether a thin unsecured client can still safely be deployed? ... well, that’s a whole other bottle of Ibuprofen.