
Beyond RDP: How a New Remote Access Architecture Redefines Security

Remote work is an economic reality, but much of it relies on crumbling technological foundations. The RDP and VNC protocols, while familiar, have become vectors of systemic threats. One figure illustrates the crisis: in 2023, RDP compromise was involved in 90% of ransomware breaches.
 
This is not an accident. It is the symptom of an architecture designed for internal networks perceived as fortresses, an assumption that is now obsolete. For CIOs and CISOs, the question is no longer whether these protocols will be exploited, but how to move away from a model that, even when "free" or "included," incurs exorbitant hidden costs in management, lost productivity, and security risks.
 
The answer does not lie in adding new layers of protection on potentially failing protocols. It lies in a change of architectural paradigm. Solutions are emerging that do not seek to patch the past but to replace it with radically different approaches adapted to today's threats and uses.


Anatomy of a Legacy Problem
 

To understand the extent of the change, we must analyze the design flaws of these protocols.
  • RDP (Remote Desktop Protocol): Its main flaw is its connection model. By default, it puts a port (typically 3389) in listening mode, waiting for an incoming connection. This "open door" is an invitation for the vulnerability scanners and brute-force attacks that run constantly on the Internet. Even when it is secured behind a gateway or VPN, the complexity remains, and the protocol itself remains a target, with a long history of critical remote code execution (RCE) flaws.
  • VNC (Virtual Network Computing): Its multi-platform simplicity comes at the cost of often rudimentary security. Encryption is inconsistent, authentication is weak, and its raw image (framebuffer) transmission model is bandwidth-intensive and sensitive to latency, degrading the user experience.
Both protocols share the same original flaw: they require the remote machine to be "listening," thus exposing a direct attack surface.
 
The Architectural Shift: The Inverted Connection Model
 
The first major innovation of modern platforms is to reverse this connection flow. This is a fundamental principle of Zero Trust Network Access (ZTNA). Rather than waiting for an incoming connection, a lightweight software agent on the remote machine initiates an outgoing connection to a secure cloud gateway (or broker). The user, from their browser, also connects to this same gateway. The broker then "connects" these two outgoing flows.
 
The implications of this model, used by solutions like Reemo Remote Desktop, are profound:
  1. Invisibility on the network: The remote machine has no open listening ports. It is therefore invisible to vulnerability scanners and external attackers. The attack surface is drastically reduced.
  2. Simplified firewall traversal: Only an outgoing flow is needed, which is generally allowed by standard security policies. Configuration is massively simplified.
  3. The end of VPN for workstation access: This model makes the traditional VPN obsolete for workstation access. The VPN extends the network perimeter to the user's device, which may be insecure. The ZTNA approach establishes a secure, authenticated, and application-specific (here, the remote desktop) tunnel without ever trusting the end-user's device.
The flow is then streamed to the user as pixels via a high-performance protocol like WebRTC. No data from the remote desktop transits directly, only an encrypted video stream. It is this combination of a connection initiated from within and pixel streaming that offers access that is both ultra-secure and high-performance, capable of handling 4K at 60FPS, chroma colors, multi-screen, and real-time collaboration. Reemo has been developing its own protocol around this concept since 2017.
 

Beyond Access: Isolation by Protocol Breakage

But what happens if the threat does not come from the access itself but from the user's activity, such as browsing untrusted websites, opening potentially malicious documents, or third-party access to your company's resources? For these high-risk use cases, a second, even more secure, architectural approach is necessary: protocol breakage.
 
This is where solutions like Reemo Containers come in. The principle is different: the application (e.g., a web browser used for remote browser isolation) is not run on an existing workstation but in a secure, disposable container in the cloud.
 
It is in this model that protocol breakage makes perfect sense:
  • The user interacts with the container via the same high-performance pixel stream.
  • The container, in turn, browses the Internet from an environment completely isolated from the company's network.
  • There is a complete break between the user's navigation protocol (the Reemo pixel stream) and the application's protocol (HTTP/S in the container).
No code from the Internet can ever reach the user's workstation or the company's network. At the end of the session, the container is destroyed, along with any potential threats it may have contained (malware, trackers, etc.). This is the pinnacle of isolation.
 

The Synthesis: The Right Security for the Right Use

The future of remote access is not a single architecture, but a platform capable of offering the right level of security for each use case without ever sacrificing performance.

| Architectural Approach | Ideal Use Case | Key Mechanism | Replaces... |
| --- | --- | --- | --- |
| Reemo Proprietary Protocol | Access to existing physical/virtual workstations (developers, support, telecommuting) | Agent initiating an outgoing flow, no open ports | VPN, direct RDP/VNC |
| Protocol Breakage (Containers) | Web browsing, access to untrusted applications, sensitive data management, third-party access | Execution in an isolated and disposable container | Web proxies, workstations, BYOD |

What unifies these approaches in a platform like Reemo is the user experience. Whether accessing a Windows desktop via an inverted connection or a browser in a container, access is from a simple browser tab, with near-zero latency and high visual fidelity.
 

Strategic Implications for CIOs and CISOs

This nuanced view of remote access offers new strategic levers:
  1. Tailored Security (Least Privilege): Rather than a single, rigid security policy, it becomes possible to apply controls adapted to the risk level of each task. Access to an internal development workstation carries a different risk than an employee consulting a suspicious link.
  2. Resource Optimization: Providing a disposable container for browsing is more efficient and secure than dedicating and maintaining a full virtual machine for this purpose.
  3. Agility and Productivity: Users have access to their tools instantly, from anywhere, without the friction of VPN clients or the slowness of legacy solutions. Performance becomes a catalyst for productivity, not a hindrance.

In conclusion, the conversation about remote access must go beyond the simple RDP vs. VNC debate. The solutions of the future do not just better secure an old model; they introduce new ones. By combining inverted connection architectures for secure access to existing workstations and protocol breakage models for isolating risky tasks, they offer a complete and adapted response to the complexity of the modern cybersecurity landscape. This is a fundamental change that allows organizations to no longer choose between security and flexibility but to benefit from both.
