AccessEnforcer 5.0 Adds Remote Access Security and Inbound Traffic Blocking

We are always excited to announce AccessEnforcer releases, but today we are especially excited to announce the release of AccessEnforcer v5.0! In this milestone release we are introducing two great features, Gatekeeper for remote access security and Geo Fence for inbound traffic blocking.


In the current COVID-19 pandemic we have all seen the rise in teleworking and the use of remote access tools. For many of us, that means RDP.

We all know that exposing RDP to the Internet is extremely ill-advised, providing direct access to potentially insecure workstations. The cybercriminals are very aware too, which is why Kaspersky has recently reported that RDP bruteforce attacks are on the rise since the beginning of March 2020.

Even before the pandemic, RDP vulnerabilities have been making the news:

It's like RDP Groundhog Day/Month/Year every time!

The safest way to secure your RDP access is to use a VPN, such as CalyptixVPN. Unfortunately, many users find VPN clients to be cumbersome, or run into technical issues and ISP blocks. Consequently, many users resort to a port forwarding rule for their RDP connection which is patently unsafe.

We have developed a more secure method to implement RDP access that only allows securely authenticated RDP access, achieved with only a few clicks. Allow us to introduce Gatekeeper.

What is Gatekeeper?

Gatekeeper is a new patent-pending feature in AccessEnforcer that requires users to first authenticate with 2FA before granting special pinhole access to RDP. Instead of exposing your RDP port to the Internet or requiring network access with a VPN client, users simply access a secure Gatekeeper URL they bookmark on their browsers.

In the secure Gatekeeper portal, the user is prompted for their Active Directory username, password, and a Gatekeeper 2FA one-time code provided by a mobile authenticator app such as Google Authenticator or Authy. Once fully authenticated, they are given a list of the RDP hosts they have permission to connect to.

After that, they simply click the desired "Connect" button and their configured RDP client will make a connection using a special one-time-use pinhole firewall rule, permitting only their computer to connect to the remote host just once.

You can now allow users to access RDP with peace of mind that you are providing best in class access control consitent with the highest stardards set by NIST, CIS 20 etc.:

  • Secure access with 2FA!
  • No RDP exposed to the Internet (port of gateway application)!
  • No clunky VPN client to set up, install & maintain!
  • No VPN performance hit!
  • No stress every time the next inevitable RDP vulnerability is announced!

How does Gatekeeper work?

Enabling Gatekeeper for Users is Simple:

  1. Setup a link to your Active Directory server.
  2. Invite users to Gatekeeper via email, the first step of the self-enrollment process.
  3. Each user completes the simple self-enrollment process (they're encouraged to bookmark the portal URL)

That's it in a nutshell! For more information please see links below under "Related Resources" so you don't have to stop reading now!

To sum up, Gatekeeper is security and convenience in one nice package. Go ahead, have your delicious rich chocolate cake and eat it too!

This is just the beginning. Future versions of Gatekeeper will add support for more protocols in addition to RDP. Stay tuned!

Introducing Geo Fence

Gatekeeper is not the only v5.0 feature we have been busy working on. Let's introduce you to Geo Fence!

Geo Fence, like its name implies, blocks inbound traffic from countries that have no business connecting to you. For example, if your customer is a US-based company that only does business with US-based customers, there is no need to accept a connection from Russia, or North Korea, or anywhere else! So all you need to do is to set up a Geo Fence policy that allows inbound traffic from only the USA.

For example, here's what the Geo Fence UI looks like when Europe is selected:

There's a heatmap feature too that allows you to see the "hot spots" where most network alerts are generated so you can tune your Geo Fence configuration:

Last but not least, the Network Alerts page now shows Geo Fence alerts too!

Additional Improvements

Gatekeeper and Geo Fence are the most prominent new features in this release, but they're not the only things. We have made improvements in other areas too:

  • OpenBSD 6.7. AccessEnforcer v5.0 runs on OpenBSD 6.7, which is the latest OpenBSD release at the time of writing. For those who may not be familiar, OpenBSD is one of the most secure operating systems on the planet. Some of the improvements that OpenBSD 6.7 brings are:
    • LibreSSL 3.1.1.
    • OpenSSH 8.3. The latest OpenSSH.
    • Intel CPU mitigations. Intel MDS CPU flaw has been mitigated.
    • Performance improvements. Performance improvements have been made to make OpenBSD work better with multiple CPUs and cores.
    • All OpenBSD errata as of the time of writing have been applied.
  • Snort 2.9.16. This is the latest version of the Snort IDS/IPS system.
  • Performance and reliability improvements.
    • Increased maximum live connection limit. The maximum limit of live connections has been increased. The limit is now 15,000 for units with less than 2GB of RAM, 50,000 for units with 2GB of RAM, 100,000 for units with 4GB of RAM, and 200,000 for units with 8GB of RAM or more.
    • Network alert monitor rewrite. The internal network alert monitor has been significantly rewritten to improve performance and integrate more effectively with the new features like Gatekeeper and Geo Fence.
    • CalyptixVPN stability fix. Internal log rotation of CalyptixVPN logs no longer cause CalyptixVPN to restart for improved CalyptixVPN stability.
  • GUI improvements.
    • Support for latest Microsoft Edge. The latest Chromium-based Microsoft Edge is now supported as a browser for the AccessEnforcer GUI.
    • Auto logout. The GUI will now automatically log out when the idle timeout has been reached.
    • Updated EULA. The Calyptix End User License Agreement (EULA) has been updated.
    • Legacy browser notification. The end user email quarantine view will now inform the user if they are using a legacy unsupported browser.
    • Web Filter Exemptions clarification. The Security > Web > Web Filter Exemptions page now includes additional clarification that domain-based web filter exemptions do not apply in Multi-WAN configurations.
  • Miscellaneous improvements.
    • Packet Analyzer support for Gatekeeper and Geo Fence. The Packet Analyzer now allows packets to be captured on the "Gatekeeper Log" and "Geo Fence Log" interfaces to allow packets reaching Geo Fence and Gatekeeper to be captured.
    • PPPoE Fix. We fixed a bug where units with PPPoE interfaces would not report the correct IP address to SPS.
    • IPv6 forwarding explicitly disabled. We implemented extra measures to prevent IPv6 traffic from being forwarded/processed.
    • DHCP server bug fix. This release fixed a scenario where the DHCP server could end up with duplicate DHCP ranges.

Let us know what you think! Share your success stories. We're always looking to improve and best meet small business needs for cybersecurity.

Written by Calyptix

 - June 26, 2020

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.
call us
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram