WatchGuard Blog

RMM Software: How to Protect it with a Firewall

Remote monitoring and management (RMM) solutions provide flexible methods to enable MSPs to detect network or device anomalies early, facilitating proactive systems monitoring. While these tools are deployed for legitimate purposes, it is common for cybercriminals to make malicious use of them. Known as "living-off-the -and" (LotL) attacks, in these intrusions, hackers leverage tools that are already present in the environment to conceal their activity rather than use intrinsically malicious files, code, or scripts.

In recent years, criminals have intensified their use of these tools to breach security defenses and gain persistent access to their victims' networks. A recent report has detected a growing trend in cyberattack tactics whereby small and midsize businesses are targeted through RMM solutions. 65% of cybersecurity incidents involved threat actors using RMM tools to obtain unauthorized access to victims' systems. This data shows the need to act and establish new ways to protect these solutions.

4 network-based controls to protect your RMM 

Given this backdrop, CISA issued a guide for RMM security last year, which included implementing network-based security controls among its key recommendations. Below, we explain in detail how a robust firewall solution boosts protection for your remote access software:

  • Employ network segmentation: 

    Using a firewall, you can segment the network to minimize lateral movement and restrict access to devices, data, and applications. This also lets you control traffic between subnets and implement access control lists (ACLs) to authorize or deny access to specific resources.

  • Block RMM ports and protocols: 

    A firewall allows you to create rules that block unwanted traffic on specific ports and protocols used by RMM tools. This only allows legitimate use of these tools, minimizing the risk of intrusions. A firewall protects your network from unauthorized access by reducing the risk of hackers exploiting vulnerabilities in RMM solutions to access your network, data, and customers' data. 

  • Use RMM solutions from within the network: 

    Implement secure remote access solutions, such as a VPN, to establish a protected connection to a specific subnet within your local network. Configure your RMM software to only connect to devices within that subnet, restricting their access to other devices on your local network.

  • Use a firewall in your public Cloud environment

    This will allow you to filter and monitor HTTP traffic, detecting and blocking attacks such as SQL injection and other web threats.

While RMM tools are a target for cybercriminals, the multiple advantages these solutions provide regarding cybersecurity management are undeniable. MSPs must recognize these tools' usefulness, but they need to be aware of the risks and take preventative measures such as implementing a firewall. By keeping current on the latest attack trends and following the recommendations of reputable organizations such as CISA, you can minimize the vulnerabilities found in RMM tools and take full advantage of the benefits they deliver.

If you want to learn more about securing your RMM solutions, check out the following blog post: Why RMM integrations are important for MSPs.