
What is a Data Diode?
A Data Diode is a hardware-based security device that enforces one-way data flow between two networks, ensuring no reverse communication.
Remote Desktop Protocol (RDP) allows users to access and control remote systems across corporate, industrial, and government networks. Its power lies in convenience, but that same power can destroy security if left unguarded.
By design, RDP is bidirectional, creating a tunnel where not just commands, but files, screen data, keyboard input, clipboard sync, and even device redirection can flow both ways. This bidirectional nature is essential for functionality but creates a massive attack surface.
The challenge with RDP is that its utility and its vulnerability are intrinsically linked. The same features that make it indispensable for remote operations also make it a prime target for cybercriminals and state-sponsored attackers.
Several critical security incidents demonstrate the devastating potential of unsecured RDP implementations across different attack vectors and methodologies.
BlueKeep (CVE-2019-0708) represents one of the most serious RDP vulnerabilities discovered. This pre-authentication remote code execution vulnerability allowed attackers to take over systems without any credentials. The flaw was a memory corruption bug in the RDP service, which attackers could exploit for arbitrary code execution and complete system compromise. Thousands of Windows servers worldwide were affected, and the vulnerability could have been mitigated if unsolicited access had been directionally restricted at the hardware level.
RDP Brute-Force Attacks combined with ransomware deployment have become the preferred method for major ransomware groups including Conti and REvil. These groups exploit open RDP ports (TCP 3389) exposed to the internet, using automated brute-force attacks to gain initial access. Once inside, they exfiltrate data and deploy ransomware across entire domains. This attack vector demonstrates how initial RDP compromise can lead to organization-wide security breaches.
RDP Clipboard Data Hijacking represents a more subtle but equally dangerous attack vector. Clipboard synchronization in RDP sessions can leak sensitive information such as passwords, encryption keys, and source code. This feature has been exploited for stealthy data exfiltration in advanced persistent threat operations, where attackers monitor clipboard content during legitimate RDP sessions to gather intelligence.
The TFG-BSG is a hardware-enforced, FPGA-controlled, port-based, direction-aware security device. It is engineered to connect networks of different trust levels, such as IT and OT environments, without exposing them to bidirectional threats.
Unlike software firewalls that attempt to understand and filter protocols, BSG enforces physical communication discipline at the hardware level. This fundamental difference in approach provides security guarantees that software solutions cannot match.
The architecture implements port-based control where only explicitly enabled TCP and UDP ports are processed at the hardware level. All other traffic is dropped before it can reach any software layer, eliminating entire classes of attacks that rely on unexpected port access.
The system enforces a strict request-response model where the source network can only initiate requests, while the destination can only respond. No unsolicited messages are permitted in either direction, creating a deterministic communication pattern that prevents unauthorized data flows.
Dual diodes route requests and responses through separate hardware diode-based paths, ensuring directionality cannot be reversed through any software manipulation. The FPGA core contains no operating system, no shell access, and no software vulnerabilities, implementing only tamper-proof logic that cannot be hacked, overridden, or reconfigured remotely.
RDP's normal operation involves a continuous bidirectional flow of input and output, synchronization traffic, and control commands. In insecure environments, this creates pathways for malware injection, ransomware staging, lateral domain movement, and credential theft.
BSG fundamentally transforms this security model by enforcing strict directional control over RDP communications. RDP initiation from the IT side is passed through the request diode with full protocol support, maintaining all necessary functionality for remote access. Only the RDP server's direct responses travel back through the response diode, ensuring that all communication is tied to specific request-response pairs.
The system blocks critical attack vectors by preventing the OT RDP server from initiating any new communication or connections. File transfers, clipboard synchronization, and print redirection are blocked if they attempt unsolicited transmission. No reverse scanning, pingbacks, or telemetry outflow is possible, and command and control channels cannot be established through the RDP connection.
This protocol-agnostic security approach operates on certainty about a few low-level primitives (port and direction) rather than on protocol understanding. BSG enforces traffic discipline at the hardware level, making it impossible to bypass through malformed packets, protocol fuzzing, or zero-day exploits that might affect software-based security solutions.
Traditional security approaches attempt to understand application protocols and make intelligent filtering decisions. This approach is fundamentally flawed because it relies on software interpretation of complex protocols that can be manipulated by sophisticated attackers.
BSG's approach provides superior security through port-level certainty, where only predefined TCP and UDP ports are processed, with all decisions made at the hardware level before any software interpretation occurs. This eliminates entire attack surfaces that depend on protocol confusion or unexpected port usage.
Physical direction enforcement separates request and response paths through hardware diodes, making it impossible for traffic to flow in unintended directions regardless of software vulnerabilities or protocol manipulations. This hardware-level separation provides absolute guarantees about communication direction.
The protocol independence of BSG's security model means it doesn't depend on understanding RDP, OPC-UA, or any other protocol. Security is enforced through traffic discipline, not protocol analysis, making it immune to protocol-specific vulnerabilities and zero-day exploits.
The unfuzzable logic of BSG operates below the protocol layer, making it impossible to bypass through malformed packets, buffer overflows, or protocol-specific vulnerabilities that might affect traditional security solutions.
A power plant engineer from the IT zone needs to access a turbine SCADA screen on an OT server via RDP for diagnostic purposes. This represents a common operational requirement that traditionally creates significant security risks.
Without BSG protection, the traditional approach requires opening the OT server's RDP port to the IT zone through firewall rules. If IT infrastructure becomes compromised, malware can move laterally into OT systems through this connection. Even legitimate sessions can leak operational data through clipboard sync, file transfers, or screen captures, while log data and diagnostic information flow back to potentially compromised IT systems.
With TFG-BSG implementation, TCP 3389 for RDP is allowed only from IT to OT via the request diode pathway. The OT server responds with screen data and control feedback only via the response diode, maintaining full functionality while preventing security risks. No clipboard synchronization, outbound logs, file redirection, or command injection is possible. Even if IT infrastructure is completely compromised, BSG blocks anything not tied to the original legitimate request.
The security outcome ensures the engineer maintains full diagnostic capability while the power grid's OT infrastructure remains completely protected from reverse attacks, lateral movement, and data exfiltration. Normal RDP functionality is preserved, including real-time screen updates, keyboard and mouse control, and diagnostic access, while eliminating security risks that could threaten power grid stability.
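To make the port-based, request-response model concrete (both the architecture described earlier and the power-plant RDP scenario), here is an added illustrative model written for this page, not the product's own logic: a toy Python gateway that drops anything not on an explicitly enabled port, lets only the request side open flows, and lets the response side answer only flows that already exist. The zone names, enabled-port list and sample packets are constructed assumptions.

```python
from dataclasses import dataclass

IT, OT = "IT", "OT"   # constructed zone names

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str         # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False  # TCP connection-initiation flag (ignored for UDP)

class DirectionAwareGateway:
    """Toy model of port-based, direction-aware request/response enforcement (an assumption, not product logic)."""
    def __init__(self, allowed_ports, request_side=IT, response_side=OT):
        self.allowed = set(allowed_ports)   # explicitly enabled (proto, port) pairs
        self.request_side, self.response_side = request_side, response_side
        self.flows = set()                  # open flows: (proto, requester_port, server_port)

    def decide(self, p):
        # Request diode: only the request side opens flows, and only to enabled ports.
        if p.src_zone == self.request_side and p.dst_zone == self.response_side:
            if (p.proto, p.dst_port) not in self.allowed:
                return "drop:port-not-enabled"
            key = (p.proto, p.src_port, p.dst_port)
            if p.syn or p.proto == "udp":
                self.flows.add(key)         # a new request opens a flow
                return "pass:request"
            return "pass:request" if key in self.flows else "drop:no-flow"
        # Response diode: the response side may only answer an existing request.
        if p.src_zone == self.response_side and p.dst_zone == self.request_side:
            if p.syn:
                return "drop:unsolicited-initiation"
            key = (p.proto, p.dst_port, p.src_port)
            return "pass:response" if key in self.flows else "drop:unsolicited"
        return "drop:direction"             # neither diode path applies

def run_scenario():
    """Constructed sample traffic for the IT-to-OT RDP case in the text."""
    gw = DirectionAwareGateway({("tcp", 3389)})
    traffic = [
        Packet(IT, OT, "tcp", 50001, 3389, syn=True),  # engineer opens RDP
        Packet(OT, IT, "tcp", 3389, 50001),            # screen data back on that flow
        Packet(OT, IT, "tcp", 3389, 50002),            # "response" to a request never made
        Packet(OT, IT, "tcp", 44000, 445, syn=True),   # OT host tries to open SMB to IT
        Packet(IT, OT, "tcp", 50003, 22, syn=True),    # SSH is not an enabled port
        Packet(IT, OT, "tcp", 50004, 3389),            # mid-stream packet with no prior SYN
    ]
    return [gw.decide(p) for p in traffic]
```

Only the first two packets pass; every other packet is dropped by the port check, the direction check, or the missing request-response pairing.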
RDP is essential for modern remote operations but dangerously vulnerable when unrestricted. TFG-BSG doesn't just filter traffic; it enforces secure behavior at the hardware level through FPGA-driven, tamper-proof core logic that cannot be compromised through software attacks.
The system implements port-based permissioning with hardware-level enforcement, request-response pathways enforced through dedicated physical channels, and protocol-agnostic filtering that works regardless of application-layer protocols. With no operating system, no shell access, and no backdoors, BSG provides pure hardware logic implementation.
This approach delivers true zero-trust communication that is physically enforced at the hardware level, not just implemented through policy. BSG ensures that only authorized traffic flows in authorized directions, transforming RDP from a significant security risk into a resilient operational tool that can be safely deployed even in the most security-critical environments.
This represents a fundamental shift from hoping that software security measures will hold, to knowing with certainty that hardware-enforced security cannot be bypassed by any known attack methodology.