
Garmin hacked

Those attacks will all fail anyway if an admin with a brain has set up a username/password which is nontrivial and which totally cannot be guessed.

You can have all the architecture discussions you like, but the thing which you can never be 100% sure about is a back door. The recent RDP vulnerability existed no matter what credentials you chose. And there were similar exploits in years past for stuff like PC/Anywhere. You sidestep these by running remote access only via a VPN but then how solidly is the VPN implemented (in the VPN terminating router)? In my router log I see all kinds of attacks on the VPN gateways, where the attacker is submitting various invalid values and probing various protocol timeouts.

You can never be sure the VPN in your router is solid, which is why a successful RDP login should still need to be followed by a second login, to get into any machine on the LAN. This second login can be configured in the RDP caller (for convenience) but an attacker won’t have the creds so will be presented with a login prompt. And nobody should have a device on the LAN which is open. Most people don’t have a login on their PC at home. That login should be configured for both network access and interactive access. But that PC could also have a back door… for many years you could get into a Windows or MacOS PC via the LAN, by presenting malformed packets to its RJ45.

With decent hardware (like Garmin should have, but the vast majority of small business routers cannot be configured for) you could have a firewall routing the VPN traffic to a specific IP only. This is what alioth was saying. This also needs a physical separation; no good having the VPN traffic coming out of the same RJ45 as the rest. And facilities for doing this are pretty limited on the cheaper stuff. But the “physical” separation is still only done by the one single CPU running some code in the router, so ultimately you have to trust the router to have absolutely solid code implementing its VLAN functionality… Chinese IT gear is all buggy as hell.

If running the whole lot on a unix server, rather than having a “box” doing the VPN termination / firewalling etc, you are having to trust the OS and everything running under it. Then you can implement fail2ban etc but if there is a back door it won’t help. The entire trust issue is now in the software.

This is getting like the interminable Zoom video conferencing discussions we had, which made a lot of people drop out of the EuroGA Zoom meetings, and IMHO for poor reasons. All encrypted video conf setups still need a trusted server.

Actually I think the biggest vulnerability is in customer service where you have to open outside emails, online chat IMs, etc. This is obviously known and e.g. the UK CAA has all its emails going through a 3rd party (Scansafe) which strips out all the attachments and replaces them with “virus checked” URLs to copies on its own server. You see this when you have any emails with them. They simply dump some stuff though; another company I am emailing with dumps all emails containing a dropbox link, which is a PITA for obvious reasons… This has to be the best route today for planting exploits on the inside of a company, right past all security, firewalls, the lot…

Administrator
Shoreham EGKA, United Kingdom
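As an added illustration of the gateway behaviour the post above describes (attachments stripped out and replaced with links to a scanned copy), here is a small Python filter; it is not code from the thread or from Scansafe, and the quarantine URL, the constructed sample message and the sha256-based file naming are all assumptions:

```python
"""Rewrite an e-mail so that attachments are replaced by links to held copies.

Mirrors the gateway behaviour described above: attachments are removed from the
message that reaches the user and replaced by a reference to a copy held for
scanning. The quarantine location and naming scheme are assumptions.
"""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed placeholder for where the gateway would publish scanned copies.
QUARANTINE_BASE = "https://quarantine.example.invalid/files/"


def build_sample_message() -> bytes:
    """Constructed sample mail: one text body plus two attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ fake exe", maintype="application", subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


def strip_attachments(raw: bytes) -> tuple[EmailMessage, list[dict]]:
    """Return a new message with attachments removed, plus a record of what was stripped."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    rewritten = EmailMessage()
    for header in ("From", "To", "Subject"):
        if original[header]:
            rewritten[header] = original[header]
    body = original.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    stripped = []
    for part in original.iter_attachments():  # non-body parts only
        payload = part.get_payload(decode=True)
        digest = hashlib.sha256(payload).hexdigest()
        stripped.append({"filename": part.get_filename(), "sha256": digest, "size": len(payload)})
    if stripped:
        lines = [text.rstrip("\n"), "", "Attachments removed by gateway and held for scanning:"]
        for item in stripped:
            lines.append(f"  {item['filename']} ({item['size']} bytes): {QUARANTINE_BASE}{item['sha256']}")
        text = "\n".join(lines) + "\n"
    rewritten.set_content(text)  # plain-text message with no attachments
    return rewritten, stripped
```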

We can talk about security of VPNs and RDP until the cows come home: the reality is for larger organisations like Garmin, typically they aren’t using cheap consumer kit for their routers, and it’s quite likely they will have implemented things like 2FA for remote access.

What usually does the likes of Garmin in is an attack on the wetware. This attack was crafted specifically for Garmin, and PROB99 getting it in there was a combination of social engineering, plus too many people having too many privileges, plus being behind on patches – the latter two allowing the malware to spread once the initial social engineering attack had succeeded.

Targeted malware rarely uses a single exploit – it usually involves several exploits, and the initial exploit to get a foot in the door is an attack on wetware, not software or hardware.

Social engineering is the oldest (and most “difficult to patch”) exploit out there. See Kevin Mitnick for an early example of social engineering attacks on computer networks. Read the book “Other People’s Money: The Rise and Fall of Britain’s Boldest Credit Card Fraudster” by Neil Forsyth/Elliott Castro for a first-person perspective on the use of social engineering attacks.

Last Edited by alioth at 04 Aug 09:20
Andreas IOM

I think we agree

Administrator
Shoreham EGKA, United Kingdom

According to this Garmin paid the ransom via a 3rd party. Also interesting is the method used to get around the US sanctions on paying the ransom.

Administrator
Shoreham EGKA, United Kingdom

That is a lot of money to not be able to track around and find the criminals.

ESME, ESMS

Dimme wrote:

That is a lot of money to not be able to track around and find the criminals.

It also sets a very dangerous precedent.

LSZH(work) LSZF (GA base), Switzerland