WO2023031907A1 - A secure remote access system and method - Google Patents

A secure remote access system and method

Info

Publication number
WO2023031907A1
Authority
WO
WIPO (PCT)
Prior art keywords
remote workstation
remote
authentication system
software
internal authentication
Application number
PCT/IL2022/050877
Other languages
French (fr)
Inventor
Moti COHEN
Original Assignee
The Israel Electric Corporation Ltd.
Application filed by The Israel Electric Corporation Ltd.
Publication of WO2023031907A1


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 ... for separating internal from external traffic, e.g. firewalls > H04L63/0272 Virtual private networks
        • H04L63/08 ... for authentication of entities > H04L63/083 ... using passwords
        • H04L63/08 ... for authentication of entities > H04L63/0853 ... using an additional device, e.g. smartcard, SIM or a different communication terminal
        • H04L63/08 ... for authentication of entities > H04L63/0861 ... using biometrical features, e.g. fingerprint, retina-scan
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
        • H04L2463/082 ... applying multi-factor authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/44 Program or device authentication
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to the field of secure remote access systems and methods.
  • Secure remote access is an umbrella under which a number of security strategies reside. These strategies are directed to any security policy or solution that prevents unauthorized access to an internal network or sensitive data.
  • a system for providing secure remote access comprising: an internal authentication system of an organization, the internal authentication system comprising an internal authentication system processing circuitry; a remote workstation remote from the internal authentication system, the remote workstation comprising a remote workstation processing circuitry; wherein the remote workstation processing circuitry is configured to: (a) perform a Basic Input/Output System (BIOS) check, (b) authenticate a user logging in to the remote workstation using user credentials, (c) obtain hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtain software information by executing one or more software checks for validating software installed on the remote workstation; upon the BIOS check and the user authentication being successful, the remote workstation processing circuitry is further configured to establish a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system of the organization; after successful establishment of the VPN tunnel, the remote workstation processing circuitry is further configured to send the hardware identification information and the
  • the user credentials include at least one of: (a) a username (b) a password, (c) biometric information, (d) facial recognition, or (e) a Hardware Security Module (HSM) generated identifier.
  • the remote workstation further comprises an agent configured to collect one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system.
  • the VPN tunnel is configured to allow only input obtained using a keyboard or a mouse connected to the remote workstation to be sent from the remote workstation to the internal authentication system.
  • the hardware identification information includes identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation, one or more Central Processing Units (CPUs) of the remote workstation.
  • the hardware identification information includes identification information identifying at least one external hardware device detachably connected to the remote workstation.
  • the hardware identification information is obtained by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system.
  • the software information includes information associated with one or more software components installed on the remote workstation.
  • the software information is obtained by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLL integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.
  • the software information is obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system.
  • the limited access to the at least one component in the secured system of the organization is performed using the second user credentials stored on a logical electronic vault.
  • the remote workstation further comprises a control agent configured to block the connection of external devices to the remote workstation.
  • the remote workstation further comprises anti-virus software.
  • the internal authentication system further comprises firewall software.
  • the remote workstation further comprises an agent configured to prevent the remote workstation from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation, (b) file deletion of at least part of the files stored on the remote workstation, or (c) file execution of at least part of the files stored on the remote workstation.
  • a session conducted via the VPN tunnel is monitored by a human operator and wherein the human operator can provide a termination instruction to the VPN tunnel, thereby terminating the connection between the remote workstation and the internal authentication system.
  • a session conducted via the VPN tunnel is recorded and stored on a data repository.
  • the VPN channel is established only if a request to establish secure remote access is pre-approved by an internal user.
  • the pre-approval defines a time window for the secure remote access, and wherein the VPN channel is establishable only during the time-window.
  • a method for providing secure remote access comprising: in a remote workstation remote from an internal authentication system of an organization: (a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of an organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; providing the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between
  • a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor to perform a secure remote access method, the secure remote access comprising one or more components, the method comprising: in a remote workstation remote from an internal authentication system of an organization: (a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of the organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware
  • Fig. 1 is a schematic illustration of an environment of a secure remote access system, in accordance with the presently disclosed subject matter.
  • Fig. 2 is a block diagram schematically illustrating one example of an internal authentication system, in accordance with the presently disclosed subject matter.
  • Fig. 3 is a block diagram schematically illustrating one example of a remote workstation, in accordance with the presently disclosed subject matter.
  • Fig. 4 is a flowchart illustrating one example of a sequence of operations carried out by a remote workstation and an internal authentication system, in accordance with the presently disclosed subject matter.
  • should be expansively construed to cover any kind of electronic device with data processing capabilities, including, by way of non-limiting example, a personal desktop/laptop computer, a server, a computing system, a communication device, a smartphone, a tablet computer, a smart television, a processor (e.g. digital signal processor (DSP), a microcontroller, a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), etc.), a group of multiple physical machines sharing performance of various tasks, virtual servers co-residing on a single physical machine, any other electronic computing device, and/or any combination thereof.
  • non-transitory is used herein to exclude transitory, propagating signals, but to otherwise include any volatile or non-volatile computer memory technology suitable to the application.
  • the phrases “for example,” “such as”, “for instance” and variants thereof describe non-limiting embodiments of the presently disclosed subject matter.
  • Reference in the specification to “one case”, “some cases”, “other cases” or variants thereof means that a particular feature, structure or characteristic described in connection with the embodiment(s) is included in at least one embodiment of the presently disclosed subject matter.
  • the appearance of the phrase “one case”, “some cases”, “other cases” or variants thereof does not necessarily refer to the same embodiment(s).
  • Figs. 2 and 3 illustrate a general schematic of the system architecture in accordance with an embodiment of the presently disclosed subject matter.
  • Each module in Figs. 2 and 3 can be made up of any combination of software, hardware and/or firmware that performs the functions as defined and explained herein.
  • the modules in Figs. 2 and 3 may be centralized in one location or dispersed over more than one location.
  • the system may comprise fewer, more, and/or different modules than those shown in Figs. 2 and 3.
  • Any reference in the specification to a method should be applied mutatis mutandis to a system capable of executing the method and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that once executed by a computer result in the execution of the method.
  • Any reference in the specification to a system should be applied mutatis mutandis to a method that may be executed by the system and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that may be executed by the system.
  • Any reference in the specification to a non-transitory computer readable medium should be applied mutatis mutandis to a system capable of executing the instructions stored in the non-transitory computer readable medium and should be applied mutatis mutandis to method that may be executed by a computer that reads the instructions stored in the non-transitory computer readable medium.
  • the service agreements may include additional costs associated with transporting the aforementioned service provider to the location of the purchased component (flight costs, living costs, etc.) in cases where the company has no service branch in the vicinity of the purchased component’s location.
  • a company situated in Israel purchasing a component from, for example, Siemens (based in Germany) would have to pay Siemens a substantial amount of money, as part of the service agreement, for the transportation of a Siemens service provider from Germany to Israel in cases of need.
  • the presently disclosed subject matter aims to provide a Multi-Factor Authentication system for controlled remote access.
  • This system would remove the need to transport a service provider to the location of the component needing care and would allow the service provider to interact with the purchased component remotely (thus saving the costs involved in bringing the service provider to the location of the purchased component) while keeping the highest cybersecurity standards (e.g., military standards).
  • Fig. 1 shows a schematic illustration of an environment of the secure remote access system, in accordance with the presently disclosed subject matter.
  • environment 100 includes an internal authentication system 200 in communication with a secured system 300 and a remote workstation 400 situated, for example, at a location remote from the location of the secured system 300.
  • Both the internal authentication system 200 and the secured system 300 can be, for example, part of an organization network such that the secured system 300 may be inaccessible from outside the organizational network.
  • a user using the remote workstation 400 does not have direct access to the secured system 300, as the user is not in the vicinity of the secured system 300 and cannot easily reach it.
  • the remote workstation 400, and by virtue of its location also the user, can be, for example, in another city, state, country, continent or part of the world from the secured system 300, making it impossible for the user at the location of the remote workstation 400 to reach the secured system 300 in cases where immediate attention is needed.
  • since the secured system 300 is located at a different location than the remote workstation 400, the user is required to operate the secured system 300 from afar.
  • Fig. 2 is a block diagram schematically illustrating one example of the internal authentication system 200, in accordance with the presently disclosed subject matter.
  • internal authentication system 200 (also interchangeably referred to herein as “system 200”) includes a processing circuitry 202 linked to a data repository 204 and a network interface 206.
  • the system 200 further includes an authentication module 208, which operates in conjunction with the processing circuitry 202 and data repository 204 to perform the presently disclosed subject matter. All of the components 202, 204, 206, and 208 are linked to each other so as to be in direct and/or indirect electronic and/or data communication with each other.
  • the processing circuitry 202 can be one or more processing units (e.g., central processing units), microprocessors, microcontrollers (e.g., microcontroller units (MCUs)), or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant system 200 resources and for enabling operations related to system 200’s resources.
  • the data repository 204 (e.g., a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of memory, etc.) can be configured to store data, optionally including, inter alia, user credentials, hardware identification information (e.g., hard disks, Read Only Memory (ROM) modules, Central Processing Units (CPUs), external hardware devices detachably connected, etc.), software information (e.g., checksums of various software, etc.), software checks, BIOS events logs, VPN sessions, time windows, and the like.
  • Data repository 204 can be further configured to enable retrieval and/or update and/or deletion of the stored data. It is to be noted that in some cases, data repository 204 can be distributed, while the system 200 has access to the information stored thereon, e.g., via a wired or wireless network to which system 200 is able to connect (utilizing its network interface 206).
  • the network interface 206 (e.g., a network card, a WiFi client, a LiFi client, 3G/4G client, or any other component) enables system 200 to communicate over a network with external systems and handles inbound and outbound communications from such systems.
  • the authentication module 208 is configured to execute one or more authentication processes, as further detailed herein, inter alia with reference to Fig. 4.
  • Fig. 3 is a block diagram schematically illustrating one example of the remote workstation 400, in accordance with the presently disclosed subject matter.
  • remote workstation 400 (also interchangeably referred to herein as “system 400”) includes a processing circuitry 402 linked to a data repository 404 and a network interface 406.
  • the system 400 further includes an authentication module 408, which operates in conjunction with the processing circuitry 402 and data repository 404 to perform the presently disclosed subject matter. All of the components 402, 404, 406, and 408 are linked to each other so as to be in direct and/or indirect electronic and/or data communication with each other.
  • the processing circuitry 402 can be one or more processing units (e.g., central processing units), microprocessors, microcontrollers (e.g., microcontroller units (MCUs)), or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant system 400 resources and for enabling operations related to system 400’s resources.
  • the data repository 404 (e.g., a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of memory, etc.) configured to store data, optionally including, inter alia, user credentials, hardware identification information (e.g., hard disks, Read Only Memory (ROM) modules, Central Processing Units (CPUs), external hardware devices detachably connected, etc.), software information (e.g., checksums of various software, etc.), software checks, BIOS events logs, VPN sessions, time windows, and the like.
  • Data repository 404 can be further configured to enable retrieval and/or update and/or deletion of the stored data. It is to be noted that in some cases, data repository 404 can be distributed, while the system 400 has access to the information stored thereon, e.g., via a wired or wireless network to which system 400 is able to connect (utilizing its network interface 406).
  • the network interface 406 (e.g., a network card, a WiFi client, a LiFi client, 3G/4G client, or any other component) enables system 400 to communicate over a network with external systems and handles inbound and outbound communications from such systems.
  • the authentication module 408 is configured to execute one or more authentication procedures, as further detailed herein, inter alia with reference to Fig. 4.
  • Fig. 4 shows a flowchart illustrating one example of a sequence of operations carried out for authenticating and enabling a predefined and limited interaction between remote workstation 400 and secured system 300, in accordance with the presently disclosed subject matter.
  • the secure remote access system can be configured to perform a computer-implemented process 500, e.g., using authentication modules 208 and 408.
  • the remote workstation 400 through its authentication module 408, performs a Basic Input/Output System (BIOS) check, and authenticates a user logging into the remote workstation using user credentials (block 502).
  • the Basic Input/Output System (BIOS) check includes executing a BIOS integrity measurement mechanism on the remote workstation 400 and validating the results.
  • a logging mechanism can be utilized to track changes to the BIOS, and such logging mechanism can be used to verify that no deviation from the original configuration of the remote workstation 400 has been made.
  • the remote workstation 400 can utilize, for example, an agent configured to collect the one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system 200 for verification that no changes have been made to the remote workstation’s 400 BIOS.
  • the user authentication can prompt the user logging into the remote workstation 400 to supply user credentials.
  • the user credentials can be, for example, at least one of: a username, a password, biometric information (e.g., fingerprint, retina scan, etc.), facial recognition, or a Hardware Security Module (HSM) generated identifier, or any other means that can be used to identify the user logging into the remote workstation 400.
  • in addition to the Basic Input/Output System (BIOS) check and the user authentication, the remote workstation 400 also obtains hardware identification information identifying at least part of the hardware of the remote workstation 400 (e.g., hard disks, Read Only Memory (ROM) modules, Central Processing Units (CPUs), external hardware devices detachably connected, etc.) and software information (e.g., checksums of various software, etc.) by executing one or more software checks for validating software installed on the remote workstation 400 (e.g., at least one of: anti-virus software, firewall software, and the like).
  • an attempt to establish a Virtual Private Network (VPN) tunnel, through, for example, an encrypted link, between the remote workstation 400 and the internal authentication system 200 is made (block 504).
  • the VPN tunnel is configured, for example, to allow only input obtained using a keyboard or a mouse connected to the remote workstation 400 to be sent from the remote workstation 400 to the internal authentication system 200.
  • the VPN tunnel is established only if a request to establish secure remote access is pre-approved by an internal user.
  • the internal user can be, for example, the person who ordered a service provider to assist in handling e.g., a malfunction, while the request to establish the secure remote access may be sent by the service provider through the remote workstation 400.
  • a time window for the secure remote access may be defined such that the VPN tunnel is establishable only during this specific time window. This makes it possible to verify that the connection between the remote workstation 400 and internal authentication system 200 was an authorized connection within an authorized time frame.
  • the remote workstation 400 sends hardware identification information and software information to the internal authentication system 200 through a session conducted via the VPN tunnel (block 506).
  • the session can be, for example, recorded and stored on data repository 204 and/or monitored by a human operator that can provide a termination instruction to the VPN tunnel so as to immediately terminate the connection between the remote workstation 400 and the internal authentication system 200 in case of any suspicion.
  • the hardware identification information sent by the remote workstation 400 can include identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation 400, one or more Central Processing Units (CPUs) of the remote workstation 400, and one or more external hardware device detachably connected to the remote workstation 400.
  • the identification information is obtained, for example, by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system 200.
  • the software information sent by the remote workstation 400 includes information associated with one or more software components installed on the remote workstation 400, which is obtained, for example, by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.
  • the software information may be obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system 200. This makes it possible to verify that no deviation from the original configuration of the remote workstation 400 has been made and that the remote workstation was not compromised.
  • the internal authentication system 200 validates the remote workstation 400, through authentication module 208, by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information (block 508).
  • upon successful validation of the remote workstation 400 by the internal authentication system 200, the internal authentication system 200 provides the remote workstation 400 with limited access to at least one component of the secured system 300.
  • the limited access is achieved by generating a secure communication channel between the internal authentication system 200 and the secured system 300 (block 510), which, together with the VPN tunnel established between the remote workstation 400 and the internal authentication system 200, creates an indirect communication path between the remote workstation 400 and the secured system 300.
  • the communication channel is established, for example, using second user credentials that are different from the credentials initially entered by the user.
  • the second user credentials may be, for example, stored on a logical electronic vault, making them unknown to the user of the remote workstation 400.
  • additional checks can be performed by the remote workstation 400 using at least one of: a control agent configured to block the connection of external devices to the remote workstation 400, and an agent configured to prevent the remote workstation 400 from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation 400, (b) file deletion of at least part of the files stored on the remote workstation 400, or (c) file execution of at least part of the files stored on the remote workstation 400.
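The validation performed on the internal side in blocks 504 through 510 (pre-approval and time window, hardware identification against reference hardware information, software information against reference software information, and brokered access using second credentials held in a vault) can be sketched as follows. This is an added illustration, not code from the patent or from the applicant; the workstation identifier, hardware identifiers, file paths, digests and vault entry are constructed sample values, and the real reference data would be recorded at enrollment of the workstation.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from hmac import compare_digest
from typing import Dict, List, Optional

# Reference hardware identification enrolled for one remote workstation.
# All identifiers below are constructed sample values.
REFERENCE_HARDWARE = {
    "ws-400": {
        "disks": {"DISK-SN-0001A"},
        "cpus": {"CPU-ID-7F21"},
        "rom": {"ROM-FW-1.4.2"},
        "external": set(),  # no detachable device is expected to be present
    }
}

# Reference software information: one SHA-256 digest per protected file
# (constructed digests standing in for values recorded at enrollment).
REFERENCE_SOFTWARE = {
    "ws-400": {
        "C:/agent/agent.exe": "a1" * 32,
        "C:/agent/helper.dll": "b2" * 32,
    }
}

# Logical vault holding the second user credentials. The remote user never
# receives them; only the internal side resolves them (placeholder value).
VAULT = {"secured-300/maintenance": "second-credentials-placeholder"}
SESSIONS: Dict[str, str] = {}  # session token -> vault entry it is bound to


def utc(*args):
    """Helper to build timezone-aware timestamps for requests and windows."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass
class PreApproval:
    workstation_id: str
    approved_by: str  # the internal user who ordered the service
    start: datetime
    end: datetime


@dataclass
class Decision:
    granted: bool
    reasons: List[str] = field(default_factory=list)
    session_token: Optional[str] = None


def check_preapproval(ws_id, approval, now):
    """The tunnel may only be established inside an approved time window."""
    if approval is None or approval.workstation_id != ws_id:
        return ["no pre-approval by an internal user"]
    if not approval.start <= now <= approval.end:
        return ["request outside the approved time window"]
    return []


def validate_hardware(ws_id, reported):
    """Every reported identifier set must equal the enrolled reference set."""
    ref = REFERENCE_HARDWARE.get(ws_id)
    if ref is None:
        return ["unknown workstation"]
    return [f"hardware mismatch: {kind}"
            for kind in ("disks", "cpus", "rom", "external")
            if set(reported.get(kind, ())) != ref[kind]]


def validate_software(ws_id, reported):
    """Flag deleted, modified and unexpected files relative to the reference."""
    ref = REFERENCE_SOFTWARE.get(ws_id, {})
    problems = []
    for path, digest in ref.items():
        if path not in reported:
            problems.append(f"file deleted: {path}")
        elif not compare_digest(reported[path], digest):
            problems.append(f"file modified: {path}")
    problems += [f"unexpected file: {p}" for p in sorted(reported.keys() - ref.keys())]
    return problems


def authorize(ws_id, approval, report, now, vault_key="secured-300/maintenance"):
    """Gate the tunnel, validate the workstation report, then broker access."""
    decision = Decision(granted=False)
    decision.reasons += check_preapproval(ws_id, approval, now)
    decision.reasons += validate_hardware(ws_id, report.get("hardware", {}))
    decision.reasons += validate_software(ws_id, report.get("software", {}))
    if decision.reasons:
        return decision
    token = secrets.token_hex(16)
    SESSIONS[token] = vault_key  # the channel to the secured system is opened internally
    decision.granted = True
    decision.session_token = token
    return decision


def channel_credentials(token):
    """Internal side only: resolve the second credentials for a granted session."""
    return VAULT[SESSIONS[token]]
```

The remote workstation only ever sees the random session token; the second credentials are looked up from the vault by the internal side when it opens the channel to the secured system, which is what keeps them unknown to the remote user. Every failed check is collected rather than short-circuited so that the operator monitoring the session sees all reasons for a refusal at once.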

Abstract

The presently disclosed subject matter aims to provide a multi-factor authentication system for controlled remote access. The system is intended to eliminate the need to transport a service provider to the location of a component in need of care, as it allows the service provider to interact with said component remotely (thereby saving the costs associated with bringing the service provider to the location of the purchased component), while maintaining the highest cyber security standards (for example, military standards, and the like).

Description

A SECURE REMOTE ACCESS SYSTEM AND METHOD
TECHNICAL FIELD
The present invention relates to the field of secure remote access systems and methods.
BACKGROUND
Secure remote access is an umbrella under which a number of security strategies reside. These strategies are directed to any security policy or solution that prevents unauthorized access to an internal network or sensitive data.
With the proliferation of internet-connected devices, an organization’s workforce is no longer limited to a single location. Instead, an organization may have employees connecting to their internal network and accessing sensitive data from locations worldwide. This rise in the number of endpoints (laptops, servers, tablets, smartphones) requiring access to corporate networks substantially broadens the range of attackable targets for malicious actors.
To address these ever-growing threats, there is a need in the art for a new secure remote access system and method.
GENERAL DESCRIPTION
In accordance with a first aspect of the presently disclosed subject matter, there is provided a system for providing secure remote access, the system comprising: an internal authentication system of an organization, the internal authentication system comprising an internal authentication system processing circuitry; a remote workstation remote from the internal authentication system, the remote workstation comprising a remote workstation processing circuitry; wherein the remote workstation processing circuitry is configured to: (a) perform a Basic Input/Output System (BIOS) check, (b) authenticate a user logging in to the remote workstation using user credentials, (c) obtain hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtain software information by executing one or more software checks for validating software installed on the remote workstation; upon the BIOS check and the user authentication being successful, the remote workstation processing circuitry is further configured to establish a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system of the organization; after successful establishment of the VPN tunnel, the remote workstation processing circuitry is further configured to send the hardware identification information and the software information to the internal authentication system; and wherein the internal authentication system processing circuitry is configured to validate the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; upon the remote workstation validation being successful, the internal authentication system processing circuitry is further configured to provide the remote workstation with limited access to at least one component of a secured system of the organization via the 
VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.
In some cases, the user credentials include at least one of: (a) a username, (b) a password, (c) biometric information, (d) facial recognition, or (e) a Hardware Security Module (HSM) generated identifier.
In some cases, the remote workstation further comprises an agent configured to collect one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system.
In some cases, the VPN tunnel is configured to allow only input obtained using a keyboard or a mouse connected to the remote workstation to be sent from the remote workstation to the internal authentication system.
In some cases, the hardware identification information includes identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation, one or more Central Processing Units (CPUs) of the remote workstation.
In some cases, the hardware identification information includes identification information identifying at least one external hardware device detachably connected to the remote workstation. In some cases, the hardware identification information is obtained by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system.
In some cases, the software information includes information associated with one or more software components installed on the remote workstation.
In some cases, the software information is obtained by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.
In some cases, the software information is obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system.
In some cases, the limited access to the at least one component in the secured system of the organization is performed using the second user credentials stored on a logical electronic vault.
In some cases, the remote workstation further comprises a control agent configured to block the connection of external devices to the remote workstation.
In some cases, the remote workstation further comprises anti-virus software.
In some cases, the internal authentication system further comprises firewall software.
In some cases, the remote workstation further comprises an agent configured to prevent the remote workstation from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation, (b) file deletion of at least part of the files stored on the remote workstation, or (c) file execution of at least part of the files stored on the remote workstation.
In some cases, a session conducted via the VPN tunnel is monitored by a human operator and wherein the human operator can provide a termination instruction to the VPN tunnel, thereby terminating the connection between the remote workstation and the internal authentication system.
In some cases, a session conducted via the VPN tunnel is recorded and stored on a data repository.
In some cases, the VPN channel is established only if a request to establish secure remote access is pre-approved by an internal user. In some cases, the pre-approval defines a time window for the secure remote access, and wherein the VPN channel is establishable only during the time-window.
In accordance with a second aspect of the presently disclosed subject matter, there is provided a method for providing secure remote access, the method comprising: in a remote workstation remote from an internal authentication system of an organization: (a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of an organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; providing the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.
In some cases, the user credentials include at least one of: (a) a username, (b) a password, (c) biometric information, (d) facial recognition, or (e) a Hardware Security Module (HSM) generated identifier.
In some cases, the remote workstation further comprises an agent configured to collect one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system.
In some cases, the VPN tunnel is configured to allow only input obtained using a keyboard or a mouse connected to the remote workstation to be sent from the remote workstation to the internal authentication system.
In some cases, the hardware identification information includes identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation, one or more Central Processing Units (CPUs) of the remote workstation.
In some cases, the hardware identification information includes identification information identifying at least one external hardware device detachably connected to the remote workstation.
In some cases, the hardware identification information is obtained by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system.
In some cases, the software information includes information associated with one or more software components installed on the remote workstation.
In some cases, the software information is obtained by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.
In some cases, the software information is obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system.
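The software checks named above (file name change identification, file deletion identification and an integrity check over DLLs and executables) amount to comparing a current manifest of the protected files against a baseline manifest. The following is an added example of how a log agent on the remote workstation could produce that software information; it is not code from the patent or from the applicant. The directory layout, file names and contents are constructed inside a temporary directory so the example runs offline, and the classification of a missing file whose digest reappears under a new name as a rename is an assumption of this example.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Classify deviations from the baseline: modified, renamed, deleted, added."""
    result = {"modified": [], "renamed": [], "deleted": [], "added": []}
    # Paths present now but absent from the baseline, grouped by digest;
    # they are rename candidates for baseline files that went missing.
    new_by_digest = {}
    for path, digest in current.items():
        if path not in baseline:
            new_by_digest.setdefault(digest, []).append(path)
    for path, digest in baseline.items():
        if path in current:
            if current[path] != digest:
                result["modified"].append(path)
        elif new_by_digest.get(digest):
            # Same content under a different name: treated as a rename here.
            result["renamed"].append((path, new_by_digest[digest].pop(0)))
        else:
            result["deleted"].append(path)
    for paths in new_by_digest.values():
        result["added"].extend(paths)
    for entries in result.values():
        entries.sort()
    return result


def demo():
    """Constructed scenario: baseline three files, then tamper in four ways."""
    root = tempfile.mkdtemp(prefix="ws400-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in {"bin/agent.exe": b"agent v1",
                          "bin/helper.dll": b"helper v1",
                          "bin/old.dll": b"old v1"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)
        with open(os.path.join(root, "bin/agent.exe"), "wb") as f:
            f.write(b"agent v1 + patch")                      # modified
        os.rename(os.path.join(root, "bin/helper.dll"),
                  os.path.join(root, "bin/helper2.dll"))      # renamed
        os.remove(os.path.join(root, "bin/old.dll"))          # deleted
        with open(os.path.join(root, "bin/extra.exe"), "wb") as f:
            f.write(b"extra")                                 # added
        return compare_manifests(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The baseline manifest is the reference software information the internal authentication system holds; the agent sends the current manifest (or the comparison result) over the tunnel and the internal side, not the workstation, decides whether the deviations are acceptable. Because a deletion followed by an unrelated file with identical content would also be reported as a rename, a deployment that needs to distinguish the two should also carry file metadata such as size and modification time in the manifest.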
In some cases, the limited access to the at least one component in the secured system of the organization is performed using the second user credentials stored on a logical electronic vault.
In some cases, the remote workstation further comprises a control agent configured to block the connection of external devices to the remote workstation.
In some cases, the remote workstation further comprises anti-virus software.
In some cases, the internal authentication system further comprises firewall software.
In some cases, the remote workstation further comprises an agent configured to prevent the remote workstation from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation, (b) file deletion of at least part of the files stored on the remote workstation, or (c) file execution of at least part of the files stored on the remote workstation.
In some cases, a session conducted via the VPN tunnel is monitored by a human operator and wherein the human operator can provide a termination instruction to the VPN tunnel, thereby terminating the connection between the remote workstation and the internal authentication system.
In some cases, a session conducted via the VPN tunnel is recorded and stored on a data repository.
In some cases, the VPN channel is established only if a request to establish secure remote access is pre-approved by an internal user.
In some cases, the pre-approval defines a time window for the secure remote access, and wherein the VPN channel is establishable only during the time-window.
In accordance with a third aspect of the presently disclosed subject matter, there is provided a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor to perform a secure remote access method, the secure remote access comprising one or more components, the method comprising: in a remote workstation remote from an internal authentication system of an organization: (a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of the organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; providing the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to understand the presently disclosed subject matter and to see how it may be carried out in practice, the subject matter will now be described, by way of nonlimiting examples only, with reference to the accompanying drawings, in which:
Fig. 1 is a schematic illustration of an environment of a secure remote access system, in accordance with the presently disclosed subject matter;
Fig. 2 is a block diagram schematically illustrating one example of an internal authentication system, in accordance with the presently disclosed subject matter;
Fig. 3 is a block diagram schematically illustrating one example of a remote workstation, in accordance with the presently disclosed subject matter; and,
Fig. 4 is a flowchart illustrating one example of a sequence of operations carried out by a remote workstation and an internal authentication system, in accordance with the presently disclosed subject matter.
DETAILED DESCRIPTION
In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the presently disclosed subject matter. However, it will be understood by those skilled in the art that the presently disclosed subject matter may be practiced without these specific details. In other instances, well-known methods, procedures, and components have not been described in detail so as not to obscure the presently disclosed subject matter.
In the drawings and descriptions set forth, identical reference numerals indicate those components that are common to different embodiments or configurations.
Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as “obtaining”, “performing”, “sending”, “providing”, “validating”, “establishing”, “collecting”, “authenticating”, “preventing”, “allowing”, “blocking” or the like, include action and/or processes of a computer that manipulate and/or transform data into other data, said data represented as physical quantities, e.g. such as electronic quantities, and/or said data representing the physical objects. The terms “computer”, “processor”, “processing resource”, “processing circuitry”, and “controller” should be expansively construed to cover any kind of electronic device with data processing capabilities, including, by way of non-limiting example, a personal desktop/laptop computer, a server, a computing system, a communication device, a smartphone, a tablet computer, a smart television, a processor (e.g. digital signal processor (DSP), a microcontroller, a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), etc.), a group of multiple physical machines sharing performance of various tasks, virtual servers co-residing on a single physical machine, any other electronic computing device, and/or any combination thereof.
The operations in accordance with the teachings herein may be performed by a computer specially constructed for the desired purposes or by a general-purpose computer specially configured for the desired purpose by a computer program stored in a non-transitory computer readable storage medium. The term "non-transitory" is used herein to exclude transitory, propagating signals, but to otherwise include any volatile or non-volatile computer memory technology suitable to the application.
As used herein, the phrase "for example," "such as", "for instance" and variants thereof describe non-limiting embodiments of the presently disclosed subject matter. Reference in the specification to "one case", "some cases", "other cases" or variants thereof means that a particular feature, structure or characteristic described in connection with the embodiment(s) is included in at least one embodiment of the presently disclosed subject matter. Thus, the appearance of the phrase "one case", "some cases", "other cases" or variants thereof does not necessarily refer to the same embodiment(s).
It is appreciated that, unless specifically stated otherwise, certain features of the presently disclosed subject matter, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the presently disclosed subject matter, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable sub-combination.
In embodiments of the presently disclosed subject matter, fewer, more and/or different stages than those shown in Fig. 4 may be executed. In embodiments of the presently disclosed subject matter one or more stages illustrated in Fig. 4 may be executed in a different order and/or one or more groups of stages may be executed simultaneously. Figs. 2 and 3 illustrate a general schematic of the system architecture in accordance with an embodiment of the presently disclosed subject matter. Each module in Figs. 2 and 3 can be made up of any combination of software, hardware and/or firmware that performs the functions as defined and explained herein. The modules in Figs. 2 and 3 may be centralized in one location or dispersed over more than one location. In other embodiments of the presently disclosed subject matter, the system may comprise fewer, more, and/or different modules than those shown in Figs. 2 and 3.
Any reference in the specification to a method should be applied mutatis mutandis to a system capable of executing the method and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that once executed by a computer result in the execution of the method.
Any reference in the specification to a system should be applied mutatis mutandis to a method that may be executed by the system and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that may be executed by the system.
Any reference in the specification to a non-transitory computer readable medium should be applied mutatis mutandis to a system capable of executing the instructions stored in the non-transitory computer readable medium and should be applied mutatis mutandis to a method that may be executed by a computer that reads the instructions stored in the non-transitory computer readable medium.
By way of introduction, nowadays, enterprises purchasing components from companies worldwide have to pay millions of dollars in service agreements in situations where a malfunction in the purchased component occurs and the service of a service provider, e.g., a technician or an engineer, on behalf of the company is required. Aside from the cost for the service provider’s work, the service agreements may include additional costs associated with transporting the aforementioned service provider to the location of the purchased component (flying costs, living costs, etc.) in cases where there is no service branch of the company at the vicinity of the purchased component’s location.
In a particular example, a company situated in Israel purchasing a component from, for example, Siemens (based in Germany), would have to pay Siemens a substantive amount of money, as part of the service agreement, for the transportation of a Siemens service provider from Germany to Israel in cases of need.
The presently disclosed subject matter aims to provide a Multi-Factor Authentication system for controlled remote access. This system would make redundant the need of transporting a service provider to the location of the component needing care and would allow the service provider to interact with the purchased component remotely (thus saving the costs involved in bringing the service provider to the location of the purchased component) while keeping the highest cybersecurity standards (e.g., military standards).
Bearing this in mind, attention is drawn to Fig. 1, showing a schematic illustration of an environment of the secure remote access system, in accordance with the presently disclosed subject matter.
In the schematic illustration, environment 100 includes an internal authentication system 200 in communication with a secured system 300 and a remote workstation 400 situated, for example, at a location remote from the location of the secured system 300. Both the internal authentication system 200 and the secured system 300 can be, for example, part of an organization network, such that the secured system 300 may be inaccessible from outside the organizational network. In fact, according to the presently disclosed subject matter, a user using the remote workstation 400 does not have direct access to the secured system 300, as the user is neither in the vicinity of the secured system 300 nor able to easily reach it. The remote workstation 400, and by virtue of its location also the user, can be, for example, in another city, state, country or continent, or on the other side of the world from the secured system 300, making it impossible for the user at the location of the remote workstation 400 to reach the secured system 300 in cases where immediate attention is needed.
Given the fact that the secured system 300 is located at a different location than the remote workstation 400, the user is required to operate the secured system 300 from afar.
Attention is now drawn to the components of the internal authentication system 200.
Fig. 2 is a block diagram schematically illustrating one example of the internal authentication system 200, in accordance with the presently disclosed subject matter.
In accordance with the presently disclosed subject matter, internal authentication system 200 (also interchangeably referred to herein as “system 200”) includes a processing circuitry 202 linked to a data repository 204 and a network interface 206. The system 200 further includes an authentication module 208, which operates in conjunction with the processing circuitry 202 and data repository 204 to perform the presently disclosed subject matter. All of the components 202, 204, 206, and 208 are linked to each other so as to be in direct and/or indirect electronic and/or data communication with each other.
The processing circuitry 202 can be one or more processing units (e.g., central processing units), microprocessors, microcontrollers (e.g., microcontroller units (MCUs)), or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant system 200 resources and for enabling operations related to system's 200 resources.
The data repository 204 (e.g., a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of memory, etc.) can be configured to store data, optionally including, inter alia, user credentials, hardware identification information (e.g., hard disks, Read Only Memory (ROM) modules, Central Processing Units (CPUs), external hardware devices detachably connected, etc.), software information (e.g., checksums of various software, etc.), software checks, BIOS events logs, VPN sessions, time windows, and the like. Data repository 204 can be further configured to enable retrieval and/or update and/or deletion of the stored data. It is to be noted that in some cases, data repository 204 can be distributed, while the system 200 has access to the information stored thereon, e.g., via a wired or wireless network to which system 200 is able to connect (utilizing its network interface 206).
The network interface 206 (e.g., a network card, a WiFi client, a LiFi client, 3G/4G client, or any other component) enables system 200 to communicate over a network with external systems and handles inbound and outbound communications from such systems, such as secured system 300, remote workstation 400, etc.
The authentication module 208 is configured to execute one or more authentication processes, as further detailed herein, inter alia with reference to Fig. 4.
Attention is now drawn to the components of the remote workstation 400.
Fig. 3 is a block diagram schematically illustrating one example of the remote workstation 400, in accordance with the presently disclosed subject matter.
In accordance with the presently disclosed subject matter, remote workstation 400 (also interchangeably referred to herein as “system 400”) includes a processing circuitry 402 linked to a data repository 404 and a network interface 406. The system 400 further includes an authentication module 408, which operates in conjunction with the processing circuitry 402 and data repository 404 to perform the presently disclosed subject matter. All of the components 402, 404, 406, and 408 are linked to each other so as to be in direct and/or indirect electronic and/or data communication with each other.
The processing circuitry 402 can be one or more processing units (e.g., central processing units), microprocessors, microcontrollers (e.g., microcontroller units (MCUs)), or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant system 400 resources and for enabling operations related to system's 400 resources.
The data repository 404 (e.g., a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of memory, etc.) can be configured to store data, optionally including, inter alia, user credentials, hardware identification information (e.g., hard disks, Read Only Memory (ROM) modules, Central Processing Units (CPUs), external hardware devices detachably connected, etc.), software information (e.g., checksums of various software, etc.), software checks, BIOS events logs, VPN sessions, time windows, and the like. Data repository 404 can be further configured to enable retrieval and/or update and/or deletion of the stored data. It is to be noted that in some cases, data repository 404 can be distributed, while the system 400 has access to the information stored thereon, e.g., via a wired or wireless network to which system 400 is able to connect (utilizing its network interface 406).
The network interface 406 (e.g., a network card, a WiFi client, a LiFi client, 3G/4G client, or any other component) enables system 400 to communicate over a network with external systems and handles inbound and outbound communications from such systems.
The authentication module 408 is configured to execute one or more authentication procedures, as further detailed herein, inter alia with reference to Fig. 4.
Turning to Fig. 4, there is shown a flowchart illustrating one example of a sequence of operations carried out for authenticating and enabling a predefined and limited interaction between remote workstation 400 and secured system 300, in accordance with the presently disclosed subject matter. Accordingly, the secure remote access system can be configured to perform a computer-implemented process 500, e.g., using authentication modules 208 and 408.
For this purpose, the remote workstation 400, through its authentication module 408, performs a Basic Input/Output System (BIOS) check, and authenticates a user logging into the remote workstation using user credentials (block 502).
The Basic Input/Output System (BIOS) check includes executing a BIOS integrity measurement mechanism on the remote workstation 400 and validating the results. In some cases, in addition to, or as an alternative for the BIOS check, a logging mechanism can be utilized to track changes to the BIOS, and such logging mechanism can be used to verify that no deviation from the original configuration of the remote workstation 400 has been made. The remote workstation 400 can utilize, for example, an agent configured to collect the one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system 200 for verification that no changes have been made to the remote workstation’s 400 BIOS.
The user authentication can prompt the user logging into the remote workstation 400 to supply user credentials. The user credentials can be, for example, at least one of: a username, a password, biometric information (e.g., fingerprint, retina scan, etc.), facial recognition, or a Hardware Security Module (HSM) generated identifier, or any other means that can be used to identify the user logging into the remote workstation 400.
In addition to the Basic Input/Output System (BIOS) check and the user authentication, the remote workstation 400 also obtains hardware identification information identifying at least part of the hardware of the remote workstation 400 (e.g., hard disks, Read Only Memory (ROM) modules, Central Processing Units (CPUs), external hardware devices detachably connected, etc.) and software information (e.g., checksums of various software, etc.) by executing one or more software checks for validating software installed on the remote workstation 400 (e.g., at least one of: an anti-virus software, firewall software, and the like).
Upon the BIOS check and the user authentication being successful, an attempt to establish a Virtual Private Network (VPN) tunnel, through, for example, an encrypted link, between the remote workstation 400 and the internal authentication system 200 is made (block 504). The VPN tunnel is directed, for example, to allow only input obtained using a keyboard or a mouse connected to the remote workstation 400 to be sent from the remote workstation 400 to the internal authentication system 200. In some cases, the VPN tunnel is established only if a request to establish secure remote access is pre-approved by an internal user. The internal user can be, for example, the person who ordered a service provider to assist in handling, e.g., a malfunction, while the request to establish the secure remote access may be sent by the service provider through the remote workstation 400. As part of the pre-approval process, a time window for the secure remote access may be defined such that the VPN tunnel is establishable only during this specific time window. This makes it possible to verify that the connection between the remote workstation 400 and internal authentication system 200 was an authorized connection within an authorized time frame.
The remote workstation 400 sends hardware identification information and software information to the internal authentication system 200 through a session conducted via the VPN tunnel (block 506). The session can be, for example, recorded and stored on data repository 204 and/or monitored by a human operator that can provide a termination instruction to the VPN tunnel so as to immediately terminate the connection between the remote workstation 400 and the internal authentication system 200 in case of any suspicion.
The hardware identification information sent by the remote workstation 400 can include identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation 400, one or more Central Processing Units (CPUs) of the remote workstation 400, and one or more external hardware devices detachably connected to the remote workstation 400. The identification information is obtained, for example, by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system 200.
The software information sent by the remote workstation 400 includes information associated with one or more software components installed on the remote workstation 400, which is obtained, for example, by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks. Alternatively or additionally, the software information may be obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system 200. This makes it possible to verify that no deviation from the original configuration of the remote workstation 400 has been made and that the remote workstation was not compromised.
As information sent by remote workstation 400 reaches internal authentication system 200, the internal authentication system 200 validates the remote workstation 400, through authentication module 208, by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information (block 508).
Upon successful validation of the remote workstation 400 by the internal authentication system 200, the internal authentication system 200 provides the remote workstation 400 with limited access to at least one component of the secured system 300. The limited access is achieved by generating a secure communication channel between the internal authentication system 200 and the secured system 300 (block 510), which, along with the VPN tunnel established between the remote workstation 400 and the internal authentication system 200, creates an indirect communication path between the remote workstation 400 and the secured system 300.
The communication channel is established, for example, using second user credentials that are different from the credentials initially entered by the user. The second user credentials may be, for example, stored on a logical electronic vault, making them unknown to the user of the remote workstation 400.
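An added example, not the patent's own code, of the validation the internal authentication system 200 performs at block 508 together with the pre-approval time window of block 504, written in Python. The component names, serial numbers, digests, BIOS log lines and workstation identifiers are constructed sample values, and the report and profile types are assumptions about how the collected information might be represented.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class WorkstationReport:
    """What the remote workstation (400) sends over the VPN session (block 506)."""
    workstation_id: str
    hardware: dict[str, str]      # component name -> identifier (constructed, e.g. a serial)
    software: dict[str, str]      # file path -> SHA-256 hex digest
    bios_events: tuple[str, ...]  # BIOS event log lines collected by the agent


@dataclass(frozen=True)
class ReferenceProfile:
    """Reference hardware/software/BIOS information held by the internal authentication system (200)."""
    hardware: dict[str, str]
    software: dict[str, str]
    bios_events: tuple[str, ...]


@dataclass(frozen=True)
class PreApproval:
    """Pre-approval granted by an internal user, with its time window (block 504)."""
    workstation_id: str
    window_start: datetime
    window_end: datetime


def utc(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def _diff(reported: dict[str, str], reference: dict[str, str], kind: str) -> list[str]:
    """Compare identifiers or checksums with the reference; every deviation is a finding."""
    findings = []
    for name, expected in reference.items():
        actual = reported.get(name)
        if actual is None:
            findings.append(f"{kind} missing: {name}")      # e.g. a deleted file or removed disk
        elif actual != expected:
            findings.append(f"{kind} changed: {name}")      # e.g. a modified DLL or swapped CPU
    for name in sorted(reported.keys() - reference.keys()):
        findings.append(f"{kind} unexpected: {name}")       # e.g. a renamed file or attached device
    return findings


def tunnel_allowed(approvals: list[PreApproval], workstation_id: str, now: datetime) -> bool:
    """Block 504: the VPN tunnel may be established only inside a pre-approved window."""
    return any(a.workstation_id == workstation_id and a.window_start <= now <= a.window_end
               for a in approvals)


def validate_workstation(report: WorkstationReport, reference: ReferenceProfile) -> list[str]:
    """Block 508: validate hardware, software and BIOS event log against the reference.
    An empty list means no deviation from the original configuration was found."""
    findings = _diff(report.hardware, reference.hardware, "hardware")
    findings += _diff(report.software, reference.software, "software")
    if report.bios_events != reference.bios_events:
        findings.append("bios: event log deviates from baseline")
    return findings


# Constructed sample values; a real deployment would hold actual serials and digests.
REFERENCE = ReferenceProfile(
    hardware={"disk0": "SN-DISK-0001", "cpu0": "CPU-ID-ABCD", "rom0": "ROM-REV-07"},
    software={"C:/av/engine.dll": "a" * 64, "C:/fw/fw.exe": "b" * 64},
    bios_events=("BOOT secure=on", "CFG hash=0123abcd"),
)
APPROVALS = [PreApproval("ws-17", utc("2022-08-11T09:00"), utc("2022-08-11T12:00"))]


def good_report() -> WorkstationReport:
    """A workstation whose state matches the reference exactly."""
    return WorkstationReport("ws-17", dict(REFERENCE.hardware), dict(REFERENCE.software),
                             REFERENCE.bios_events)


def tampered_report() -> WorkstationReport:
    """A workstation with a detachable device attached and a renamed firewall executable."""
    hw = dict(REFERENCE.hardware)
    hw["usb0"] = "USB-STICK-9"
    sw = dict(REFERENCE.software)
    sw["C:/fw/fw_old.exe"] = sw.pop("C:/fw/fw.exe")
    return WorkstationReport("ws-17", hw, sw, REFERENCE.bios_events)


if __name__ == "__main__":
    print("good:", validate_workstation(good_report(), REFERENCE))
    print("tampered:", validate_workstation(tampered_report(), REFERENCE))
    print("in window:", tunnel_allowed(APPROVALS, "ws-17", utc("2022-08-11T10:00")))
```
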
In some cases, additional checks can be performed by remote workstation 400 using at least one of: a control agent configured to block the connection of external devices to the remote workstation 400, or an agent configured to prevent the remote workstation 400 from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation 400, (b) file deletion of at least part of the files stored on the remote workstation 400, or (c) file execution of at least part of the files stored on the remote workstation 400.
It is to be noted, with reference to Fig. 4, that some of the blocks can be integrated into a consolidated block or can be broken down to a few blocks and/or other blocks may be added. It is to be further noted that some of the blocks are optional. It should be also noted that whilst the flow diagram is described also with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein. It is to be understood that the presently disclosed subject matter is not limited in its application to the details set forth in the description contained herein or illustrated in the drawings. The presently disclosed subject matter is capable of other embodiments and of being practiced and carried out in various ways. Hence, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting. As such, those skilled in the art will appreciate that the conception upon which this disclosure is based may readily be utilized as a basis for designing other structures, methods, and systems for carrying out the several purposes of the presently disclosed subject matter. It will also be understood that the system according to the presently disclosed subject matter can be implemented, at least partly, as a suitably programmed computer. Likewise, the presently disclosed subject matter contemplates a computer program being readable by a computer for executing the disclosed method. The presently disclosed subject matter further contemplates a machine-readable memory tangibly embodying a program of instructions executable by the machine for executing the disclosed method.

Claims

1. A system for providing secure remote access, the system comprising: an internal authentication system of an organization, the internal authentication system comprising an internal authentication system processing circuitry; a remote workstation remote from the internal authentication system, the remote workstation comprising a remote workstation processing circuitry; wherein the remote workstation processing circuitry is configured to: (a) perform a Basic Input/Output System (BIOS) check, (b) authenticate a user logging in to the remote workstation using user credentials, (c) obtain hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtain software information by executing one or more software checks for validating software installed on the remote workstation; upon the BIOS check and the user authentication being successful, the remote workstation processing circuitry is further configured to establish a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system of the organization; after successful establishment of the VPN tunnel, the remote workstation processing circuitry is further configured to send the hardware identification information and the software information to the internal authentication system; and wherein the internal authentication system processing circuitry is configured to validate the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; upon the remote workstation validation being successful, the internal authentication system processing circuitry is further configured to provide the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.
2. The system of claim 1, wherein the user credentials include at least one of: (a) a username (b) a password, (c) biometric information, (d) facial recognition, or (e) a Hardware Security Module (HSM) generated identifier.
3. The system of claim 1, wherein the remote workstation further comprises an agent configured to collect one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system.
4. The system of claim 1, wherein the VPN tunnel is configured to allow only input obtained using a keyboard or a mouse connected to the remote workstation to be sent from the remote workstation to the internal authentication system.
5. The system of claim 1, wherein the hardware identification information includes identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation, one or more Central Processing Units (CPUs) of the remote workstation.
6. The system of claim 1, wherein the hardware identification information includes identification information identifying at least one external hardware device detachably connected to the remote workstation.
7. The system of claim 1, wherein the hardware identification information is obtained by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system.
8. The system of claim 1, wherein the software information includes information associated with one or more software components installed on the remote workstation.
9. The system of claim 8, wherein: the software information is obtained by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.
10. The system of claim 1, wherein the software information is obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system.
11. The system of claim 1, wherein the limited access to the at least one component in the secured system of the organization is performed using the second user credentials stored on a logical electronic vault.
12. The system of claim 1, wherein the remote workstation further comprises a control agent configured to block external devices connection to the remote workstation.
13. The system of claim 1, wherein the remote workstation further comprises antivirus software.
14. The system of claim 1, wherein the internal authentication system further comprises firewall software.
15. The system of claim 1, wherein the remote workstation further comprises an agent configured to prevent the remote workstation from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation, (b) file deletion of at least part of the files stored on the remote workstation, or (c) file execution of at least part of the files stored on the remote workstation.
16. The system of claim 1, wherein a session conducted via the VPN tunnel is monitored by a human operator and wherein the human operator can provide a termination instruction to the VPN tunnel, thereby terminating the connection between the remote workstation and the internal authentication system.
17. The system of claim 1, wherein a session conducted via the VPN tunnel is recorded and stored on a data repository.
18. The system of claim 1, wherein the VPN channel is established only if a request to establish secure remote access is pre-approved by an internal user.
19. The system of claim 18, wherein the pre-approval defines a time window for the secure remote access, and wherein the VPN channel is establishable only during the time-window.
20. A method for providing secure remote access, the method comprising: in a remote workstation remote from an internal authentication system of an organization:
(a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of an organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; providing the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.
21. The method of claim 20, wherein the user credentials include at least one of: (a) a username (b) a password, (c) biometric information, (d) facial recognition, or (e) a Hardware Security Module (HSM) generated identifier.
22. The method of claim 20, wherein the remote workstation further comprises an agent configured to collect one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system.
23. The method of claim 20, wherein the VPN tunnel is configured to allow only input obtained using a keyboard or a mouse connected to the remote workstation to be sent from the remote workstation to the internal authentication system.
24. The method of claim 20, wherein the hardware identification information includes identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation, one or more Central Processing Units (CPUs) of the remote workstation.
25. The method of claim 20, wherein the hardware identification information includes identification information identifying at least one external hardware device detachably connected to the remote workstation.
26. The method of claim 20, wherein the hardware identification information is obtained by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system.
27. The method of claim 20, wherein the software information includes information associated with one or more software components installed on the remote workstation.
28. The method of claim 27, wherein: the software information is obtained by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.
29. The method of claim 20, wherein the software information is obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system.
30. The method of claim 20, wherein the limited access to the at least one component in the secured system of the organization is performed using the second user credentials stored on a logical electronic vault.
31. The method of claim 20, wherein the remote workstation further comprises a control agent configured to block external devices connection to the remote workstation.
32. The method of claim 20, wherein the remote workstation further comprises antivirus software.
33. The method of claim 20, wherein the internal authentication system further comprises firewall software.
34. The method of claim 20, wherein the remote workstation further comprises an agent configured to prevent the remote workstation from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation, (b) file deletion of at least part of the files stored on the remote workstation, or (c) file execution of at least part of the files stored on the remote workstation.
35. The method of claim 20, wherein a session conducted via the VPN tunnel is monitored by a human operator and wherein the human operator can provide a termination instruction to the VPN tunnel, thereby terminating the connection between the remote workstation and the internal authentication system.
36. The method of claim 20, wherein a session conducted via the VPN tunnel is recorded and stored on a data repository.
37. The method of claim 20, wherein the VPN channel is established only if a request to establish secure remote access is pre-approved by an internal user.
38. The method of claim 37, wherein the pre-approval defines a time window for the secure remote access, and wherein the VPN channel is establishable only during the time-window.
39. A non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor to perform a secure remote access method, the secure remote access comprising one or more components, the method comprising: in a remote workstation remote from an internal authentication system of an organization:
(a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of the organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; providing the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.
PCT/IL2022/050877 2021-08-30 2022-08-11 A secure remote access system and method WO2023031907A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202163238235P 2021-08-30 2021-08-30
US63/238,235 2021-08-30

Publications (1)

Publication Number Publication Date
WO2023031907A1 true WO2023031907A1 (en) 2023-03-09

Family

ID=85412154

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2022/050877 WO2023031907A1 (en) 2021-08-30 2022-08-11 A secure remote access system and method

Country Status (1)

Country Link
WO (1) WO2023031907A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6636898B1 (en) * 1999-01-29 2003-10-21 International Business Machines Corporation System and method for central management of connections in a virtual private network
US20090037654A1 (en) * 2007-07-30 2009-02-05 Stroz Friedberg, Inc. System, method, and computer program product for detecting access to a memory device
WO2014062337A1 (en) * 2012-10-15 2014-04-24 Citrix Systems, Inc. Providing virtualized private network tunnels
US20150200934A1 (en) * 2010-06-30 2015-07-16 Google Inc. Computing device integrity verification
US9258295B1 (en) * 2012-08-31 2016-02-09 Cisco Technology, Inc. Secure over-the-air provisioning for handheld and desktop devices and services

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6636898B1 (en) * 1999-01-29 2003-10-21 International Business Machines Corporation System and method for central management of connections in a virtual private network
US20090037654A1 (en) * 2007-07-30 2009-02-05 Stroz Friedberg, Inc. System, method, and computer program product for detecting access to a memory device
US20150200934A1 (en) * 2010-06-30 2015-07-16 Google Inc. Computing device integrity verification
US9258295B1 (en) * 2012-08-31 2016-02-09 Cisco Technology, Inc. Secure over-the-air provisioning for handheld and desktop devices and services
WO2014062337A1 (en) * 2012-10-15 2014-04-24 Citrix Systems, Inc. Providing virtualized private network tunnels

Similar Documents

Publication Publication Date Title
US11550895B2 (en) Systems and mechanism to control the lifetime of an access token dynamically based on access token use
JP6207697B2 (en) Safe mobile framework
US11784823B2 (en) Object signing within a cloud-based architecture
US20140281539A1 (en) Secure Mobile Framework With Operating System Integrity Checking
CN111314340B (en) Authentication method and authentication platform
US10505925B1 (en) Multi-layer authentication
US11855993B2 (en) Data shield system with multi-factor authentication
EP3149882A1 (en) Secure mobile framework with operating system integrity checking
Almarhabi et al. A Proposed Framework for Access Control in the Cloud and BYOD Environment
US20220311776A1 (en) Injecting risk assessment in user authentication
US20140337926A1 (en) Systems and methods for on-demand provisioning of user access to network-based computer applications and programs
WO2023031907A1 (en) A secure remote access system and method
US11533306B2 (en) Processes and method for safe of use, monitoring and management of device accounts in terminal manner
US20220311777A1 (en) Hardening remote administrator access
US11012433B2 (en) Method and system for modifying network connection access rules using multi-factor authentication (MFA)
US20240007279A1 (en) System and method for managing fragmented encryption keys for granting access
Foltz et al. Secure Endpoint Device Agent Architecture.
Ismoilxon o‘g‘li ACTIVE AND PASSIVE MEANS ENSURING INFORMATION SECURITY IN CLASSIFIED OBJECTS
Business RFI Response National Institute of Standards and Technology Request for Information (RFI) Docket# 130208119-3119-01 Developing a Framework to Improve Critical Infrastructure Cybersecurity

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22863786

Country of ref document: EP

Kind code of ref document: A1