FR2981179A1 - METHOD FOR ACCESSING A SYSTEM OF INFORMATION PROVIDED BEHIND A COMPUTER GATEWAY - Google Patents

Abstract

The invention relates to a method for accessing an information system disposed behind a computer gateway, from a terminal and via an Internet-type communication network. According to the invention: an executable file is opened from the terminal so as to generate a client application that opens a html reader, establishes a secure connection with a server application installed in the gateway and calculates a unique identification signature of the terminal, the server application generates and displays a web page on the html reader, this web page requiring a pin code; once a pin code is entered, this pin code is transmitted and the signature to the gateway, - the gateway connects to a strong authentication server which, if necessary, generates a one-time password (OTP) after reception of the code pin and signature, - this one-time password and signature allow terminal access to the information system via the gateway.

Description

- 1 - "Method for accessing an information system located behind a computer gateway." The present invention relates to a method for accessing an information system disposed behind a computer gateway, from a terminal and via an Internet type communication network. Currently, most companies have an information system that employees have access to work with. When a user is traveling outside the company, it is necessary to ensure completely secure access to the information system. Many solutions exist to remotely access a company's resources. The present invention aims to allow the connection to an information system regardless of the terminal used. Another object of the invention is to guarantee a particularly secure connection impervious to any data leakage and any attack of the information system. At least one of the above-mentioned objects is achieved with a method for accessing an information system disposed behind a computer gateway, from a terminal and via an Internet type communication network. According to the invention, the following steps are carried out: an executable file is opened from the terminal so as to generate a client application which opens a html reader, establishes a secure connection with a server application installed in the gateway and calculates a signature unique identification of the terminal, - the server application, said server for virtual office, generates and displays a web page on the html reader, this web page requiring a pin code; once a pin code is entered, this pin code and the signature 30 are transmitted to the gateway, the gateway connects to a strong authentication server which generates a one-time password (OTP, for "One Time Password ") after receiving the pin code and the signature, - 2 - this one-time password is then sent to the gateway which returns the same password accompanied by the signature to the authentication server to open the password. a session, the authentication server then authorizes access of the terminal to the information system via the gateway. With the method according to the invention, a secure and authenticated connection is established. A first identification is distinguished when the authentication server receives the pin code and the signature. A second identification occurs when the authentication server receives the password and the signature. According to one embodiment of the invention, once authorized access, the communication between the terminal and the gateway is done by display offset in a secure tunnel. The display offset avoids the transfer of data, including malicious data that could pass from the user terminal to the information system. According to the invention, the html reader is a specific reader generated from the executable. As a result, we do not use the terminal browser but a lightweight html reader contained in the executable file. This html reader is only used during connection operations and not for access to the information system once the connection is established. According to an advantageous characteristic of the invention, the server application, called virtual desktop server, is configured to execute several sessions, each in an isolated virtual environment. Thus, different sessions of the same user or of several users are partitioned from one another. With isolated sessions, the integrity of data and applications of the information system is preserved. A virtual desktop server is a server for accessing a virtual desktop, but also other applications such as web applications or published applications. Advantageously, once authorized access, communication between the gateway and the information system can be done by means of a browser installed on the bridge. In particular, the server application, called virtual desktop server, generates and has on the terminal at least one shortcut, - 3 - each shortcut to access a given browser installed on the gateway. The virtual desktop server can include multiple browsers to access the information system. Each browser can be configured to access a set of specific elements of the information system. We thus define several browsers, each dedicated to accessing a type of applications of the information system; these applications include web browsing, published applications and an information system desktop. Browsers are run in the gateway and not locally in the user terminal. This guarantees the integrity of the user terminal against any malicious act from the Internet for example. The virtual desktop server notably allows a user terminal to access web, Citrix® or TSE applications of the information system. According to an advantageous embodiment of the invention, the signature is an identifier developed from the hardware and software characteristics of the terminal. In the method according to the invention, a signature based on the terminal is preferably used instead of a cryptographic token (smart card, USB security key, security token) because the latter involves a heavy implementation.

According to another advantageous embodiment of the invention, the executable file is disposed in a portable storage means connected to the terminal. This storage means can be a USB key (standard), a smartphone ("smartphone"). One can thus use any terminal to connect securely to an information system. This terminal can be a computer of a cybercafé never connected to the information system. Of course, the various features, shapes and embodiments of the invention may be associated with each other in various combinations to the extent that they are not incompatible or exclusive of each other. Other advantages and features of the invention will appear on examining the detailed description of an embodiment which is in no way limitative, and the appended drawings, in which: FIG. 1 is a diagrammatic illustration A simplified schematic illustration of a secure access computer gateway according to the invention is shown in FIG. 2. FIG. 3 is a diagrammatic illustration of the present invention. simplified version of an authentication process according to the prior art, - Figure 4 is a simplified schematic illustration of an authentication process according to the invention, - Figure 5 is a simplified schematic illustration of a housing of secure access integrating an information system. In Figures 1 to 5, the various elements common to the various variants or embodiments have the same references. FIG. 1 shows a simplified diagram of a system for accessing information systems according to the invention. There is an information system 1 of a company. This information system is represented by physical or virtual servers comprising all the components of a conventional information system including an application publication, storage means, centralized management means IP addresses, a manager of printing and application of administration of the information system of the company, business applications, (non-exclusive and non-exhaustive list). This information system is integrated in a local area network 2 which may be a wired or wireless local area network or a wide area network. User terminals 3 can access the information system 1 via the local network. The gateway of the invention aims to develop the following uses: individual mobility, - team mobility, collaborative work, - telecommuting, and - sedentary work. Furthermore, the system according to the invention makes it possible to distribute an information system and to set up an application publication in "SaaS" mode for "Software as a Service", an application as a service allowing the use of an application without installing it locally. To do this, a new secure access gateway 4 is used, linked on the one hand to the information system 1, and on the other hand to the Internet (5). The secure access gateway 4 is intended to allow access to the information system 1 from terminals 6 to 9 of different types. These terminals can be known from the information system 1 because belonging for example to the local network 2, but they can advantageously be any other user terminal. Other terminals 10 and a second local area network 11 constitute a remote site without its own information system. The gateway 4 makes it possible to propose to this site all the network accesses and the connection means available on the local site 2, but through an Internet or WAN link (direct Internet access, remote access, guest access, segregation of the client networks The distribution of the information system is obtained by integrating all or part of the information system into an infrastructure box 12 which will be described in more detail below. Several infrastructure boxes can be connected in a group or "cluster" 13 comprising all or part of the information system. The user terminals 6 to 9 connecting to the information system 1 can also access, via the gateway 4, a SaaS application publishing server 14 to benefit from a certain number of applications without downloading them. locally on the user terminal. These terminals 6 to 9 can also access via gateway 4 to a storage server 15. A centralized service management module 16 and a centralized supervision module 17 for the security of exchanges in the system are provided.

In Figure 2, we see a little more in detail the contents of the secure access gateway 4 according to the invention. This is a box containing a concentrator 25 which is connected to a local network architecture, simply represented here by the local network 2. This concentrator allows access to the user terminals connected to the local network 2. It is Usually acts on the company's terminals. It also manages access rights to defined services. The firewall 26 makes it possible to pass authorized communications from the local network 2 via the concentrator 25 or from the remote terminals 6 to 9 (in FIG. 1) via the Internet 5, to a processing unit 27 and / or to the information system 1. The firewall can also be used to control communications to the Internet (standard navigation with URL filtering, antivirus and intruder probe) as well as the establishment of IPSEC tunnels. destination of different sites or administration. In particular, the communications from the Internet are directed to the processing unit 27 for establishment of secure communication and for strong authentication of the terminals and users. Depending on the remote terminal 6 to 9, the communication is directed to a virtual office server 28, a nomadic server 29 or a voice server 30. Each of the virtual servers 28 to 30 closely interacts with an authentication server 31. By way of non-limiting example, the virtual office server can be obtained from the Common It's Virtual Browser® product, the Login People® product which is an authentication server, as well as an interface developed to enable the virtual desktop server to be used. interaction between the Virtual Browser® product and the Login People® product. A Virtual Browser product is notably described in the document WO 2010136317. The server for nomad can also be nonlimitingly implemented by means of the Nomadio® product from the company Ibelem as a dialer 29A, associated with the product IPDIVA® as a 29B remote access application, these products being adapted to collaborate with the Login People® as a strong authentication server. These virtual servers are advantageously arranged in a demilitarized zone to protect the information system against any malicious intrusion.

When a user is within the local network 2, he can connect through his terminal to the hub 25 for identification. The latter identifies the user as well as the network or networks for which he has a right of access. When this user is outside the local network 2, if he uses an unknown terminal, that is to say not listed in the local network, such as for example the machine of a cyber café or a computer staff, it is the servers for virtual office and authentication that will intervene. When this user is outside the local network 2, if he uses a known terminal, the hub 25 intervenes for the identification of the terminal. The implementation of the virtual desktop server responds to the problem of connecting to the information system whatever the terminal used and to guarantee that this connection does not allow the data leak or the attack of the system. information. This mode allows collaborative work (access to the shared space and access to the user's personal information system while ensuring that no transfer can be made from one space to another). As previously mentioned, the virtual desktop server can be implemented using the connected-mode Virtual Browser® product allowing access to web mode applications from a virtual browser installed on a DMZ (Demilitarized Zone). firewall. Access to this virtual browser is done by means of executables stored either on a terminal (PDA, Smartphone) or USB type key (standard key), external disks 15 or others. The authentication server can be implemented with the product LOGIN PEOPLE® for performing strong authentication without the use of a cryptographic "token" or specific cryptographic mechanism. This solution relies on specific parameters of a terminal in order to make its identification unique and not falsifiable. In virtual desktop mode, the virtual desktop server and the authentication server are interoperable. In practice, the virtual desktop access process may be as described below. The user launches a virtual desktop executable stored either on the terminal or on a USB key. This executable does not require any installation or special privilege. The communication between the terminal and the gateway is encrypted, and authenticated in the case of certificate use. The encryption is performed via OPENSSL. Once the communication is established, the user has access to the virtual desktop server and to the various services authorized to him according to his profile. The choice of a service automatically opens a specific session on the information system concerned. By default, there is no transfer of information between the client and the virtual desktop server. We can consider a data exchange depending on the context. Regarding the implementation of the authentication server from the product Login People®, the authentication of the terminal is done using several parameters intrinsic to the terminal. This authentication is performed by means of an extension module or "plugin" installed in a browser (ActiveX / Java Applet or specific components depending on browsers).

FIG. 3 shows an authentication process according to the prior art in which user terminals 40 want to access an information system 39 through an authentication server 37 (ID_BOX) and a VPNSSL gateway 38. connection is usually made through a web page. In step 32, the user enters a PIN code and sends this pin code and the signature of the terminal used for the connection (from his smartphone, his USB key, his terminal, ...). The authentication server verifies the pin code and signature and returns to the user in step 33 a one-time password (OTP). A VPNSSL client (not shown) installed on the terminal retrieves the OTP and returns in step 34 the identifier of the terminal to the VPNSSL gateway 38. The latter returns, in step 35 for verification, the OTP to the terminal. authentication gateway, usually according to the RADIUS protocol. The communication is thus authenticated and encrypted. The VPNSSL gateway 38 authorizes access to the information system in step 36. In FIG. 4, this authentication process is modified in combination with the secure access process by the virtual desktop server. The combined process is terminal independent (zero adhesion) and works on all terminals. It allows user and terminal authentication uniquely and before accessing the information system. Communication can be established wired or radio (WiFi, 3G, ...). Single sign-on (SSO) at the information system level is also possible. In practice, the implementation can be done, without this being limited to the mentioned products, through the development of one or more interfaces for dialogue between Virtual Browser® and Login People® products. Other developments and / or products may be envisaged in order to implement the functions defined according to the invention. The interfaces make the two products interoperable. In particular, in the conventional case, the generation of the signature resulting from Login people® requires the implementation of a software component integrated in the browser on the client computer. Or Virtual Browser® uses a centrally installed browser, so not on the client machine. With the interface between Virtual Browser () and Login People®, the signature fingerprint is retrieved without installing a software component on the client machine. In Figure 4, the terminal 40 to be identified is the one having access to an executable file adapted to initiate a connection with the virtual desktop server (Virtual Browser®). This executable file is stored in the terminal 40 or in any storage means such as a USB key. The terminal 40 is a device capable of connecting to the Internet, it may be a smartphone or a PC (any OS confused). No installation is necessary on the terminal. - When the user opens the executable file, a modified Virtual Browser® client module runs and connects in step 41 to the modified Virtual Browser® server (virtual desktop server) 28. By modified Virtual Browser® means a Virtual Browser® type application associated with an interface (a dedicated application) allowing the exchange of data between the Virtual Browser® application and another application such as, for example, the Login People® application. The communication is secured by SSL but not authenticated. In step 42, the virtual desktop server 28 requests a unique identifier or signature of the terminal. A specific web page opens. The terminal signature is calculated by running a local program to the client and integrated into the modified Virtual Browser® client module. A pin code is requested from the user. The user enters the pin code. In steps 43 and 44, the pin code and the signature are transmitted for authentication to the authentication server 31 via the virtual desktop server. - 10 - - The authentication server generates in step 45 a unique password called OTP (for "One Time Password") and transmits it to the virtual desktop server. In step 46, the valid virtual desktop server returns the password and the signature to the authentication server 31 to request a login. User groups may be retrieved from an LDAP server (not shown). In step 47, the authentication server authorizes the opening of a session for the virtual office according to the rights of the user. In step 48, the terminal 40 accesses the information system, in particular to web applications, desktop and published applications. When the user uses his usual terminal of the company, this terminal contains a client module able to communicate with a server module in a client-server mode with data exchange. The login process can be as follows: The user initiates a connection by activating a connection wizard. This connection wizard is for example a client module able to communicate with a server module forming the dialer 29A, the client-server set 20 can for example be obtained from the product Nomadio®. The connection wizard installed on the user terminal detects and proposes all possible means of communication of the terminal: 3G, WiFi, ... The user chooses a communication mode. The wizard may indicate a preferential mode according to various parameters such as, for example, the place of connection, the quality, the time of the connection, etc. The connection wizard points the firewall 26 which directs the connection to the connection. composer 29. The latter initiates a strong authentication process by interfacing with the authentication server 31. The latter retrieves a unique identifier of the terminal. This identifier has been developed from software and hardware characteristics 30 to identify simply and quickly each terminal. When the authentication is completed and accepted, the remote access application 29B is launched, for example the product IPDIVA® so as to set up an SSL VPN tunnel between a client application in the user terminal and the server part. The user terminal is then connected to a software gateway in the information system to enable the user terminal to access the various elements of the remote access application contained in the processing unit. information system with data exchange. The authentication server uses an identifier of the terminal, this identifier being a lightweight identifier, unlike conventionally used certificate or token systems, which are identifiers that are heavy in terms of size and handling. In Figure 5, there is shown a secure access gateway 4 integrated into an infrastructure box 50 comprising an information system. This is a case which, in addition to all the components of the gateway 4 of FIGS. 1 and 2, furthermore comprises: a firewall 51 connected with the firewall 26 (FIG. 2) present in the gateway 4 to enable and monitor the communication between the gateway 4 and the other elements of the infrastructure box; an integrated information system 52 comprising in particular an application publication, a web server associated with an http relay, a folder and print server, means for centralized management of IP addresses (DNS, DHCP, AD) , and an administration application for managing the publication of applications; a NAS network storage server 53 ("Network Attached Storage") for managing disk spaces; a switch 54 for managing the communication between the different elements of the infrastructure box, it also makes it possible to cascade several infrastructure boxes of the same type; a processing unit or electronic card 55 for administering the other elements of the infrastructure box; and another processing unit or electronic card 56 for managing the power supply of the infrastructure box, in particular stopping and sequential startup of the elements of the infrastructure box; for example, a start sequence may be the following: the switch 54, the processing unit 55, a NAS network storage server 53, the integrated information system 52, and the secure access gateway 4; stopping in the opposite direction. - 1 2 - The cascading of the infrastructure boxes makes it possible to create a redundant system. The different services are thus always available in case of failure of one of the infrastructure boxes.

In a general manner and in addition to the above, and in accordance with FIGS. 1 to 4, the system according to the invention can be defined in the form of kits that can be implemented for each family of equipment to be taken into account. The system according to the invention comprises in particular the following families: - Client equipment family (remote or local): o For the nomadic kit: nomadic access kit allowing an office of the company to access the resources of the enterprise, with an infrastructure box integrating an information system, the SaaS server and the Store server. The kit includes dialer, secure communication and strong authentication. o For the virtual desktop kit: A solution that allows a user to access corporate resources, an infrastructure appliance that includes an information system, the SaaS server, and the Store server. It also allows you to store and use data stored in a secure space. o For the mobile voice kit (Smartphone): identical solution to the server for virtual office and / or server for nomad but dedicated to the world of smartphones. - Infrastructure equipment family o The infrastructure package integrating an information system: an integrated information system (network - published applications - storage) that is scalable (stacking or networking) offering voice image data services, integrating security services (communications security (voice and data), Internet access security, data security (encryption and DLP (Data Loss Prevention) / Backup / - 13 - Synchronization), high availability ), which can be easily deployed. o The secure access gateway: Shared access gateway, allowing client solutions to access a customer information system. Access gateway allowing a remote site to integrate into the architecture of the system according to the invention without specific deployment on the remote site while retaining the features offered in the infrastructure box integrating an information system (multi VLAN access guest, LAN to LAN access) - Service family o SaaS server: Portal for access to service mode applications (application publishing and remote execution) and compatible with client family solutions. The SaaS server is shared between several companies while ensuring a partitioning of communications and data and access. It is compatible with strong authentication solutions. o Store server: A library of virtualized applications that can be: - used by the SaaS server (from infrastructure and client solutions) - downloaded and used by the products of the client family - used on a client station without specific installation - Family Management o The centralized management server of services: centralized management console allowing the complete administration of the system. Customer Administration, Infrastructure, and Services. Management includes service management and configuration / deployment of different solutions. o The centralized monitoring server for the security of exchanges in the system (alarm reporting, correlation, log management, vulnerability). This server also provides security management (configuration of firewalls, links - 14 - inter systems, security policy and compliance, patch management ....) We will now detail below, some principles implemented at the hardware and application level: The system according to the invention is a coherent solution but adaptable because designed in brick mode. The technical architecture of the system according to the invention is based on bricks providing the various functions of an information system ranging from communication (network architecture) to the provision of application in SAAS or local mode (virtualization of application, application publishing) by integrating strong authentication mechanisms and storage / backup of secure data either in the central infrastructure or on a remote support (nomad, virtual office, Smartphone). Communications Architecture: All communications between the various elements of the system are secure (encryption and authentication).

This communication architecture between the different elements is provided by several IPSEC (for "Internet Protocol Security") and / or SSL (for "Secure Socket Layer") tunnels depending on the elements to be connected. All communications are managed from the centralized service management server. An architecture according to the invention can be built either on the Internet or on a private network, or both. The minimum throughput depends on the services requested. The local network architectures, implemented in the gateway and in the infrastructure box, allow the provision of several networks for different uses divided into three classes: - Access to the local information system: allows a user to access from any extension to the local IS - 15 - - Guest access: allows a person to access the Internet (in guest mode) by providing communication control and connection data backup - LAN to LAN access. Provides a group of users with an extension of their corporate network without using remote access. Each network class can be subdivided into several isolated classes of each other. Network architectures rely on VLAN technologies and rely on WiFi or wired architectures or both, making deployment quick and easy. All client / infrastructure communications are encrypted and authenticated by different mechanisms based on network typology.

System virtualization: The various servers of the system work on specific equipment, integrated to measure but of common base. The basic systems running on the different devices rely on OS virtualization technologies, allowing a simple evolution and interoperability of the elements between them (in a given family). VMWare virtualization software solution that offers high availability and load sharing capabilities can be used. Information system: The information system can be for example a Microsoft system (Active Directory / File / Print ...) with an architecture in the infrastructure box able to interact with the architecture of the SaaS server (setting up of rights approval solution between two disjointed Windows architectures: federation of identities) Strong authentication: Several strong authentication mechanisms can be used: - Strong certificate-based authentication (software or hardware) - Strong authentication without certificate (for example, fingerprint terminal) - 1 6 - The enrollment of users or the creation of certificates can be either external to the system or integrated into the architecture. Strong authentication coupled with unique identification (SSO) allows a given user 5 to access data and networks using only one authentication sequence. Identity federation mechanisms enable a user to access distributed systems that do not have user base consistency without replaying the authentication mechanisms The implemented certificates can also be used for data encryption. Storage: The infrastructure box integrating the information system offers storage capacity per user, which can evolve and be distributed over several boxes. Synchronization mechanisms make it possible to ensure the high availability of data in case of malfunction of one of the infrastructures. The data can also be backed up / synchronized on specific servers while guaranteeing the same level of security (confidentiality / integrity) of the initial data. The storage architecture also makes it possible to synchronize in two directions data stored on a local station (nomad and smartphone) or on a key (virtual office) keeping the same security levels. In this case, the data synchronization requires the terminal to be connected to a system architecture (partial or complete). Voice Solution: The system offers a default secure voice solution (voice encryption) that allows you to either loop back to an IPBX (IP PBX) 30 enterprise or to have your own access to switched networks (this applies to infrastructure box only). The voice infrastructures are compatible with the infrastructure box and the gateway and work on all the clients of the system as well as on standard telephones (TOIP for "Telephony over Internet Protocol"). 35 - 1 7 - Data protection: Specific bricks allow to protect the data stored in the various products of the system. Data protection includes the protection of the data itself (confidentiality / integrity) as well as the audit / control of the use thereof. Application Publishing: The SaaS server and infrastructure appliance provide application publishing solutions that allow a user to access an application without installation on the remote machine. This solution is compatible with all system clients and wherever the application is located. The application virtualization mechanisms are identical for the infrastructure appliance and the SaaS server.

Virtualization of the terminal: This solution coupled with the application publication allows a user to access the information system from any terminal or from a specific terminal but belonging to another information system. The solution guarantees by default that no data can be stored on the client computer. This is a default configuration that can be changed based on the group to which the client node belongs (Adaptive policy based on context). The usage policy may be related to the strong authentication mechanism.

Virtualized application This is a solution for virtualizing applications to run locally (on a user's computer) without having to install these applications. The applications are available for download from, for example, the Store server.

Security: All elements of the range enjoy the same level of security. This ensures a consistent level of security. This level is defined according to known risks and user requirements. Security is global. In the case where the latter applies to an existing information system, it can either be independent of the latter with a specification of the security level for the interfaces, or integrated with user security mechanisms. . Security includes: - Security systems and applications (patch management, update, compliance control, control tools management, ...) - Data security (encryption, backup, access control ...) ) - User management and associated rights.

Administration / supervision This solution covers the supervision and the administration of the various elements of the system: - Provisioning of the user accounts - Start of stoppage of service - Addition of additional service - Surveillance of the systems - Put into production.

Modularity of the range The gateway can be integrated into the infrastructure box or used independently. Of course, the invention is not limited to the examples which have just been described and many adjustments can be made to these examples without departing from the scope of the invention.

Claims (9)

REVENDICATIONS1. Method for accessing an information system disposed behind a computer gateway, from a terminal and via an Internet-type communication network, characterized in that the following steps are performed: an executable file is opened from the terminal so as to generate a client application that opens a html reader, establishes a secure connection with a server application installed in the gateway and calculates a unique identification of the terminal, the server application generates and displays a web page on the html reader, this page web requesting a pin code; once a pin code is entered, this pin code is transmitted and the signature to the gateway, the gateway connects to a strong authentication server which, if necessary, generates a one-time password (OTP) after receiving the pin code and the signature, this one-time password is then sent to the gateway that returns the same password accompanied by the signature to the authentication server to open a session, the authentication server then authorizes terminal access to the information system via the gateway. 2. Method according to claim 1, characterized in that once authorized access, the communication between the terminal and the gateway is done by remote display in a secure tunnel. 3. Method according to claim 1 or 2, characterized in that once the authorized access, the communication between the gateway and the information system is done by means of a browser installed on the bridge. 4. Method according to any one of the preceding claims, characterized in that once authorized access to the information system, the server application generates and has on the terminal at least one shortcut, each shortcut allowing access a given browser installed on the gateway. - 20 - 5. Method according to claim 4, characterized in that each browser in the gateway is dedicated to accessing a type of applications of the information system, these applications including web browsing, published applications or a system desktop. information. 6. Method according to any one of the preceding claims, characterized in that the html reader is a specific reader generated from the executable. 7. Method according to any one of the preceding claims, characterized in that the signature is an identifier developed from the hardware and software characteristics of the terminal. 8. Method according to any one of the preceding claims, characterized in that the executable file is disposed in a portable storage means connected to the terminal. 9. A method according to any one of the preceding claims, characterized in that the server application is configured to execute multiple sessions, each in an isolated virtual environment.