30. Pre-authorizing Remote Login v1.1

A. Manually authorizing remote login


When I was working at Bestech, which developed a system to provide required airflow to underground miners, Bestech support staff sometimes has dialed in the mining office to collect data for statistic and maintenance.

I noticed that username and password couldn’t be secured to outsiders, so it’s risky to the Bestech system if a hacker uses its allocated username and password to login and change the airflow system.

It would be more secured if Bestech support staff called the local mining IT to inform that they would login to collect data. The local IT would open a port or gate to Bestech support staff. After the collection or maintenance, the Bestech staff would inform the local IT, so that port or gate could be closed to outsiders.
This protocol would lift responsibility of Bestech support staff from external hackers and make system more secured.
If there were many users often remote login through a gate, then internal IT staff would only remove that userid from remote access. The gate should be close if nobody used it.
B. Automate authorizing remote login
In highly secured organizations, technical staff also remote login to perform their tasks sometimes. Internal IT could offer manual authorizing remote login as above or automate authorizing remote login as specified below.
In both remote login methods, users should use a tool such as VPN to enhance security.
The internal server would offer 1 or 2 special encryption algorithms in addition to common pool of encryption algorithms to laptops that required to rlogin regularly, thus calling an internal IT staff would be troublesome or time consuming. There would be a common set of encryption algorithms that would be available to all users having access the internal networks by either method.
The VPN protocol would be a little bit different for regular access laptops 
-         The laptop would send a message to request connection with internal server

-         The internal server would exchange messages to authenticate its userid and password by using the special pool of encryption algorithms.

-         After successful authentication, the server would inform the laptop a gate for that user entering internal system by a message.

-         The special pool of encryption would be used during communications

-         When the laptop logout, it would inform the internal server by a message to remove its userid and close the gate, if needed.
It would be easier to provide two different gates or ports to manually and automatically rlogin users due to controlling software and different pools of encryption algorithms.

To add another layer of security to prevent a case that hackers have replicated the ID of the automated laptop in order to remote login to the internal server, we could add another layer of validation, i.e. staff must inform IT before bringing a laptop home for rlogin. IT would add that laptop ID in the Internet gateway for rlogin. When that staff done with rlogin work from home, s/he should inform IT to remove that ID off from the Internet gateway. This protocol would eliminate the case of replicating ID of a laptop.

IT could also identify the authorized ISP for that laptop, if needed. For example, that laptop could only rlogin from only one ISP such as Bell Canada. If the laptop used another ISP such as Cogeco, Rogers, or Telus, it would fail in remote login.

No comments:

Post a Comment