When
I was working at Bestech, which developed a system to provide required airflow
to underground miners, Bestech support staff sometimes has dialed in the mining
office to collect data for statistic and maintenance.
I
noticed that username and password couldn’t be secured to outsiders, so it’s
risky to the Bestech system if a hacker uses its allocated username and
password to login and change the airflow system.
It
would be more secured if Bestech support staff called the local mining IT to
inform that they would login to collect data. The local IT would open a port or
gate to Bestech support staff. After the collection or maintenance, the Bestech
staff would inform the local IT, so that port or gate could be closed to
outsiders.
This
protocol would lift responsibility of Bestech support staff from external
hackers and make system more secured.
If
there were many users often remote login through a gate, then internal IT staff
would only remove that userid from remote access. The gate should be close if
nobody used it.
B.
Automate authorizing remote login
In
highly secured organizations, technical staff also remote login to perform
their tasks sometimes. Internal IT could offer manual authorizing remote login
as above or automate authorizing remote login as specified below.
In
both remote login methods, users should use a tool such as VPN to enhance
security.
The
internal server would offer 1 or 2 special encryption algorithms in addition to
common pool of encryption algorithms to laptops that required to rlogin regularly,
thus calling an internal IT staff would be troublesome or time consuming. There
would be a common set of encryption algorithms that would be available to all
users having access the internal networks by either method.
The
VPN protocol would be a little bit different for regular access laptops
-
The laptop would send a message to request connection with
internal server
-
The internal server would exchange messages to authenticate its
userid and password by using the special pool of encryption algorithms.
-
After successful authentication, the server would inform the laptop a gate
for that user entering internal system by a message.
-
The special pool of encryption would be used during communications
-
When the laptop logout, it would inform the internal server by a
message to remove its userid and close the gate, if needed.
It would be easier to provide two different
gates or ports to manually and automatically rlogin users due to controlling
software and different pools of encryption algorithms.
To add another layer of security
to prevent a case that hackers have replicated the ID of the automated laptop
in order to remote login to the internal server, we could add another layer of
validation, i.e. staff must inform IT before bringing a laptop home for rlogin.
IT would add that laptop ID in the Internet gateway for rlogin. When that staff
done with rlogin work from home, s/he should inform IT to remove that ID off
from the Internet gateway. This protocol would eliminate the case of
replicating ID of a laptop.
IT could also identify the
authorized ISP for that laptop, if needed. For example, that laptop could only
rlogin from only one ISP such as Bell Canada. If the laptop used another ISP
such as Cogeco, Rogers, or Telus, it would fail in remote login.
No comments:
Post a Comment