Zero Trust
VNC Remote Desktop
Single Sign On.
Multi Factor Authentication.
Tablet, Mobile, Laptop: Any Device.
Industrial PC, HMI, jump box
No VPN. Any network.
Any user, team, contractor, manufacturer
Achieve via Zero Trust VNC Remote Desktop
The Challenge
Securing and Simplifying VNC for Industrial Control Systems Remote Access
Industrial Control Systems Human Machine Interfaces such as Rockwell Automation’s PanelView commonly use VNC as a means of remote graphical viewing and control. However, from a cyber security standpoint, VNC is nearly impossible to trust. It supports a single eight-character password, and the encryption applied to that password is weak. There is no username. The protocol itself is not encrypted.
Nonetheless, the promise of remotely using these industrial PCs, panels, and HMIs is strong. Lower mean-time-to-repair. Lower cost. Increased uptime. Increased team job satisfaction.
Three of the key VNC challenges solved by Agilicus AnyX and its Zero Trust VNC Remote Desktop are:
Minimal Authentication
Team members. Contractors. Vendors. System Integrators. Outsourced maintenance. Manufacturer support. There is a wide variety of people who have a legitimate need to access, and they work for a variety of companies. VNC does not support individual users. It has a single 8-character password with minimal encryption.
No Encryption
Modern security requires strong encryption. VNC is a non-encrypted protocol, not carried over HTTP. It cannot be simply reverse-proxied to add SSL.
Being unencrypted means it can be trivially intercepted, either for observation, or for modification.
Strong encryption is a required baseline security control.
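The authentication and encryption gaps described above are visible in the first bytes a VNC server sends. The following is an added example, not code from Agilicus or any VNC vendor: it audits the server side of an RFB 3.7/3.8 handshake using the security type numbers from RFC 6143, and the capture it parses is constructed.

```python
# Added example: audit the server side of an RFB (VNC) handshake.
# Security type numbers are from RFC 6143; SAMPLE is a constructed capture.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication"}


def audit_rfb_handshake(server_bytes: bytes) -> dict:
    """Parse server-to-client handshake bytes (RFB 3.7/3.8) and list weaknesses."""
    banner = server_bytes[:12]
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(banner[4:7]), int(banner[8:11])
    if (major, minor) < (3, 7):
        raise ValueError("RFB 3.3 sends a single 4-byte security type instead")
    if len(server_bytes) < 13:
        raise ValueError("truncated before the security type list")
    count = server_bytes[12]
    if count == 0:
        raise ValueError("server refused the connection (a reason string follows)")
    offered = list(server_bytes[13:13 + count])
    if len(offered) != count:
        raise ValueError("truncated security type list")
    findings = []
    if 1 in offered:
        findings.append("security type None offered: no authentication at all")
    if 2 in offered:
        # RFC 6143: the server sends a 16-byte challenge and the client DES-encrypts
        # it with the password truncated or null-padded to 8 bytes. No username.
        findings.append("VNC Authentication: shared password, 8 bytes max, no username")
    if set(offered) <= {1, 2}:
        findings.append("no encrypting security type offered: session is sent in the clear")
    else:
        extra = [t for t in offered if t not in SECURITY_TYPES]
        findings.append(f"other security types offered, review separately: {extra}")
    return {
        "version": f"{major}.{minor}",
        "offered": [SECURITY_TYPES.get(t, f"type {t}") for t in offered],
        "findings": findings,
    }


# Constructed capture: version banner, one security type (2), 16-byte challenge.
SAMPLE = b"RFB 003.008\n" + bytes([1, 2]) + bytes(range(16))

if __name__ == "__main__":
    for line in audit_rfb_handshake(SAMPLE)["findings"]:
        print("-", line)
```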
Complex Remote Access
VNC runs on a fixed port, with negligible built-in firewall and access control list capabilities, so it can be complex to expose, discover, and use individual VNC resources.
A VPN or other jumpbox merely moves the problem around. VNC should not be accessible on the local network, let alone remote.
The Solution
Agilicus AnyX: Zero Trust VNC Remote Desktop for Industrial Control Systems
Agilicus AnyX provides a unique Zero Trust architecture which is ideal for remote desktop access. It allows you to safely use, simply use, remote desktop resources. To use them as a first-party employee. To use them as third-party. On any device, tablet, laptop, phone. On any network. Without a VPN. With perfect per-user authentication and audit.
Take an existing VNC resource. Close down all network access to it: inbound and outbound. Use Agilicus AnyX to make it HTTPS-based, outbound only, going through any inspecting firewall as required by your corporate IT. Assign its use to any person, regardless of identity provider, to use from anywhere, regardless of network. Do this without any other network changes.
Key features to highlight include:
ANY DEVICE
No software to install. Works in any web browser. Tablet, Mobile. Desktop. Windows. Linux. Mac.
Stop the truck, pull over, pull out tablet, 1 click sign in, solve the issue.
NO PASSWORDS
VNC passwords are weak. 8 characters, low encryption, not unique per user.
Agilicus AnyX provides Single Sign On with existing enterprise credentials, per user. No passwords to remember or share.
1-CLICK SIGN IN
No passwords to remember or share. No network addresses to disseminate. Each user sees an icon for each desktop they have permission to use.
REQUEST ON DEMAND
Contractors and support staff can request access when needed; you will receive a push notification to accept or reject.
AUTOMATIC PASSWORD STUFFING
Weak as it is, VNC still has a built-in password. Once you have authenticated a user via single sign-on, what value is there in now having them remember and enter this additional fact? Agilicus AnyX can fill in the value without disclosing it to the user.
HTML BROWSER ACCESS
No client to install or license. Works with any browser, no matter how locked down the device.
Any browser means any device, whether BYOD or managed, owned or partner.
MULTI FACTOR AUTHENTICATION
Securely sign in as you do to any enterprise application. Use code-based or biometric-based second factor authentication. Regardless of user type: multi factor for employees, contractors, vendor support.
STRONG ENCRYPTION
VNC protocol is converted to HTTPS over WebSocket, with strong SSL/TLS encryption. Full compliance for your security controls.
Data Flow
Zero Trust VNC Remote Desktop Theory Of Operation
The Agilicus Connector runs inside the network where it has access to the VNC Server. In some cases this means running on the same machine (in which case you can entirely block access locally). In others a switch is used to facilitate micro-segmentation. This Connector makes an outbound connection using HTTPS to the Agilicus AnyX cloud.
A user opens their browser. If they are not signed in, they are challenged to prove their identity, optionally with multifactor authentication. This identity is compared against permissions, and an access token (JWT) is generated. A connection is made to the Agilicus AnyX cloud, presenting this access token. This connection is then forwarded to the ultimate VNC server via reverse tunnelling down the HTTPS outbound connection.
The end user sees this as a simple click on an icon in a browser. The desktop appears instantly. Zero Trust VNC Remote Desktop.
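The token step in this flow can be sketched as follows. This is an added example, not Agilicus code: it assumes an HS256 token with a hypothetical `resources` claim listing the desktops a user may open, and the key, user and resource names are constructed. A production gateway would more likely verify an asymmetric signature against the identity provider's published keys.

```python
import base64, hashlib, hmac, json, time

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(key, user, resources, ttl=300, now=None):
    """Identity side: runs after sign-in and the permission lookup."""
    now = int(time.time()) if now is None else now
    header = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "resources": resources, "exp": now + ttl}
    body = f"{header}.{_b64e(json.dumps(claims).encode())}"
    return f"{body}.{_b64e(_sign(key, body))}"

def authorize(key, token, resource, now=None):
    """Gateway side: decide whether to forward this connection down the tunnel."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        # Pin the algorithm: the token must not choose how it is verified.
        if json.loads(_b64d(header_b64)).get("alg") != "HS256":
            return False, "unexpected alg"
        expected = _sign(key, f"{header_b64}.{claims_b64}")
        if not hmac.compare_digest(expected, _b64d(sig_b64)):
            return False, "bad signature"
        claims = json.loads(_b64d(claims_b64))
        if claims["exp"] <= now:
            return False, "expired"
        if resource not in claims["resources"]:
            return False, "no permission for resource"
        return True, claims["sub"]  # identity to record in the audit log
    except (ValueError, TypeError, AttributeError, KeyError):
        return False, "malformed token"

# Constructed demo values; the resource names are hypothetical.
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    tok = issue_token(KEY, "contractor@example.com", ["hmi-line-3"])
    for res in ("hmi-line-3", "hmi-line-4"):
        print(res, authorize(KEY, tok, res))
```

The gateway never sees the VNC password or the user's credentials; it forwards only connections whose token is valid, unexpired and scoped to the requested desktop.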
Get In Touch
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
info@agilicus.com, +1 519 953-4332
300-87 King St W, Kitchener, ON, Canada. N2G 1A7