The Challenge

Securing and Simplifying VNC for Industrial Control Systems Remote Access

Industrial Control System Human Machine Interfaces (HMIs), such as Rockwell Automation’s PanelView, commonly use VNC for remote graphical viewing and control. From a cyber security standpoint, however, VNC is nearly impossible to trust. Its standard authentication is a single shared password, silently truncated to eight characters and checked with a DES challenge-response. There is no username, so nothing ties a session to a person. The protocol itself is not encrypted.

Nonetheless, the promise of remotely using these industrial PCs, panels and HMIs is strong. Lower mean time to repair. Lower cost. Increased uptime. Increased team job satisfaction.

Three of the key VNC challenges solved by Agilicus AnyX are:

Minimal Authentication
Team members. Contractors. Vendors. System Integrators. Outsourced maintenance. Manufacturer support. There is a wide variety of people who have a legitimate need to access, and they work for a variety of companies.
VNC does not support individual users. It has one shared password, limited to 8 characters and protected only by a weak DES challenge-response, so there is no way to tell who connected, and no way to revoke one person's access without changing the password for everyone.
No Encryption
Modern security requires strong encryption. VNC (the RFB protocol) runs unencrypted on its own TCP port, not over HTTP, so it cannot simply be placed behind an HTTPS reverse proxy to add TLS.
Being unencrypted, a session can be trivially intercepted by anyone on the network path, either to observe screen contents and keystrokes or to inject input.
Strong encryption is a required baseline security control.
Complex Remote Access
VNC listens on a fixed port (5900 by default) with negligible built-in firewall or access control list capabilities, so exposing, discovering and using individual VNC resources is complex.
A VPN or other jump box merely moves the problem around: once on the network, the VNC port is reachable. VNC should not be accessible on the local network, let alone remotely.

The Solution

Agilicus AnyX: Zero Trust For VNC Remote Desktop Industrial Control Systems

Agilicus AnyX provides a unique Zero Trust architecture which is ideal for remote desktop access. It allows you to use remote desktop resources safely and simply. As a first-party employee. As a third party. On any device: tablet, laptop, phone. On any network. Without a VPN. With per-user authentication and audit.

Take an existing VNC resource. Close down all network access to it, inbound and outbound. Use Agilicus AnyX to make it HTTPS-based and outbound only, passing through any inspecting firewall your corporate IT requires. Assign its use to any person, regardless of identity provider, from anywhere, regardless of network. Do this without any other network changes.

Key features to highlight include:

No software to install. Works in any web browser. Tablet, Mobile. Desktop. Windows. Linux. Mac.
Stop the truck, pull over, pull out tablet, 1 click sign in, solve the issue.
No passwords to remember or share. No network addresses to disseminate. Each user sees an icon for each desktop they have permission to.
Weak as it is, VNC still has a built-in password. Once a user has authenticated via single sign-on, there is no value in having them also remember and enter this additional secret. Agilicus AnyX fills in the value without disclosing it to the user.
Sign in securely, as you would to any enterprise application. Use code-based or biometric second-factor authentication. Regardless of user type: multifactor for employees, contractors and vendor support.
VNC passwords are weak: 8 characters, weak encryption, shared rather than unique per user.
Agilicus AnyX provides Single Sign On with existing enterprise credentials, per user. No passwords to remember or share.
Contractors and support staff can request access when needed; you will receive a push notification to accept or reject.
No client to install or license. Works with any browser, no matter how locked down the device.
Any browser means any device, whether BYOD or managed, owned or partner.
The VNC protocol is carried as HTTPS over WebSocket, with strong TLS encryption. Full compliance with your security controls.
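The eight-character, single-shared-password weakness described under Minimal Authentication in The Challenge, and restated in the feature list above, is easy to see by implementing the handshake itself. The following Go program is an added example written for this page; it is not Agilicus or Rockwell code. It implements VNC Authentication as RFC 6143 section 7.2.2 specifies it (the server sends a 16-byte random challenge, the client DES-encrypts it under a key built from the first 8 bytes of the password with each byte bit-reversed), shows that a 14-character password is accepted by its first 8 characters alone, and runs the offline guess that an observer of the unencrypted handshake can make against a captured challenge/response pair. The password and wordlist are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// vncKey derives the 8-byte DES key from a VNC password exactly as RFB 3.8
// (RFC 6143, section 7.2.2) specifies: the password is truncated or zero-padded
// to 8 bytes, and the bit order of every byte is reversed. Characters past the
// eighth never reach the key, which is why "long" passwords add no strength.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // copies at most 8 bytes; the rest of the password is dropped
	for i, b := range key {
		var r byte
		for bit := 0; bit < 8; bit++ {
			r = (r << 1) | (b & 1)
			b >>= 1
		}
		key[i] = r
	}
	return key
}

// vncResponse is what the client sends back: the 16-byte server challenge
// encrypted as two DES-ECB blocks under the derived key.
func vncResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("VNC challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// serverCheck is the server side: it holds the password, recomputes the
// expected response and compares. Nothing here identifies which person answered.
func serverCheck(password string, challenge, response []byte) bool {
	expected, err := vncResponse(password, challenge)
	return err == nil && bytes.Equal(expected, response)
}

// crackResponse is the offline attack available to anyone who captured the
// unencrypted handshake: replay the server's own check against a candidate
// list. The whole key space is only 2^56, so exhaustive search is feasible too.
func crackResponse(challenge, response []byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		if serverCheck(c, challenge, response) {
			return c, true
		}
	}
	return "", false
}

func main() {
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	// Constructed sample: an HMI password the integrator believes is 14 characters long.
	resp, _ := vncResponse("panelview-2024", challenge)
	fmt.Println("accepted with full password:", serverCheck("panelview-2024", challenge, resp))
	fmt.Println("accepted with first 8 chars:", serverCheck("panelvie", challenge, resp))
	// Constructed wordlist for the offline attack against the captured pair.
	pw, found := crackResponse(challenge, resp, []string{"admin", "password", "panelvie", "rockwell"})
	fmt.Printf("recovered from capture: %q (found=%v)\n", pw, found)
}
```

Run it with go run. The challenge is random, so the bytes differ each run, but both checks print true and the wordlist attack recovers the 8-character prefix. Because the key space is 2^56 and the handshake is visible on the wire, the offline attack works against any password given enough compute; that is why removing the VNC port from the network, rather than choosing a longer password, is the right fix.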

Data Flow

VNC Remote Desktop Theory Of Operation

The Agilicus Connector runs inside the network where it has access to the VNC server. In some cases this means running on the same machine as the VNC server, in which case the VNC port can be blocked from the network entirely and reached only locally. In others, a switch is used to provide micro-segmentation so that only the Connector can reach the VNC port. The Connector makes an outbound connection over HTTPS to the Agilicus AnyX cloud; no inbound port is opened.

A user opens their browser. If they are not signed in, they are challenged to prove their identity, optionally with multifactor authentication. That identity is compared against permissions and an access token (JWT) is issued. The browser then opens a connection to the Agilicus AnyX cloud, presenting this access token. The cloud forwards the connection to the target VNC server by reverse tunnelling it down the Connector's outbound HTTPS connection.

The end user sees this as a simple click on an icon in a browser. The desktop appears instantly.
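The step in which identity is compared against permissions, a JWT is issued, and the tunnel request is gated on that token, written out as an added Go example. This is not Agilicus AnyX's implementation: its real token format, claim names and signing keys are not described on this page, and the HS256 signing, the claim names (sub, resources, exp) and the shared secret below are assumptions made for illustration. The example mints a token naming the user and the desktops they may open, then shows the check a tunnel endpoint makes before forwarding a connection to a VNC server, including rejection of a forged alg=none token, a wrong signature, an expired token, and a desktop the user was never granted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the hypothetical claim set used in this example: the signed-in
// user, the desktops that user may open, and the expiry time. The names are
// assumptions for illustration, not Agilicus AnyX's actual token format.
type Claims struct {
	Sub       string   `json:"sub"`
	Resources []string `json:"resources"`
	Exp       int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64(mac.Sum(nil))
}

// mintToken issues an HS256-signed JWT. In the flow above this happens after
// sign-in (and any MFA), once identity has been compared against permissions.
func mintToken(secret []byte, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(body)
	return signingInput + "." + hs256(secret, signingInput), nil
}

// verifyToken checks structure, algorithm, signature and expiry before trusting
// any claim. It pins alg to HS256 so an "alg":"none" token is rejected.
func verifyToken(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	signingInput := parts[0] + "." + parts[1]
	if !hmac.Equal([]byte(hs256(secret, signingInput)), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	bodyJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// authorizeTunnel is the gate in front of the reverse tunnel: the request must
// carry a valid token and the token must name this desktop. It returns the
// user identity so the connection can be audited per person.
func authorizeTunnel(secret []byte, token, desktop string, now time.Time) (string, error) {
	c, err := verifyToken(secret, token, now)
	if err != nil {
		return "", err
	}
	for _, r := range c.Resources {
		if r == desktop {
			return c.Sub, nil
		}
	}
	return "", fmt.Errorf("%s is not permitted to open %s", c.Sub, desktop)
}

func main() {
	secret := []byte("constructed-demo-secret") // assumption: a shared HMAC key for the demo
	now := time.Now()
	tok, _ := mintToken(secret, Claims{Sub: "alice@example.com", Resources: []string{"panelview-line-3"}, Exp: now.Add(5 * time.Minute).Unix()})
	for _, desktop := range []string{"panelview-line-3", "panelview-line-4"} {
		user, err := authorizeTunnel(secret, tok, desktop, now)
		fmt.Printf("%s: user=%q err=%v\n", desktop, user, err)
	}
}
```

Contrast this with the VNC handshake: the tunnel gate knows who is connecting, can limit them to one named desktop, expires on its own, and leaves the VNC password out of the user's hands entirely. A production system would use an asymmetric signing key and a key identifier rather than one shared HMAC secret; the check order (algorithm, signature, expiry, then permission) is the part worth copying.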

VNC Remote Desktop Data Flow

