Zero Trust
VNC Remote Desktop
Single Sign On.
Multi Factor Authentication.
Tablet, Mobile, Laptop: Any Device.
Industrial PC, HMI, jump box
No VPN. Any network.
Any user, team, contractor, manufacturer
The Challenge
Securing and Simplifying VNC for Industrial Control Systems Remote Access
Industrial Control System Human Machine Interfaces (HMIs) such as Rockwell Automation’s PanelView commonly use VNC as a means of remote graphical viewing and control. From a cyber security standpoint, however, VNC is nearly impossible to trust. It supports a single eight-character password. There is no username. The password exchange uses weak encryption, and the session traffic itself is not encrypted at all.
Nonetheless, the promise of remotely using these industrial PCs, panels and HMIs is strong. Lower mean-time-to-repair. Lower cost. Increased uptime. Increased team job satisfaction.
Three of the key VNC challenges solved by Agilicus AnyX are:
VNC does not support individual users. It has a single 8-character password with minimal encryption.
Session traffic is unencrypted, so it can be trivially intercepted, either for observation or for modification.
Strong encryption is a required baseline security control.
A VPN or other jump box merely moves the problem around. VNC should not be accessible on the local network, let alone remotely.
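The weaknesses listed above can be audited from the first bytes a VNC server sends: before any client authenticates, the server announces its protocol version and the security types it offers. The following Python parser is an added example, not code from Agilicus AnyX or from the original page; it classifies a handshake (constructed sample bytes below, not captured from any real device) so an operator can find HMIs that still answer with no authentication or with the cleartext password scheme, including the downgrade case where a cleartext type is offered beside an encrypted one.

```python
"""Classify the authentication a VNC (RFB) server offers, from its opening handshake bytes."""
import struct

# Security types from RFC 6143 and the community RFB registry.
SECURITY_TYPES = {
    1: "None",                # no authentication at all
    2: "VNC Authentication",  # challenge-response on a password truncated to 8 bytes
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop",
}
# Only these types negotiate transport encryption; everything else leaves RFB traffic in cleartext.
ENCRYPTED_TYPES = {18, 19}

def parse_rfb_handshake(data: bytes) -> dict:
    """Parse the ProtocolVersion and security-type message a server sends first.

    Verdicts: 'unauthenticated' (None offered), 'weak' (cleartext password, or a
    cleartext fallback offered next to an encrypted type) or 'encrypted'.
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    if (major, minor) == (3, 3):
        # RFB 3.3: the server dictates a single 32-bit security type.
        types = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7/3.8: a count byte followed by one byte per offered type.
        count = body[0]
        if count == 0:
            # Zero types means the server refused; a length-prefixed reason string follows.
            reason_len = struct.unpack(">I", body[1:5])[0]
            raise ValueError("server refused: " + body[5:5 + reason_len].decode(errors="replace"))
        types = list(body[1:1 + count])
    if 1 in types:
        verdict = "unauthenticated"
    elif all(t in ENCRYPTED_TYPES for t in types):
        verdict = "encrypted"
    else:
        verdict = "weak"
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    return {"version": f"{major}.{minor}", "types": names, "verdict": verdict}

# Constructed sample handshakes (not captured from any real device).
SAMPLE_VNC_AUTH = b"RFB 003.008\n" + bytes([1, 2])        # only VNC Authentication
SAMPLE_NO_AUTH = b"RFB 003.003\n" + struct.pack(">I", 1)  # 3.3 server, type None
SAMPLE_MIXED = b"RFB 003.008\n" + bytes([2, 19, 2])       # VeNCrypt offered, VNC Auth fallback
SAMPLE_ENCRYPTED = b"RFB 003.008\n" + bytes([1, 19])      # VeNCrypt only
```

Feeding the parser a handshake read from a socket (the first 12 bytes, then the security-type message) turns it into an inventory check; the mixed sample shows why an encrypted type on the list is not enough when a cleartext type remains selectable.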
The Solution
Agilicus AnyX: Zero Trust For VNC Remote Desktop Industrial Control Systems
Agilicus AnyX provides a unique Zero Trust architecture which is ideal for remote desktop access. It lets you use remote desktop resources safely and simply: as a first-party employee or as a third party, on any device (tablet, laptop, phone), on any network, without a VPN, and with per-user authentication and audit.
Take an existing VNC resource. Close down all network access to it: inbound and outbound. Use Agilicus AnyX to make it HTTPS-based, outbound only, passing through any inspecting firewall as required by your corporate IT. Assign its use to any person, regardless of identity provider, to use from anywhere, regardless of network. Do this without any other network changes.
Key features to highlight include:
Stop the truck, pull over, pull out a tablet, sign in with one click, solve the issue.
Agilicus AnyX provides Single Sign On with existing enterprise credentials, per user. No passwords to remember or share.
Any browser means any device, whether BYOD or managed, company-owned or partner-owned.
Data Flow
VNC Remote Desktop Theory Of Operation
The Agilicus Connector runs inside the network where it has access to the VNC Server. In some cases this means running on the same machine (in which case you can block all network access to the VNC server locally). In others a switch is used to provide micro-segmentation. This Connector makes an outbound connection using HTTPS to the Agilicus AnyX cloud.
A user opens their browser. If they are not signed in, they are challenged to prove their identity, optionally with multi-factor authentication. The identity is checked against the user's permissions and an access token (JWT) is issued. The browser then connects to the Agilicus AnyX cloud, presenting this access token, and the connection is forwarded to the target VNC server by reverse tunnelling down the Connector's outbound HTTPS connection.
The end user sees this as a simple click on an icon in a browser. The desktop appears instantly.
Would You Like To Learn More?
Agilicus Has The Expertise
The Agilicus team has the expertise, and loves to discuss Zero Trust implementations.
The Chat button on the lower left goes directly to the team, and we invite you to speak with us.