WO2017121998A1 - Controlling access to remote devices - Google Patents
- Publication number
- WO2017121998A1 (PCT/GB2017/050049)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- session
- user
- remote device
- server
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2115—Third party
Definitions
- the invention relates to methods and apparatus for controlling access to a remote device within a computer network from a user device, which may be outside the computer network.
- the invention may relate to methods and apparatus for controlling access to the remote device such that credentials for the remote device are not accessible from the user device.
- a computer network within an organisation will typically contain a number of devices, termed remote devices herein, which may include PCs and servers, but also switches, routers, wireless access points, IP cameras, projectors, network attached storage and so on.
- Each remote device will have a management interface, which may be web-based or may be accessed as one or more applications running on general purpose operating systems such as Windows or Linux.
- a remote device in this context may itself be an application running on a physical component or over the Internet.
- Remote devices may be controlled by users logging in to user or admin accounts from user devices. Some remote devices may provide only a single management user or admin account, while others may allow many accounts with various levels of functionality, or even integrate directly with organisational user directories. Each user or admin account will typically require user credentials for each user attempting to gain access to one or more remote devices.
- user credentials encompass any data that may be used to log in to a user or admin account for controlling a device. Accordingly, user credentials may comprise a user ID and/or secret data, such as a text string or password, identifying that user.
- Known solutions may be provided by simply storing remote device credentials in a database.
- a user may transmit a request to the database and then receive remote device credentials allowing access to one or more remote devices as part of a network administration role.
- a user may keep a physical record of remote device credentials for accessing a remote device as part of a network administration role in what may be termed a "run book".
- the user consults the run book to identify remote device credentials allowing access to devices within the computer network.
- a server for controlling access to a remote device from a user device, the server comprising: a session establishing means, which may be a session establisher, configured to establish a first session, between a client of the user device and the server, the session establisher being further configured to control a transmitter to transmit remote device credentials to the remote device for establishing a second session, between the server and the remote device, such that the second session is established; and a session controlling means, which may be a session connector, configured to connect the first and second sessions, such that the client does not have access to the remote device credentials.
- the server further comprises a receiving means, which may be a receiver configured to receive from the client a request to establish the first session, the request comprising user credentials for a user; and a user determining means, which may be a user determiner, configured to determine whether the user is an authorised user based on the received user credentials, wherein the session establisher is configured to establish the first session in dependence on the user being an authorised user.
- the user credentials provide two-factor authentication.
- the user determiner is configured to determine whether the user is authorised to access the remote device, and wherein the session establisher is configured to control the transmitter to transmit remote device credentials to the remote device for establishing the second session, in dependence on the user being an authorised user.
- the server further comprises a one instance enforcing means, which may be a one instance enforcer, configured to determine whether there is an existing first session established for the user and, if there is an existing first session, to end the existing first session before establishing the requested first session.
- the first session comprises an encrypted session.
- the encrypted session is one of a secure shell, SSH, tunnel or a secure sockets layer, SSL (in current deployments, TLS), tunnel.
- the first session comprises a non-encrypted session running within the encrypted session.
- the session establisher is configured to establish the first session with a client in a first network, and to establish the second session with a remote device in a second network.
- the server further comprises a receiver configured to receive from the remote device, in response to the transmitted remote device credentials, session establishment data for establishing the second session, and wherein the session establisher is configured to establish the second session based on the received session establishment data.
- the session establisher is configured to establish the first session in a first context of an operating system running on the server, and to establish the second session in a second context of the operating system, wherein one of the first or second contexts is unable to access memory associated with the other of the first or second contexts.
- the session connector is configured to connect the first and second sessions at a socket level.
- a system comprising a server as described herein, and a user device comprising the client, the client further comprising: a session establishing means, which may be a session establisher configured to control a transmitter to transmit a request to the server for establishing the first session, the request comprising user credentials for the user.
- the client further comprises a one instance enforcing means, which may be a one instance enforcer, configured to determine whether there is an existing first session established for the user and, if there is an existing first session, to end the existing first session before controlling the transmitter to transmit the request.
- the client further comprises a port generating means, which may be a port generator configured to generate an ephemeral port at the user device, wherein the transmitted request comprises data for establishing the first session via the ephemeral port.
- the client further comprises a session recorder
- a method, performed on a server, for controlling access to a remote device from a user device comprising: establishing, at a session establisher, a first session, between a client of the user device and the server; controlling, by the session establisher, a transmitter to transmit remote device credentials to the remote device for establishing a second session, between the server and the remote device, such that the second session is established; and connecting, by a session connector, the first and second sessions, such that the client does not have access to the remote device credentials.
- a computer program comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out a method disclosed herein.
- a carrier containing the computer program above, wherein the carrier is one of an electronic signal, optical signal, radio signal, or non-transitory computer readable storage medium.
- Figure 1 is an architecture diagram showing a device network and a workstation network
- Figure 2 shows a schematic diagram of a server
- Figure 3 shows a schematic diagram of a user device
- Figure 4 shows a signalling diagram of a method for controlling access to a remote device from a user device.
- the remote device may be one of many remote devices owned by an organisation and may provide access to one or more secure elements of the organisation's network. In such cases, it is desirable for a user not to know the remote device credentials that allow access to the remote device.
- the methods and apparatus disclosed herein allow a user device to access a remote device without revealing the remote device credentials to the user device.
- methods and apparatus disclosed provide a one-to-one mapping between an authorised user and an authorised session on a remote device.
- a goal is to prevent any direct connection to the remote device and to prevent the intercept of any remote device credentials from the user or the authorised user's system. This may be achieved by one or more of a series of indirections and enforcement points that combine to map a session between the authorised user's system and the remote device (for the purposes of system management etc.) via a server.
- Exemplary arrangements disclosed comprise a server between a user device and a remote device that may connect a first session established with the user device and a second session established with the remote device such that the user device has access to the remote device.
- the server may combine networking techniques and mathematical techniques together to increase the degree of separation between the first and second sessions.
- the remote device credentials can never enter the authorised user's system. Therefore, the remote device credentials cannot be:
- Exemplary methods and apparatus may also include 'gear-lever' technology that allows an organisation to move from a 'no-touch' server deployment through several distinct stages to the environment described herein.
- FIG. 1 shows an architecture diagram of a device network 100 and a workstation network 102.
- the device network 100 comprises a remote device 104 and a server 106 for controlling access to the remote device 104.
- the device network 100 may comprise other systems and/or remote devices 108, which may be in data communications with the remote device 104.
- the workstation network 102 comprises a user device 110, in this case external to the device network 100.
- the user device 110 comprises a client 112.
- the client 112 is configured to be in data communications with the server 106.
- the data communications may be via a public network, such as the Internet, and may use Internet Protocol (IP).
- the client 112 may be accessed via one or more ephemeral ports 114 that are open only for a limited amount of time.
- the ephemeral ports 114 may be bound to a "loopback" IP address in the 127.x.x.x range. Traffic to such an address never reaches the data link layer, so the local hop between the user's tool and the client 112 cannot be captured on the wire; only the client's encrypted session to the server 106 crosses the network. Note, however, that loopback addressing is not by itself a defence against malware already running on the user device: a process with the user's privileges can connect to a loopback port or inspect the client process like any other local process. The protection of the remote device credentials therefore rests on their never being sent to the user device at all, not on the loopback hop.
- a user may access the client 112 via a system admin tool 116 and optionally the ephemeral port 114.
- the server 106 is configured to establish data communications with the client 112 of the user device 110 and with the remote device 104, but is configured to isolate those two sets of data communications from each other such that the remote device credentials are not available to the user device 110. The operation of the server 106 is discussed in greater detail below.
- FIG 2 shows a schematic representation of a server 200, which may be a server 106 in the architecture diagram of Figure 1.
- the server 200 comprises a transmitter 202 and a receiver 204.
- the transmitter 202 and receiver 204 may be in data communication with other network entities within the device network 100 and/or the workstation network 102, such as remote devices 104, user devices 110, servers and/or functions in those networks, and are configured to transmit and receive data accordingly.
- the server 200 further comprises a memory 206 and a processor 208.
- the memory 206 may comprise a non-volatile memory and/or a volatile memory.
- the memory 206 may have a computer program 210 stored therein.
- the computer program 210 may be configured to undertake the methods disclosed herein.
- the computer program 210 may be loaded in the memory 206 from a non-transitory computer readable medium 212, on which the computer program is stored.
- the processor 208 is configured to undertake one or more of the functions of a session establisher 214, session connector 216, user determiner 218 and one instance enforcer 220, as set out below.
- Each of the transmitter 202 and receiver 204, memory 206, processor 208, session establisher 214, session connector 216, user determiner 218 and one instance enforcer 220 is in data communication with the other features 202, 204, 206, 208, 210, 214, 216, 218, 220 of the server 200.
- the server 200 can be implemented as a combination of computer hardware and software.
- the session establisher 214, session connector 216, user determiner 218 and one instance enforcer 220 may be implemented as software configured to run on the processor 208.
- the memory 206 stores the various programs/executable files that are implemented by a processor 208, and also provides a storage unit for any required data.
- the programs/executable files stored in the memory 206, and implemented by the processor 208, can include the session establisher 214, session connector 216, user determiner 218 and one instance enforcer 220, but are not limited to such.
- FIG 3 shows a schematic representation of a user device 300, which may be a user device 110 in the architecture diagram of Figure 1.
- the user device 300 comprises a transmitter 302 and a receiver 304.
- the transmitter 302 and receiver 304 may be in data communication with other network entities within the device network 100 and/or the workstation network 102, such as the server 106, other user devices, servers and/or functions in those networks, and are configured to transmit and receive data accordingly.
- the user device 300 further comprises a memory 306 and a processor 308.
- the memory 306 may comprise a non-volatile memory and/or a volatile memory.
- the memory 306 may have a computer program 310 stored therein.
- the computer program 310 may be configured to undertake the methods disclosed herein.
- the computer program 310 may be loaded in the memory 306 from a non-transitory computer readable medium 312, on which the computer program is stored.
- the processor 308 is configured to undertake one or more of the functions of a client 314, session establisher 316, one instance enforcer 318, port generator 320 and session recorder 322, as set out below.
- Each of the transmitter 302 and receiver 304, memory 306, processor 308, client 314, session establisher 316, one instance enforcer 318, port generator 320 and session recorder 322 is in data communication with the other features 302, 304, 306, 308, 310, 314, 316, 318, 320, 322 of the user device 300.
- the user device 300 can be implemented as a combination of computer hardware and software.
- the client 314, session establisher 316, one instance enforcer 318, port generator 320 and session recorder 322 may be implemented as software configured to run on the processor 308.
- the memory 306 stores the various programs/executable files that are implemented by the processor 308, and also provides a storage unit for any required data.
- the programs/executable files stored in the memory 306, and implemented by the processor 308, can include the client 314, session establisher 316, one instance enforcer 318, port generator 320 and session recorder 322, but are not limited to such.
- Figure 4 shows a signalling diagram of a method for controlling access to a remote device 104 by a user device 300, 110 via a server 200, 106.
- a user logs in 400 to the client 314 of the user device 300 using the sysadmin tool 116.
- the user may supply user credentials to the client 314.
- the user credentials identify the user and allow the user to be authenticated; the server then uses the authenticated identity to decide whether the user is authorised to access the remote device 104.
- the user credentials may provide two factor authentication, in that the user needs to be in possession of a token that provides an additional code.
- the one instance enforcer 318 may determine whether the user is already logged in to the server 200. This may be done by maintaining a local store of logged-in users and/or by data communication with the server 200. If the user is currently logged in, the one instance enforcer 318 logs the existing instance of the user out and logs the user in according to the login credentials just received. This means that users can move from user device to user device without having to log off first. In addition, if the user credentials fall into another individual's hands and that individual attempts to log in using them, whether for honest or malicious reasons, the true user is logged out and is thereby alerted, provided the displaced session tells the user why it ended. The compromise of the credentials can then be dealt with.
- the login of the user may be on one of the ephemeral ports 114. That is, the port generator 320 of the client 314 may generate one or more ephemeral ports 114, as set out above.
- the client 314 may therefore expose the session(s) established with the server 200 to users via local ephemeral ports 114 on 127.x.x.x IP addresses. Any scan of the 127.x.x.x addresses (which can only be run from the user device itself) will be inconclusive, for example because of the high number of possible ports and because the client does not respond to unauthenticated connections.
- the client 314 connects the user's tool chain to a 127.x.x.x:ephemeral port. Opportunistic connections to those ports receive no response and simply time out, so an attacker finds no evidence of a session on the port.
- the session establisher 316 of the client 314 controls the transmitter 302 to transmit a request 402 to establish a communications session to the server 200.
- the request may comprise the user credentials.
- the receiver 204 of the server 200 receives the request.
- the session establisher 214 of the server 200 establishes a communications session between the client 314 and the server 200.
- the user determiner 218 of the server 200 may determine whether the user is entitled to access the remote device 104, based on the user credentials in the request.
- the session establisher 214 may establish the session with the client 314 in dependence on the user credentials identifying the user as being authorised to access the remote device 104.
- the server 200 may have access, e.g. the server 200 may store locally, a database of authorised users. Such a database may identify one or more roles that have access to one or more remote device 104 in the device network 100 and may further identify users authorised to act in those roles.
- the session between the client 314 and the server 200 may be an encrypted session, such as a tunnelled secure shell (SSH) or Secure Sockets Layer (SSL; in current deployments, TLS) session.
- unsecured protocols, such as Telnet, may be wrapped in the encrypted SSH or SSL session, which prevents 'on the wire' monitoring.
- the SSH or SSL session may be authenticated against the user's credentials, as previously described.
- the client 314 may also comprise a session recorder 322 configured to implement session recording. If this session recording is interrupted for any reason, the session recorder may be configured to terminate the session.
- the session establisher 214 of the server 200 controls the transmitter 202 to transmit remote device credentials for the remote device 104 to the remote device 104.
- the transmitted remote device credentials are part of communications 406 between the server 200 and the remote device 104 to set up a session therebetween.
- the session establisher 214 establishes a session 408 with the remote device 104 and performs a login to the remote device 104 using the remote device credentials.
- the remote device 104 may be on a separate network to the user device 300.
- the server 200 may receive from the remote device 104 session establishment data for establishing the second session.
- the server 200 may also receive from the remote device 104 data instructing a credential change for the remote device 104.
- the session establisher 214 may generate updated credentials for the remote device 104.
- the updated credentials may be transmitted to the remote device 104 where they may be stored for future session establishment. In this way, no user input is required to update the credentials for logging into the remote device 104.
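The credential-change exchange above, as an added example that is not the patent's code. `FakeDevice` is a constructed stand-in for the remote device, with a hypothetical policy of demanding a new secret on every second login; `open_session` is the server side, and the vault is a plain dictionary keyed by (role, device). The point a practitioner would want is the commit order: the vault is updated only after the device has accepted the new secret and a test login with it has succeeded, so a refused or lost change leaves the old, still-valid secret in the vault instead of locking the server out of the device.

```python
import hmac
import secrets
import string

_ALPHABET = string.ascii_letters + string.digits + "-_."


def generate_secret(length: int = 32) -> str:
    """Server-generated device secret; no user input is involved."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


class FakeDevice:
    """Constructed stand-in for the remote device: one management account and
    a hypothetical policy that demands a new secret on every 2nd login."""

    def __init__(self, account, secret, accept_changes=True):
        self.account, self._secret = account, secret
        self.logins, self.accept_changes = 0, accept_changes

    def login(self, account, secret) -> str:
        if account != self.account or not hmac.compare_digest(secret, self._secret):
            return "ERR"
        self.logins += 1
        return "CHANGE_REQUIRED" if self.logins % 2 == 0 else "OK"

    def change_secret(self, old, new) -> bool:
        ok = (self.accept_changes and len(new) >= 16
              and hmac.compare_digest(old, self._secret))
        if ok:
            self._secret = new
        return ok


def open_session(vault: dict, key, device: FakeDevice) -> str:
    """Log in with the vaulted secret and rotate it if the device asks.
    The vault is written only after the device accepted the new secret and
    a test login with it succeeded: committing first would leave the vault
    holding a secret the device does not know."""
    account, secret = vault[key]
    status = device.login(account, secret)
    if status == "ERR":
        return "login-failed"
    if status == "CHANGE_REQUIRED":
        new = generate_secret()
        if not device.change_secret(secret, new):
            return "rotation-failed"        # vault untouched, old secret still valid
        if device.login(account, new) == "ERR":
            return "rotation-unverified"    # do not commit an unproven secret
        vault[key] = (account, new)
    return "session-open"


def demo():
    """Three logins against a cooperative device, two against one that refuses
    changes; returns what happened to each vault."""
    key = ("netadmin", "switch-1")
    initial = "InitialSecret-0001"
    vault = {key: ("svc-netadmin", initial)}
    dev = FakeDevice("svc-netadmin", initial)
    results = [open_session(vault, key, dev) for _ in range(3)]
    stubborn_vault = {key: ("svc-netadmin", initial)}
    stubborn = FakeDevice("svc-netadmin", initial, accept_changes=False)
    stubborn_results = [open_session(stubborn_vault, key, stubborn) for _ in range(2)]
    return {
        "results": results,
        "rotated": vault[key][1] != initial,
        "old_secret_rejected": dev.login("svc-netadmin", initial) == "ERR",
        "vault_secret_works": dev.login("svc-netadmin", vault[key][1]) != "ERR",
        "stubborn_results": stubborn_results,
        "stubborn_unchanged": stubborn_vault[key][1] == initial,
    }
```

With the cooperative device the second and third logins each trigger a rotation that is verified before the vault is rewritten; with the device that refuses the change, `open_session` reports `rotation-failed` and the vault still holds the secret the device accepts.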
- the session establisher 214 may establish the sessions 404 and 408 in different contexts (for example, separate processes) of an operating system, for example LINUX, running on the server 106. Memory of one context cannot be accessed by another context, which means that the session 404 between the server 106 and the user device 110 is unable to obtain the remote device login credentials from the session 408 between the server 106 and the remote device 104.
- the one instance enforcer 220 of the server 200 may also enforce a one instance policy, as set out above. That is, the one instance policy may be implemented at the user device 300 and/or the server 200.
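The one instance policy, as an added example that is not part of the patent: a small thread-safe enforcer with hypothetical `login`, `logout`, `is_live` and `why_ended` methods, usable on the server or the client side. The edge case it handles is the stale logout: the token of the session that was displaced must not be able to end the newer session, and the displaced session can ask why it ended so that the true user is actually told.

```python
import secrets
import threading


class OneInstanceEnforcer:
    """At most one live session per user.  A second login for the same user
    ends the first and records why, so the displaced client can report the
    reason to the real user (the alert the text relies on)."""

    def __init__(self):
        self._lock = threading.Lock()
        self._live = {}      # user -> token of the single live session
        self._ended = {}     # displaced token -> reason it was ended

    def login(self, user: str) -> str:
        token = secrets.token_hex(16)
        with self._lock:
            old = self._live.get(user)
            if old is not None:
                self._ended[old] = "displaced by a new login for " + user
            self._live[user] = token
        return token

    def is_live(self, user: str, token: str) -> bool:
        with self._lock:
            return self._live.get(user) == token

    def logout(self, user: str, token: str) -> bool:
        """Only the holder of the current token may end the session, so a
        stale logout from the displaced session cannot kill the new one."""
        with self._lock:
            if self._live.get(user) == token:
                del self._live[user]
                return True
            return False

    def why_ended(self, token: str):
        with self._lock:
            return self._ended.pop(token, None)


def demo():
    """alice logs in from workstation A, then from workstation B without
    logging off A; A's stale logout must not affect B."""
    enf = OneInstanceEnforcer()
    tok_a = enf.login("alice")
    tok_b = enf.login("alice")
    return {
        "a_live_after_b": enf.is_live("alice", tok_a),
        "b_live": enf.is_live("alice", tok_b),
        "a_reason": enf.why_ended(tok_a),
        "stale_logout_accepted": enf.logout("alice", tok_a),
        "b_still_live": enf.is_live("alice", tok_b),
        "b_logout_accepted": enf.logout("alice", tok_b),
    }
```

A session loop would call `is_live` before forwarding each request and, on `False`, show the user the string from `why_ended` and close; a displaced session that silently disappears gives the true user nothing to act on.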
- a session connector 216 connects 410 the two established sessions 404, 408, such that the user device 300 has access to the remote device 104.
- the session connection isolates the remote device credentials from the session established with the user device 300, for example using separate contexts as explained above.
- the session connector may, for example, connect the sessions 404, 408 at a socket level such that each session is able to request that the other session undertake some task, but is unable to access the memory of the other session.
- the methods and apparatus disclosed herein do not act as a 'router' between networks or between the user device 300 and the remote device 104.
- the methods and apparatus disclosed set up sessions and connect those sessions within the server 200.
- the remote device 104 could be configured (or firewalled) to accept only network connections from the server 200.
- the server 200 may have previously created a device account and set its privileges based on the required role. In a 'managed' mode there will be a device account created for each authorised user at each role for every profile that contains the authorised users and the remote device. In essence the device account may be specific for the role defined in each profile the authorised user is a member of. In a network of systems, the accounts are specific to those systems and cannot be used to make implicit jumps or file mappings to other systems.
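The flow of Figure 4, from user login through the vaulted device login to the socket-level splice, as an added, runnable example rather than the patent's own code. It stands up a constructed fake remote device and a broker on loopback ephemeral ports (127.0.0.1, port 0), authenticates the user against a hypothetical user/role table, logs in to the device with credentials that exist only in the broker's in-memory vault, then pumps bytes between the two sockets while a recorder captures the spliced traffic. The line protocol (`LOGIN`, `OK`, `CONNECTED`, `DENIED`, `ECHO`), the user `alice`, the role `netadmin`, the device `switch-1` and the vault contents are all assumptions. The two sessions here run in threads of one process for brevity; the separate operating-system contexts the text describes would put the device-login side in its own process or account.

```python
import hashlib
import hmac
import socket
import threading

_SALT = b"constructed-demo-salt"   # real deployments: a random salt per user

def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

# Constructed sample data: one authorised user, one role, one remote device.
USERS = {"alice": {"hash": _kdf("alice-pw"), "role": "netadmin"}}
# Device credentials keyed by (role, device); they exist only in the broker.
VAULT = {("netadmin", "switch-1"): ("svc-netadmin", "VaultOnlySecret-9f3a")}

def authenticate(user: str, password: str):
    """Return the user's role, or None (constant-time hash comparison)."""
    rec = USERS.get(user)
    if rec and hmac.compare_digest(rec["hash"], _kdf(password)):
        return rec["role"]
    return None

def _readline(sock: socket.socket) -> str:
    # Byte at a time so nothing is buffered past the line: the raw socket
    # is handed to the splice afterwards.
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode(errors="replace").rstrip("\n")

def _fake_remote_device(listener, account, secret):
    # Constructed stand-in for the remote device's management interface.
    conn, _ = listener.accept()
    listener.close()
    with conn:
        if _readline(conn) != f"LOGIN {account} {secret}":
            conn.sendall(b"ERR bad credentials\n")
            return
        conn.sendall(b"OK\n")
        while cmd := _readline(conn):
            conn.sendall(f"ECHO {cmd}\n".encode())

def _pump(src, dst, recorder):
    # One direction of the socket-level splice.  Any failure, including a
    # recorder that raises, ends both sessions (the session recorder rule).
    try:
        while data := src.recv(4096):
            recorder.append(data)
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def _broker_session(client, devices, recorder):
    with client:
        client.settimeout(2.0)   # unauthenticated probes time out, no banner
        try:
            user, password, device = _readline(client).split(" ", 2)
        except (ValueError, OSError):
            return
        role = authenticate(user, password)
        cred = VAULT.get((role, device)) if role else None
        if cred is None:
            client.sendall(b"DENIED\n")
            return
        client.settimeout(None)
        with socket.create_connection(devices[device]) as remote:
            # Second session: device credentials travel broker -> device only,
            # before the splice exists, so the client side never sees them.
            remote.sendall(f"LOGIN {cred[0]} {cred[1]}\n".encode())
            if _readline(remote) != "OK":
                client.sendall(b"DENIED\n")
                return
            client.sendall(b"CONNECTED\n")
            back = threading.Thread(target=_pump, args=(remote, client, recorder))
            back.start()
            _pump(client, remote, recorder)
            back.join()

def run_demo(user="alice", password="alice-pw", device="switch-1"):
    """Fake device and broker on loopback ephemeral ports; one client session."""
    account, secret = VAULT[("netadmin", device)]
    dev_l, brk_l = socket.socket(), socket.socket()
    for lsn in (dev_l, brk_l):
        lsn.bind(("127.0.0.1", 0))   # port 0: the OS picks an ephemeral port
        lsn.listen(1)
    dev_addr, brk_addr = dev_l.getsockname(), brk_l.getsockname()
    threading.Thread(target=_fake_remote_device, args=(dev_l, account, secret),
                     daemon=True).start()
    recorder = []

    def broker():
        conn, _ = brk_l.accept()
        brk_l.close()
        _broker_session(conn, {device: dev_addr}, recorder)

    bt = threading.Thread(target=broker, daemon=True)
    bt.start()
    with socket.create_connection(brk_addr) as c:
        c.sendall(f"{user} {password} {device}\n".encode())
        status, reply = _readline(c), ""
        if status == "CONNECTED":
            c.sendall(b"show version\n")
            reply = _readline(c)
    bt.join(timeout=5)
    return {"status": status, "reply": reply, "device_secret": secret,
            "recording": b"".join(recorder)}
```

`run_demo()` returns what the client saw. The device secret appears neither in the client's replies nor in the recording, because the `LOGIN` line is written by the broker to the device socket before the two pumps start and the recorder only ever sees spliced traffic; a wrong user password yields `DENIED` without any device connection being opened, and a probe that sends nothing for two seconds is closed without a banner.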
- a computer program may be configured to provide any of the above described methods.
- the computer program may be provided on a computer readable medium.
- the computer program may be a computer program product.
- the product may comprise a non-transitory computer usable storage medium.
- the computer program product may have computer-readable program code embodied in the medium configured to perform the method.
- the computer program product may be configured to cause at least one processor to perform some or all of the method.
- These computer program instructions may be provided to a processor circuit of a general purpose computer circuit, special purpose computer circuit, and/or other programmable data processing circuit to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, transform and control transistors, values stored in memory locations, and other hardware components within such circuitry to implement the functions/acts specified in the block diagrams and/or flowchart block or blocks, and thereby create means (functionality) and/or structure for implementing the functions/acts specified in the block diagrams and/or flowchart block(s).
- Computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the block diagrams and/or flowchart block or blocks.
- a tangible, non-transitory computer-readable medium may include an electronic, magnetic, optical, electromagnetic, or semiconductor data storage system, apparatus, or device. More specific examples of the computer-readable medium would include the following: a portable computer diskette, a random access memory (RAM) circuit, a read-only memory (ROM) circuit, an erasable programmable read-only memory (EPROM or Flash memory) circuit, a portable compact disc read-only memory (CD-ROM), and a portable digital video disc read-only memory (DVD/Blu-ray).
- the computer program instructions may also be loaded onto a computer and/or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer and/or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
- the invention may be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.) that runs on a processor, which may collectively be referred to as "circuitry," "a module” or variants thereof. It should also be noted that in some alternate implementations, the functions/acts noted in the blocks may occur out of the order noted in the flowcharts.
- two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
- the functionality of a given block of the flowcharts and/or block diagrams may be separated into multiple blocks and/or the functionality of two or more blocks of the flowcharts and/or block diagrams may be at least partially integrated.
- other blocks may be added/inserted between the blocks that are illustrated. The skilled person will be able to envisage other embodiments without departing from the scope of the appended claims.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
A server (200) for controlling access to a remote device from a user device, the server comprising: a session establisher (214) configured to establish a first session between a client of the user device and the server, the session establisher being further configured to cause a transmitter (202) to transmit remote device credentials to the remote device in order to establish a second session between the server and the remote device, such that the second session is established; and a session connector (216) configured to connect the first and second sessions such that the client does not have access to the remote device credentials.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB1600448.3 | 2016-01-11 | ||
| GBGB1600448.3A GB201600448D0 (en) | 2016-01-11 | 2016-01-11 | Controlling access to remote devices |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2017121998A1 true WO2017121998A1 (fr) | 2017-07-20 |
Family
ID=55445815
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/GB2017/050049 WO2017121998A1 (fr), Ceased | 2016-01-11 | 2017-01-10 | Controlling access to remote devices |
Country Status (2)
| Country | Link |
|---|---|
| GB (1) | GB201600448D0 (fr) |
| WO (1) | WO2017121998A1 (fr) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113905080A (zh) * | 2021-09-27 | 2022-01-07 | 深信服科技股份有限公司 | A management method, device, system and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1274002A2 (fr) * | 2001-07-02 | 2003-01-08 | Seiko Epson Corporation | Method for printing over a network |
| US20100058064A1 (en) * | 2008-08-27 | 2010-03-04 | Microsoft Corporation | Login authentication using a trusted device |
| US20110296510A1 (en) * | 2010-05-27 | 2011-12-01 | Microsoft Corporation | Protecting user credentials using an intermediary component |
| US20140289830A1 (en) * | 2013-03-22 | 2014-09-25 | Robert K. Lemaster | Method and system of a secure access gateway |
| US20150271162A1 (en) * | 2014-03-18 | 2015-09-24 | Cyber-Ark Software Ltd. | Systems and methods for controlling sensitive applications |
Events

2016
- 2016-01-11 GB GBGB1600448.3A patent/GB201600448D0/en not_active Ceased

2017
- 2017-01-10 WO PCT/GB2017/050049 patent/WO2017121998A1/fr not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| GB201600448D0 (en) | 2016-02-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11647003B2 (en) | | Concealing internal applications that are accessed over a network |
| US11503043B2 (en) | | System and method for providing an in-line and sniffer mode network based identity centric firewall |
| US10938800B2 (en) | | System and method for secure access of a remote system |
| US10630725B2 (en) | | Identity-based internet protocol networking |
| US9729514B2 (en) | | Method and system of a secure access gateway |
| CN101437022B (zh) | | Server-initiated secure network connection |
| JP2023514736A (ja) | | Method and system for secure communication |
| JP2022533890A (ja) | | Computing system and method for providing session access based on authentication tokens having different authentication credentials |
| US20180198786A1 (en) | | Associating layer 2 and layer 3 sessions for access control |
| US10848489B2 (en) | | Timestamp-based authentication with redirection |
| US20120084562A1 (en) | | Methods and systems for updating a secure boot device using cryptographically secured communications across unsecured networks |
| US9548982B1 (en) | | Secure controlled access to authentication servers |
| EP1942629A1 (fr) | | Method and system for multi-level object-oriented security in a service-oriented architecture |
| EP3895043B1 (fr) | | Timestamp-based authentication with redirection |
| EP4323898B1 (fr) | | Computer-implemented methods and systems for establishing and/or controlling network connectivity |
| US20170034216A1 (en) | | Authorizing application access to virtual private network resource |
| US20160261576A1 (en) | | Method, an apparatus, a computer program product and a server for secure access to an information management system |
| US20230006988A1 (en) | | Method for selectively executing a container, and network arrangement |
| US12255887B2 (en) | | Early termination of secure handshakes |
| US10404684B1 (en) | | Mobile device management registration |
| US11431761B2 (en) | | Systems and methods for network management |
| US20220278960A1 (en) | | Systems and methods for dynamic access control for devices over communications networks |
| WO2017121998A1 (fr) | | Controlling access to remote devices |
| CN117768137A (zh) | | Remote office system and method for providing a security mechanism in a remote office system |
| US20200336486A1 (en) | | Double factor, asynchronous and asymmetric authentication system and method for accessing a company server through internet protocol |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17700875; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 17700875; Country of ref document: EP; Kind code of ref document: A1 |