All Categories
Resources
Secure Lobby Overview

Secure Lobby Overview

An overview of Byos Secure Lobby

Overview

The Byos Secure Lobby enables for secure remote access of endpoints inside of a protected microsegment created by the Byos µGateway. At a high level, it enables:

  • Secure remote monitoring, updating, patching, troubleshooting
  • Increased control over 3rd-party access to endpoints
  • No network or endpoint exposure, reducing risk of lateral infections
  • Reduced trips onsite for maintenance saving operational expenses

How does it work?

The Secure Lobby creates a secure connection between the deployed μGateway devices and the Byos Management Console using an outbound connection, originating from inside of the corporate network perimeter, so as to not interfere with local network configurations.

  1. First, the Network Admin or Service Technician initiates the Secure Lobby connection in the Byos Management Console. Upon receiving the command from the Management Console, the Byos μGateway then establishes an outgoing 4096 RSA-encrypted connection with the Secure Lobby, which is not impacted by the corporate network firewall and does not require weakening the perimeter security of the main network.
  1. The user then connects their computer to the Secure Lobby using an encrypted connection.

Once the user is inside of the Secure Lobby, the Byos μGateway allows traffic to and from the protected endpoint, allowing the user to interact with the endpoint directly.

With Byos Secure Lobby, you can communicate with remote TCP/IP endpoints as if you were directly connected to them in the local network. This communication is two way (you can push and pull data from endpoints), and can be done on any port/service that the endpoint is listening on. Discovery of those endpoints (and their open ports) is done automatically by Byos at each edge, and the granular management of access is handled centrally from our cloud-based Management Console.

What is it used for?

  • Controlling 3rd-party access to endpoints, like contractors or service technicians that need to remotely access the endpoints, without giving blanket access to the network.
  • Collaboration between employees on public networks
  • Moving data from one place to another in a highly secure manner, without exposing the endpoints or the traffic to the local or public internet.
  • Performing updates, troubleshooting, or maintenance to endpoints, without being on site.
  • In the event of a cyber incident, Byos microsegments can be isolated from the internet so that instead of being taken offline completely, the endpoint can remain operational. This helps to remediate, without completely disrupting operations.
  • Discovering endpoints inside of the microsegments for better asset management capabilities of downstream Level 0/1/2 TCP-capable devices.

What are the benefits?

  • Operational benefit: Whenever there is an action needed to be done to an endpoint inside of a microsegment (a critical patch, resolving an alarm, a firmware update), the customer doesn't have to travel on site to triage the issue, which means faster time to service any issue that arises. They can simply log in remotely, perform an action, and log out, moving to a more scheduled, proactive maintenance/service model.
  • Security benefit: The Byos solution adds a layer of modern security to very old controller technology (and thus typically insecure), and makes it so the customer, and only the customer can access these controllers. This is a major improvement to previous ways of connecting remotely, which usually involved public Static IPs and VPNs because it reduces the likelihood that the entire network is accessible from the internet or the 3rd party contractor's computer. Less time bothering on-site IT people, more secure communications, and therefore less risk of a cybersecurity incident for the customer. For more technical information on the concept of network security using Microsegmentation, you can read here: https://www.byos.io/blog/what-is-microsegmentation
 

How to Use Secure Lobby

Basic Operation

  • Group Policy controlled - A Secure Lobby connection is determined by which Group Policy the specific Edge is assigned.
    • All Edges in a group policy will create tunnelled connections to Secure Lobby using the Same Private IP address (172.20.0X
  • SL Tunnel On/Off - By default, the connection between the Byos Secure Edge and the network is a plain TLS connection.
    • Secure Lobby, which is a Layer 2 Tunnelled connection, is established on top, for secure access of resources.
    • In the Group Policy settings, turn Secure Lobby on to enable the tunnel.
    • Once the SL connection is established. All traffic from inside microsegment goes through the tunnel and will leave at the Byos SL Exit Node, continuing to the final destination
    • The Exit Node will be in a location chosen by the customer upon activation of their Management Console.
    • Edge Device traffic will not flow through the SL connection.
    • If a device is down, and SL is turned on from the management console, no microsegment-originated traffic will reach SL until the tunnel is re-established. This is for security reasons - if an attacker can disrupt the SL connection, it presents a risk if packets are still able to flow to the network.
  • Internet On/Off - Internet access per edge can be disabled by the Group policy setting.
    • When disabled, the endpoints inside of the microsegment will not be able to route to the internet.
    • If Internet Access is off and the SL connection is on, the endpoints in the microsegment will not be able to reach the internet, but they still will be able to route traffic to SL.
  • Restrict outbound traffic - in the Group Policy Settings, administrators can enable the Secure Lobby connection to only allow inbound traffic. This is meant to prevent unauthorized traffic from leaving the microsegment as to meet Zero Trust principles of least privileged access.

Asset Discovery

  • Active network and port discovery of endpoints - At the click of a button, the Byos Secure Edge will perform and active discovery of the endpoints inside of its microsegment. It will display the endpoint’s details to the administrator including - IP, port, service, name and description.
    • If a desired endpoint is not discovered, manual endpoints can be added.
  • Adding endpoints manually - Adding an endpoint to be visible in Secure Lobby consists of enabling the route. This is done by simply clicking a button and inputting the description, port and service you wish the endpoint to communicate over in Secure Lobby.

Secure Lobby Guest Access

  • Guests - Guests in the Byos Networks are non-administrator roles, who can be given specific, granular access to endpoints inside of byos-protected microsegments.
    • Guest Access is controlled from the Management Console.
    • Guests access the Byos microsegments using an OVPN connection.
    • To create a guest in the MC - Administrators input the Guests’ username, description, and email address
      • Upon submission, the Guest is sent and email with an OVPN file and credentials
      • The Guest uploads the OVPN file to their OVPN client, authenticates, and turns on the Guest connection to SL. The guest now has the ability to communicate to the endpoint if both: a) the SL tunnel is on and b) the Route has been established from the Edge to the Endpoint
      • The Administrator will have to tell the Guest which private IP address and which endpoint/port/service they will be able to access.
  • Managing Secure Lobby Guests - administrators can see various details in the MC about the Guests they have enabled in their network.
    • The date the Guest was last active in SL
    • The IP address the Guest had last connected from
    • As the administrator you can
      • Reset the guest’s password
      • Delete the Guest from the network
      • Download the Guest’s OVPN file
 
Did this answer your question?
😞
😐
🤩

Last updated on May 13, 2022

SIEM Configuration (Beta) Secure Lobby Setup Guide