1. Field of the Invention
The present invention concerns the field of access to a high-security network, and more particularly a device affording secure access, for example for management and maintenance operations.
2. Description of the Background Art
In many fields, sensitive sites are managed by an information system requiring a high security level and therefore high-security access control. Examples that can be cited are nuclear power stations, space installations, aircraft, both civil and military, submarines, etc.
The information systems that manage these sites share the constraint of high reliability and safety requirements. Security takes several forms: integrity, confidentiality, availability, reliability, anti-intrusion and traceability of interventions, among other things. These systems comply with strict specifications aimed at ensuring this security level.
In particular, a system, an apparatus or even a user is said to be trusted if it meets the specifications and is managed according to the prescribed safety procedures. Conversely, a system or apparatus that does not comply with these procedures is non-trusted.
High-security information systems must therefore be trusted and comply with the safety specifications. During their normal operation, these systems are typically isolated and their security level can therefore be guaranteed.
However, these systems must undergo maintenance operations. These maintenance operations comprise management of the system, changes in parameters and adaptations. They also comprise recovery of operational data (log data). Finally, they comprise the updating of software modules to enable the system to evolve. These actions are very delicate in terms of security, since a trusted system is modified, and it is therefore essential to guarantee that the reliability of the system cannot be compromised during this operation.
These maintenance operations require the connection of a system external to the high-security system. This external system must then itself be trusted, that is, managed according to precise specifications consistent with those of the high-security system, in order to guarantee that the maintenance operation can be trusted.
FIG. 1 describes such a system. The high-security system 1.1 is composed of a communications network 1.3 that connects several sub-systems, typically computers 1.4 and 1.5 responsible for managing the site. An access point 1.6 is also connected to the communications network. This access point enables a terminal 1.7 dedicated to the maintenance of the system to be connected on demand. The connection between the maintenance terminal 1.7 and the access point 1.6 may be made by a wired connection such as an Ethernet connection, or a wireless connection such as WiFi or the like. Generally the access point 1.6 has a firewall for limiting the flows of data passing through the link 1.8 to the flows strictly necessary and provided for the maintenance of the system. The maintenance terminal is typically a portable computer that is connected to the network of the secure system. Typically, when the connection link 1.8 is not a direct wired link, for example when it is a wireless link or a link through a network, the connection 1.8 is protected by means of an encrypted tunnel between the terminal 1.7 and the access point 1.6.
The trusted perimeter is defined as the boundary separating, on the one hand, the high-security system and its peripherals, all the elements of which must be trusted, and, on the other hand, the external apparatus and networks not complying with the same constraints.
Maintaining the security rules then requires the trusted perimeter 1.1 to be extended to a trusted perimeter 1.1 plus 1.2, which comprises the maintenance apparatus. Typically the maintenance apparatus is said to be trusted and must comply with strict management rules. Typically this apparatus must comprise only the prescribed software modules and must be manipulated solely by authorised persons who are duly identified. It must be stored in a restricted-access space, a safe for example, when not in use for maintenance operations. The rules described here are merely a non-exhaustive example of the rules applicable in a particular case. In all cases, the management of this maintenance apparatus proves to be a difficult and constraining process for the operator of the high-security system.