About Network Connector


The Segura® Network Connector enables users to initiate sessions on devices located in networks without connectivity to Segura, or in environments with overlapping IP addresses.
In addition, the Network Connector supports all connection types available in Segura, including RDP, SSH, Telnet, HTTP/HTTPS, and others.

This solution is composed of the Network Connector Server and the Agent.


Alert

The device on which the Agent is installed must be able to reach Segura over the network for the connection to be established.

Alert

When modifying the destination of the request for a tunnel established by the Agent, the Network Connector becomes incompatible with the use of certificates. This is because, in this context, certificates depend on the destination of the request to perform one of the necessary validations.
Disconnected Systems

The Segura® Network Connector enables secure credential management in disconnected environments such as air-gapped networks, DMZs, industrial OT, or isolated segments. The connector is installed as a gateway within the protected segment and provides encrypted communication with the Segura® platform, without the need for local agents on the assets.

Key Capabilities

  • Secure Communication: uses outbound TLS/SSH channels to ensure that only the connector initiates secure communication with the Segura® solution, never the other way around, complying with firewall and network segmentation policies.
  • Centralized Management: enables credential discovery, rotation, and distribution across all devices and applications in the isolated segment through the connector.
  • Agentless: no need to install agents on each server, device, or appliance, reducing operational effort and potential points of failure.
  • Compatibility: supports Windows, Linux, network appliances, databases, applications, OT/IoT, internal cloud proxies, and more.
  • High Availability: supports redundant deployments for operational continuity and failover.

Operational Flow

  1. Deploy the Network Connector: install in the isolated segment following security and hardening best practices.
  2. Policy Configuration: define which assets/devices will have credentials managed by the connector.
  3. Operation Execution: credential discovery, rotation, onboarding, and remote access are performed via the connector, without direct exposure of the vault to the isolated network.

Use Cases

  • Closed data centers and industrial OT environments.
  • DMZs, SCADA/ICS zones, and defense environments.
  • Remote sites or branches without persistent connectivity.

Break-Glass & Offline Credential Workflow

Segura® provides robust mechanisms for emergency (“break-glass”) access and offline workflows, which are essential in fully isolated environments without connectivity to the central vault for extended periods.

Key Capabilities

  • Secure Credential Export: generates encrypted, signed, and controlled credential reports for emergency use in air-gapped or network blackout scenarios.
  • Scheduled Rotation: supports synchronized, periodic rotation policies with automatic updates when connectivity is restored.
  • Logging and Audit: all break-glass actions are logged locally and synchronized with the central vault when possible.
  • Just-in-Time Access: enables temporary offline approvals, including dual authentication (MFA) upon reconnection.

Operational Procedure

  1. Planning: define critical credentials and assets for offline export, and schedule rotation and revalidation periods.
  2. Execution: an authorized administrator extracts an encrypted credential file, with a validity period and integrity hash.
  3. Controlled Use: emergency access is documented; actions are synchronized with the vault upon the next connection.
  4. Recertification: regular audits of break-glass access, with renewal policies and automatic blocking after use.
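The export-and-use steps above, as an added illustration that is not Segura's own code or file format: a constructed record carrying a validity window and an integrity hash, signed with an HMAC key that is assumed to be shared between the authorizing administrator and the emergency host, verified before use, with every attempt written to a local audit list for later synchronization. Payload encryption, which the product also applies, is left out of this example.

```python
import hashlib
import hmac
import json

# Assumption: a symmetric signing key shared by the authorizer and the emergency host.
# Constructed value for illustration only; not a Segura key or format.
SIGNING_KEY = b"constructed-break-glass-signing-key"


def make_export(credentials: dict, valid_from: int, valid_until: int,
                key: bytes = SIGNING_KEY) -> dict:
    """Step 2: build a signed export with a validity period and integrity hash."""
    body = json.dumps(credentials, sort_keys=True).encode()
    record = {
        "payload": body.decode(),
        "not_before": valid_from,          # Unix timestamps (constructed)
        "not_after": valid_until,
        "sha256": hashlib.sha256(body).hexdigest(),
    }
    signed = json.dumps(record, sort_keys=True).encode()
    record["hmac"] = hmac.new(key, signed, hashlib.sha256).hexdigest()
    return record


def verify_export(record: dict, now: int, key: bytes = SIGNING_KEY) -> tuple:
    """Check signature, then integrity hash, then validity window. Returns (ok, reason)."""
    unsigned = {k: v for k, v in record.items() if k != "hmac"}
    expected = hmac.new(key, json.dumps(unsigned, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("hmac", "")):
        return False, "signature mismatch"
    if hashlib.sha256(record["payload"].encode()).hexdigest() != record["sha256"]:
        return False, "integrity hash mismatch"
    if now < record["not_before"]:
        return False, "not yet valid"
    if now > record["not_after"]:
        return False, "expired"
    return True, "ok"


def break_glass_use(record: dict, now: int, audit_log: list,
                    key: bytes = SIGNING_KEY):
    """Step 3: every attempt is logged locally, whether or not it succeeds."""
    ok, reason = verify_export(record, now, key)
    audit_log.append({"ts": now, "result": reason, "sha256": record.get("sha256")})
    return json.loads(record["payload"]) if ok else None
```

The audit list stands in for the local log that the product synchronizes with the vault once connectivity returns.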

Application Examples

  • Disaster recovery, network blackouts, or loss of communication with the central vault.