Presentation - Traversix Virtual Connectivity Network


Virtual Connectivity Network
Virtual Connectivity Networks –
Improving Usability and Enhancing
Security for Remote Access
Jim Kokal
Wavetrix
President/CEO
National Manufacturing Week 2006
Chicago, IL
Agenda
• Trends and Applications
• Inbound Connection Oriented
Architecture
• Outbound Connection Oriented
Architecture
• Virtual Connectivity Networks
• Summary/Questions
Networking Trends
• Network complexity is growing
– Security requirements are increasing
– System integration is increasing within an
organization, to customers, and to suppliers
• Regulatory Issues
– HIPAA, Sarbanes-Oxley, etc., add further
requirements
• LAN
– Old Paradigm: Inherently trusted user
– New Paradigm: Inherently untrusted user
• Treat an internal and external user identically
M2M Remote Access Applications
• Status and Maintenance Checks
• Diagnostics
• Configuration and Administration
• Software Upgrade
• Log File Retrieval
Remote Access Methodologies
• Inbound Connection via the Internet
– Definition: Client originates a connection to the
serial server
– Requires Firewall(s)/Router(s) reconfiguration
– Port Forwarding is the most common
implementation
• Outbound Connection via the Internet
– Definition: Serial server originates connection to a
known point
– Gateway provides connection point
– Creates a Virtual Connectivity Network
Inbound Connection Systems
• Client (i.e. PC) originates connection to
the serial server
– Telnet or Virtual Serial Port
– Requires advance provisioning
• Serial Server
– Static IP address
– Authenticates user (username/password)
Inbound Connection Architecture
[Diagram: a PC with VSP/Telnet on one LAN, behind its firewall, connects across the Internet through the organization's firewall to the serial server and the serial-enabled device on the remote LAN]
• User connects remotely using the Internet to
serial server inside the firewall of an organization
– Requires advance provisioning
– Port Forwarding is the most common technology
Port Forwarding Illustration
[Diagram: on the WAN side, a web page request arrives at the firewall/router and is forwarded to the web server at 192.168.0.15; a remote connection request is forwarded to the serial server at 192.168.0.7, which fronts the serial-enabled device on the LAN]

Port Forwarding Table
WAN TCP Port    LAN IP Address:Port
80              192.168.0.15:80
1255            192.168.0.7:1255
• Web servers are the most common example
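The forwarding table above, worked through as a small destination-NAT simulation. This is an added example, not Traversix/Wavetrix code: the two table rows come from the slide, while the WAN address (203.0.113.10, a documentation-range address), the Packet layout and the class and function names are constructed for the illustration. It shows the two points the deck makes about inbound access: every forwarded port is a service reachable from the Internet, and a second serial server in the same facility needs a WAN port of its own.

```python
# Added illustration of the port-forwarding table; not Traversix/Wavetrix code.
# Table rows are from the slide; the WAN address, Packet layout and names are
# constructed assumptions for this example.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # "ip:port" of the sender
    dst: str      # "ip:port" of the receiver
    payload: str


class PortForwardingFirewall:
    """Firewall/router holding a WAN TCP port -> LAN ip:port forwarding table."""

    def __init__(self, wan_ip: str) -> None:
        self.wan_ip = wan_ip
        self.table: Dict[int, str] = {}

    def forward(self, wan_port: int, lan_target: str) -> None:
        # One WAN port per exposed service: a second serial server cannot reuse
        # 1255, which is the provisioning burden the "Installation Issues" slide
        # describes.
        if wan_port in self.table:
            raise ValueError(
                f"WAN port {wan_port} is already forwarded to {self.table[wan_port]}")
        self.table[wan_port] = lan_target

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Destination NAT for an Internet -> LAN packet; None means it is dropped."""
        ip, port = pkt.dst.rsplit(":", 1)
        if ip != self.wan_ip or int(port) not in self.table:
            return None  # default deny: only forwarded ports reach the LAN
        return replace(pkt, dst=self.table[int(port)])

    def outbound(self, pkt: Packet) -> Packet:
        """Reverse translation so the reply appears to come from the WAN address.

        Simplified: matched on the LAN source instead of a connection-tracking
        table, which is enough to show the address rewrite.
        """
        for wan_port, lan_target in self.table.items():
            if pkt.src == lan_target:
                return replace(pkt, src=f"{self.wan_ip}:{wan_port}")
        return pkt  # ordinary outbound traffic passes untouched

    def exposed_services(self) -> List[str]:
        """What an Internet-side scan can reach: one entry per forwarded port."""
        return [f"{self.wan_ip}:{p} -> {t}" for p, t in sorted(self.table.items())]


def build_slide_example() -> PortForwardingFirewall:
    """The slide's table behind a constructed WAN address."""
    fw = PortForwardingFirewall("203.0.113.10")
    fw.forward(80, "192.168.0.15:80")      # web server
    fw.forward(1255, "192.168.0.7:1255")   # serial server
    return fw


if __name__ == "__main__":
    fw = build_slide_example()
    request = Packet("198.51.100.5:40000", "203.0.113.10:1255", "remote connection request")
    print(fw.inbound(request))                                   # dst -> 192.168.0.7:1255
    print(fw.inbound(replace(request, dst="203.0.113.10:22")))   # None: not forwarded
    print(fw.exposed_services())
```

Run it directly to see the request to WAN port 1255 rewritten to the serial server and the unforwarded port dropped; exposed_services() is the list a defender would compare against the intended inventory, since each row is an Internet-reachable service whose only protection is the username/password held in the serial server.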
Installation Issues
• Provisioning IP address routing is resource
intensive
– They must be set up and tested
– Maintained through upgrades/replacements
– At a third party, time and politics drive the process
• Username/password is in serial server
• Must know IP address (and port number) of
serial server
– Multiple serial servers within a single facility
require each to have their own port number
Administrative Issues
• Serial servers are individually managed
– To reduce complexity, a single
username/password is often used for all users
• Serial server configuration information (IP
address, port number) must be disseminated
– Users must keep track of this information
– Updates must be sent whenever the information
changes
• Complexity grows dramatically as the size of
deployment grows
Virtual Connectivity Network Motivation
• Outbound connections are generally
permitted
– Examples: Requesting a web page, retrieving email
• Requires no changes to the firewall or router
– Mimics existing network processes
– Traverses the firewall like other processes
• Faster, simpler deployment
• Reduces technician skill level requirements
– Requires minimal “Networking” training
VCN Architectural Changes
• Serial server needs a connection point
– Client isn’t always there and is usually not
visible from the Internet
• Solution: Add a connectivity gateway
– Moves the client connection from locally at
the serial server, to the gateway on the
Internet
– Provides a central point for access control
and privilege administration
VCN Architecture
[Diagram: the Connectivity Gateway sits on the Internet; the serial server with its serial-enabled device on one firewalled LAN and the PC with VSP/Telnet on another firewalled LAN each connect outward to the gateway]
• The gateway provides a central point for all connections
– Serial server connects to the Gateway
– Client Software connects to the Gateway
– Gateway establishes a connection between them when
instructed
VCN Elements
• Serial Server
– Originates and maintains a constant connection to the
connectivity gateway
– Serial server can have a DHCP or Static IP address
• Connectivity Gateway
– Specific purpose appliance that resides on the Internet
• Client
– Creates a connection with connectivity gateway
– Connectivity gateway authenticates and then connects the
client to the requested serial server
Enhanced Security
• Bi-lateral Authentication
– User
• Individual username/password
– Device
• Can use very strong machine-to-machine techniques
• Data Transfer
– Encryption
• Administration
– Individually controlled privileges/access
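The VCN elements and the bilateral authentication described in the two slides above, as an in-memory walk-through. This is an added example, not Traversix/Wavetrix code, and it makes several assumptions the deck does not state: each serial server is provisioned with a per-device secret and proves it by an HMAC challenge/response (one possible "strong machine-to-machine technique"); users are checked against salted PBKDF2 hashes; privileges are a per-user set of device names; and the in-memory relay stands in for the encrypted transport. The device names, user names and passwords are constructed.

```python
# Added illustration of a connectivity gateway; not Traversix/Wavetrix code.
# Assumed here: per-device HMAC secrets, PBKDF2 user hashes, per-user device
# sets as privileges, and an in-memory relay in place of an encrypted link.
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Set

PBKDF2_ROUNDS = 100_000


class SerialServer:
    """Device side: originates the outbound connection and answers challenges."""

    def __init__(self, device_id: str, device_secret: bytes) -> None:
        self.device_id = device_id
        self._secret = device_secret
        self.serial_log: List[bytes] = []   # what reached the serial-enabled device

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def deliver(self, data: bytes) -> bytes:
        self.serial_log.append(data)        # stand-in for the serial port round trip
        return b"OK " + data


class Session:
    """Gateway-brokered relay between one authenticated user and one device."""

    def __init__(self, username: str, device: SerialServer) -> None:
        self.username, self._device = username, device

    def send(self, data: bytes) -> bytes:
        return self._device.deliver(data)


class ConnectivityGateway:
    """Central point: provisions devices and users, authenticates both, brokers."""

    def __init__(self) -> None:
        self._device_keys: Dict[str, bytes] = {}     # provisioned device secrets
        self._users: Dict[str, tuple] = {}           # user -> (salt, pbkdf2 hash)
        self._privileges: Dict[str, Set[str]] = {}   # user -> devices they may reach
        self._online: Dict[str, SerialServer] = {}   # devices holding an outbound link
        self.audit: List[tuple] = []                 # central log of every decision

    def provision_device(self, device_id: str, secret: bytes) -> None:
        self._device_keys[device_id] = secret

    def add_user(self, username: str, password: str, devices: Set[str]) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)
        self._privileges[username] = set(devices)

    def register_device(self, device: SerialServer) -> bool:
        """Device connects out; the gateway challenges it before marking it online."""
        key = self._device_keys.get(device.device_id, b"")
        challenge = secrets.token_bytes(32)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not key or not hmac.compare_digest(expected, device.answer(challenge)):
            self.audit.append(("device-auth-fail", device.device_id))
            return False
        self._online[device.device_id] = device
        self.audit.append(("device-online", device.device_id))
        return True

    def _check_user(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(stored, attempt)

    def connect(self, username: str, password: str, device_id: str) -> Optional[Session]:
        """Client side: authenticate the user, check privilege, then pair."""
        if not self._check_user(username, password):
            self.audit.append(("user-auth-fail", username))
            return None
        if device_id not in self._privileges[username]:
            self.audit.append(("denied", username, device_id))
            return None
        device = self._online.get(device_id)
        if device is None:
            self.audit.append(("device-offline", username, device_id))
            return None
        self.audit.append(("connected", username, device_id))
        return Session(username, device)


def run_scenario() -> dict:
    """Constructed walk-through: one device, one permitted user, one not."""
    gw = ConnectivityGateway()
    gw.provision_device("plc-42", b"constructed-device-secret")
    gw.add_user("alice", "constructed-pw-1", {"plc-42"})
    gw.add_user("bob", "constructed-pw-2", set())
    results = {}
    results["rogue_registered"] = gw.register_device(SerialServer("plc-42", b"wrong"))
    results["device_registered"] = gw.register_device(
        SerialServer("plc-42", b"constructed-device-secret"))
    session = gw.connect("alice", "constructed-pw-1", "plc-42")
    results["alice_reply"] = session.send(b"STATUS?") if session else None
    results["bob_session"] = gw.connect("bob", "constructed-pw-2", "plc-42")
    results["bad_password"] = gw.connect("alice", "nope", "plc-42")
    results["audit"] = gw.audit
    return results
```

Calling run_scenario() shows the sequence the slides describe: a device presenting the wrong secret is refused before it is ever listed as online, the genuine device registers, the permitted user is connected and relayed through, and both a user without privilege on that device and a wrong password are refused, each with an entry in the gateway's single audit log. Compare that with the inbound design, where the same decisions are spread across every serial server and its firewall rule.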
Centralized Administration
• Single point to control access to all serial
servers
• User privileges are individually defined and
controlled
• Enables a serial server to be shared across
organizational boundaries
• Inherently disseminates any changes to a
serial server's configuration information
Gateway Considerations
• High reliability/availability
– Mission criticality
• Subscription or Hosted
– Deployment size
• Internal Operated vs. Host Facility
– Facility capability
• Power, Internet feed redundancy
– Human resource requirements
Summary
• Outbound connections simplify remote
access especially at third party facilities
– Firewall traversal eliminates the need for
reconfiguration
– Central administration improves security
and control
Thank You
Questions?
www.traversix.com
Presenter
• Jim Kokal is President/CEO and Co-Founder of Wavetrix, a
leading product development company. He has over 18 years of
experience in developing, marketing, and selling communication
and networking systems. At Wavetrix, he has led the creation of the
Traversix Virtual Connectivity Network product to address the
needs of customers in the remote access market. Prior to
Wavetrix, he was the Director of Marketing at Broadband
Gateways, and at Blue Wave Systems (now Motorola) he
successfully created and launched the Softband™ software
radio product line. He holds an MBA from the University of
California at Los Angeles, and an MSEE/BSEE from the
University of Illinois.
LAN Based Access
[Diagram: a PC with Virtual Serial Port/Telnet on the LAN connects directly to the serial server and its serial-enabled device; the Internet lies outside the LAN's firewall]
• Client (i.e. PC) originates connection to the serial server
– Telnet or Virtual Serial Port
• Serial Server
– Static IP address
– Authenticates user (username/password)
LAN Based Issues
• Security
– Usually not encrypted
• Encryption often based on pre-shared key
– Username/Password
• Located in the serial server
• IP administration
– Static IP address for the serial server
– Within the same subnet, no additional
configuration required
• Outside the subnet requires routers/firewalls be
reconfigured to establish a connection between the PC
and the serial server