Virtual Connectivity Network

Virtual Connectivity Networks – Improving Usability and Enhancing Security for Remote Access

Jim Kokal, Wavetrix President/CEO

National Manufacturing Week 2006, Chicago, IL

Agenda

• Trends and Applications

• Inbound Connection Oriented Architecture

• Outbound Connection Oriented Architecture

• Virtual Connectivity Networks

• Summary/Questions

Networking Trends

• Network complexity is growing
  – Security requirements are increasing
  – System integration is increasing within an organization, to customers, and to suppliers

• Regulatory Issues
  – HIPAA, Sarbanes-Oxley, etc., add additional requirements

• LAN
  – Old Paradigm: Inherently trusted user
  – New Paradigm: Inherently untrusted user
    • Treat an internal and external user identically

M2M Remote Access Applications

• Status and Maintenance Checks

• Diagnostics

• Configuration and Administration

• Software Upgrade

• Log File Retrieval

Remote Access Methodologies

• Inbound Connection via the Internet
  – Definition: Client originates a connection to the serial server
  – Requires Firewall(s)/Router(s) reconfiguration
  – Port Forwarding is the most common implementation

• Outbound Connection via the Internet
  – Definition: Serial server originates connection to a known point
  – Gateway provides connection point
  – Creates a Virtual Connectivity Network

Inbound Connection Systems

• Client (i.e. PC) originates connection to the serial server
  – Telnet or Virtual Serial Port
  – Requires advance provisioning

• Serial Server
  – Static IP address
  – Authenticates user (username/password)

Inbound Connection Architecture

• User connects remotely using the Internet to serial server inside the firewall of an organization
  – Requires advance provisioning
  – Port Forwarding is the most common technology

[Figure: PC with VSP/Telnet on a LAN, Firewall, Internet, Firewall, Serial Server on a LAN, Serial-Enabled Device]

Port Forwarding Illustration

• Web servers are the most common example

Port Forwarding Table

WAN TCP Port    LAN IP Address:Port
80              192.168.0.15:80
1255            192.168.0.7:1255

[Figure: Firewall/Router between WAN and LAN; a Web Page Request is forwarded to the Web Server (192.168.0.15) and a Remote Connection Request to the Serial Server (192.168.0.7) with its Serial-Enabled Device]

Installation Issues

• Provisioning IP address routing is resource intensive
  – They must be set up and tested
  – Maintained through upgrades/replacements
  – At a third party, time and politics drive the process

• Username/password is in serial server

• Must know IP address (and port number) of serial server
  – Multiple serial servers within a single facility require each to have their own port number

Administrative Issues

• Serial servers are individually managed
  – To reduce complexity, a single username/password is often used for all users

• Serial server configuration information (IP address, port number) must be disseminated
  – Users must keep track of this information
  – Updates must be sent whenever the information changes

• Complexity grows dramatically as the size of deployment grows

Virtual Connectivity Network Motivation

• Outbound connections are generally permitted
  – Examples: Requesting a web page, retrieving e-mail

• Requires no changes to the firewall or router
  – Mimics existing network processes
  – Traverses the firewall like other processes

• Faster, simpler deployment

• Reduces technician skill level requirements
  – Requires minimal “Networking” training

VCN Architectural Changes

• Serial server needs a connection point
  – Client isn’t always there and is usually not visible from the Internet

• Solution: Add a connectivity gateway
  – Moves the client connection from locally at the serial server, to the gateway on the Internet
  – Provides a central point for access control and privilege administration

VCN Architecture

• The gateway provides a central point for all connections
  – Serial server connects to the Gateway
  – Client Software connects to the Gateway
  – Gateway establishes a connection between them when instructed

[Figure: PC with VSP/Telnet and Serial Server (with Serial-Enabled Device), each on a LAN behind a Firewall, both connected across the Internet to the Connectivity Gateway]

VCN Elements

• Serial Server
  – Originates and maintains a constant connection to the connectivity gateway
  – Serial server can have a DHCP or Static IP address

• Connectivity Gateway
  – Specific purpose appliance that resides on the Internet

• Client
  – Creates a connection with connectivity gateway
  – Connectivity gateway authenticates and then connects the client to the requested serial server

Enhanced Security

• Bi-lateral Authentication
  – User
    • Individual username/password
  – Device
    • Can use very strong machine-to-machine techniques

• Data Transfer
  – Encryption

• Administration
  – Individually controlled privileges/access

Centralized Administration

• Single point to control access to all serial servers

• User privileges are individually defined and controlled

• Enables a serial server to be shared across organizational boundaries

• Inherently disseminates any changes to a serial server's configuration information
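
The gateway behaviour described on the VCN Elements, Enhanced Security and Centralized Administration slides, as an added example that is not part of the original presentation or of any Wavetrix product. The `Gateway` class, the HMAC-SHA256 challenge-response used for device authentication, the PBKDF2 password hashes and the names `pump-7`, `alice` and `bob` are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def device_proof(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Gateway:
    """Hypothetical connectivity gateway: authenticates both ends, then pairs them."""
    def __init__(self, device_keys, users, acl):
        self.device_keys = device_keys  # device_id -> shared secret (assumed scheme)
        self.users = users              # username -> (salt, PBKDF2 hash), one per user
        self.acl = acl                  # username -> device_ids that user may reach
        self.nonces = {}                # device_id -> outstanding challenge
        self.online = set()             # devices holding an outbound session

    def challenge(self, device_id):
        """Issue a fresh nonce when a serial server dials out to the gateway."""
        self.nonces[device_id] = secrets.token_bytes(16)
        return self.nonces[device_id]

    def register_device(self, device_id, proof):
        """Admit the device only if it proves possession of its key."""
        nonce = self.nonces.pop(device_id, None)  # single use, so a replay fails
        key = self.device_keys.get(device_id)
        ok = (nonce is not None and key is not None
              and hmac.compare_digest(device_proof(key, nonce), proof))
        if ok:
            self.online.add(device_id)
        return ok

    def connect(self, username, password, device_id):
        """Individual login first, then the per-user privilege check."""
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(stored, pw_hash(password, salt)):
            return "denied: authentication"
        if device_id not in self.acl.get(username, set()):
            return "denied: not authorized"
        return "bridged" if device_id in self.online else "denied: device offline"

def demo():
    salt, key = b"constructed-salt", b"k" * 32  # constructed sample values
    users = {u: (salt, pw_hash(p, salt)) for u, p in [("alice", "a-pw"), ("bob", "b-pw")]}
    gw = Gateway({"pump-7": key}, users, {"alice": {"pump-7"}})
    nonce = gw.challenge("pump-7")
    first = gw.register_device("pump-7", device_proof(key, nonce))
    replay = gw.register_device("pump-7", device_proof(key, nonce))
    return first, replay, gw.connect("alice", "a-pw", "pump-7"), gw.connect("bob", "b-pw", "pump-7")
```

Because each user has an individual credential and an individual grant, revoking one person's access is a single change at the gateway and leaves the serial server untouched.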

Gateway Considerations

• High reliability/availability
  – Mission criticality

• Subscription or Hosted
  – Deployment size

• Internal Operated vs. Host Facility
  – Facility capability
    • Power, Internet feed redundancy
  – Human resource requirements

Summary

• Outbound connections simplify remote access especially at third party facilities
  – Firewall traversal eliminates the need for reconfiguration
  – Central administration improves security and control

Thank You

Questions?

Virtual Connectivity Network

www.traversix.com

Presenter

• Jim Kokal is President/CEO and Co-Founder of Wavetrix, a leading product development company. He has over 18 years of experience in developing, marketing, and selling communication and networking systems. At Wavetrix, he has led the creation of the Traversix Virtual Connectivity Network product to address the needs of customers in the remote access market. Prior to Wavetrix, he was the Director of Marketing at Broadband Gateways, and at Blue Wave Systems (now Motorola) he successfully created and launched the Softband™ software radio product line. He holds an MBA from the University of California at Los Angeles, and an MSEE/BSEE from the University of Illinois.

LAN Based Access

[Figure: PC with Virtual Serial Port/Telnet and Serial Server with Serial-Enabled Device on the same LAN, behind a Firewall to the Internet]

• Client (i.e. PC) originates connection to the serial server
  – Telnet or Virtual Serial Port

• Serial Server
  – Static IP address
  – Authenticates user (username/password)

LAN Based Issues

• Security
  – Usually not encrypted
    • Encryption often based on pre-shared key
  – Username/Password
    • Located in the serial server

• IP administration
  – Static IP address for the serial server
  – Within the same subnet, no additional configuration required
    • Outside the subnet requires routers/firewalls be reconfigured to establish a connection between the PC and the serial server