Wavetrix Changing the Paradigm: Remote Access Using Outbound Connections Remote Monitoring, Control & Automation Orlando, FL October 6, 2005


Wavetrix

Changing the Paradigm: Remote Access Using Outbound Connections

Remote Monitoring, Control & Automation

Orlando, FL

October 6, 2005


Agenda

• Goal

• Inbound Connection Oriented Architecture

• Outbound Connection Oriented Architecture

• Outbound Connection Systems

• Summary/Questions


Goal

• Objective:
  – Enable remote access regardless of location
• Issues
  – Firewall(s)/Router(s) reconfiguration is very challenging when remote access is needed via the Internet
    • Especially true for third party deployments
  – Centralized administration of user access and privileges
  – Security is of paramount importance


Remote Access Applications

• Status and Maintenance Checks

• Diagnostics

• Configuration and Administration

• Software Upgrade

• Log File Retrieval

All these applications are originated by the end user


Remote Access Methodologies

• Inbound Connection via the Internet
  – Definition: Client originates a connection to the serial server
  – Requires Firewall(s)/Router(s) reconfiguration
  – Port Forwarding is the most common implementation
• Outbound Connection via the Internet
  – Definition: Serial server originates connection to a known point
  – Gateway provides connection point


Inbound Connection Architecture

• Client (i.e. PC) originates connection to the serial server
  – Telnet or Virtual Serial Port
• Serial Server
  – Static IP address
  – Authenticates user (username/password)
• Requires firewall to be configured to route connection to serial server
  – Port Forwarding is the most common technology

[Figure: Inbound Connection Architecture. Labels: PC with VSP/Telnet, LAN, Firewall, Internet, Firewall, LAN, Serial Server, Serial-Enabled Device]


Port Forwarding Illustration

• Web servers are the most common example

Port Forwarding Table

WAN TCP Port    LAN IP Address:Port
80              192.168.0.15:80
1255            192.168.0.7:1255

[Figure: Firewall/Router between WAN and LAN. Labels: Web Page Request, Remote Connection Request, Web Server, Serial Server, Serial-Enabled Device, 192.168.0.15, 192.168.0.7]


Installation Issues

• Provisioning IP address routing is resource intensive
  – Static IP address for the serial server
  – They must be set up and tested
  – Maintained through upgrades/replacements
  – At a third party, time and politics drive the process
• Username/password is in serial server
• Must know IP address (and port number) of serial server
  – Multiple serial servers within a single facility require each to have their own port number


Administrative Issues

• Serial servers are individually managed
  – To reduce complexity, a single username/password is often used for all users
• Serial server configuration information (IP address, port number) must be disseminated
  – Users must keep track of this information
  – Updates must be sent whenever the information changes
• Complexity grows dramatically as the size of deployment grows


Outbound Connection Motivation

• Outbound connections are generally permitted
  – Examples: Requesting a web page, retrieving e-mail
• Requires no changes to the firewall or router
  – Mimics existing network processes
  – Traverses the firewall like other processes
• Faster, simpler deployment
• Reduces technician skill level requirements
  – Requires minimal “Networking” training


Architectural Changes

• Serial server needs a connection point
  – Client isn’t always there and is usually not visible from the Internet
• Solution: Add a connectivity gateway
  – Moves the client connection from locally at the serial server, to the gateway on the Internet
  – Provides a central point for access control and privilege administration


Outbound Connection Architecture

• The gateway provides a central point for all connections
  – Serial server connects to the Gateway
  – Client Software connects to the Gateway
  – Gateway establishes a connection between them when instructed

[Figure: Outbound Connection Architecture. Labels: PC with VSP/Telnet, LAN, Firewall, Internet, Connectivity Gateway, Firewall, LAN, Serial Server, Serial-Enabled Device]


Outbound Connection Elements

• Connectivity Server
  – Originates and maintains a constant connection to the connectivity gateway
  – Serial server can have a DHCP or Static IP address
• Connectivity Gateway
  – Specific purpose appliance that resides on the Internet
• Connectivity Client
  – Creates a connection with connectivity gateway
  – Connectivity gateway authenticates and connects the client to the requested connectivity server


Enhanced Security

• Bi-lateral Authentication
  – Connectivity Client
    • Individual username/password
  – Connectivity Server
    • Can use very strong machine-to-machine techniques
• Data Transfer
  – Encryption
    • Pre-shared or dynamic key exchange
• Administration
  – Privileges/Access controlled individually
  – Centrally managed


Centralized Administration

• Single point to control access to all connectivity servers

• User privileges are individually defined and controlled

• Enables a connectivity server to be shared across organizational boundaries

• Inherently disseminates any changes to a connectivity server’s configuration information
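
The rendezvous described under Outbound Connection Elements, Enhanced Security and Centralized Administration, as an added example (not Wavetrix code): the serial server and the client both dial out to a gateway, which authenticates each side and checks the user's privileges before joining the two connections. The line-based protocol, the names `kdf`, `handle`, `start_gateway` and `dial`, and all credentials are hypothetical and constructed for the demo; the encryption of data transfer is omitted, so a real deployment would run this over TLS.

```python
import hashlib, hmac, os, socket, threading

def kdf(pw):  # demo-only fixed salt; use a random per-user salt in practice
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 50_000)
DEVICE_KEYS = {"hvac-1": b"constructed-device-key"}    # per-device machine secret (constructed)
USERS = {"alice": (kdf("pw-a"), {"hvac-1"}), "bob": (kdf("pw-b"), set())}  # hash, allowed devices
parked = {}                                            # device id -> its outbound socket

def read_line(s):                                      # one "\n"-terminated line, unbuffered
    buf = b""
    while not buf.endswith(b"\n") and (c := s.recv(1)):
        buf += c
    return buf.decode().strip()
def pump(src, dst):                                    # copy bytes one way until EOF
    while data := src.recv(4096):
        dst.sendall(data)
    dst.close()

def handle(conn):                                      # gateway: one accepted connection
    f = read_line(conn).split()
    if len(f) == 2 and f[0] == "DEVICE" and f[1] in DEVICE_KEYS:
        nonce = os.urandom(16).hex().encode()
        conn.sendall(nonce + b"\n")                    # challenge the serial server
        want = hmac.new(DEVICE_KEYS[f[1]], nonce, "sha256").hexdigest()
        if hmac.compare_digest(want, read_line(conn)):
            parked[f[1]] = conn                        # hold until a client is authorized
            return conn.sendall(b"OK\n")
    elif len(f) == 4 and f[0] == "CLIENT":
        pw_hash, allowed = USERS.get(f[1], (b"", set()))
        ok = hmac.compare_digest(pw_hash, kdf(f[2])) and f[3] in allowed
        if ok and (dev := parked.pop(f[3], None)):     # privilege check happens only here
            conn.sendall(b"OK\n")
            threading.Thread(target=pump, args=(conn, dev), daemon=True).start()
            return pump(dev, conn)
    conn.sendall(b"DENIED\n")
    conn.close()

def start_gateway():                                   # returns the listening port
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def dial(port, hello, key=None):                       # outbound connection to the gateway
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(hello.encode() + b"\n")
    if key:                                            # device: answer the challenge
        s.sendall(hmac.new(key, read_line(s).encode(), "sha256").hexdigest().encode() + b"\n")
    return s if read_line(s) == "OK" else None
```

Neither endpoint ever listens: the only listening socket is the gateway's, and removing a device from a user's allowed set in `USERS` revokes access without touching the serial server.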


Deployment Examples

• PBX
  – Remotely administer PBX
• Sensor Gateway
  – Connect a sensor network (deployed at a third party) to its application
• HVAC Management
  – Remotely manage/diagnose HVAC systems


Summary

• Outbound connections simplify remote access especially at third party facilities
  – Firewall traversal eliminates the need for reconfiguration
  – Central administration improves security and control
• Enables large scale deployments


Thank You

Questions?

Virtual Connectivity Network

www.traversix.com