A cloud over remote access
03 May 2016
For machine builders that offer remote access support and diagnostics for their installed machines, security is obviously a major concern. Security is also a concern for the IT staff at the end-user (end-customer) sites where these machines are located. Dave Hammond, product manager for Ethernet & Communications at MAC Solutions, explores this topic.
In the past, service engineers from machine suppliers would travel to remote sites to resolve machine issues, even when the site was located thousands of miles away.
With the advent of remote access, many IT engineers will only have experience of traditional VPN methods. Here, the end-user IT department needs to configure and maintain a dedicated, in-bound VPN tunnel, through their corporate firewall, for each machine supplier. Once through the firewall and on the site-wide network, the machine supplier’s engineer can then reach the machine control devices.
But VPN tunnels bring with them inherent security problems: the machine control devices must be connected onto the end-user site network. This will involve configuring IP addresses for these devices, and each machine will have to be modified to suit each installation.
Secondly, for each PC or laptop that is to be used for remote-access, IT must provide the machine supplier with a copy of their preferred VPN software and help to configure it. Obviously, such computers will be administered by the machine supplier and so may not meet the strict security standards that would apply for native site PCs.
Since the IT department is allowing this foreign user to access its production network, it must also take comprehensive precautions to protect its site network from the actions of this user, over which it has limited control. This can range from limiting the IP addresses that the machine supplier can access, to providing sophisticated anti-intrusion, packet-sniffing and antivirus systems.
However, there are modern cloud-based remote-access approaches available for which the above actions are not necessary: eWON Talk2M comprises an eWON VPN Router, used with the Talk2M Remote-Access Cloud service. A VPN Router can both isolate the machine network from the factory (site) network, whilst also providing firewalled connectivity between the two. Therefore, the machine devices are not directly connected to the site network and so can be configured with IP addresses to suit the machine supplier.
The ideal scenario is that the machine supplier’s engineer can only reach the devices for which they are responsible. And this is exactly what eWON Talk2M provides: once enabled, each eWON VPN router device initiates an outbound, point-to-point, secure VPN tunnel, all the way to a specific account in the Talk2M VPN Cloud. At no point can the machine-manufacturer’s engineer interact with any other devices on the site network.
The IT department does not need to provide in-bound VPN services to the external user, which yields major security advantages. No in-bound firewall ports are exposed on the Internet, no static Internet IP addresses are required and the machine supplier does not have access to the entire site-wide network. The outbound connections can be carried over any type of media that can carry IP traffic, such as cabled Ethernet, WiFi, 3G or even satellite.
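The isolation described above comes down to the forwarding policy the VPN router enforces between its three sides: the tunnel, the machine LAN and the site LAN. The following is an added illustration, not code from the article or from eWON; it models that policy with a default-deny rule set and runs it over a handful of constructed flows. The address ranges, the single permitted machine-to-site service (OPC UA to a historian on TCP 4840) and the helper names are all assumptions chosen for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Address plan assumed for this example (not taken from the article or any vendor documentation).
MACHINE_LAN = ipaddress.ip_network("192.168.10.0/24")  # supplier-chosen addresses behind the router
SITE_LAN = ipaddress.ip_network("10.20.0.0/16")        # end-user production network
TUNNEL_POOL = ipaddress.ip_network("10.8.0.0/24")      # addresses handed to remote engineers on the VPN
SITE_HISTORIAN = ipaddress.ip_address("10.20.5.10")    # the one site host the machine may talk to

# Router interface on which a flow arrives.
TUNNEL, MACHINE, SITE = "tunnel", "machine", "site"


@dataclass(frozen=True)
class Flow:
    ingress: str   # interface the first packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow that the VPN router would have to forward.

    The outbound tunnel to the cloud service is originated by the router itself and
    never passes through this policy; only traffic forwarded between sides does.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    if flow.ingress == TUNNEL:
        # Remote engineer: only the machine LAN is reachable, and only from an address the
        # tunnel actually assigned, so a site address cannot be claimed from the tunnel side.
        if src in TUNNEL_POOL and dst in MACHINE_LAN:
            return "allow"
        return "deny"

    if flow.ingress == MACHINE:
        # Machine devices get a narrow allow-list into the site network: one host, one service.
        if (src in MACHINE_LAN and dst == SITE_HISTORIAN
                and flow.proto == "tcp" and flow.dport == 4840):
            return "allow"
        return "deny"

    if flow.ingress == SITE:
        # Nothing on the site network may initiate connections into the machine LAN.
        return "deny"

    return "deny"  # unknown interface: default deny


def audit(flows: list[Flow]) -> dict[str, int]:
    """Count verdicts over a batch of flows, e.g. from a connection log."""
    counts = {"allow": 0, "deny": 0}
    for flow in flows:
        counts[decide(flow)] += 1
    return counts


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow(TUNNEL, "10.8.0.5", "192.168.10.20", "tcp", 44818),   # engineer -> PLC on machine LAN
    Flow(TUNNEL, "10.8.0.5", "10.20.5.10", "tcp", 4840),       # engineer -> site historian
    Flow(TUNNEL, "10.20.1.1", "192.168.10.20", "tcp", 44818),  # site address seen on tunnel side
    Flow(MACHINE, "192.168.10.20", "10.20.5.10", "tcp", 4840), # machine -> historian, permitted service
    Flow(MACHINE, "192.168.10.20", "10.20.5.10", "tcp", 3389), # machine -> historian, other service
    Flow(SITE, "10.20.1.50", "192.168.10.20", "tcp", 502),     # site host -> machine LAN
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.ingress:8} {flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.dport}: {decide(flow)}")
    print(audit(SAMPLE_FLOWS))
```

Only the first and fourth sample flows are allowed; everything else, including the attempt from the tunnel to reach a site host, is dropped by default. The machine-to-site rule is the "firewalled connectivity" the text refers to, and it is the place to keep the allow-list as short as the machine's actual needs.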
Session Authentication is widely used by major secure websites, such as on-line banking systems. Such systems typically send a unique, one-time code by SMS message to the user’s mobile phone, at the point of connection. The purpose is to prove that the person connecting is the valid, genuine user, rather than an intruder, trying to gain access, using stolen username and password data.
Such security systems are termed two-factor authentication systems, since they rely on more than one security measure to ensure secure access. Two-factor authentication should be an intrinsic part of any remote-access methodology used by a machine-manufacturer, since it adds a second level of security to overcome poor password security or malicious intent.
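The one-time code flow described in the two paragraphs above has a server-side half that is easy to get wrong: the code must expire, must be usable exactly once, and must not be guessable by repeated tries. The following is an added example, not code from the article or from any vendor; it implements that server-side half for an SMS-style code. Sending the SMS itself is left to the caller (the `issue` method returns the code for the gateway), and the code length, lifetime, attempt limit and class name are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # length of the code sent to the phone (assumed)
CODE_TTL_SECONDS = 120   # how long a code stays valid (assumed)
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is discarded (assumed)


@dataclass
class PendingCode:
    digest: bytes     # salted hash of the code; the plaintext exists only in the SMS
    salt: bytes
    expires_at: float
    attempts: int = 0


class OneTimeCodeService:
    """Issues and verifies one-time login codes (hypothetical helper, not a vendor API).

    `clock` is injectable so that expiry can be exercised deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}

    def issue(self, username: str) -> str:
        """Create a fresh code for the user, replacing any earlier one. Returns the code
        so the caller can hand it to the SMS gateway; only its salted hash is stored."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingCode(
            digest=hashlib.sha256(salt + code.encode()).digest(),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        pending = self._pending.get(username)
        if pending is None:
            return False                      # nothing outstanding for this user
        if self._clock() > pending.expires_at:
            del self._pending[username]       # expired: force a new code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]       # too many guesses: force a new code
            return False
        candidate = hashlib.sha256(pending.salt + submitted.encode()).digest()
        if hmac.compare_digest(candidate, pending.digest):   # constant-time comparison
            del self._pending[username]       # single use: the code cannot be replayed
            return True
        return False


if __name__ == "__main__":
    svc = OneTimeCodeService()
    code = svc.issue("supplier-engineer")
    print("would send by SMS:", code)
    print("first use:", svc.verify("supplier-engineer", code))
    print("replay:", svc.verify("supplier-engineer", code))
```

The password check happens first and independently; this service only answers the second question, "does the person at the keyboard also hold the phone?". Storing a salted hash rather than the code means a leaked pending-code table does not let anyone complete a login, and the attempt counter keeps a six-digit space from being searched while the code is valid.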
- Traditional VPN methods have inherent security issues in that the machine control devices must be connected onto the end-user site network
- With modern cloud-based remote-access a VPN Router can isolate the machine network from the site network, whilst providing firewalled connectivity
- Two-factor authentication systems help add a second level of security to overcome poor password security or malicious intent