Changing the Paradigm: Remote Access Using Outbound Connections Remote Monitoring, Control & Automation Orlando, FL October 6, 2005
Agenda • Goal • Inbound Connection Oriented Architecture • Outbound Connection Oriented Architecture • Outbound Connection Systems • Summary/Questions
Goal • Objective: enable remote access regardless of location • Issues: • Firewall/router reconfiguration is very challenging when remote access is needed via the Internet, especially for third-party deployments • Centralized administration of user access and privileges • Security is of paramount importance
Remote Access Applications • Status and Maintenance Checks • Diagnostics • Configuration and Administration • Software Upgrade • Log File Retrieval • All of these applications are originated by the end user
Remote Access Methodologies • Inbound Connection via the Internet • Definition: the client originates a connection to the serial server • Requires firewall/router reconfiguration • Port forwarding is the most common implementation • Outbound Connection via the Internet • Definition: the serial server originates a connection to a known point • A gateway provides the connection point
Inbound Connection Architecture • Client (i.e., a PC) originates the connection to the serial server • Telnet or Virtual Serial Port • Serial Server • Static IP address • Authenticates the user (username/password) • Requires the firewall to be configured to route the connection to the serial server • Port forwarding is the most common technology
Port Forwarding Illustration (diagram not reproduced) • Web servers are the most common example
Installation Issues • Provisioning IP address routing is resource intensive • Static IP address for the serial server • They must be set up and tested • Maintained through upgrades/replacements • At a third party, time and politics drive the process • Username/password is stored in the serial server • Must know the IP address (and port number) of the serial server • Multiple serial servers within a single facility each require their own port number
Administrative Issues • Serial servers are individually managed • To reduce complexity, a single username/password is often used for all users • Serial server configuration information (IP address, port number) must be disseminated • Users must keep track of this information • Updates must be sent whenever the information changes • Complexity grows dramatically as the size of the deployment grows
Outbound Connection Motivation • Outbound connections are generally permitted • Examples: requesting a web page, retrieving e-mail • Requires no changes to the firewall or router • Mimics existing network processes • Traverses the firewall like other processes • Faster, simpler deployment • Reduces technician skill level requirements • Requires minimal “networking” training
Architectural Changes • The serial server needs a connection point • The client isn’t always there and is usually not visible from the Internet • Solution: add a connectivity gateway • Moves the client connection from locally at the serial server to the gateway on the Internet • Provides a central point for access control and privilege administration
Outbound Connection Architecture • The gateway provides a central point for all connections • The serial server connects to the gateway • The client software connects to the gateway • The gateway establishes a connection between them when instructed
Outbound Connection Elements • Connectivity Server • Originates and maintains a constant connection to the connectivity gateway • The serial server can have a DHCP or static IP address • Connectivity Gateway • Special-purpose appliance that resides on the Internet • Connectivity Client • Creates a connection with the connectivity gateway • The connectivity gateway authenticates and connects the client to the requested connectivity server
Enhanced Security • Mutual (bilateral) authentication • Connectivity Client: individual username/password • Connectivity Server: can use very strong machine-to-machine techniques • Data Transfer • Encryption • Pre-shared or dynamic key exchange • Administration • Privileges/access controlled individually • Centrally managed
Centralized Administration • Single point to control access to all connectivity servers • User privileges are individually defined and controlled • Enables a connectivity server to be shared across organizational boundaries • Inherently disseminates any changes to a connectivity server’s configuration information
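The rendezvous flow described on the preceding slides (outbound connection elements, mutual authentication, centrally managed privileges), as an added example that is not the presenter's or Traversix's code: a minimal connectivity gateway in Python. Both the connectivity server and the client dial out to the gateway; the server proves possession of a per-device key with an HMAC over a gateway-chosen nonce, the client presents a username/password, the gateway checks a per-user access list, and only then splices the two TCP streams. The device keys, user table, access list, line-oriented wire format and the acknowledging fake device are all constructed for this demo; the encrypted transport the slides call for is assumed to be a TLS wrapper around these sockets and is not shown.

```python
import contextlib
import hashlib
import hmac
import secrets
import socket
import threading

# Constructed demo data; a real gateway would use a directory, device certificates and TLS (assumed, not shown).
DEVICE_KEYS = {"pbx-site-42": b"device-secret-42"}                      # server id -> key
USERS = {u: hashlib.sha256(p).hexdigest() for u, p in (("alice", b"alice-pw"), ("bob", b"bob-pw"))}
ACL = {"alice": {"pbx-site-42"}, "bob": {"hvac-site-7"}}                # user -> allowed servers

def recv_line(sock):
    buf = b""                               # one newline-terminated line; b'' once the peer closed
    while not buf.endswith(b"\n") and (ch := sock.recv(1)):
        buf += ch
    return buf.rstrip(b"\n")

def pump(src, dst):
    with contextlib.suppress(OSError):      # copy src -> dst until either side closes ...
        while data := src.recv(4096):
            dst.sendall(data)
    for s in (src, dst):                    # ... then tear both ends of the bridge down
        with contextlib.suppress(OSError):
            s.shutdown(socket.SHUT_RDWR)

class Gateway:
    def __init__(self):
        self.servers = {}                   # server id -> registered (dialed-in) socket
        self.sock = socket.create_server(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        hello = [h.decode(errors="replace") for h in recv_line(conn).split(b" ")]
        if hello[0] == "SERVER" and len(hello) == 2:
            self._register_server(conn, hello[1])
        elif hello[0] == "CLIENT" and len(hello) == 4:
            self._serve_client(conn, *hello[1:])
        else:
            conn.close()

    def _deny(self, conn):
        conn.sendall(b"DENIED\n")
        conn.close()

    def _register_server(self, conn, dev):
        # Machine-to-machine auth: HMAC over a fresh nonce, so the device key never crosses the wire.
        nonce = secrets.token_bytes(16)
        conn.sendall(b"CHALLENGE " + nonce.hex().encode() + b"\n")
        answer = recv_line(conn)
        key = DEVICE_KEYS.get(dev, b"")
        if not key or not hmac.compare_digest(answer, hmac.new(key, nonce, "sha256").hexdigest().encode()):
            return self._deny(conn)
        self.servers[dev] = conn            # registered before OK so a client cannot race it
        conn.sendall(b"OK\n")

    def _serve_client(self, conn, user, password, target):
        # User auth and the per-user privilege check both happen here, never on the device.
        pw_ok = hmac.compare_digest(USERS.get(user, ""), hashlib.sha256(password.encode()).hexdigest())
        srv = self.servers.get(target) if pw_ok and target in ACL.get(user, ()) else None
        if srv is None:
            return self._deny(conn)
        conn.sendall(b"CONNECTED\n")
        threading.Thread(target=pump, args=(srv, conn), daemon=True).start()
        pump(conn, srv)

def connect_server(port, dev, key):
    s = socket.create_connection(("127.0.0.1", port))   # connectivity server dials out
    s.sendall(b"SERVER " + dev.encode() + b"\n")
    nonce = bytes.fromhex(recv_line(s).split(b" ")[1].decode())
    s.sendall(hmac.new(key, nonce, "sha256").hexdigest().encode() + b"\n")
    return s if recv_line(s) == b"OK" else None

def connect_client(port, user, password, target):
    s = socket.create_connection(("127.0.0.1", port))   # connectivity client dials out
    s.sendall(f"CLIENT {user} {password} {target}\n".encode())
    return s if recv_line(s) == b"CONNECTED" else None

def fake_device(sock):                      # stands in for the equipment behind the serial server
    while line := recv_line(sock):
        sock.sendall(b"OK " + line + b"\n")

def demo():
    gw = Gateway()
    dev = connect_server(gw.port, "pbx-site-42", DEVICE_KEYS["pbx-site-42"])
    threading.Thread(target=fake_device, args=(dev,), daemon=True).start()
    cli = connect_client(gw.port, "alice", "alice-pw", "pbx-site-42")
    cli.sendall(b"SHOW STATUS\n")
    reply = recv_line(cli).decode()
    return {"reply": reply,                 # "OK SHOW STATUS"
            "wrong_password": connect_client(gw.port, "alice", "nope", "pbx-site-42") is None,
            "no_privilege": connect_client(gw.port, "bob", "bob-pw", "pbx-site-42") is None,
            "unknown_device": connect_server(gw.port, "rogue", b"guess") is None}
```

Running demo() brings the gateway up on a loopback port, registers one device, relays a command and its reply, and then exercises the three refusals that matter in this architecture: a wrong password, a valid user with no privilege for that server, and a device presenting an unknown key. The caveat a practitioner should take from it: once the device dials out, the site firewall no longer limits who can reach it, so the gateway's authentication and access list are the only control point, and weak client credentials or a compromised gateway expose every registered server.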
Deployment Examples • PBX: remotely administer a PBX • Sensor Gateway: connect a sensor network (deployed at a third party) to its application • HVAC Management: remotely manage/diagnose HVAC systems
Summary • Outbound connections simplify remote access, especially at third-party facilities • Firewall traversal eliminates the need for reconfiguration • Central administration improves security and control • Enables large-scale deployments
Thank You • Questions? • Virtual Connectivity Network • www.traversix.com