For machine builders that offer remote access support and diagnostics for their installed machines, network security is often a critical factor in the end user’s selection process, says Dave Hammond, product manager Ethernet & Communications at MAC Solutions.
Following the installation of a machine at an end user site, the machine builder or supplier is often contracted to support that machine during a fixed warranty period. In the past, if the customer site was located thousands of miles away in a different country, a service engineer from the machine supplier would have travelled to the remote site to resolve any machine issues during this warranty period.
However, solutions are now available that enable machine suppliers to support their installed machines from their own premises, reducing service response times and providing a higher quality of service to the end user. Industrial-grade VPN (Virtual Private Network) routers can now work in conjunction with VPN connectivity systems to provide a reliable and low-maintenance industrial network solution.
Security concerns of traditional VPN tunnels
Many of the IT engineers who manage the networks at end user sites will have previous experience of providing VPN tunnels to machine suppliers so that the machine supplier can support the machine during the warranty period. These types of VPN tunnels can be viewed as “traditional” VPN tunnels.
A traditional VPN tunnel typically requires the IT engineer to take the following steps:
- Connect the machine control systems onto their site IT network.
- Provide the machine supplier with a copy of the end user’s VPN software.
- Install, configure and support this VPN software on a ‘foreign’ PC (i.e. a PC over which the IT department has no control or security policy).
- Configure the site VPN Router so that the machine supplier can access only those machines that they have supplied (i.e. prevent the machine supplier accessing all other network items).
- Control the use of the VPN tunnel in order to allow only authorised access to the machine.
Many IT engineers will view the above actions as undesirable, as they can pose security risks to the end user’s network. However, there are solutions available that overcome all of these issues.
eWON’s Talk2M solution, for example, operates in a very different way from a traditional VPN tunnel. For most Talk2M installations there are no tasks for an IT engineer to perform, and the end result is often a more secure system than a traditional VPN tunnel.
No inbound connections
Once enabled, an eWON router device makes an outbound VPN connection from the end user site (where the machine is located) to the Talk2M VPN connectivity service, across the Internet, using TCP port 443 (HTTPS). No inbound connections into the end user’s site are required. In the end user’s firewall or router, TCP port 443 is probably already open in the outbound direction, since it is commonly used for web browsing.
The end user controls VPN access
Some end user companies will be concerned that a machine supplier can have access, at any time, to machines operating inside their factory. Therefore, in order to provide additional security and control, it is possible to configure the eWON VPN Router so that the Digital Input on the eWON device enables and disables the Talk2M VPN.
The digital input can easily be wired to a switch (e.g. a key-operated switch), which the end user controls. In this way, the machine builder (contractor) will only have access to the machine when the end user decides to allow them access.
Separating the machine network from the site network
With the Talk2M solution, there is no need for the machine control devices to be connected directly onto the end user’s site network. This immediately provides a significant security advantage.
The eWON VPN router separates the two networks as follows:
- The machine network devices connect to the LAN ports of the eWON.
- The eWON acts as the ‘gateway’ for the machine devices.
- The site network connects to the WAN ports of the eWON for remote access only.
Network requirements for an eWON installation
For an eWON installation, the network requirements are relatively simple: a CAT5 Ethernet cable, from the site network, plugged into the eWON WAN port. IP settings are then allocated from the site network for the eWON WAN port. These IP settings are IP address, subnet mask, gateway and DNS server(s). They can be allocated by static assignment or by DHCP. In addition, access to the Internet is required, through the site network, using only TCP port 443 outbound. Other ports may also be open, but they are not required.
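An IT engineer can sanity-check the allocated WAN settings and the outbound firewall policy before the cable is plugged in. The Python script below is an added example, not eWON's or MAC Solutions' own tooling: the rule dictionary format, the function names and every sample address are constructed here; the only facts taken from the article are the four WAN settings and the requirement for outbound TCP 443 (with UDP 1194 optional).

```python
"""Consistency check for the WAN settings an end user allocates to an eWON router.

Added example, not eWON or MAC Solutions code. The rule format and every sample
value are constructed for illustration; the facts taken from the article are that
the WAN port needs an IP address, subnet mask, gateway and DNS server(s), and that
only outbound TCP 443 to the Internet is required (UDP 1194 is optional).
"""
import ipaddress

REQUIRED_EGRESS = [("tcp", 443)]   # mandatory outbound port for the VPN
OPTIONAL_EGRESS = [("udp", 1194)]  # faster alternative transport, not required


def validate_wan_settings(ip, mask, gateway, dns_servers):
    """Return a list of problems with a static WAN configuration (empty = consistent)."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")  # mask may be dotted or a prefix length
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"gateway {gateway!r} is not a valid IPv4 address")
    else:
        if gw not in net:
            problems.append(f"gateway {gateway} is outside the WAN subnet {net}")
        elif gw == iface.ip:
            problems.append("gateway must not be the eWON's own WAN address")
    if not dns_servers:
        problems.append("at least one DNS server is required")
    for server in dns_servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not a valid IPv4 address")
    return problems


def missing_required_egress(rules):
    """Given firewall rules as dicts with direction/proto/port/action (constructed
    format), list the required outbound (proto, port) pairs no allow rule covers."""
    allowed = {(r["proto"], r["port"]) for r in rules
               if r["direction"] == "out" and r["action"] == "allow"}
    return [pair for pair in REQUIRED_EGRESS if pair not in allowed]


def inbound_allow_rules(rules):
    """Inbound allow rules are unnecessary for this outbound-only design; flag any that exist."""
    return [r for r in rules if r["direction"] == "in" and r["action"] == "allow"]


if __name__ == "__main__":
    # Constructed sample: a /24 site subnet with the gateway inside it and two DNS servers.
    print(validate_wan_settings("192.168.10.50", "255.255.255.0", "192.168.10.1",
                                ["192.168.10.1", "192.0.2.53"]))          # []
    print(validate_wan_settings("192.168.10.50", "255.255.255.0", "10.0.0.1",
                                ["192.168.10.1"]))                         # gateway outside subnet
    rules = [{"direction": "out", "proto": "tcp", "port": 443, "action": "allow"},
             {"direction": "out", "proto": "udp", "port": 1194, "action": "allow"}]
    print(missing_required_egress(rules), inbound_allow_rules(rules))     # [] []
```

The egress check is deliberately strict about direction: an inbound allow rule for port 443 would not satisfy it, which mirrors the article's point that the router only ever initiates connections outward.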
Works with existing Proxy servers
If the site Internet connection is established through a proxy server, the eWON VPN Router must authenticate with that proxy server in order to reach the Internet. This is achieved by configuring the eWON device with the IP address of the site proxy server, the proxy server port, and the proxy username and password.
Checking the Connection
The ‘Talk2MconnectionChecker’ software is used to test the connection between the location where the eWON is to be installed and the Talk2M VPN Servers. The IT engineers at the end user site can perform this test prior to the installation of an eWON VPN Router. The software tests the outbound TCP port 443 connection through the customer’s network and firewall, plus ICMP and proxy functions, as required. An eWON only requires TCP port 443 to be open outbound, but it can also use UDP port 1194 (which is slightly faster than TCP port 443) to form the VPN to the Talk2M VPN Servers.
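The two checks described in the last two sections (an outbound TCP connection on port 443, and an authenticated CONNECT tunnel through a site proxy) can be reproduced with a short script. The Python below is an added example and is not the Talk2MconnectionChecker or any eWON code: the target name "vpn-server.example" is a placeholder because the article does not give the Talk2M server addresses, the credentials are parameters, and the fake proxy is a constructed stand-in so the script can be exercised offline.

```python
"""Pre-installation connectivity check, in the spirit of the article's connection
checker. Added example, not the Talk2MconnectionChecker or any eWON code. The
target host "vpn-server.example" is a placeholder (the Talk2M server addresses
are not given in the article) and the fake proxy below is a constructed stand-in
so the script can be exercised offline; credentials are parameters.
"""
import base64
import socket
import threading


def basic_token(username, password):
    """Base64 token used by HTTP Basic proxy authentication."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def check_tcp_connect(host, port, timeout=5.0):
    """True if an outbound TCP connection (e.g. to port 443) completes through the site firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_proxy_connect(target_host, target_port, username=None, password=None):
    """HTTP CONNECT request asking a proxy to tunnel to target_host:target_port,
    with Proxy-Authorization when the site proxy requires a login."""
    lines = [f"CONNECT {target_host}:{target_port} HTTP/1.1",
             f"Host: {target_host}:{target_port}"]
    if username is not None:
        lines.append(f"Proxy-Authorization: Basic {basic_token(username, password)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def proxy_tunnel_established(response):
    """Interpret the proxy's status line: 200 = tunnel open, 407 = credentials rejected."""
    status_line = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return False, "malformed proxy response"
    if parts[1] == "200":
        return True, "tunnel established"
    if parts[1] == "407":
        return False, "proxy authentication required (check username/password)"
    return False, f"proxy refused CONNECT with status {parts[1]}"


def check_via_proxy(proxy_host, proxy_port, target_host, target_port,
                    username=None, password=None, timeout=5.0):
    """Open a CONNECT tunnel through the proxy; returns (ok, reason)."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(build_proxy_connect(target_host, target_port, username, password))
            return proxy_tunnel_established(sock.recv(4096))
    except OSError as exc:
        return False, f"cannot reach proxy: {exc}"


def start_fake_proxy(expected_token):
    """Constructed stand-in for a site proxy, for offline testing only: accepts one
    connection and answers 200 if the Basic token matches, otherwise 407."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve():
        conn, _ = server.accept()
        with conn:
            try:
                data = conn.recv(4096)
                good = f"Proxy-Authorization: Basic {expected_token}".encode() in data
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n" if good
                             else b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n")
            except OSError:
                pass
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()


def closed_local_port():
    """A loopback port nothing listens on, to show how a blocked or closed port reports."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    host, port = start_fake_proxy(basic_token("siteuser", "sitepass"))
    print(check_via_proxy(host, port, "vpn-server.example", 443, "siteuser", "sitepass"))
    host, port = start_fake_proxy(basic_token("siteuser", "sitepass"))
    print(check_via_proxy(host, port, "vpn-server.example", 443, "siteuser", "wrong"))
    print(check_tcp_connect("127.0.0.1", closed_local_port()))  # False: nothing listens there
```

Against a real site, replace the fake proxy with the proxy address and port from the previous section and the placeholder target with the actual VPN server name; a 407 result points at the proxy credentials, while a connection failure on port 443 points at the egress firewall rule.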