Using Outbound IP Connections for Remote Access - PowerPoint PPT Presentation

Slides: 24
Provided by: isa193

1
Using Outbound IP Connections for Remote Access
  • EXPO 2005
  • Chicago, IL

2
Presenter
  • Jim Kokal is President/CEO and Co-Founder of
    Wavetrix, a leading product development company.
    He has over 18 years of experience in developing,
    marketing, and selling communication and
    networking systems. At Wavetrix, he has led the
    creation of the Traversix Virtual Connectivity
    Network product to address the needs of customers
    in the remote access market. Prior to Wavetrix, he
    was the Director of Marketing at Broadband
    Gateways, and at Blue Wave Systems (now Motorola)
    he successfully created and launched the
    Softband software radio product line. He holds
    an MBA from the University of California at Los
    Angeles, and an MSEE/BSEE from the University of
    Illinois.

Virtual Connectivity Network
3
Agenda
  • Objective
  • Remote Access Applications
  • Inbound Connection Oriented Architecture
  • Outbound Connection Oriented Architecture
  • Outbound Connection Systems
  • Summary/Questions

4
Goals
  • Objective
  • Enable remote access regardless of location
  • Motivation
  • Remote access offers enormous economic and
    service delivery benefits: better, faster,
    cheaper
  • Issues
  • Firewall(s)/Router(s) reconfiguration is very
    challenging when remote access is needed via the
    Internet
  • Especially true for third party deployments
  • Centralized administration of user access and
    privileges
  • Security is of paramount importance

5
Networking Trends
  • Network complexity is growing
  • Security requirements are increasing
  • System integration is increasing within an
    organization, to customers, and to suppliers
  • Regulatory Issues
  • HIPAA, Sarbanes-Oxley, etc., add additional
    requirements
  • LAN
  • Old Paradigm: Inherently trusted user
  • New Paradigm: Inherently untrusted user
  • Treat an internal and external user identically

6
Remote Access Applications
  • Status and Maintenance Checks
  • Diagnostics
  • Configuration and Administration
  • Software Upgrade
  • Log File Retrieval

7
Remote Access Methodologies
  • LAN Based
  • Usually constrained to one physical site, no
    outside access
  • Inbound Connection via the Internet
  • Definition: Client originates a connection to the
    serial server
  • Requires Firewall(s)/Router(s) reconfiguration
  • Port Forwarding is the most common implementation
  • Outbound Connection via the Internet
  • Definition: Serial server originates connection
    to a known point
  • Gateway provides connection point

8
Inbound Connection Systems
  • Client (i.e. PC) originates connection to the
    serial server
  • Telnet or Virtual Serial Port
  • Serial Server
  • Static IP address
  • Authenticates user (username/password)
  • Two Configurations
  • LAN vs. Internet
  • Internet connection requires advance provisioning

9
LAN Based Access
  • Client (i.e. PC) originates connection to the
    serial server
  • Telnet or Virtual Serial Port
  • Serial Server
  • Static IP address - Authenticates user
    (username/password)

10
LAN Based Issues
  • Security
  • Usually not encrypted
  • Encryption often based on pre-shared key
  • Username/Password
  • Located in the serial server
  • IP administration
  • Static IP address for the serial server
  • Within the same subnet, no additional
    configuration required
  • Outside the subnet requires routers/firewalls be
    reconfigured to establish a connection between
    the PC and the serial server

11
Inbound Connection Architecture
  • User connects remotely using the Internet to
    serial server inside the firewall of an
    organization
  • Requires advance provisioning
  • Port Forwarding is the most common technology

12
Port Forwarding Illustration
  • Web servers are the most common example

13
Installation Issues
  • Provisioning IP address routing is resource
    intensive
  • They must be set up and tested
  • Maintained through upgrades/replacements
  • At a third party, time and politics drive the
    process
  • Username/password is in serial server
  • Must know IP address (and port number) of serial
    server
  • Multiple serial servers within a single facility
    require each to have their own port number

14
Administrative Issues
  • Serial servers are individually managed
  • To reduce complexity, a single username/password
    is often used for all users
  • Serial server configuration information (IP
    address, port number) must be disseminated
  • Users must keep track of this information
  • Updates must be sent whenever the information
    changes
  • Complexity grows dramatically as the size of
    deployment grows

15
Outbound Connection Motivation
  • Outbound connections are generally permitted
  • Examples: Requesting a web page, retrieving
    e-mail
  • Requires no changes to the firewall or router
  • Mimics existing network processes
  • Traverses the firewall like other processes
  • Faster, simpler deployment
  • Reduces technician skill level requirements
  • Requires minimal Networking training

16
Architectural Changes
  • Serial server needs a connection point
  • Client isn't always there and is usually not
    visible from the Internet
  • Solution: Add a connectivity gateway
  • Moves the client's connection point from the
    serial server itself to the gateway on the Internet
  • Provides a central point for access control and
    privilege administration

17
Outbound Connection Architecture
  • The gateway provides a central point for all
    connections
  • Serial server connects to the Gateway
  • Client Software connects to the Gateway
  • Gateway establishes a connection between them
    when instructed

18
Outbound Connection Elements
  • Serial Server
  • Originates and maintains a constant connection to
    the connectivity gateway
  • Serial server can have a DHCP or Static IP
    address
  • Connectivity Gateway
  • Specific purpose appliance that resides on the
    Internet
  • Client
  • Creates a connection with connectivity gateway
  • Connectivity gateway authenticates and then
    connects the client to the requested serial
    server

19
Enhanced Security
  • Bi-lateral Authentication
  • User
  • Individual username/password
  • Device
  • Can use very strong machine-to-machine techniques
  • Data Transfer
  • Encryption
  • Pre-shared or dynamic key exchange
  • Administration
  • Privileges/Access controlled individually

20
Centralized Administration
  • Single point to control access to all serial
    servers
  • User privileges are individually defined and
    controlled
  • Enables a serial server to be shared across
    organizational boundaries
  • Inherently disseminates any changes to a serial
    server's configuration information
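
The gateway's decision logic from slides 17-20 (device authentication, individual user credentials, per-user privileges, bridge only when instructed), as an added example that is not part of the original presentation or the Traversix product. The class and function names, the HMAC challenge-response for the device and PBKDF2 for user passwords are assumptions chosen for illustration.

```python
import hashlib, hmac, os, secrets

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def device_proof(key: bytes, device_id: str, nonce: bytes) -> bytes:
    # Serial-server side: prove possession of the enrolled key over a fresh nonce.
    return hmac.new(key, nonce + device_id.encode(), hashlib.sha256).digest()

class Gateway:
    """Hypothetical connectivity gateway: both sides dial out, it decides."""
    def __init__(self):
        self.device_keys, self.users, self.acl = {}, {}, {}
        self.nonces, self.online, self.audit = set(), set(), []

    def enroll_device(self, device_id: str) -> bytes:
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def add_user(self, name: str, password: str, devices: set) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _kdf(password, salt))  # individual credential
        self.acl[name] = set(devices)                    # individual privileges

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def device_checkin(self, device_id: str, nonce: bytes, proof: bytes) -> bool:
        # Nonces are single-use, so a captured proof cannot be replayed.
        if nonce not in self.nonces:
            return False
        self.nonces.remove(nonce)
        key = self.device_keys.get(device_id)
        ok = key is not None and hmac.compare_digest(
            device_proof(key, device_id, nonce), proof)
        if ok:
            self.online.add(device_id)
        return ok

    def connect(self, name: str, password: str, device_id: str) -> str:
        # Unknown users still pay the KDF cost and get the same answer.
        salt, stored = self.users.get(name, (b"\0" * 16, b""))
        if not hmac.compare_digest(_kdf(password, salt), stored):
            verdict = "deny: bad credentials"
        elif device_id not in self.acl.get(name, ()):
            verdict = "deny: not authorized for device"
        else:
            verdict = "bridge" if device_id in self.online else "deny: device offline"
        self.audit.append((name, device_id, verdict))  # central audit trail
        return verdict
```

Because credentials and privileges live only in the gateway, revoking one user is a single change there and no serial server has to be touched.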

21
Gateway Considerations
  • High reliability/availability
  • Mission criticality
  • Subscription or Hosted
  • Deployment size
  • Internally Operated vs. Host Facility
  • Facility capability
  • Power, Internet feed redundancy
  • Human resource requirements

22
Summary
  • Outbound connections simplify remote access,
    especially at third party facilities
  • Firewall traversal eliminates the need for
    reconfiguration
  • Central administration improves security and
    control

23
Thank You
Questions?
Virtual Connectivity Network
www.traversix.com