Posted by: Mark Cooksley on August 30, 2017
As the processes and technology used in industrial settings rapidly evolve, the improved precision and efficiency of devices will need to be monitored in equally advanced ways. This need can be met with an emerging method of monitoring known as secure remote access.
Secure remote access uses a combined hardware and software system to simplify remote network access, programming and diagnostics. At a glance, it seems a cloud-based secure remote access solution would perform in essentially the same way a traditional Virtual Private Network (VPN) would. They both allow two IP-enabled devices to communicate securely with each other remotely over the internet, just as if the devices were connected over the same physical network. However, aside from this similarity, the advantages of secure remote access over traditional VPN links quickly add up.
While VPN is more widely used today and meets the general needs of interconnecting remote networks, it has several drawbacks when compared to a modern, secure remote access approach:
1. Subnet Conflicts
VPN: Networks connected via traditional VPN must not use the same local subnet. However, it’s not uncommon that a machine builder or systems integrator, who could be managing hundreds of customer installations, will encounter one or more locations using the same subnet addresses. The result is the need to juggle NAT rules in order to deal with the addressing schemes – a truly dreaded process.
Secure Remote Access: With secure remote access, all locations can use the same subnet, and all equipment can have the same IP address. The engineer and remote device are simply linked to each other.
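To make the subnet-conflict point concrete, here is an added example (not code from the original post or from any vendor product) that detects overlapping site subnets with Python's standard ipaddress module and builds the 1:1 NAT table a traditional VPN hub would need, beside the relay model in which a device is addressed by (site, address) and no translation is required. The site names, subnets and the 100.64.0.0/16 translation pool are constructed for the example.

```python
"""Constructed example (not from the original post): detecting overlapping
site subnets and building the 1:1 NAT mappings a traditional VPN hub would
need, versus addressing devices by (site, address) as a relay does."""
import ipaddress
from itertools import combinations

# Constructed sample sites: three customer installations, two of which
# reuse 192.168.1.0/24 (the conflict the article describes).
SITES = {
    "plant-a": "192.168.1.0/24",
    "plant-b": "192.168.1.0/24",
    "plant-c": "10.10.5.0/24",
}


def find_overlaps(sites):
    """Return a sorted list of (site1, site2) pairs whose subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def assign_nat_mappings(sites, pool="100.64.0.0/16"):
    """Give every site a unique /24 carved from `pool` (a hypothetical
    translation range) and return {site: (original_net, translated_net)}.
    The hub applies 1:1 NAT so 192.168.1.10 at plant-b is reached by the
    engineer as 100.64.1.10 while 192.168.1.10 at plant-a is 100.64.0.10."""
    pool_net = ipaddress.ip_network(pool)
    subnets = pool_net.subnets(new_prefix=24)
    mapping = {}
    for name in sorted(sites):
        orig = ipaddress.ip_network(sites[name])
        if orig.prefixlen != 24:
            raise ValueError(f"{name}: this example only handles /24 sites")
        mapping[name] = (orig, next(subnets))
    return mapping


def translate(mapping, site, address):
    """Translate a device address at `site` into its hub-visible address."""
    orig, xlat = mapping[site]
    addr = ipaddress.ip_address(address)
    if addr not in orig:
        raise ValueError(f"{address} is not inside {orig} at {site}")
    offset = int(addr) - int(orig.network_address)
    return str(xlat.network_address + offset)


def relay_target(site, address, sites=SITES):
    """Relay model: the engineer names a (site, device) pair, so addresses
    need not be unique across sites and no NAT table exists. Returns the
    agent key after checking the address really belongs to that site."""
    if ipaddress.ip_address(address) not in ipaddress.ip_network(sites[site]):
        raise ValueError(f"{address} is not inside {sites[site]}")
    return f"{site}/{address}"


if __name__ == "__main__":
    print("overlapping sites:", find_overlaps(SITES))
    nat = assign_nat_mappings(SITES)
    for site, (orig, xlat) in nat.items():
        print(f"{site}: {orig} -> {xlat}")
    print("plant-b PLC via hub NAT:", translate(nat, "plant-b", "192.168.1.10"))
    print("plant-b PLC via relay  :", relay_target("plant-b", "192.168.1.10"))
```

The NAT table has to be kept in step with every site that is added or re-addressed, which is the juggling the text refers to; the relay key needs no such maintenance because the site name disambiguates the address.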
2. Routing Challenges
VPN: Connecting two remote networks with traditional VPN via a central VPN concentrator requires configuration and management of advanced forwarding and routing rules. Additionally, the routing equipment usually needs to support NAT traversal (NAT-T) and User Datagram Protocol (UDP) encapsulation. Traditional VPNs are suitable for one-to-one or many-to-one connections, but not one-to-many (one engineer to many sites) or many-to-many (many engineers to many sites).
Secure Remote Access: Cloud-based systems for remote access easily administer thousands of engineers needing access to thousands of sites, including management of individual access rights.
3. Firewall Opening Challenges
VPN: Traditional IPSec-based VPNs require specific inbound ports to be opened on the firewall, and any service reachable through those openings becomes a potential target for attackers.
Secure Remote Access: All relay VPN connections are established from the inside out (outbound from the site), and only standard Web ports are used. These encrypted connections are terminated at the central internet-based server, and the link between an engineer and a device is established dynamically across them.
4. Firewall Blocking Challenges
VPN: VPN routes everything (and not just the protocols you need) unless you make the effort to create and manage a number of firewall rules.
Secure Remote Access: Defined device agents are automatically limited to only allowing access to the ports or services defined for the agent type. They are only activated when connecting to the agent representing the end device.
5. Activity Logging
VPN: The principle of traditional VPN is to connect two networks and have everything accessible between the two peers. It is possible to restrict what traffic is allowed through the VPN (the function is called Traffic Selector), but that goes against the purpose of the VPN. When you have so much traffic passing through a VPN, it is impractical to log all activity.
Secure Remote Access: Because traffic travelling between secure remote access points has to be tightly specified, it is easy to log the activity in the process. When you are connecting to someone else’s network, it is smart to have easy access to these activity logs, which is an added benefit secure remote access can provide.
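Points 4 and 5 above describe the same mechanism from two sides: an agent only exposes the ports defined for its type, and because each link is that narrow, every connection attempt can be logged. The following added example (not code from the original post or from any vendor product) models that policy in Python: hypothetical agent types with their permitted ports, a constructed set of engineer grants, an authorize() decision per attempt, and an audit log that an administrator can summarise. Agent names, engineers and the replayed attempts are all constructed.

```python
"""Constructed example (not from the original post): a per-agent-type port
policy plus an activity log, showing why narrowly scoped relay links are
easy to audit. Agent types, ports, engineers and grants are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical agent types: each permits only the services its device needs.
AGENT_TYPES = {
    "siemens-plc": {102},        # ISO-on-TCP (S7)
    "modbus-device": {502},      # Modbus/TCP
    "hmi-panel": {5900, 443},    # VNC, HTTPS
}

# Constructed site inventory: agent name -> (site, agent type)
AGENTS = {
    "line1-plc": ("plant-b", "siemens-plc"),
    "line1-hmi": ("plant-b", "hmi-panel"),
    "pump-ctrl": ("plant-c", "modbus-device"),
}

# Constructed access rights: engineer -> agents that engineer may reach.
GRANTS = {
    "alice": {"line1-plc", "line1-hmi"},
    "bob": {"pump-ctrl"},
}


@dataclass
class Decision:
    """One logged decision: who tried to reach what, and why it was decided."""
    engineer: str
    agent: str
    port: int
    allowed: bool
    reason: str
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def authorize(engineer, agent, port, log):
    """Decide one connection attempt, append the decision to `log`, and
    return True if it is allowed. Unknown agents, missing grants and ports
    outside the agent type's set are all denied and recorded."""
    if agent not in AGENTS:
        d = Decision(engineer, agent, port, False, "unknown agent")
    elif agent not in GRANTS.get(engineer, set()):
        d = Decision(engineer, agent, port, False, "engineer not granted this agent")
    else:
        _, agent_type = AGENTS[agent]
        if port in AGENT_TYPES[agent_type]:
            d = Decision(engineer, agent, port, True, f"{agent_type} permits port {port}")
        else:
            d = Decision(engineer, agent, port, False, f"{agent_type} does not permit port {port}")
    log.append(d)
    return d.allowed


def denied_summary(log):
    """Count denials per engineer, a first cut for reviewing the log."""
    out = {}
    for d in log:
        if not d.allowed:
            out[d.engineer] = out.get(d.engineer, 0) + 1
    return out


def run_sample(log=None):
    """Replay a constructed batch of attempts and return the resulting log."""
    log = [] if log is None else log
    attempts = [
        ("alice", "line1-plc", 102),   # allowed: S7 on a PLC agent
        ("alice", "line1-plc", 22),    # denied: SSH is not an S7 service
        ("alice", "pump-ctrl", 502),   # denied: alice holds no grant there
        ("bob", "pump-ctrl", 502),     # allowed: Modbus on a Modbus agent
        ("bob", "line1-hmi", 5900),    # denied: bob holds no grant there
    ]
    for engineer, agent, port in attempts:
        authorize(engineer, agent, port, log)
    return log


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.at} {d.engineer:>6} -> {d.agent}:{d.port} "
              f"{'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    print("denials per engineer:", denied_summary(run_sample()))
```

Because the decision is taken per agent and per port, the log entry carries the reason directly; a routed VPN that forwards whole subnets would have to reconstruct the same information from packet captures after the fact.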
6. Concentrator Management
VPN: Typical IPSec-based VPN solutions require an IT-administered concentrator, since they require networking knowledge. Also, individual concentrators must typically be installed at each service provider to avoid very complex triangular routing and firewall setups.
Secure Remote Access: The concentrator in a cloud-based solution is a central service where each service provider gets an isolated account. Here the administrator issues account certificates and controls dynamically what equipment and which sites each service engineer should be allowed to access. There is no networking or other IT skillset required.
Although the complexity cannot be removed from current processes completely, a secure remote access solution requires far less technical knowledge than traditional VPN concentrators.
Here are a few of the most apparent benefits:
Knowing the benefits of secure remote access is meaningless unless you can identify opportunities to implement it in your applications or networks.
Have you ever reported a problem with your PC to your IT department? Of course you have. What happened once you did? Did they visit your desk personally? Unless they happened to already sit next to you, then that’s doubtful. What they likely did was remotely access your PC and fix the problem. Why? Because it allowed them to respond quickly, it was an efficient use of their time, and if they are in a different geographical location, it saved travel costs.
When it comes to remote access, industrial users have the same requirements for the same reasons. Here are some ideal applications:
If any of these applications seem relevant, it should also be said that the cost of moving to secure remote access does not involve a large capital investment. And perhaps most importantly, expanding the solution does not require expansion of personnel to maintain the solution.
Although there are many remote access solutions on the market, most started as IT solutions and are now being shoehorned into industrial environments. Solutions such as these are complex for all administrators and users and a far cry from the simplicity offered by a sophisticated industrial secure remote access solution.
True secure remote access solutions are also complex, but the complexity should be moved from the user to the system administrator. This way, the knowledge is centralized among a few employees rather than being required across the entire organization.
To learn more about secure remote access, download our latest white paper "Predictive Maintenance in the Industrial Internet of Things Era."