VPNX - SSLVPN Managed Service
When your business requires the flexibility and mobility of remote access without compromising security, VPNX allows fast, mobile connectivity via a multipoint, secure private network to networks:
- behind existing firewalls or security devices.
- in temporary or mobile locations using wifi, mobile or local Internet access.
- at remote locations.
- behind satellite broadband connectivity.
VPNX – What you need to know..
VPNX is L3n's lightweight overlay multipoint site-to-site (M2M) VPN service using SSL VPN technology.
It allows fast, mobile connectivity via a multipoint, secure private network for a wide range of purposes – these are just a selection:
- Behind existing firewalls or security devices – in fact anywhere where one entity needs secure access into or behind another entity's network or infrastructure, e.g. venture capitalists needing to ensure the contractual obligations for investment are being observed, or for building management and maintenance.
- Temporary or mobile locations using wifi, mobile or local Internet access – perfect for building sites, property development and other fast, temporary secure access requirements.
For example, the system could allow secure connectivity from a remote site back to your head office: carrying CCTV coverage at night and secure Internet access during the day (allowing you to apply your policy to the Internet access) with zero touch installation and robust lightweight hardware. The VPNX Endpoints (VEPs) can even support encrypted system data partitions so the VEP cannot be accessed or used by thieves if stolen.
- Remote locations – e.g. outside broadcast, secure alarm systems or just facilitating Internet access from remote locations – but pushed securely back to your head office, enabling your security policy to be applied.
- Behind satellite broadband connectivity – L3n's testing of multipoint secure Machine 2 Machine (M2M or site-to-site) SSL VPN running over satellite broadband indicates that IPsec doesn't work as well as our lighter weight (but just as secure) SSL/TLS.
Our VPNX also uses certificate-based authentication rather than the IPsec's more common (and less secure) pre-shared key system.
How does it work?
To use the VPNX system, a managed VPNX Endpoint (VEP) hardware unit is simply connected to a wired Internet connection or is set to access a mobile/wifi connection – even inside a network, behind a firewall or other security device. The VEP will automatically call OUT to an allocated VPNX server using the same type of connection and security employed in the banking industry.
The system relies on digital certificates to ensure that the VEP is allowed to join the VPNX server (and the VEP can be sure that the VPNX server is the correct one).
Once connected, the VEP has secure, encrypted connectivity to any other validated VEPs on that same VPNX server.
Due to the automated, certificate-based access to the central VPNX server, the VEPs are therefore 'zero touch' installations. The box is simply connected to an Internet link with DHCP address allocation and powered up. Assuming any firewall in the flow allows access to banking websites, the system will access the VPNX server successfully.
The VPNX system has been tested to work well with IP, voice and video in addition to normal data within the limits of the available bandwidth.
The VPNX server
The VPNX server itself is based on an OpenVPN software backbone and is hosted in a data centre under L3n control. The server is protected using a strong software firewall that only allows valid data and protocols to travel in and out of the server. The server is controlled by L3n via encrypted access and the firewall prevents access from anywhere else.
Each customer or VEP network has its own individual VPNX server. This further enhances security.
VPNX Endpoints – VEPs
Mobile version of the
VEP encased in tough aluminium
and running on solid state hardware
There are several types and sizes of VEPs depending on the power and throughput required: the most common is the smaller, mobile unit.
The mobile unit runs an embedded copy of the Linux operating system and is very robust as it benefits from:
- solid state storage.
- a fanless motherboard for silent operation.
- a tough, light ,aluminium encasement.
- three simple LEDs for diagnostics – from left to right, one shows a heartbeat that shows the unit is running, two shows untrust traffic flow and three shows the state of the VPN tunnel. Two and three also flicker with activity.
- zero touch installation.
- logical protection by a software firewall – control is only via the secure VPNX service itself.
VPNX Management System
The VPNX management system runs on the VPNX server and checks the status of each VEP. It can alert the customer and/or L3n to any problems. As the management system runs from the VPNX server itself, it uses the secure encrypted VPNX service to manage the VEPs.
The management system also monitors the server upon which it runs and alerts L3n to the need for OS updates and/or security patches, thus ensuring the server is running with optimum security.
Secure Serial Console Access via VEPs
With the addition of USB to serial adapters the VEPs can be used to gain secure serial 'out of band' access to equipment serial ports.
When your equipment has a problem or has been accidentally mis-configured then sometimes the ONLY way back in is via it's serial console port. Using VPNX and VEPs, we can offer that 'Last Gasp' access to restore your network.
Serial console access via the VPNX service is also proving very successful when being used to configure new equipment remotely. This has saved time and money for our customers when deploying entire racks of brand new equipment and allowing 100% remote configuration and control.
High Availability VEPs
By using two VEPs onsite and implementing industry-standard dynamic routing protocols such as BGP and OSPF and also redundancy protocols such as VRRP, we can now offer VEPs in HA pairs.
Combined with using the USB to Serial adapters mentioned above we can cross connect the serial consoles on the VEPs to allow a very robust, redundant, secure access methodology where one VEP can even access it's partners serial console in order to restore service to the HA pair network and then on to the site equipment itself.
This is proving exteremely useful for remote 'bare metal' installations with unproven ISPs etc.
We can now offer VEPs with 3G/4G mobile adapters which will then allow secure access to the VPNX network via an appropriate mobile network.
Just 'drop' in a VEP, power up, connect to the VPNX network and use the secure SSLVPN access to the VEP with no wired Internet access in sight.
Combine this with the serial console access and you have a very powerful remote management system particularly suited to remote access industrial applications.