FAQ TALK2M. ewon SA Avenue de l artisanat, Braine L Alleud Belgium

Transcription

1 FAQ TALK2M ewon SA Avenue de l artisanat, Braine L Alleud Belgium

2 Q1) What is Talk2M? Talk2M are connectivity services based on a web hosted application that proposes to connect users to their machines using the Internet. This hosted application acts as a broker and relays the communication made by users on one side to their machines on the other side. It has been designed for the world of Industrial Automation. Q2) How does Talk2M works? Talk2M works by using Virtual Private Network (VPN) and tunneling. Since Talk2M receives connections from users on one side, and from machines on the other side, both sides exchange their data back and forth using tunneling technologies. Q3) What are VPN and tunneling? VPN (virtual private network) and tunneling are techniques that allow you to encrypt the data connections between yourself and another computer. This computer might belong to your organization, a trusted contact or a commercial VPN service. Tunneling encapsulates a specific stream of data within an encrypted protocol, making everything that travels through the tunnel unreadable to anyone along the way. Using a VPN or other kinds of tunnels to encrypt information can be a good way of ensuring it is not seen by anyone but yourself and people you trust. It has the additional effect of making all your different kinds of traffic look similar to an eavesdropper or to a system that is trying to block your traffic. Q4) The Talk2M service is hosted on the Internet. This means that anyone in the world can access the machine in my factory. Each ewon to which the machine is connected connects to the Talk2M server only. An authentication mechanism guarantees that each ewon talks to the Talk2M server with its own key. A similar mechanism guarantees that each user can only communicate with a specific ewon. All data that are exchanged back and forth through the Talk2M Server and the Internet is encrypted, so the data remains secure. Q5) The Talk2M service is allowing a connection from the Internet into my factory. This means I need to change the configuration of my firewall, enabling the opening of one port but I m not going to do this. Talk2M tunnels are initiated by ewons and therefore use only outgoing connections. No incoming connections are made (that means it is not Talk2M server that initiates the tunnel), so no ports need to be opened in the corporate firewall for incoming connection.

3 p 3/5 Also Talk2M is designed to be less intrusive as possible. That means it tries to use already opened outgoing ports being most usually the HTTP and its secure counterpart HTTPS ports. Q6) What are the VPN protocols used in Talk2M? Talk2M VPN protocols are Open SSL/Open VPN version 2. Q7) The Talk2M system does not use IPSec protocol, which is the ICT standard for VPN security. Why not? They are two reasons why IPSec protocol has not been chosen for implementing the Talk2M VPN and tunneling: Design reason : IPSec is a protocol based on OSI layer 3, the Network layer. It has been designed to protect IP packets exchanged between remote networks or hosts and an IPSec gateway located at the edge of your private network. OPEN VPN is a protocol based on OSI layer 7, the Application layer. It protects application streams from remote users to an SSL gateway. In other words, IPSec connects hosts to entire private networks, while SSL VPNs connect users to services and applications inside those networks, which is more the case when accessing machines remotely though local networks. Technical reason: Since one of the Talk2M goals was to design an architecture being as less intrusive as possible, the VPN protocol has to easily shifted to already existing outgoing open ports available in firewalls. The Open VPN protocols allows to switch easily the IP ports used and in network uses typically HTTPS (port 443). IPsec works with predetermined IP ports (UDP 500 and 4500). Using IPSec would have required Talk2M potential machine builders and OEM to be much more involved in the configuration of their customers networks protection systems to allow the system to work. Q8) The ewon is connected on the LAN in the factory. This means that the machine builder can access all the PLCs and all the IP devices in the factory The pointtopoint Talk2M tunnel exists between the Talk2M user and the specific ewon device, located in the machine control panel. The ewon can be configured so that only devices connected to the (green) LAN ports of the ewon device can be accessed remotely. Q9) The Talk2M tunnel can be set to be always on. This means the machinebuilder can access the PLC and make changes, without me knowing. It is possible to configure the ewon so that a switch, wired into the ewon digital input, enables & disables the VPN connection. A digital output is also available to control a relay that could also be used to physically decouple the Ethernet connection from the corporate network.

4 Q10) There are some devices connected into the (green) LAN ports of the ewon which I do not want to be remotely accessible, for security reasons. How can I do that? Each device connected to the green VPN ports of the ewon has an IP address, a subnet mask, and a gateway address configured. If the Gateway address configured in a device is the IP address of the ewon, this device will be accessible. If the Gateway address is not the IP address of the ewon (or is blank), the device will not be accessible. Q11) What happens if the Talk2M services are discontinued? The Talk2M services are owned and run by ewon, who make the Gateway devices. The Talk2M Free services is free to use and is funded by sales of the ewon units. For customers that would require a business continuity of service, Talk2M Pro, based on a mission critical hosting architecture, ensures a 99,6 % business continuity over one year. Q12) I always install a PC in the machine and use software on this PC to access the machine, such as PCAnywhere. Why is Talk2M better? Talk2M does not require a working Windows PC at the machine location, just an ewon unit. An ewon unit is more reliable than a PC, since it has no moving parts and no hard disk, and is less likely to be interfered with by engineers. A Windows PC has also a higher Total Cost of Ownership (TCOestimated to be 35 times bigger than an ewon). A PC is also more sensitive to virus and then needs to be protected raising the TCO. An ewon can also communicate with the machine and send alarms and data back to HQ. Q13) What is needed at the machine site, for the Talk2M system to work? Just a Talk2M compatible ewon unit and an access to Internet, through the local LAN or by using a dedicated line through a builtin modem (ADSL, GPRS/EDGE/3G,PSTN). If the Local LAN is used, it should allow the user to browse on this network(meaning using HTTP and HTTPS). Q14) What factorynetwork information is needed at the site, so that an ewon can be fitted on a machine? If the ewon is to use the customer LAN to connect to the Talk2M system, then it needs the same settings as a PC sitting on this network (IP address, subnet mask & gateway, plus any Proxy settings). EWON is also DHCP client so it can be assigned an address automatically.

5 Q15) How often does Talk2M go offline, for maintenance or upgrades? Talk2M is subject to occasional, planned maintenance. Users are informed in advance of these, by e- mail. Q16) What are the security protocols or level of security provided by the Talk2M Technology? Talk2M uses several levels of security: users and ewon units authenticate with the Talk2M server using SSL/TLS for session authentication and the IPSec ESP protocol for secure tunnel transport over UDP. It supports the X509 PKI (public key infrastructure) for session authentication, the TLS protocol for key exchange, the cipherindependent EVP (DES, 3DES,AES, BF) interface for encrypting tunnel data, and the HMACSHA1 algorithm for authenticating tunnel data Q17) Are there HTTP proxies that may not be compatible/supported by Talk2M? As of today, some proxies may not be supported because of their authentication mechanisms. Here is the list : Kerberos authentication Digest access authentication