InTech

JAN-FEB 2018

Issue link: http://intechdigitalxp.isa.org/i/935787

connects upon a verified request from a remote user. Once both connections have been made, all data passing through this VPN tunnel is secure. Most hosted VPN solutions have a free monthly bandwidth allocation for basic operation, and then offer a premium plan for additional bandwidth. Normal troubleshooting and programming needs usually fall under the data requirements in the free plan, but extensive data monitoring or video surveillance may require additional bandwidth, depending on the amount of data transmitted over the VPN.

The router initiates communication to the server via an outbound connection through standard ports that are typically open, such as HTTPS. This usually requires no changes to the corporate IT firewall, and satisfies IT security concerns. By contrast, traditional VPNs require inbound firewall ports to be opened, which requires IT involvement and oversight.

Another advantage to a hosted VPN is that the router configuration is extremely simple. Because the secure router (figure 3) is connected to a predefined cloud server, the router comes preconfigured, requiring only the most basic network information from the user. The router's internal firewall comes with a default setup to keep the plant floor network separate from the corporate network. The platform and hosted servers do the complicated VPN networking behind the scenes, so non-IT staff can easily configure it. Staff members only need to know the IP addresses of the automation components connected to the local area network, and whether their ISP or corporate wide area network router (not the hosted VPN router) provides IP addresses dynamically or statically.

In addition to a wired local area network (LAN) option, the hosted VPN should have Wi-Fi and 4G LTE connectivity options. Wi-Fi provides a simple access point or client connection, and allows plant personnel to access the router's LAN network wirelessly, rather than opening the panel to access the physical LAN connection ports. With 4G LTE connectivity, users have access from remote locations without Internet access or locations that will not provide access to the corporate network.

This approach has a very low security risk, because the client connection to the cloud server uses the proven SSL/TLS encryption standard, specifically TLS 1.2. The required TLS key exchange, crucial for security, is done in accordance with the industry standard 2048-bit RSA with SHA-256. In addition, some vendors have advanced user management, event logging, and two-factor authentication—which requires a second time-based password generated at login—for an extra level of security at the user access level.

Hosted VPN design considerations

Those considering this solution must have a high level of trust in the hosted VPN vendor, as it will be responsible for securely storing data and making it available to only those who need it. Monthly costs incurred for high data bandwidth usage must also be considered, particularly as those costs are zero for a traditional VPN solution.

The hosted VPN solution does not require an IT team for support, because it is simple to implement and maintain, and most companies accept it as secure. Those companies that do not accept a hosted VPN solution for security reasons would likely not accept a traditional VPN either, because of its required firewall changes.

The simplicity of this solution comes at the cost of limiting some of the advanced routing features that may be required for sophisticated networks, such as machine-to-machine networking, advanced network address translation (NAT) configuration, and access control lists. However, for most users these advanced features are not required.
Other design considerations depend on specific features offered by the router

Figure 2. The STRIDE SiteLink Secure hosted VPN has no monthly charges for remote access as long as the bandwidth stays under 5 GB per month for all users in an account.

Figure 3. These VPN routers provide the functionality needed for cloud-based connectivity, simplifying implementation.