Virtual Private Network: Secure Remote Access To Machines Through VPN
SCOPE
PLCs and machine controllers now have Ethernet ports that support TCP/IP, which makes it
easy to access these devices remotely. The technology generally used for this is the
Virtual Private Network (VPN). A VPN connection secures the transfer of data from one
network or device to another network or device over shared or public networks such as
the Internet.
CONTENT
Executive Summary
High Level Solution
Ways of access
Remote access through VPN
Security
Type of data transferred
Client/server, initiator/responder
Solution Details
VPN use case walkthrough
Connection technology
Routing
VPN technology
Summary
Business Benefits
Remote access through a VPN brings big benefits to both the machine builder and the end user.
The machine builder can diagnose problems on the machine quickly, sometimes even before they occur,
inform the end user in time to take preventive action, or help resolve the issue through remote
assistance. The end user benefits as well: the machine is easily accessible and can provide real-time
production information.
Because a VPN carries IP traffic, any IP-based communication can be done through it, including
communication with devices that have no Ethernet connection, such as serial devices, by using
IP-to-serial conversion. There is almost no limit on the type of communication.
Remote access to a machine is like standing next to it while being far away.
[Figure: Factory 1 and Factory 2 connected over the Internet to the machine builder's Head-office and Service department]
A VPN establishes a connection between two sites. The connection is protected by authentication when
it is opened (a username and password, a pre-shared key or a certificate) and the data transferred over
it is encrypted. This prevents outsiders from reading the production data or tampering with the
machine's traffic while it is in transit. It does not, by itself, limit what an authenticated party can
do once inside, so the credentials or keys of both ends must be guarded as carefully as physical access
to the machine. A VPN connection is also called a VPN tunnel, because what goes in at one end comes out
at the other end unchanged: the encryption is transparent to the devices on either side.
Various standard products are available to establish a connection between different sites.
This paper gives an overview of the products and technologies used, the principle of operation and an
explanation of the terminology.
For instance, the machine controller registers and reports the power consumption of a drive. At design
time of the machine the load of the drive is calculated, and during commissioning a threshold is defined.
The controller monitors the current consumption of the drive against this threshold and triggers an
alarm when the current exceeds it. An additional, lower threshold can be set as a pre-alarm, warning
that inspection or maintenance of this drive must be planned.
This information is important to the user of the machine in order to prevent unintended production stops.
And where the machine manufacturer has a maintenance contract with the end user to maintain the machine
and prevent production loss caused by standstill, a pre-alarm can prevent costly repairs.
Ways of access
With current communication technologies there are many ways to create a connection to the
machine. To name a few:
• A wireless connection through a UMTS or GPRS network.
• The machine plugs into the local factory network.
• A direct connection to the Internet by means of ADSL, cable, fibre or a similar connection.
[Figure: the three connection types, each through a router in the machine: wireless (UMTS/GPRS) to the Internet, ADSL to the Internet, and a LAN connection to the factory network]
Whichever connection type is used, data can be transferred directly between the machine and the machine
builder's office, independent of the connection in between. The products pictured are all router devices
that connect their local network to a bigger network. This bigger network can be the Internet or a factory
network.
[Figure: a router with a WAN port towards the Internet and LAN ports for the local network]
Imagine such a device having a WAN (Wide Area Network) port to connect to a bigger network or the Internet,
and a couple of LAN (Local Area Network) ports to create a local network. Through the routing capabilities of
the devices, the two distant LANs are connected to each other and act as one: a device connected to the LAN
side of one router can reach devices on the other router's LAN. This is very convenient, as a machine
controller on one side can be accessed directly from the other side. Instead of a box with WAN and LAN
ports, the endpoint (router) could also be a PC that connects to the other network.
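As an added example (not part of the whitepaper and not the logic of any Omron product), the forwarding decision a router and a host make, written in Python. The addresses are assumptions: machine LAN 192.168.10.0/24 behind the machine router, office LAN 192.168.1.0/24 reached through the tunnel interface tun0, and a default route through the WAN port. The host only needs a default gateway; the router picks the most specific matching route, which is what makes the two LANs behave as one without the host knowing the tunnel exists.

```python
import ipaddress

# Constructed routing table for the router in the machine (example data, not from the
# whitepaper): the machine LAN on its LAN ports, the office LAN reachable through the
# VPN tunnel interface, and everything else through the WAN port.
MACHINE_ROUTER_ROUTES = [
    # (destination network, next hop or None when directly attached, interface)
    ("192.168.10.0/24", None, "lan"),          # machine LAN, directly attached
    ("192.168.1.0/24", "10.8.0.1", "tun0"),    # office LAN, via the VPN tunnel
    ("0.0.0.0/0", "203.0.113.1", "wan"),       # default route: factory router / Internet
]

# What a host on the machine LAN knows: its own subnet and one default gateway
# (the machine router). It never sees the tunnel.
MACHINE_HOST_ROUTES = [
    ("192.168.10.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.168.10.1", "eth0"),
]


def select_route(routes, destination):
    """Longest-prefix match: the most specific route containing the destination wins.
    Returns (next_hop, interface); next_hop is None for a directly attached network."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, next_hop, iface in routes:
        network = ipaddress.ip_network(net)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1], best[2]


def describe(routes, destination):
    """Human-readable forwarding decision for one destination address."""
    next_hop, iface = select_route(routes, destination)
    if next_hop is None:
        return f"{destination}: deliver directly on {iface}"
    return f"{destination}: forward to {next_hop} via {iface}"


if __name__ == "__main__":
    # Office PC, a neighbour on the machine LAN, and an arbitrary Internet host.
    for dst in ("192.168.1.25", "192.168.10.7", "198.51.100.9"):
        print("host   ", describe(MACHINE_HOST_ROUTES, dst))
        print("router ", describe(MACHINE_ROUTER_ROUTES, dst))
```

In a real deployment the routes installed for the tunnel should cover only the subnets that need to talk to each other (the machine's own LAN, not the whole factory network), so the tunnel does not silently become a bridge into the factory.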
Security
Sending data over the Internet or other networks implies a security risk. It is a must to prevent
somebody from intercepting the data sent across the network and tampering with the system.
A VPN creates a secure tunnel: secure in the sense that there is authentication when the connection
is opened and that the data transferred is encrypted and integrity-protected, so packets modified in
transit are detected and dropped. The authentication can be based on username/password, pre-shared
keys or certificates, or a combination of these. Often a certificate plus a username is used.
Encryption strength ranges from weak to very strong. Keep in mind that encrypting and decrypting data
takes processing time: the stronger the cipher and the longer the key, the more work per packet, and
on a small router this can limit throughput. When strong encryption is required, one option is a
device with enough processing power to do the encryption and decryption quickly; faster devices often
cost more. There is no golden rule for which encryption level to use; it depends on the level of
security and the communication speed needed. In practice the cipher itself is rarely the weak point:
an outdated protocol version, a weak pre-shared key or a poorly protected certificate private key
undermines even the strongest cipher.
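The two properties described above, authentication of the data and encryption, plus the replay protection that real VPN protocols add on top, as an added example in Python (illustration only, not the mechanism of any Omron product, nor the actual packet format of IPsec or OpenVPN). The keys, the inner messages and the HMAC-based stream cipher are constructed for the example; the packet layout and the 64-packet sliding anti-replay window follow the pattern of IPsec ESP.

```python
import hashlib
import hmac
import struct

# Constructed keys for this example only. In a real VPN the keys are derived during the
# authenticated key exchange (IKE for IPsec, TLS for OpenVPN) and are never hard-coded.
ENC_KEY = hashlib.sha256(b"example tunnel encryption key").digest()
MAC_KEY = hashlib.sha256(b"example tunnel integrity key").digest()

WINDOW = 64      # anti-replay window size, the same default as IPsec ESP (RFC 4303)
TAG_LEN = 16     # truncated HMAC-SHA256 tag appended to every packet


def _keystream(key, seq, length):
    """HMAC-SHA256 used as a PRF to derive a keystream from (sequence number, block counter).
    Toy construction to keep the example dependency-free; real tunnels use an AEAD cipher
    such as AES-GCM or ChaCha20-Poly1305. The sequence number doubles as the nonce, so it
    must never repeat under the same key (IPsec rekeys before the counter wraps)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(seq, payload):
    """Sender side: header(seq) || ciphertext || tag, encrypt-then-MAC."""
    header = struct.pack(">Q", seq)
    stream = _keystream(ENC_KEY, seq, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, stream))
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


class TunnelReceiver:
    """Receiver side: verify the tag, reject replays with a sliding window, then decrypt."""

    def __init__(self):
        self.highest = 0   # highest sequence number accepted so far (0 = nothing yet)
        self.seen = 0      # bitmap: bit i set <=> sequence number (highest - i) was accepted

    def open(self, packet):
        if len(packet) < 8 + TAG_LEN:
            raise ValueError("packet too short")
        header, ciphertext, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
        # 1. Authenticate before anything else; constant-time compare avoids timing leaks.
        expected = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: packet forged or tampered with")
        (seq,) = struct.unpack(">Q", header)
        if seq == 0:
            raise ValueError("sequence number 0 is reserved")
        # 2. Anti-replay: accept out-of-order packets inside the window, never the same one twice.
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) & ((1 << WINDOW) - 1)) | 1
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= WINDOW:
                raise ValueError("replay: packet older than the anti-replay window")
            if (self.seen >> offset) & 1:
                raise ValueError("replay: packet already received")
            self.seen |= 1 << offset
        # 3. Decrypt only after the packet has passed both checks.
        stream = _keystream(ENC_KEY, seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, stream))


def deliver(receiver, packet):
    """Return the inner payload, or a 'dropped: ...' string explaining why it was refused."""
    try:
        return receiver.open(packet)
    except ValueError as exc:
        return f"dropped: {exc}"


if __name__ == "__main__":
    # Constructed inner messages standing in for PLC traffic carried through the tunnel.
    rx = TunnelReceiver()
    print(deliver(rx, seal(1, b"READ D100")))          # accepted
    print(deliver(rx, seal(3, b"WRITE D101 42")))      # accepted, seq 2 still outstanding
    late = seal(2, b"late packet")
    print(deliver(rx, late))                           # accepted: inside the window
    print(deliver(rx, late))                           # dropped: replay
    forged = bytearray(seal(4, b"STOP"))
    forged[8] ^= 0x01                                  # flip one ciphertext bit in transit
    print(deliver(rx, bytes(forged)))                  # dropped: authentication failed
```

The order of operations is the point worth copying: the receiver checks the tag before it touches the sequence number or the ciphertext, so a forged or corrupted packet is dropped with no state change, and a replayed packet is dropped even though its tag is valid. A tunnel without the replay check would let an attacker who captured a valid stop or write command re-send it at will.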
Machines can then report their status directly and continuously, and the machine builder has the
opportunity to react immediately to events: not only when there are problems, but also to plan scheduled
maintenance or to send consumables based on the information the machine provides.
Solution Details
A network set-up often contains products from different manufacturers, and these devices must
understand each other, so standardised protocols are needed.
VPN technology is standardised as well. There is not one VPN standard but several; the two mainstream
ones are IPsec and OpenVPN (an SSL/TLS-based VPN).
These two have made their way into commonly available products and services. With Commercial
Off-The-Shelf (COTS) products anybody can set up their own VPN infrastructure.
[Figure: OFFICE and FACTORY sites; the office VPN responder has a fixed IP address, shown as 192.168.249.243]
As the machine is part of the bigger factory network it cannot be accessed from outside the factory: the
factory router that connects to the Internet has a firewall and blocks all incoming traffic. Therefore the
router in the machine must be the initiator of the VPN connection. For the VPN connection to be established
successfully, the VPN initiator (the router in the machine) needs the following set-up:
• Time synchronisation. The negotiation and encryption process also uses the date and time; in particular,
the validity period of certificates is checked, so both the initiator and the responder must have an
(approximately) correct clock. The exact date and time can be obtained from so-called time servers
(NTP servers). A time server can be on the Internet or on the factory network. With a time server the
date and time are set automatically and adjusted regularly.
• Domain Name Server. To reach the VPN responder, the initiator needs to know its address on the Internet.
Fixed IP addresses on the Internet are scarce and quite costly, so it is easier to use a domain name and
let a DNS server resolve that name to an IP address. The router only knows the name
(office.machinebuilder.com), but by asking a DNS server which IP address is linked to this name the
responder can be reached, no matter how often the responder's IP address changes. Note that resolving the
name does not prove that the address belongs to the machine builder; that is the job of the VPN
authentication step, so the initiator must verify the responder's certificate or key and not simply
connect to whatever address DNS returns.
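As an added example (not from the whitepaper, and not an Omron router configuration), the set-up described above expressed as OpenVPN 2.4-style configuration files for the initiator in the machine and the responder at the office. The host name office.machinebuilder.com comes from the text; the subnets (office LAN 192.168.1.0/24, machine LAN 192.168.10.0/24, tunnel pool 10.8.0.0/24), the port, and the certificate and key file names are assumptions.

```conf
# --- Client side: the router in the machine (VPN initiator) ---
client
dev tun
proto udp
# The responder is reached by name; the address behind it may change (see the DNS bullet).
remote office.machinebuilder.com 1194
# Keep retrying name resolution if DNS is not yet reachable when the router boots.
resolv-retry infinite
nobind
persist-key
persist-tun
# Certificate-based authentication: the CA that signed both sides, plus this router's own cert and key.
ca ca.crt
cert machine-router-0001.crt
key machine-router-0001.key
# Only accept a responder whose certificate carries the server role, and whose name matches,
# so a stolen client certificate cannot impersonate the office.
remote-cert-tls server
verify-x509-name office.machinebuilder.com name
# Extra encryption/HMAC layer on the TLS control channel; packets without it are dropped early.
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
keepalive 10 60
verb 3

# --- Server side: the office router or PC (VPN responder) ---
port 1194
proto udp
dev tun
ca ca.crt
cert office-server.crt
key office-server.key
dh dh2048.pem
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
# Address pool for the tunnel interfaces themselves.
server 10.8.0.0 255.255.255.0
# Tell every connecting machine router how to reach the office LAN through the tunnel.
push "route 192.168.1.0 255.255.255.0"
# The machine LAN sits behind the initiator: route it into the tunnel and tell OpenVPN
# which client it belongs to (the iroute in that client's per-client file below).
route 192.168.10.0 255.255.255.0
client-config-dir ccd
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# --- ccd/machine-router-0001 (file named after the client certificate's common name) ---
iroute 192.168.10.0 255.255.255.0
```

Two directives carry most of the security weight. remote-cert-tls server makes the initiator refuse any responder whose certificate was not issued with the server role, so a stolen client certificate cannot be used to impersonate the office; and tls-crypt makes the responder drop any packet that does not carry the shared control-channel key before it spends CPU on a TLS handshake, which matters for a server exposed on the Internet. The route/iroute pair is what lets the office reach the machine LAN behind the initiator rather than only the router itself.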
For the direct wireless or wired connections the set-up is a little simpler, but still largely the same.
Connection technology
When creating a VPN tunnel, a connection must be established from the client to the server. In many cases
this connection runs over the Internet, and there are several ways to connect to the Internet depending on
what is available at the location.
In general there are three variants: wired or wireless, and either directly connected or via a bigger local
network.
Wireless
At some locations only wireless access is possible, for instance a remote site without ADSL or cable but
with a mobile network offering data communication. To get access to this mobile network a subscription
with a service provider and a SIM card are needed.
There are different types of wireless data communication, but the most commonly known are GPRS and UMTS.
GPRS is the older and lower-performing technology; UMTS reaches communication speeds well into the
megabit-per-second range, while GPRS throughput is limited to a couple of hundred kilobits per second.
To ensure that data communication is always possible, GPRS serves as a fallback when a UMTS link cannot
be established. For both UMTS and GPRS the cost of the connection is based on the amount of data
transferred, not on connection time, so the connection can be up and running all the time.
All the above-mentioned connection types can be up and running all the time, so there is instant access
from one side to the other.
Routing
An essential part of a VPN is the routing. For a device on one network to reach a device on the other side,
there should not be too many hurdles in setting up the connection at the device. For the device it is only
important to know to which router address its message should be sent when the destination is not on the
local network. It is then up to
VPN technology
There are many implementations of VPN, but two are currently in widespread use because they have proven
reliable and secure: IPsec and OpenVPN (an SSL/TLS-based VPN). Both use the same kinds of encryption
technology; both can also compress the traffic, but compression is now generally switched off because it
leaks information about the encrypted data.
The two differ in how they are set up. IPsec authenticates the endpoints with pre-shared keys (a shared
secret that works like a password) or with certificates; OpenVPN uses certificates issued by a certificate
authority set up at the server, optionally combined with a username and password. OpenVPN also uses the
same TLS handshake that https:// secure websites use, and it can be run over TCP port 443. That makes it
easier to get OpenVPN traffic through firewalls in routers, as a port-based firewall treats it as regular
web traffic; a firewall that inspects the traffic more closely can still tell the difference.
Summary
A Virtual Private Network is a secured connection between two devices, routers or networks. The connection
can be established over local and public networks. Security is provided by authentication and encryption.
There are clients and servers, also called initiators and responders. The clients initiate the connection
to the server, and the server can accept connections from multiple clients. The VPN connection between the
client and the server is a transparent link between the two: any type of data can be sent over it, and it
does not matter on which side of the VPN connection you are or how far apart the two networks are.
Components
Router/Gateway: A router is a device that forwards data packets between computer networks. These can be
two networks, but also a local network and the Internet. If the router forwards to a larger network it is
also called a gateway.
Servers for DHCP, DNS and NTP: A server is accessible locally or on the Internet and delivers a service.
A DHCP server assigns IP addresses. A DNS server translates names to IP addresses. An NTP server delivers
the time to a device.
VPN initiator and responder: In VPN a connection is always initiated from one side. Therefore one side is
waiting to respond to a request from an initiator. This is comparable to the client/server principle of
operation.
UMTS, ADSL, Cable and Fibre: Different technologies to connect to the Internet. This can be wireless, wired
or optical.
LAN and WAN: Local Area Network versus Wide Area Network. A LAN is a network where all devices are at the
same location, like an office or a factory. The WAN is the bigger network to which the LAN is connected via
a router.
Services
VLAN: The Virtual Local Area Network is a technology where certain ports on a managed switch are combined
into a kind of "physical network". Traffic on other ports of the same or other switches will not appear on
the ports assigned to the VLAN. A VLAN can span multiple switches in a LAN. The reason to do this is
traffic separation.
Routing: Routing is the process of selecting paths in a network along which to send network traffic.
Firewall: A firewall is a software- or hardware-based network security system that controls the incoming
and outgoing network traffic by analysing the data packets and determining whether they should be allowed
through or not, based on a rule set. A firewall establishes a barrier between a trusted, secure internal
network and another network (e.g., the Internet) that is not assumed to be secure and trusted.
VPN protocol: VPN (Virtual Private Network) is a general term; there are many different implementations
and protocols, and some are more secure than others. The most used implementations currently are IPsec
and OpenVPN.
industrial.omron.eu
AUTHOR
René Heijma
Product Specialist Industrial Communication
• Omron Europe B.V., Product Marketing Automation department
• Zilverenberg 2, 5234GM, ’s-Hertogenbosch, The Netherlands
• Tel. +31 (0)73 6481 950
• [email protected]
• industrial.omron.eu
Starting his career as a PLC and SCADA engineer, René Heijma worked on many different projects in process
and machine automation, from the early specification of the project and the programming of the PLCs and
SCADA systems to the commissioning of the electrical installation.
He joined Omron in 2001 as a Field Network Specialist. In those years DeviceNet and PROFIBUS were the
prominent field networks that needed support. Since then Ethernet-based control networks have appeared;
René specialised in these network technologies as well and now specifies new products and supports them
thereafter in the Omron organisation.
VPN technology does not really belong to the control network domain, but it is a very nice extension.
René investigated how to apply VPN technology in Omron applications, and this whitepaper is an abstract
of that investigation.