Benefit from our secure Internet connectivity!
How can embedded systems be connected to the cloud easily and securely?
If the embedded systems are supposed to send data to the cloud only cyclically (one-way), it’s easy: there are protocols like MQTT. But if you want remote access for programming, configuration, support, operation and maintenance – then it becomes much more difficult. Existing solutions with VPN tunnels are complex and expensive to install and operate. When handling many systems, this becomes a high cost factor.
iniNet Solutions offers a technology for this that can be easily integrated into any system, provides high security and has very low costs.
SpiderControl VPI Internet Access is a patented concept for Internet access that is hard to beat in terms of simplicity of installation and use. All operator pages and functions that can be used via the HTTP protocol are made visible on the Internet via a portal – and this while maintaining high security standards.
This applies in particular to embedded web servers. OEM customers benefit above all from the high level of transparency with which their devices are mapped onto the Internet.
Technical information
The VPI agent can be integrated directly on your PLC or on a device in the same network and needs only a few dozen kB of code. The embedded VPI agent is available for WinCE or embedded Linux and can also be ported to an RTOS. The advantages of this concept are enormous:
- no additional hardware (e.g. VPN router) required, all components run on the PLC
- no public IP address required, the agent works with any internet access infrastructure (prepaid GSM, public WLAN, …)
- no modifications to the firewall necessary, http access to the
- easiest installation
- full encryption possible, etc.
The agent is written in the programming language “C” and can also be operated directly on small controllers. Thus, an embedded system independently maintains a connection to the Internet without the need for a fixed (and thus chargeable) IP address or another device. The problems with changing IP addresses that arise with DynDns are also completely eliminated. The embedded agent also integrates symmetric encryption, which requires little processing power even on small platforms. Thus, this solution is the optimum in terms of hardware effort, running costs and security.
In contrast to a connection with DynDns, the PLC is not simply visible on the Internet via an IP address, but via a virtual subdirectory of the portal server. This portal server is located in a secure zone, communicates externally via encrypted connections and manages users, passwords as well as access rights and profiles in a central database. If required, certain functions can be blocked in the portal in a simple manner. A log file of user interactions (audit trail function) can also be implemented centrally.
Applications
This technology can be integrated into existing systems. The VPI agent is integrated on the embedded system (a few kBytes of code), which communicates with the VPI cloud. These connections can then be used transparently by any cloud applications of the customer.
VPI Internet Agent
Remote access via Internet: VPI Agent for Internet Remote Access to the Intranet
For monitoring and controlling devices, remote access via a web browser to an (embedded) web server of a remote system is a widely used technology. Virtual Private Infrastructure (VPI) systems connect remote devices to the Internet via a VPI portal. VPI uses HTTP from the VPI portal to the VPI agent to communicate with the remote device. The VPI portal forwards the HTTP requests to the VPI agent, which acts as a relay station and forwards them to the VPI device itself. It is a ‘reverse proxy’ function.
A VPI portal is a communication platform that must be transparent at the HTTP level. It receives requests from VPI clients via TCP port 80 and forwards them to VPI agents. This includes transparent forwarding of remote procedure calls (RPC). In the same way, VPI agent responses are forwarded to VPI clients.
Thus, a VPI portal is more than just an HTTP proxy. It is the central management platform for all target devices in the system. It runs a list of links to all target systems to which it has access rights. When a target is selected, a transparent HTTP connection to the VPI agent is established.
Since HTTP provides its own namespace via URLs, distributed HTTP servers can be organized via proxy and relay servers, which makes it easier to hide the underlying IP address scheme. Managing such a concept can therefore be simpler and less demanding.
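The portal behaviour described in the “Technical information” and “VPI Internet Agent” sections (one virtual subdirectory per device instead of a public IP address, central management of users, passwords and access rights, blocking of individual functions, an audit trail, and relay of each HTTP request to the device's agent) as an added Python model. This is example code written for this page, not iniNet's VPI implementation: the `Portal` class and its methods, the `/vpi` URL prefix, the device ids, user, password and page names are all constructed assumptions, and the agent is a callback standing in for the outbound HTTP connection a real agent keeps open to the portal.

```python
"""Model of a VPI-style portal: one virtual subdirectory per device, central
user/password and access-right management, blocking of single functions, an
audit trail, and relay of each request to the device's agent.
Added example for this page (not iniNet's code); all names are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    """Request as the portal sees it after TLS termination (constructed shape)."""
    method: str
    path: str                 # e.g. "/vpi/plc-01/status.htm"
    user: Optional[str]
    password: Optional[str]


@dataclass
class Response:
    status: int
    body: str


# A relay callback stands in for the outbound HTTP connection each agent keeps
# open to the portal: the portal hands it (method, device-local path).
AgentRelay = Callable[[str, str], Response]


def make_agent(pages: Dict[str, str]) -> AgentRelay:
    """Stand-in VPI agent: forwards the portal's request to the embedded web
    server on the device side, modelled here as an in-memory page table."""
    def relay(method: str, local_path: str) -> Response:
        if local_path not in pages:
            return Response(404, "not found on device")
        return Response(200, pages[local_path])
    return relay


@dataclass
class Portal:
    prefix: str = "/vpi"                                   # assumed URL prefix
    agents: Dict[str, AgentRelay] = field(default_factory=dict)
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)   # salt, hash
    rights: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # user->device->methods
    blocked: Dict[str, Set[str]] = field(default_factory=dict)           # device->path prefixes
    audit: List[str] = field(default_factory=list)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[name] = (salt, digest)

    def grant(self, user: str, device: str, methods: Set[str]) -> None:
        self.rights.setdefault(user, {}).setdefault(device, set()).update(methods)

    def block(self, device: str, local_prefix: str) -> None:
        """Block a device function (a path prefix on the device) centrally."""
        self.blocked.setdefault(device, set()).add(local_prefix)

    def register_agent(self, device: str, relay: AgentRelay) -> None:
        self.agents[device] = relay

    def authenticate(self, name: Optional[str], password: Optional[str]) -> bool:
        record = self.users.get(name)
        if record is None or password is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def resolve(self, path: str) -> Optional[Tuple[str, str]]:
        """Map /vpi/<device>/<local path> to (device, local path).  '.' and '..'
        segments are rejected so a client cannot step out of the subdirectory
        the portal exposes for that device."""
        if not path.startswith(self.prefix + "/"):
            return None
        segments = path[len(self.prefix) + 1:].split("/")
        if not segments[0] or any(seg in (".", "..") for seg in segments):
            return None
        device, *local = segments
        return device, "/" + "/".join(local)

    def handle(self, req: Request) -> Response:
        """Authenticate, authorise, then relay; every outcome is audited."""
        def finish(outcome: str, status: int, body: str) -> Response:
            # A real audit trail would also record timestamp and client address.
            self.audit.append(f"{outcome} user={req.user} {req.method} {req.path} -> {status}")
            return Response(status, body)

        if not self.authenticate(req.user, req.password):
            return finish("DENY-AUTH", 401, "authentication required")
        target = self.resolve(req.path)
        if target is None:
            return finish("DENY-PATH", 400, "malformed VPI path")
        device, local = target
        if req.method not in self.rights.get(req.user, {}).get(device, set()):
            return finish("DENY-RIGHT", 403, "no right for this method on this device")
        if any(local.startswith(p) for p in self.blocked.get(device, ())):
            return finish("DENY-BLOCKED", 403, "function blocked in the portal")
        if device not in self.agents:
            return finish("NO-AGENT", 503, "device agent not connected")
        resp = self.agents[device](req.method, local)
        return finish("ALLOW", resp.status, resp.body)


def demo_portal() -> Portal:
    """Constructed setup: one user, one blocked function, one connected device."""
    portal = Portal()
    portal.add_user("ops", "s3cret-example")
    portal.grant("ops", "plc-01", {"GET"})
    portal.grant("ops", "plc-02", {"GET"})        # granted, but its agent never connects
    portal.block("plc-01", "/setup/")              # configuration pages hidden from ops
    portal.register_agent("plc-01", make_agent({"/status.htm": "RUN",
                                                "/setup/index.htm": "config"}))
    return portal
```

With `p = demo_portal()`, `p.handle(Request("GET", "/vpi/plc-01/status.htm", "ops", "s3cret-example"))` is relayed to the agent and returns `Response(200, "RUN")`, while a `POST` to the same page is refused with 403 because only `GET` was granted, a request for `/vpi/plc-01/setup/index.htm` is refused because that function is blocked in the portal, a path containing `..` is rejected before any lookup, and `/vpi/plc-02/status.htm` yields 503 because that device's agent has not connected. Each decision appends one line to `p.audit`. The method allowlist per device is what the “Advantages” list means by access on application level rather than protocol level: the portal forwards only the HTTP operations it was told to, not an IP route.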
Advantages
- All data traffic over the Internet is encrypted (HTTPS)
- Gateway and firewall: no configuration changes necessary
- Each user identifies himself by password and user name
- The access rights can be managed in a simple way by the end customer himself. The customer’s VPI agent manages and controls access rights, so the customer always has precise control over who can do what and where.
- Every access can be logged in detail
- The clearly defined functionality of the VPI allows an effective, automated monitoring against hacker attacks.
- Access is realized on application level instead of protocol level. Opening up IP-level access for an external user in a conventional solution requires the configuration of extensive restrictions to ensure security. VPI, on the other hand, implements only the functionality that is really needed from the start and is therefore much easier to control and much more robust against attacks.
- The connection can be activated from the device only when needed
- The entire connection can be closed at any time without affecting the normal operation of the network in any way
Net topology