SolutionsInAction™ Technology for Real Applications 

Access to Remote Devices Behind a Router/firewall & Protect with Conditional Access – All without changing the Network

Secure Remote Connectivity to Devices behind the Firewall

IpTL’s patent-pending IPShare™ gives you secure remote connections with conditional and deterministic access to network devices behind remote routers, firewalls, or NATs.  IPShare™ can give you access even when you have no control over the remote customer site network, IP networking addressing, or access to the remote router.

As one of the SuperNAC™ suite of software-defined perimeter features, IPShare™ provides the following solutions to remote device access and security:

  • Pin-point remote network access to devices like IP Cameras and NVRs
  • Block all network traffic over the VPN except when requested by a host
  • No need to configure the router or renumber the LAN – overlapping IP addresses are ok

Challenges

  • You need access to a remote IP Camera or NVR but it is behind an existing router on a private network.
  • Remote sites are NOT under the administrative control of the headend.
    • You cannot “renumber” or modify the configuration of the network (e.g., port forwards, static IP, or have any network prerequisites).
    • No access to the remote “router” to change settings.
    • No ability to set “VLANs” or other 802.1x methods.
  • Access may be wired Internet, but other sites will require Internet from LTE/Cellular; all are dynamic-IP and private IP.
  • Need to prevent access into the Headend network from the remote network (PC’s, Wi-Fi, etc.)
  • Need to prevent random access into the remote network from the Headend network.
  • Needs to scale from one to hundreds or thousands of remote locations.

The IpTL Secure Network Gateway creates an Armored Tunnel to the Headend server over an existing Internet connection.   On the remote IpTL appliance, the tunnel provides Ethernet LAN connectivity from the headend network to the IPShare™ switching engine. Locally, IPShare™ connects to the physical Ethernet LAN and then creates a routed interface, with NAT, between the Armored Tunnel and the local LAN.

On each side of the IPShare™ engine the network addressing space remains the same.  Therefore no new routes or router configurations are required, and you can connect multiple sites that have the same IP network.  For extra security, enabling the SuperNAC™ connection-based switching prevents any traffic from traversing back up into the Headend Network.

  • The IpTL appliance connects to the Local Isolated LAN Ethernet.
  • An Armored Tunnel connects the appliance to the Headend network over the existing LAN network.
    • The IPShare™ interface on the IpTL appliance has an address on the Headend network (“the other end of the tunnel”)
  • NAT on the tunnel watches for in-bound connections and automatically translates addressing between networks.
  • Connection-tracked switching blocks all data transfer between interfaces until a valid request is made.
  • Each network is segmented, isolated, & controlled
The user initiates an HTTP, RTSP or similar network request to the IP Camera.

  • The IPShare™ switching engine closes all traffic from the Isolated LAN until a connection request from the Headend network is initiated.
    • The IpTL appliance will forward inbound connections to the camera and translate between the Isolated LAN address and the IPShare™ Headend address. No configuration required on the Isolated LAN routers or devices — to access the camera you point to the address of the IPShare™ addresses on the IpTL appliance.
  • SuperNAC™ security is configured to only allow data from the IP camera to the headned LAN only when communications are first initiated by a requesting host on the headend LAN.
    • The IP camera, or any other network devices, cannot initiate any network traffic to the Headend LAN.
    • Conditional access is connection-based and the camera can only communicate with the requested host; when the connection is terminated all communications are blocked.
    • Only the IP Camera can be accessed from the Headend. General network access blocked.

Additional security can be implemented by setting a SuperNAC™ application filter to only allows video camera data (e.g. RTSP or HTTP) to flow from the Enclaved Network to the Protected LAN.

The Headend server forwards local LAN requests over the Armored Tunnel to the remote appliance.
IPShare™ forwards the user to the IP Camera or NVR but translates to a LAN address on the Isolated LAN.

Solution – How-it-Works

See the Magic for Yourself with our Free Trial Demo

Sometimes you just need to see it for yourself.  We’ve setup a program to do just that.  Click the Try Now if you want to see the magic of IpTL absolutely reliable networking!

Copyright 2019 IP Technology Labs, LLC.   All trademarks are the property of their respective owners.

IP Technology Labs

IP Technology Labs