
eWON Layered Security Approach |
© 2014 eWON Inc. This document is property of eWON Inc.
security settings on the device restrict traffic between its two network interfaces. This
network segregation limits remote access to only those devices connected to the
LAN of the eWON. Access to the rest of the network is prevented.
The eWONs themselves have user-level access rights separate from the Talk2M login.
Only users with appropriate credentials and access rights can change the security
settings on the eWON. Similarly, for the devices with data services, only authorized
users can view or modify the data.
All of our hardware devices feature a digital input. A switch can be connected to
this input and the state of the switch can enable or disable the WAN port. This allows
the end user to keep full local control of whether or not the device is remotely
accessible.
The eWON needs the same type of settings as a PC connected to the same network
(IP address, subnet mask and gateway, plus any optional proxy settings). Since the
eWON can act as a DHCP client, it can be configured to receive those settings
automatically. However, the eWON also can be set up to use a static IP address that
is assigned and controlled by the IT department if preferred.
Application
IP, port, and protocol filtering/firewalling available. Restricted access based on user, group,
site for all or single devices or specific port.
Within the eCatcher application, Talk2M account administrators can set filtering and
firewalling rules about which devices behind the eWON are remotely accessible and
even over which ports and with which protocols they are accessible. When
combined with Talk2M’s user rights management discussed below, Talk2M
administrators have the ability to tailor the remote access rights to fit their
organizational structure.
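To make the layered model concrete (a user's rights scoped to sites or individual eWONs, then per-device filtering by host, protocol and port, with everything else denied), here is an added, illustrative policy evaluator. It is not eWON's or Talk2M's own code; the data model, names (sites, groups, hosts, ports) and sample rules are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class DeviceRule:
    """One eCatcher-style firewall entry (assumed shape): a LAN host or
    subnet behind the eWON, the protocol and the permitted ports."""
    network: str                      # "10.0.0.5/32" or "10.0.0.0/24"
    protocol: str                     # "tcp", "udp" or "any"
    ports: FrozenSet[int] = frozenset()   # empty set = every port

    def matches(self, host: str, protocol: str, port: int) -> bool:
        return (ip_address(host) in ip_network(self.network)
                and self.protocol in ("any", protocol)
                and (not self.ports or port in self.ports))


@dataclass
class Policy:
    """Assumed data model: eWONs belong to a site; users belong to groups;
    a group is scoped to sites and/or single eWONs and carries device rules."""
    ewon_site: Dict[str, str]                   # eWON name -> site
    user_groups: Dict[str, Set[str]]            # user -> groups
    group_scope: Dict[str, Set[str]]            # group -> sites or eWONs
    group_rules: Dict[str, List[DeviceRule]] = field(default_factory=dict)

    def is_allowed(self, user: str, ewon: str, host: str,
                   protocol: str, port: int) -> bool:
        """Default deny: a connection is permitted only if some group of the
        user covers this eWON (by site or by name) AND one of that group's
        device rules matches the LAN host, protocol and port."""
        site = self.ewon_site.get(ewon)
        if site is None:                       # unknown eWON: deny
            return False
        for group in self.user_groups.get(user, set()):
            scope = self.group_scope.get(group, set())
            if ewon not in scope and site not in scope:
                continue                       # group has no rights here
            rules = self.group_rules.get(group, [])
            if any(r.matches(host, protocol, port) for r in rules):
                return True
        return False


# Constructed sample account: two sites, two groups, three users.
POLICY = Policy(
    ewon_site={"flexy-line1": "plant-A", "flexy-line2": "plant-B"},
    user_groups={"alice": {"maintenance"}, "bob": {"integrators"}, "carol": set()},
    group_scope={"maintenance": {"plant-A"}, "integrators": {"flexy-line1"}},
    group_rules={
        "maintenance": [DeviceRule("10.0.0.5/32", "tcp", frozenset({502})),   # PLC
                        DeviceRule("10.0.0.6/32", "tcp", frozenset({80, 443}))],  # HMI web
        "integrators": [DeviceRule("10.0.0.0/24", "any")],   # whole LAN, one eWON only
    },
)
```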
Encryption
VPN sessions are end-to-end encrypted using SSL/TLS for session authentication and the IPsec ESP protocol for tunnel transport over UDP and TCP/IP.
Communications between the remote user and the eWON are fully encrypted. All users and eWON units are authenticated using SSL/TLS for HTTPS session authentication and the IPsec ESP protocol for secure transport over UDP. Talk2M supports the X.509 PKI for session authentication, TLS for key exchange, the cipher-independent EVP interface for encrypting tunnel data, and the HMAC-SHA1 algorithm for authenticating tunnel data.
Management & Accountability
Unique user logins, configurable user rights to different devices, connection traceability.
A Talk2M account may have an unlimited number of users. Administrators can create unique logins for every user who needs to access equipment remotely. These unique logins make it easy to grant and revoke access privileges as needed. In addition, Talk2M account administrators can restrict which remote eWONs particular users can access, which devices behind those eWONs are accessible, and even the ports on those devices and the communication protocols used. For instance, an administrator might permit remote users to reach the web services in a particular