miho IT Guidelines

in the version of 2016-04-22

Introduction

A successful remote access is the key to improved customer satisfaction due to lower cost and shorter shut-down times; it also saves resources on the side of the machine manufacturer. In the past, the machines to be accessed remotely were reached via modem technology and the telephone network. Under normal circumstances, analogue modems were used (because the analogue telephone network is available worldwide); in special cases ISDN based solutions were used. Analogue modems have the following advantages:
• Analogue telephone network (still) available worldwide, in emergency via mobile networks
• Low security risks due to direct, wire based point to point connection
However, they have some serious disadvantages:
• Great instability of the established connection, requiring very frequent reconnecting.
• Low speed (very often below 19000 Bit/s)
• Possible problems due to technology changes on the customer’s side (like VoIP)
• Separate infrastructure needed (cable / connection to the telephone system)
Especially when accessing complex image-processing systems, the low connection speed is becoming more and more of a bottleneck, since the resulting slow build-up of the image on the service engineer’s computer prevents him from operating the machine quickly enough.
As an alternative, internet based technologies have been established, with the following advantages:
• Nearly the same worldwide coverage as the telephone network
• Universal, extendable and very failsafe network
• Almost no danger of connection drop-outs.
• Speed is scalable, usually only a question of the price.
• Flexibility: The connection can be established via the existing customer network, or a separate self-contained connection similar to a modem connection can be installed.
However, the following disadvantages have to be considered:
• Security: Information transported via the internet uses unsecured and sometimes anonymous connections as a matter of principle. Therefore encryption of the transported data / information is mandatory. Besides this, unauthorized persons must be prevented from obtaining access to the customer’s machines. To achieve this, adequate means to identify the service engineer and also the customer’s machine must be established.
• The network technology on which the internet is based requires a higher level of specific knowledge to work with it.
As far as security is concerned, one must understand that there is no such thing as 100% security, neither with a modem connection nor via the internet, nor even without any external connection. If someone wants to obtain unauthorized access to a machine, there will be a way, even by using the weakest link on site, like bribing an employee. In the end it is a question of risk analysis and of the adequate barriers installed to block a potential intruder. In summary, the advantages of internet based remote access, especially for complex image processing systems, are significantly higher if the proper security measures for this medium are implemented.

Technical Solution

The software package OpenVPN is used for the encryption and authentication.
It has the following advantages:
• Authentication via state of the art "public key" methods
• Modular, secure, encrypted transmission of data
• The complete communication uses only one port
• NAT-capability
• Easy to route through a network
• Several years of experience at miho, because it is used for our own in-house remote access tasks
The technical side consists of a dedicated Remote Access server at miho (VM-XP-RA1) that is protected on both sides (towards the internet and towards miho) by firewalls. If needed, the customer initiates a connection to this server via a VPN tunnel. From that moment onwards, a point to point connection between the customer’s machine and our Remote Access server exists. Each machine gets a unique certificate to identify itself at the miho Remote Access server. In case of misuse, it is easy for us to withdraw this certificate and block any further access to our Remote Access server. If we receive a Remote Maintenance request, one of our service engineers can initiate a VPN tunnel from his desk (or anywhere in the world, if necessary) to the Remote Access server. This way he can log into the same virtual private network which already "contains" the customer’s machine and can start the remote maintenance. The service engineer is of course required to identify himself with a unique certificate, too. The Remote Access server has a dynamic address in the internet; this represents another barrier against an attack.
The customer’s miho machine (David2, MC3, NOP2 or Awes PC) initiates a DNS request (port 53 UDP or TCP) to obtain the address of the miho Remote Access server (ra1-miho.dyndns.org, ra1-miho.ignorelist.com). There is also a static address (94.79.148.178), but it should not be used, because in case of a change of our internet service provider this address will no longer be valid. After that, the encrypted communication is initiated by contacting the Remote Access server on port 5850 (UDP). A socket connection is established using a dynamically assigned port on the client side (as usual with socket connections); from then on the completely encrypted communication runs via port 5850 (UDP).
Please note that no proxy server is allowed between the customer’s miho systems and the Internet. Because the connection request is initiated on the customer’s side, no port forwarding within the customer’s firewall is necessary in case of simple network structures (the customer has a dedicated DSL line for the miho machine (David2, MC3, NOP2 or Awes PC) only, consisting of nothing but the DSL router and the machine).
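As an added illustration of how the design described above maps onto OpenVPN directives (this is not a configuration shipped by miho or taken from this document), the following client profile addresses the server by its DNS names rather than the static address, uses UDP port 5850 from a dynamic local port, authenticates the machine with its own certificate and checks the server’s certificate in return. The hostnames and the port are those named above; the certificate and key file names, and the presence of a tls-auth key on the miho server, are assumptions.

```conf
# OpenVPN client profile for a miho machine at the customer site.
# Added example; file names below are placeholders, not miho's real files.
client
dev tun
proto udp

# Address the server by name only. The static address is deliberately
# not listed, so a change of provider does not strand the client.
remote ra1-miho.dyndns.org 5850
remote ra1-miho.ignorelist.com 5850
remote-random
# Keep retrying name resolution; the server address is dynamic.
resolv-retry infinite

# Do not bind a fixed local port: the OS assigns the client port dynamically.
nobind
persist-key
persist-tun

# Per-machine identity issued by the miho CA (file names assumed).
ca   ca.crt
cert machine-customerA-MC3.crt
key  machine-customerA-MC3.key

# Accept only a peer certificate issued for server use, so a leaked
# client certificate cannot be used to impersonate the server.
remote-cert-tls server

# Control-channel HMAC key (assumed to be issued by miho): packets without
# the correct HMAC are dropped before any TLS handshake is attempted.
tls-auth ta.key 1

verb 3
```

On the server side the counterpart of "withdrawing" a machine certificate is the directive `crl-verify crl.pem`, which makes OpenVPN check every presented client certificate against the CA’s certificate revocation list on each connection; with easy-rsa 3 the list is maintained with `easyrsa revoke <name>` followed by `easyrsa gen-crl`, and no change on the customer’s machine is needed for the block to take effect.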

Technical requirements

Solution 1 - Standalone:
Separate internet (DSL) connection for miho devices.
Solution 2 - Integration into existing IT system:
Separate network with internet connection through ports 53 (TCP & UDP) and 5850 (UDP) as outgoing connections for VPN socket establishment (client: dynamic port). One IP address per miho device plus one reserve IP address for service purposes is necessary in this network.
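For Solution 2 the separate network needs an egress policy that permits exactly the two outgoing services named above and nothing else. The following nftables rule file is an added example, not a rule set from this document or from miho; it assumes a Linux gateway with the miho segment on interface miho0 in the constructed documentation range 192.0.2.0/28 and the uplink on wan0. A firewall from another vendor needs the equivalent: stateful egress for 53/TCP, 53/UDP and 5850/UDP from the segment, replies allowed, no unsolicited traffic into the segment and no forwarding between the segment and the rest of the customer network.

```conf
#!/usr/sbin/nft -f
# Egress policy for the separate miho network (Solution 2). Added example;
# interface names and the 192.0.2.0/28 range are constructed assumptions.
flush ruleset

table inet miho_egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the miho devices opened. The client source
        # port is dynamic, so the rule set must be stateful.
        ct state established,related accept

        # Only traffic leaving the miho segment towards the uplink is
        # examined further; nothing enters the segment unsolicited and
        # nothing is forwarded between the segment and other customer LANs.
        iifname "miho0" oifname "wan0" ip saddr 192.0.2.0/28 jump miho_out
    }

    chain miho_out {
        # DNS lookup of the remote access server name (53 TCP and UDP).
        udp dport 53 accept
        tcp dport 53 accept
        # OpenVPN control and data channel to the miho server (5850 UDP).
        udp dport 5850 accept
        # Everything else from the segment is logged for review and dropped.
        log prefix "miho-egress-drop " drop
    }
}
```

The log line on the final rule is what an administrator checks first when a miho device cannot establish its tunnel: a dropped packet to a port other than 53 or 5850 usually points to a proxy or a different DNS path being in use, which this design does not allow.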
Alternative: TeamViewer
In case a customer owns a TeamViewer licence, we can use it as an alternative way for remote assistance. However, we have to point out that our own solution based on OpenVPN is the most common among our customers and therefore the best supported solution, and that when using TeamViewer, data traffic may be routed via TeamViewer’s servers, for whose security we cannot accept any liability (proprietary software).

Declaration of the exclusion of liability

Administrator-level access
The administrator-level access to miho machines and PCs is normally not available to the customer, to avoid misconfiguration and the related system breakdown and loss of production. In addition, this ensures that no viruses or other malware can reach the miho systems or even the customer’s network through the installation of foreign software. If the customer explicitly requires the release of the administrator password for miho machines and PCs, this can be done by signing this declaration and the enclosed release from any liability. In this case, miho will take no responsibility for any damages which are directly or indirectly caused by the customer’s usage of the administrator access, specifically, for example:
• Loss of data
• Loss of production
• Spreading of viruses and other malware
• Software incompatibilities

We understand the above statement and herewith declare that the release of the administrator access to miho machines and PCs is at our request, and that we are willing to accept the risk. We herewith release miho Inspektionssysteme GmbH from any liabilities and eventual claims for indemnification arising out of the above mentioned events.

miho Remote Control
For security reasons, remote control of miho made machines and equipment will normally be realized through the following means only:
1) a direct dial-up connection (customer to provide an analogue telephone line)
2) a direct connection to an internet access (customer to provide an adequate internet access)
Both of the above means avoid any connection to an existing network of the customer. In this way it is prevented that viruses or any other damaging software possibly coming from miho equipment can disturb the customer’s network, or vice versa. If the customer explicitly demands a connection of miho equipment to an existing network, such a connection can be established. In such a case miho cannot be held responsible for any damages caused directly or indirectly by the networking, e.g.
• loss of data
• loss of production
due to the spreading of viruses or other damaging software, or plain software incompatibilities.

We understand the above statement and herewith declare that the connection of miho equipment directly to our network will be established at our request, and that we are willing to accept the risk. We herewith explicitly release miho Inspektionssysteme GmbH from any liabilities and eventual claims for indemnification arising out of the above mentioned events.

miho Production data acquisition
For security reasons, the transfer of production data from the machines made by miho is done via the following means only:
• Direct connection of a production data collection system (PC) via an individual network connection.
This way, any connection to the customer’s network is avoided. This ensures that neither viruses or other malware from miho machines can disturb the customer’s network, nor, the other way round, that such software can gain influence on miho machines.

If the customer explicitly demands a connection of miho equipment to an existing network, such a connection can be established. In this case, miho will take no responsibility for any damages which are directly or indirectly caused by the customer’s usage of the administrator access, specifically, for example:
• Loss of data
• Loss of production
due to the spreading of viruses or other damaging software, or plain software incompatibilities. miho guarantees that the machines delivered are free of viruses and other malware at the time of delivery. Since the machines are accessible to maintenance and other personnel thereafter, miho cannot guarantee this at a later time.

We understand the above statement and herewith declare that the connection of miho equipment directly to our network will be established at our request, and that we are willing to accept the risk. We herewith explicitly release miho Inspektionssysteme GmbH from any liabilities and eventual claims for indemnification arising out of the above mentioned events.

Preconditions for installation and maintenance

Both for the installation of the various software components for remote maintenance and for the production data acquisition, we need local administrator accounts.
The customer must ensure, especially if our systems are to be integrated into the customer's network, that at the agreed installation time an employee of his IT department is available for the smooth handling of the necessary integration work.