Remote assistance and monitoring
Posted: Sun Feb 28, 2010 7:50 am
by Bill_G
With internet access very common these days, and more equipment becoming available with eth ports, pc based, ip config, etc., it's easy to access a remote site from your office to make changes, or diagnose a problem before responding. I've become fond of the Juniper SSG-5 Netscreens to establish secure vpn access, and VNC to assist dispatchers with console issues. But, some folks use Cisco vpn clients and PC Anywhere. Others use LogMeIn. What do you use to remotely access your customer systems while keeping them secure? Any pros and cons to these strategies?
Re: Remote assistance and monitoring
Posted: Sun Feb 28, 2010 8:00 am
by d119
We've discussed this with our customers in the past, and the general consensus has always been that the radio system, as a critical life/safety infrastructure, should have NO internet access whatsoever.
This was also discussed with regards to remote maintenance of trunked infrastructure, such as being able to remotely call up UEM on an Astro25 7x system and diagnose system problems, clear alarms, etc.
Motorola was very against the system having any sort of internet access, for fear of intrusion, terrorist attack, etc.
Motorola's NMO group in Schaumburg that DOES remotely monitor systems uses dedicated T1 circuits between the site and Schaumburg for monitoring. It's all on a private network that theoretically cannot be penetrated by nefarious people.
Personally, I'd rather drive out to the site and deal with the problem than have some screwball penetrate the network and wreak havoc on the system.
Re: Remote assistance and monitoring
Posted: Sun Feb 28, 2010 8:06 am
by bezking
Hi Bill,
I am a programmer for an institution where security is paramount, so we use a Cisco VPN with AES-256 encryption. You can't beat it. I can even use it with my iPhone. Coupled with VNC, I have the ultimate remote access system, to my desktop, servers, you name it. And my apps require no specific config to work through it. The downside is Cisco is very expensive, but you seem to be good with the Netscreen (which I heard was excellent), so it will work as well. Also, if you go the VPN route, you don't have to worry about a third party service failing (besides your ISP, that is)... Just my $.02
ETA: I just saw d119's response, and I would agree... If you must connect something so sensitive as a PS TRS, use a leased line. Be aware, though, that a single 1.5Mbps link can cost about as much as a few new APX7000s with P25 trunking per month.

Re: Remote assistance and monitoring
Posted: Sun Feb 28, 2010 8:18 am
by d119
bezking wrote: ETA: I just saw d119's response, and I would agree... If you must connect something so sensitive as a PS TRS, use a leased line. Be aware, though, that a single 1.5Mbps link can cost about as much as a few new APX7000s with P25 trunking per month.

Oh believe me, it does... And in the past I've had to reconfigure that leased line when they've changed providers to cut costs. But you cannot beat the security of it. I'd guess that Motorola gets a decent deal on these circuits considering they likely have quite a few of them for the various systems they monitor.
The other way they do it with small systems is to install MOSCAD devices with the trunked infrastructure, and connect dial-up modems to them. When something goes wrong, the MOSCAD system phones home and reports in. I maintain another system with this feature, and it works well, and again, is pretty secure.
Re: Remote assistance and monitoring
Posted: Sun Feb 28, 2010 8:50 am
by Bill_G
I understand the risks. We've discussed them with our customers as well, and they have allowed it, but I would understand if one of them said no way no how. I fell into Juniper products. A Netscreen came with a project engineered by another group without any config template, and I had to learn them cold. Even though we're in the Silicon Forest, Cisco dominates the market, and few people I knew had any experience with Juniper. I just drilled through their knowledge base, and got 'er done. I am by no means an expert. But, I can tell by the stats that no one has attempted to attack them.
One thing I do to keep a low profile is to limit services, and not respond to anything except a proper vpn ipsec tunnel request. I have tunnels between sites. Some of the tunnels pass actual traffic, and some are there to set an alarm if the tunnel goes down. If a link fails, I'll get several emails from different sites reporting a site down. The dsl modems will respond to icmp, but the Netscreens won't. Neither will respond to telnet or http until a secure tunnel is established and I access them from the protected side. If I can ping the modem, but not start a tunnel, I know something happened beyond the modem, and a site visit is warranted. If I can't ping the modem, I call the provider to start a ticket before saddling up.
Re: Remote assistance and monitoring
Posted: Mon Mar 01, 2010 7:30 am
by 515
I've found that these 900 MHz wireless modems work well with the Quantar and Astro-TAC:
http://www.digi.com/products/wireless/x ... p#overview
They're 900 MHz frequency hopping spread spectrum with built in AES encryption, so they're fairly secure.
They work well when connected to the RS-232 RSS port on the Quantar. When the Quantar has the right options, you can monitor the station's RSSI in real time, which is useful for detecting interference on the repeater input, or testing subscriber antenna changes. The station's codeplug can also be read/written via the 900 MHz link--no trip to the site necessary!
Re: Remote assistance and monitoring
Posted: Mon Mar 01, 2010 12:11 pm
by Bill_G
515 wrote: I've found that these 900 MHz wireless modems work well with the Quantar and Astro-TAC:
http://www.digi.com/products/wireless/x ... p#overview
They're 900 MHz frequency hopping spread spectrum with built in AES encryption, so they're fairly secure.
They work well when connected to the RS-232 RSS port on the Quantar. When the Quantar has the right options, you can monitor the station's RSSI in real time, which is useful for detecting interference on the repeater input, or testing subscriber antenna changes. The station's codeplug can also be read/written via the 900 MHz link--no trip to the site necessary!
Excellent idea, especially if the customer has the budget, and you're in an area that isn't already congested with 900M traffic. It's as good as or better than maintaining dialup service to a site. If a reliable path exists, I don't have a problem with this strategy. I like it. We've done similar things with customer equipment returning through the channel banks on their microwave backbone. Sometimes Motorola ships it back on a MOSCAD. Sometimes we ship it back via the SRU ports. Whatever it takes to make intelligent decisions about where to send your personnel when problems occur, and to see problems before they occur.
Re: Remote assistance and monitoring
Posted: Thu Mar 04, 2010 8:34 pm
by FatBoy
I use the free version of logmein.com and ZoneAlarm to prevent anyone except logmein.com's ip addresses from accessing it. Logmein.com can be accessed from any internet connected computer (sweet and crappy at the same time. Make sure your passwords are strong!!). It is what I use on some of my low end VOIP links (eeeeek! Critical RF included) and other embedded systems.....FatBoy
Re: Remote assistance and monitoring
Posted: Thu Mar 04, 2010 9:26 pm
by tvsjr
FatBoy wrote: I use the free version of logmein.com and ZoneAlarm to prevent anyone except logmein.com's ip addresses from accessing it. Logmein.com can be accessed from any internet connected computer (sweet and crappy at the same time. Make sure your passwords are strong!!). It is what I use on some of my low end VOIP links (eeeeek! Critical RF included) and other embedded systems.....FatBoy
Ewwwwwww.
If you're internet-connected, at the very least, drop the money for a Cisco ASA5505 and set up IPSec VPN support using strong passwords (or two-factor authentication) plus a strong pre-shared key. Lock the VPN down with ACLs to only allow the services you need to pass (don't let things like NetBIOS through).
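A configuration of the kind tvsjr recommends here, with the outside interface kept quiet the way Bill_G describes for his Netscreens, as an added illustration that is not from anyone in this thread. It is written in pre-8.4 ASA (IKEv1 "isakmp") syntax; every address, pool, name and the two placeholder secrets are assumptions.

```cisco
! Added illustration, not a configuration posted in this thread.
! ASA 5505, pre-8.4 (IKEv1 "isakmp") syntax. Addresses and names are made up.
! Outside interface stays quiet: no ICMP replies, no telnet/http from outside.
icmp deny any outside
! Management only from the inside network, reachable once the tunnel is up
ssh 192.168.10.0 255.255.255.0 inside
management-access inside

! Pool handed to remote-access clients (example range)
ip local pool VPN_POOL 10.99.0.10-10.99.0.20 mask 255.255.255.0

! vpn-filter: source = VPN client, destination = inside host/port.
! Only VNC and SSH to the dispatch console; NetBIOS/SMB denied; everything else logged.
access-list VPN_FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 192.168.10.5 eq 5900
access-list VPN_FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 192.168.10.5 eq 22
access-list VPN_FILTER extended deny udp any any range 137 138
access-list VPN_FILTER extended deny tcp any any eq 139
access-list VPN_FILTER extended deny tcp any any eq 445
access-list VPN_FILTER extended deny ip any any log

! IKE phase 1: pre-shared key plus per-user password (XAUTH), AES-256
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! IPsec phase 2
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! Group policy carries the filter (sysopt connection permit-vpn bypasses
! interface ACLs for VPN traffic, so the vpn-filter is what restricts it); no split tunnelling
group-policy RADIO_TECHS internal
group-policy RADIO_TECHS attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value VPN_FILTER
 split-tunnel-policy tunnelall

! One local account per technician; point the tunnel-group at RADIUS/OTP for two-factor
username tech1 password REPLACE-WITH-STRONG-PASSWORD
tunnel-group RADIO_VPN type remote-access
tunnel-group RADIO_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy RADIO_TECHS
tunnel-group RADIO_VPN ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
```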
Re: Remote assistance and monitoring
Posted: Fri Mar 05, 2010 6:50 am
by Bill_G
FatBoy wrote: I use the free version of logmein.com and ZoneAlarm to prevent anyone except logmein.com's ip addresses from accessing it. Logmein.com can be accessed from any internet connected computer (sweet and crappy at the same time. Make sure your passwords are strong!!). It is what I use on some of my low end VOIP links (eeeeek! Critical RF included) and other embedded systems.....FatBoy
There is a small agency in central WA that does the LogMeIn thing to remotely access their system from a cellphone to tap out. I doubt they use ZA. I think they are depending on the NAT of their DSL to keep the unwanteds out. Not the most secure system, but in 3 people per square mile country where the phrases "public safety" and "budgetary process" are contradictory terms, you do what cha gotta do.
FIPS ?: Remote assistance and monitoring
Posted: Sat Mar 13, 2010 11:25 am
by psapengineer
Quick Comment:
If the agency does law enforcement too, where they run plates, etc., their network will need to meet the security required by WSP as detailed in the "FIPS 140.2" document describing network security.
Re: Remote assistance and monitoring
Posted: Sat Mar 13, 2010 2:06 pm
by Bill_G
It's a VFD in the Yakima Valley area. But, a valid concern nonetheless. I'll mention it to them. Thanks!
Re: Remote assistance and monitoring
Posted: Mon Jul 19, 2010 5:58 pm
by luisa.kmet
Motorola is using Cisco boxes running a Cisco VPN or, lately, Juniper boxes running a Juniper VPN to access and remotely manage systems via internet providers.