The IXON Remote Service solution is designed to offer safe and secure remote access to industrial equipment worldwide for remote troubleshooting, programming and monitoring. As a result, it significantly reduces service costs and machine downtime.
The IXrouter can easily be connected to the hardware on your machine, allowing you to access your machine remotely for monitoring, troubleshooting, and service purposes.
The IXON Cloud is a secure and powerful platform made up of a worldwide network of scalable servers. It is focused on delivering and enhancing innovative remote service. The IXrouter that is connected to your hardware connects to the IXON Cloud via a secure VPN connection.
The IXclient is a lightweight application that runs in the background on your PC. It establishes a VPN connection when you use the IXON Cloud to remotely connect to your devices.
How is security ensured in the machine network?
The IXrouter is equipped with a built-in firewall that completely separates the WAN port (company network) from the LAN ports (machine network). The firewall blocks all communication except for authorized and encrypted data verified by a valid identity certificate. This means that only authorized users can access the machine network via our IXON Cloud.
By default there is zero communication possible from the customer network to the machine network (and vice versa). The IXrouter is configurable, however, to allow communication from the customer network to the machine network via port forwarding.
How is security ensured in the customer network?
The IXrouter uses an outgoing port to establish a secure connection to our IXON Cloud. This means there is no need to open any incoming ports in your firewall.
Below is an overview of the outgoing ports and protocols that the IXrouter utilizes:
| Port | Protocol | Service |
|---|---|---|
| 443, 8443 (1) | TCP | HTTPS, MQTT (TLS), OpenVPN (3) |
| 53 (2) | TCP & UDP | DNS |
(1) Port 8443 is only used when stealth mode is activated for connectivity via a censored internet connection (e.g. when located in China).
(2) DNS requests are often handled by local DNS servers. In those cases the listed DNS port can be ignored.
(3) The very first packet may be considered unencrypted, as the OpenVPN handshake takes place prior to the TLS handshake. For this reason an exception may be required on firewall rules that block non-SSL traffic over SSL ports.
Via these outgoing ports the IXrouter connects to different IXON servers: REST API, MQTT and OpenVPN servers. The IP addresses of these servers, as well as the number of these servers, may change over time and are thus not pre-defined. What is pre-defined is the domain of these servers. This domain will always end with ".ixon.net" (e.g. am01.ixon.net). The IXrouter attempts to resolve these addresses by doing DNS requests. If it can't perform DNS requests, it can't connect to our servers. Port 443 is the standard TCP port for traffic using SSL/TLS and is normally open, as it is used by other services to set up a secure connection (e.g. internet banking).
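The outbound requirements above (port table, its three footnotes and the ".ixon.net" suffix rule) can be turned into a pre-deployment check. The following is an added example, not IXON's code; the EgressPolicy fields are an assumed, constructed model of how a site's outbound firewall policy might be described, and the hostname am01.ixon.net is the one the page itself cites.

```python
from dataclasses import dataclass

IXON_SUFFIX = ".ixon.net"  # every IXON server name ends with this (page statement)


def is_ixon_host(hostname: str) -> bool:
    """True only for names under ixon.net, so 'evil-ixon.net' does not match."""
    return hostname.lower().endswith(IXON_SUFFIX)


def required_flows(stealth_mode: bool, local_dns: bool):
    """(proto, port, purpose) tuples the router needs, per the table and footnotes."""
    flows = [("tcp", 443, "HTTPS, MQTT (TLS), OpenVPN")]
    if stealth_mode:                       # footnote 1: 8443 only in stealth mode
        flows.append(("tcp", 8443, "stealth-mode HTTPS/OpenVPN"))
    if not local_dns:                      # footnote 2: 53 not needed with a local resolver
        flows += [("tcp", 53, "DNS"), ("udp", 53, "DNS")]
    return flows


@dataclass
class EgressPolicy:
    """Constructed model of a site's outbound firewall policy (assumption)."""
    allowed_ports: set            # {(proto, port)} permitted outbound
    allowed_domains: set          # e.g. {"*"} or {"ixon.net"}: destination allowlist
    blocks_non_tls_on_tls_ports: bool = False   # "block non-SSL traffic over SSL ports"
    stealth_mode: bool = False
    local_dns: bool = True


def domain_allowed(policy: EgressPolicy, hostname: str) -> bool:
    return "*" in policy.allowed_domains or any(
        hostname == d or hostname.endswith("." + d) for d in policy.allowed_domains)


def check_egress(policy: EgressPolicy, sample_host: str = "am01.ixon.net") -> list:
    """Return human-readable findings; an empty list means the router can connect."""
    findings = []
    for proto, port, purpose in required_flows(policy.stealth_mode, policy.local_dns):
        if (proto, port) not in policy.allowed_ports:
            findings.append(f"{proto}/{port} outbound is blocked ({purpose})")
    if not domain_allowed(policy, sample_host):
        findings.append(f"{sample_host} not in destination allowlist; allow *{IXON_SUFFIX}")
    if policy.blocks_non_tls_on_tls_ports:   # footnote 3: first OpenVPN packet is not TLS
        ports = "tcp/443" + (" and tcp/8443" if policy.stealth_mode else "")
        findings.append(f"non-TLS filter on {ports} needs an exception for *{IXON_SUFFIX}")
    return findings
```

Run check_egress against the policy the IT department proposes before shipping the router to site; each finding maps back to one row or footnote of the table.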
The local IT department may choose to only grant specific devices internet access, based on the MAC address or IP address of the device. The MAC address can be obtained from the label on the side of the IXrouter. The IP address can be set to a static IP address. However, by default the IP address is set to be obtained automatically via DHCP.
To communicate with the IXON Cloud, the IXagent (part of the IXrouter firmware) uses the proven encryption standard TLS v1.1 and higher. The required TLS key exchange, crucial for security, is done in accordance with industry standard 4096-bit RSA keys with SHA-256. During the RSA handshake the public server keys are shared and, with IXON's built-in Certificate Authorities, the server's identity is verified. The IXagent does not use 3rd party Certificate Authorities, which guarantees up-to-date security for embedded devices. When setting up a VPN tunnel, the necessary security licenses are downloaded and the AES-256 encrypted VPN tunnel is set up. Attacks like man-in-the-middle, ARP spoofing and DNS hijacking will be detected immediately.
The IXrouter is permanently connected to the IXserver and sends out ‘keep-alive heartbeats’ on a regular interval. The remote connection between the IXrouter and IXON Cloud can be managed by the local operator. The digital input on the IXrouter allows the user to enable/disable the VPN connection at the flick of a switch, literally. Alternatively, the connection can be terminated by disconnecting or unpowering the IXrouter. Once it is connected and powered again, the IXrouter automatically re-establishes the connection with the IXON Cloud.
If the local IT department does not allow any form of internet connection to third party hardware, there is also the option for an IXrouter with a built-in 3G or 4G module. All it requires is a standard SIM card with internet access (standard size, 2FF).
The IXrouter is equipped with a built-in firewall which ensures that the customer network is not remotely accessible.
By default there is zero communication possible from the machine network to the customer network (and vice versa). The IXrouter is configurable, however, to allow communication from the machine network to the customer network, to the internet, or both via a specific setting.
How is security ensured on the IXON Cloud?
A crucial segment within the complete IXON solution is the IXON Cloud (IXON’s server platform), which acts as a secure proxy for the data between the IXrouter and IXclient. The browser always checks for valid SSL certificates on the IXON Cloud. As a result, the IXON Cloud is protected against so called man-in-the-middle attacks.
The IXON Cloud is the only component in the complete IXON solution where ports are exposed to the Internet. However, only VPN connections which carry a valid X.509 certificate receive access. The certificate is downloaded automatically once the user is successfully logged in and presses [Connect] to connect to a specific router.
The IXON solution meets all the security and safety requirements stipulated by the National Institute of Standards and Technology for encryption and key negotiation.
Authorized users can access the machine network only via the IXON Cloud. This requires you to have an account (login information) as well as having received an invite to the particular company and being granted access and permission to the registered IXrouter(s).
The IXON Cloud monitors for incorrect login attempts, whether from manual guessing or from software trying to identify a username and password combination (brute-force attacks). Such attempts are detected and rate-limiting is initiated by the IXON Cloud to block these attempts temporarily. As an additional safety measure it is possible to set up 2-factor authentication for your account, where your mobile device generates an additional passcode needed during login.
All connections from and with the IXrouter, as well as changes made to the configuration of the IXrouter are logged with a timestamp and, if applicable, a designated user. All these logs can be checked under Latest events when navigating to [Devices], selecting the concerning IXrouter, and opening its [Info] tab.
With IXON, it is possible to add additional features to your account (e.g. Cloud Logging) with a one-time or recurring fee. All payment and credit card information is stored exclusively by PCI-DSS compliant third parties, ensuring no credit card details pass through IXON’s systems. In your browser, payment information can only be entered on secure pages hosted and created by our payment provider.
Our servers are hosted at several of the world's largest cloud providers. We have servers located in Europe, North America, Asia and Australia. All servers comply with national regulations and are certified by international safety standards, such as ISO27001 and ISO9001.
Using an advanced server monitoring system, IXON’s support and R&D employees are immediately informed in the event of a server failure, suspicious activity or unauthorized access to one of our servers, with procedures in place to minimize the consequences. All audit logs are stored in an external data storage and will be consulted in such cases to create a complete forensic trail of the period of suspicious activity.
How is security ensured on your computer?
The IXclient is a lightweight application that runs in the background on your PC. It creates a virtual Ethernet port on your PC and handles all communication between your PC and the IXON Cloud.
The IXclient uses the proven encryption standard TLS 1.1 and higher. The required TLS key exchange, crucial for security, is done in accordance with industry standard 4096-bit RSA keys with SHA-256. During the RSA handshake the public server keys are shared and, with IXON's built-in Certificate Authorities, the server's identity is verified. The IXclient does not use 3rd party Certificate Authorities, which guarantees up-to-date security. When setting up a VPN tunnel, the necessary security licenses are downloaded and the AES-256 encrypted VPN tunnel is set up. Attacks like man-in-the-middle, ARP spoofing and DNS hijacking will be detected immediately.
How is support offered by IXON?
IXON and its employees are happy to help you in any way to ensure a smooth and carefree experience using the IXrouter. IXON employees can offer you support in various ways. In some cases, an employee may ask you to invite them to your company to be able to access your IXrouters. If no more support is needed, you can remove these users from your company. As is the case with all users: all remote support operations from IXON employees are logged and can be checked under Latest events when navigating to [Devices], selecting the concerning IXrouter, and opening its [Info] tab.