From VPN to VPI: How Virtual Private Internet is enabling fewer truck rolls to provision and maintain customer premises equipment and edge deployments
On-premises equipment is an integral part of the telecom business, creating hardware-enabled subnets, security, routing, and more for customers. As edge deployments increase, the need to service equipment in the field, at the edge or on the customers’ premises, is growing. Yet the cost of sending a skilled technician to a customer location to configure, maintain, or upgrade customer premises equipment (CPE) can be immense, especially for telecom providers with national or international areas of coverage. CPE often requires sophisticated setup and configuration that customers do not have, necessitating the dispatch of a skilled technician to the site. This need greatly reduces the productivity of the technician since, in addition to the hours they spend working on the CPE, they now also must add transit times to their day.
The obvious suggestion is to log in to the CPE remotely, but that usually means setting up port forwarding on the CPE or opening a hole in the customer's firewall. Many IT departments have policies that forbid any such inbound access, and with good reason: a permanent opening in the firewall makes remote access to the CPE easy, but it also exposes the device to the entire internet. Scanning tools can now sweep the whole IPv4 address space for a given port in roughly an hour, and once a device turns up in a scan, attackers can probe it with off-the-shelf cracking tools against whatever services its open ports expose.
Conversely, placing CPE behind a customer firewall prevents convenient and time-saving remote access for telecom vendors, so what is a telecom company to do?
One possible solution is for the customer to extend VPN access to the telecom vendor, but this requires the customer to have a VPN strategy, which many small businesses don't have, and it requires some sophistication in managing access rights on the LAN or WAN. A VPN that lands the vendor on the customer's internal network may expose significant portions of that network should the VPN account or its credentials be compromised.
More significantly, mobile networks, which are increasingly being looked to for connectivity, typically cannot accept an inbound VPN connection to a device: carriers place devices behind Carrier-Grade NAT (CG-NAT) rather than assigning each a globally routable IP address. CG-NAT exists mainly to conserve IPv4 addresses, but a side effect is that nothing on the internet can initiate a connection to the device, so a VPN endpoint or forwarded port on the CPE is simply unreachable.
A newer approach, virtual private internet (VPI) software, addresses these gaps by building on and going beyond what a VPN offers for secure remote access.
VPI, or VPN?
A virtual private internet is different from a VPN in a number of ways:
- Works over mobile networks, including CG-NAT.
- There is no appliance that monitors and screens communication between the internet and the protected device.
- Connectivity permissions are explicitly bound to ports, services, and devices, strictly controlling the flow of traffic to prescribed “swim lanes.”
- Traffic flows through a direct connection or through peer-to-peer tunnels directed by a VPI routing service, so VPI devices can only reach ports, services, and devices for which they are explicitly authorized to contact.
- Connected devices may be securely provisioned across multiple internal networks concurrently.
There is a fundamental openness built into TCP/IP, a legacy of its origins as a protocol for a network that was meant to keep working even when parts of it failed. A host answers unsolicited packets: a TCP SYN to a listening port gets a SYN-ACK, a SYN to a closed port gets a RST, and an ICMP echo request gets a reply. That is what lets connections be set up without prior arrangement, but it is less desirable in security-centric scenarios, because every one of those answers tells a scanner that a device exists at that address and marks it as a potential target.
Because traffic on a VPI is routed by the VPI service to explicitly authorized peers rather than by answering whoever knocks, a VPI-enabled device can stop answering unsolicited packets altogether and enter what is called a "drop state": unsolicited inbound packets are silently discarded rather than refused. To an IP or port scanner, a dropped packet looks the same as an empty address, so the device is effectively invisible. Internet worms that spread by connecting to reachable open ports cannot reach it, and it never acknowledges or reflects an attacker's traffic, so it cannot be enlisted as a responder in a DDoS attack. (Dropping packets does not stop a volumetric flood from consuming the link's bandwidth; the benefit is that the device is not discoverable in the first place and never responds to malicious traffic.) At the same time, the device continues to communicate with the devices it is authorized to reach on the VPI, since those connections are brokered by the VPI routing service rather than accepted from the open internet.
Why VPI saves money for telecom providers
Telecom providers have significant costs related to sending skilled technicians to customer sites. In addition to the travel time, there are service delays driven by travel schedules that frustrate customers. Inbound VPN, secure shell (SSH) and remote desktop access all require an opening in the customer site's perimeter to function, so telecom companies have largely lived without the benefits of remote maintenance until now.
VPI provides a secure way for telecom companies to reach their hardware without exposing the devices or the customer networks to intruders. With secure access to on-site hardware assured, telecom companies can reduce dispatches to customer sites and shorten response times, cutting expenses and improving customer satisfaction. A telecom vendor with thousands of customer sites avoids many thousands of hours of employee travel time, and the shorter response times are felt across its whole customer base.
There are also extreme cases in the telecom industry where VPI helps. When a telecom provider operates wireless base stations, those base stations are, for security reasons, not connected to the internet themselves even though they pass and route internet traffic. In these scenarios a technician has always had to be deployed to the site. However, with VPI software installed on a mobile device that has Wi-Fi or LTE connectivity, a more junior technician or less skilled agent can go to the base station, plug the VPI device into it, and temporarily create a secure VPI connection over their LTE device, through which a more skilled technician can access and maintain the base station. While that bridge is up, the base station is reachable only through the VPI device and the peers it is authorized to talk to, so the bridging device's own security posture matters. When the maintenance is complete, the junior technician unplugs the device and the base station returns to its isolated state, restoring the air gap.
Highly-skilled technicians are wasting less time in transit
Telecom companies are already leveraging VPI solutions to provide secure, invisible, managed connections to CPE that technicians can access remotely. Others are using VPI-enabled devices with Wi-Fi or LTE to temporarily connect air-gapped equipment to the secure VPI network so that skilled technicians can work on the equipment remotely. In both cases, and others, telecoms are responding faster, spending less on truck rolls, and applying the time of their most valuable technicians to working on CPE instead of sitting in a truck.
To read the press release from BullsEye Telecom on how they use VPI from remote.it, click here.
To read the case study from BullsEye Telecom, contact us.