Remote Access Tools Security

Once a Tools Applet client is connected to a Runtime client, a VPN connection can be established depending on how the “VPN access” permission is given to a user on a given device.

The FactoryTalk Remote Access VPN works at level 2 of the ISO/OSI protocol stack, that is, it encapsulates Ethernet frames instead of IP packets. This is done for best compatibility with common industrial scenarios, where non-IP protocols or broadcast messages are used.

The VPN is implemented by installing a virtual Ethernet adapter on the Frontend PC.

FactoryTalk Remote Access Runtime can intercept low-level network traffic of selected physical interfaces and channel it to the Frontend’s virtual Ethernet adapter. For both the Frontend machine and the FactoryTalk Remote Access Runtime device, it appears as if the Frontend machine is physically connected to the selected Runtime LAN.

Even if level 2 is below IP, by default the Runtime service automatically assigns a free IP to the Frontend virtual VPN adapter. This is done for convenience, since most useful protocols are IP based and thus ready to work. Moreover, IPs from the actual physical subnets are used. No virtual IP subnets and consequent routing rules are created.

The Runtime periodically polls for existing devices on the network by sending ARP messages. It discovers “free” IPs that can be later assigned to VPN connections. This policy is handy but can be changed if a stricter and more controlled configuration is needed. An IP pool can be configured on the device so the Runtime will only assign IPs coming from this pool. In this case, no ARP discovery is performed.

Having the Frontend PC virtually connected to the physical device network is powerful and useful, but it can be configured and limited in several ways to comply with ICT policies.

VPN firewall rules can be configured in the FactoryTalk Remote Access organization to control what kind of traffic of a certain combination of device/sub-device/user/protocol can be remotely used. These rules can be obtained by configuring firewall rules across the organization hierarchy. Rules are hierarchical, per-user, per-resource, or per-resource group, and can be limited to a certain remote MAC address, remote IPs, subnets, and Ethernet or IP protocols, in an ALLOW – DENY fashion. The resulting set of rules is calculated by the server before a VPN connection starts and are enforced on both Frontend and Runtime.

The best practice regarding security is to enable only the protocols and reachable destination needed by a specific remote user or user group. This makes the VPN connection even more secure than an actual physical local connection, because in a physical connection, the local PC firewall is the only mechanism to limit traffic. In our case, the FactoryTalk Remote Access infrastructure takes care of enforcing the security rules decided by the administrator.

Remote file operations (download, upload, rename, delete) are served through the FactoryTalk Remote Access Service process. This process is running with local system privileges by default. In any case, the FactoryTalk Remote Access organization admin can enable or disable this operation for remote users depending on how the File Transfer permission is propagated to a particular device for a specific user.

The registration to a domain or the configuration can be carried out using specific applets that work on the local network. These applets use an AES-256 GCM algorithm to encrypt the network traffic.