ComBrio, Inc. has announced a new version of its secure remote monitoring product that allows service providers to watch customers' equipment without making any changes to their networks.
The product, called Virtual Service Infrastructure (VSI) 3.0 is a gateway service providers can install on a customer's site to collect Simple Network Management Protocol (SNMP) alerts and send them through an encrypted connection to the service provider's network without relying on dedicated phone lines, virtual-private network (VPN) links or dial-up modem connections
VSI allows a customer to designate the static IP addresses of the machines a service provider is allowed to monitor, and refuse all outside requests for a connection. Legitimate connections can only be made by the VSI gateway itself, which sends an outbound connection request to the address of a predetermined service provider.
Version 3, which can be installed either as a hardware gateway or a software-only product, is able to function by just using one port -- no. 443 outbound, which is also used by XML requests.
"So any network that lets people browse the Internet already has that port open," according to Dave Boulos, vp of product management/marketing at ComBrio. "You can put VSI in there and have it function without making any changes at all to the network." The VSI gateway sends a "heartbeat" health message to the service provider every two minutes or so, and sends alerts to the service provider when there's a problem, Boulos said.
Service providers can send requests to the gateway, for data on the status of a device, or to establish a connection through which they can change the configuration of a device. But the connection is always initiated from the gateway out to the service provider so the customer knows the connection is legitimate, Boulos said.
The connections themselves are encrypted using the Advanced Encryption Standard (AES) over a Secure Sockets Layer (SSL) connection. The connection exists only while the gateway is communicating with the service provider, so there's no open line or VPN to manage, he said.
That eliminates the security risk of having a dedicated phone connection, and the complexity of trying to maintain several VPN links to each customer, according to Steve Bodkin, service product manager for the services business of the $15.6 billion Emerson Network Power.
Emerson uses VSI, among other access methods, to monitor the health of the servers, routers, cooling equipment and other data center infrastructure it sells.
"With a VPN, if you want to do alarms, you pretty much have to have the VPN up 24/7," Bodkin said. "Companies don't want that vulnerability of having a VPN open all the time."
"When we get ready to monitor, the customer will give us a set of static IP addresses they want us to have access to. We get that programmed into the gateway by our security people and it's locked down," Bodkin said. "We don't have access to any other equipment."
The "heartbeat" provides regular "all is well" messages to Emerson, whose monitoring software launches an alert if the heartbeat falters or another problem crops up. A service provider can piggyback a request for a download of operational status data from the equipment to build up a performance-trend database for that particular unit, Bodkin said. One gateway can allow a service provider to monitor anything inside a wide-area network (WAN), if the access controls are set correctly, he said.
Unlike most of the alarms for cooling equipment and other data-center gear, the gateway supports as many alarm types as exist in SNMP, so the service provider knows whether there's a fan failure or high head pressure, or another problem. "It's very specific so you can arm the technician to go out prepared, or know that you don't have to go out at all," Bodkin said.
The gateways also provide a secure audit trail that shows which technician accessed the equipment, what he or she did, and what the changes were, Bodkin said. That audit trail is absolutely vital for customers having to document compliance with Sarbanes-Oxley (SOX) or other regulations, he said.
Not having to maintain a series of VPNs can, in itself, be a huge advantage, according to Michael C. Ladam, an analyst at Stratecast Partners,
a division of Frost & Sullivan, which is based in San Antonio, Tex.
But being able to isolate the security risks by defining so closely what machines could be accessed, by which service provider, and even by the username of a particular technician is a tremendous benefit to the end user, Ladam said.
"When I used to do data center work we'd go back and forth with service providers trying to arrange both the terms of access and the schedule of when we could have someone work with their own team," he said. "Remote access makes that less true now, but there are still some very real security concerns."
The cost of the products -- about $50,000 for a setup that would allow a service provider monitor five customers and about the same amount for a software console that would let the customer monitor all the VSI units and service providers using them, according to ComBrio's Boulos -- should be justified if the system is as efficient as it seems, Ladam said.
"If it works, this kind of product is going to be viral," he said. "If Sun adopts it and starts promoting it to its enterprise customers, there's a good chance they're going to go to HP and say 'Sun is doing this and we think you should, too.' They're still pretty young; they're not making claims like that. But it's a likely model."
Most of ComBrio's customers are service providers, because that's who the product was designed for, Boulos said. Fujitsu is using it, however, and other original equipment manufacturers are looking at it as well, he said.
"This isn't a silver bullet," Bodkin warned. "But it does address things a huge number of customers are worried about. And the biggest majority of them, once they understand how the gateway operates, they're fine with it. Not every customer; some want a dedicated phone line and we have a solution for that. But most of them."