rapidM2M as firewall for Linux systems and industrial PCs

When connecting Linux systems or industrial PCs directly to the internet, all active services on these systems, such as remote access and unclosed security holes, are exposed to attacks from the internet. rapidM2M devices can be used as gateways to securely connect such systems to the internet. The rapidM2M devices act as a firewall, since only the data points (measurement data and configuration) defined in the data descriptor are transmitted via the internet. This results in a significant increase in security and is also suitable for systems for which security updates are not available anymore.

Concept with the highest degree of safety and simplest implementation

The rapidM2M device and the Linux system are connected via RS232. On the Linux system the data recording runs as usual. A program is created and installed on the Linux system which encrypts the data to be submitted and transfers them via the RS232 interface to the rapidM2M device. Thanks to the programmability of the rapidM2M device, the protocol and the encryption can be chosen arbitrarily. The actual contact to the internet is established via the rapidM2M device, which thus serves as a modem and firewall.

In this high security scenario, only measurement data is transferred from the Linux system to the rapidM2M device. A return channel from the rapidM2M device to the Linux system is not implemented. With this concept it may also be useful to transfer some parameters such as the transmission interval via the internet to the rapidM2M device. Since the transmission interval is only relevant for the rapidM2M device, it is not passed on to the Linux system. The return channel ends at the rapidM2M device in its function as a firewall, because data transfer via RS232 in that direction is neither implemented nor intended.

The device management functions provided by the rapidM2M ecosystem can be used without restrictions in this scenario. These functions include, for example, the determination of the position of the individual devices, the central updating of the firmware of the rapidM2M devices and the installed device logic on them as well as the transmission of status information and operating status.

Extension of the concept by configuration parameters

For some applications it may be useful or necessary to be able to adjust parameters such as the measuring interval via the internet connection. For this purpose, the concept presented above only needs to be extended by the possibility to transmit data from the rapidM2M device to the Linux system via the encrypted RS232 connection. To achieve this, both the program running on the Linux system, which receives the parameters, and the device logic installed on the rapidM2M device must be adapted.

Additional security is provided by the fact that the program on the Linux system and the device logic on the rapidM2M device must always be coordinated. Even if the rapidM2M device were to try to transmit additional parameters, these would be ignored by the Linux system. Since there is no possibility to change the software on the Linux system via the internet connection, this approach also provides a very high degree of security.

A plausibility check (e.g. minimum value for the measuring interval) of the received parameters both by the device logic of the rapidM2M device and by the program installed on the Linux system increases the security of this concept.
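The following is an added example (not code from Microtronics or the rapidM2M project) of the receiving side on the Linux system: it authenticates each RS232 frame with an HMAC over a shared key, accepts only parameters on an allow-list, and applies a plausibility check such as a minimum measuring interval. The frame layout, the shared key, the parameter names and the bounds are all constructed for this example; the page leaves protocol and cipher to the implementer, so the encryption layer is not shown here.

```python
import hashlib
import hmac
import json
import struct

# Constructed shared secret held by both the Linux program and the device logic.
KEY = b"example-shared-secret"

# Allow-list of parameters the Linux program accepts, with plausibility
# bounds (min, max). Anything not listed here is ignored. Constructed values.
ALLOWED = {"measuring_interval_s": (60, 3600)}

MAC_LEN = 32  # HMAC-SHA256 tag length


def build_frame(key, params):
    """Frame = 2-byte big-endian body length | JSON body | HMAC-SHA256 tag."""
    body = json.dumps(params, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return struct.pack(">H", len(body)) + body + tag


def parse_frame(key, frame):
    """Return the parameter dict, or None if the frame is malformed or the tag is wrong."""
    if len(frame) < 2 + MAC_LEN:
        return None
    (n,) = struct.unpack(">H", frame[:2])
    if len(frame) != 2 + n + MAC_LEN:
        return None
    body, tag = frame[2:2 + n], frame[2 + n:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        params = json.loads(body)
    except ValueError:
        return None
    return params if isinstance(params, dict) else None


def apply_parameters(current, received):
    """Merge received parameters into current; return (updated, ignored_names)."""
    updated, ignored = dict(current), []
    for name, value in received.items():
        bounds = ALLOWED.get(name)
        in_range = (isinstance(value, int) and not isinstance(value, bool)
                    and bounds is not None and bounds[0] <= value <= bounds[1])
        if not in_range:
            ignored.append(name)  # unknown name or implausible value: ignored
            continue
        updated[name] = value
    return updated, ignored


def handle_frame(key, frame, current):
    """Full receive path; returns (unchanged current, None) on any frame error."""
    params = parse_frame(key, frame)
    if params is None:
        return current, None
    return apply_parameters(current, params)
```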

Extension of the concept to include the possibility of updating the Linux system

For the transmission of larger amounts of data to the rapidM2M device the so-called file transfer is available. This function can be used to extend the concepts presented above with the possibility to provide Linux systems with updates and patches. With file transfer, data can be imported centrally via the rapidM2M portal and then automatically distributed to the corresponding rapidM2M devices via the internet.

Following the concepts presented above, the rapidM2M device would pass the received patch in binary form to the Linux system via the encrypted RS232 connection. The program running on the Linux system stores the received data in the file system and starts the update process after receiving the complete package. The automated distribution of the centrally imported files is part of the device management functions provided by the rapidM2M ecosystem. This means that the complete update of all software components (firmware of the rapidM2M device, user-created device logic installed on the rapidM2M device, updates for the Linux system) can be managed and automated centrally. Unlike the direct connection of the Linux systems, it is not necessary to install the updates and patches via a remote connection.

The file transfer integrated in rapidM2M takes into account that at remote locations the mobile phone connection used to establish the internet connection may be interrupted during the file transfer. The integrity of the file is guaranteed in any case.
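As an added example (not rapidM2M's own file transfer implementation), here is how the program on the Linux system can reassemble an update package delivered in chunks, tolerate an interrupted and resumed transfer, and start the update only once the complete package matches its expected hash. The chunk size, the chunk indexing and the use of SHA-256 as the integrity check are assumptions made for this example.

```python
import hashlib
import hmac

CHUNK_SIZE = 1000  # constructed value; the real chunking is not specified on the page


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def split_into_chunks(package):
    return [package[i:i + CHUNK_SIZE] for i in range(0, len(package), CHUNK_SIZE)]


class UpdateReceiver:
    """Reassembles a package announced as (total_size, expected SHA-256 hex)."""

    def __init__(self, total_size, expected_sha256_hex):
        self.total_size = total_size
        self.expected = expected_sha256_hex
        self.buf = bytearray(total_size)
        self.n_chunks = (total_size + CHUNK_SIZE - 1) // CHUNK_SIZE
        self.received = set()

    def _expected_len(self, index):
        # every chunk is full-size except possibly the last one
        return min(CHUNK_SIZE, self.total_size - index * CHUNK_SIZE)

    def accept_chunk(self, index, data):
        """Store one chunk; duplicates (retransmits after a reconnect) are harmless."""
        if not 0 <= index < self.n_chunks or len(data) != self._expected_len(index):
            return False  # out of range or wrong length: reject
        start = index * CHUNK_SIZE
        self.buf[start:start + len(data)] = data
        self.received.add(index)
        return True

    def missing(self):
        """Chunk indices still to request when the transfer resumes."""
        return [i for i in range(self.n_chunks) if i not in self.received]

    def complete(self):
        return not self.missing()

    def verify(self):
        """True only when all chunks are present and the hash matches."""
        if not self.complete():
            return False
        return hmac.compare_digest(sha256_hex(bytes(self.buf)), self.expected)


def ready_to_install(receiver):
    """The update process may start only after verify() succeeds."""
    return receiver.verify()
```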

This approach also provides a significantly higher level of security than the direct connection of the Linux system to the internet. Even if an update package with a serious security hole or a compromised update package is erroneously imported by the user via the rapidM2M portal (and is then distributed to the Linux systems connected via the rapidM2M devices), the potential damage is limited. The rapidM2M device also acts as a firewall in this scenario. Even if the compromised update package installs software on the Linux system that is meant to make it part of a botnet, aims to use the system as a spam server or tries to plant backdoors, the negative effects are limited, because the system itself cannot access the internet.

Alternative connection of rapidM2M device and Linux system

rapidM2M devices such as the rapidM2M M23x have a USB interface and a larger data memory in addition to the RS232 interface. The Linux system can therefore be connected to the rapidM2M device via RS232 as in the scenarios described above. The update packages can be downloaded completely from the rapidM2M device and stored in the internal data memory. The Linux system then accesses the FAT-formatted data memory via the USB interface and installs the update package stored in it.

Furthermore, rapidM2M devices with a WiFi or LAN interface are also available. The connection of Linux systems and industrial PCs to rapidM2M devices is therefore also possible via these interfaces.

Conclusion

The article shows conceptually that rapidM2M devices can be used as a firewall for Linux systems and industrial PCs. Due to the standard functions implemented in the rapidM2M devices, this conceptual design can be realised very easily. Such concepts, in which rapidM2M devices are used as firewalls for the secure transmission of data to the internet and vice versa, have already been realised and successfully implemented in projects.

Besides the functionality of a firewall, Linux systems and industrial PCs can benefit from further features of the rapidM2M devices, such as file transfer for update patches.

Benefit from the various possibilities to use rapidM2M devices as a supplement and extension for your existing products and solutions! Make an appointment today for a virtual IoT Coffee. Tell us about your ideas and challenges. The Microtronics experts will show you how rapidM2M can make your application a success.

Josef