VPN Or Public Gateway

From everyone’s responses, it sounds like the best way is to use a VPN for user connection to the Ignition system.

What about this scenario?

There is a front end server with just Perspective that can be accessed from the public internet (just like any other website). It has access to the database that we will use across all our servers. This front end server has the remote tag provider reading the tag values from the backend server but is set to read only, just like @PGriffith suggested.

Now when a tag write needs to happen from the front end gateway, it writes to a database table. Then the back end server is constantly listening to this database table. When there’s a new record, perform that tag write. So the front end server does not have direct write access.

Now is this more secure than the previous suggestion? Is this the best possible solution to get some sort of write access from the front end server which is accessible via the public internet?

If you are going to write at all, you may as well use the tag provider. Consider using two–one read-only for most items, and the other read-write but only containing the items those users need.

Would it help if there was a load balancer in front? I know the load balancer is to redirect traffic based on some set of reasons to multiple servers but can it help with security? Can it help prevent unwanted attacks and tag writes from something other than an Ignition HMI?

What happens when an adversary finds a SQL injection vulnerability or some other sort of vulnerability and attacks your central databases to vandalise or control plant?

What do you actually need the users to be able to control remotely? Are they filling out a form saying that they visited a site and checked that the toilets are clean or are you trying to give them access to control switchgear and pumps?

Control pumps.

I guess I must be confused as to why @John assumes a VPN Solution won’t work.

This is exactly what I do. My company is in Oil & Gas and we have hundreds of very remote locations that the “Office” people can log into and take all kinds of reports, then we have “Production Managers” that can log in and they can turn pumps on/off, make adjustments to the VFD’s, set new alarm setpoints, adjust PID function, and since I am the administrator I can actually reprogram any device that is connected to our VPN network, this includes IP Camera, Modem, Router, HMI, Gateways, Etc… All this is through our Verizon Vpn and then my adding all the necessary IP and PORT redirects through are special VPN Router.

Been using this setup for almost 6 years and have never had any problems! Works FLAWLESSLY!!

I would do it NO OTHER WAY!

How does someone do this, lets say from their house? Does this person connect to their home internet and then use some sort of VPN software to connect to the Ignition system?

Yes.

That’s what I’m trying to get away from, is to not have anyone need software and credentials to keep up with. Sometimes it may be people, who will only had read access (controlled by HMI) and will only need to view for a week or 2 then they won’t need to view anymore. These people could be internal users or customers who are not direct employees.

If you have a Verizon or AT&T VPN network you won’t need any software!

You can connect to the VPN tunnel from any device that is connected to the internet through a special IP address that is not public accessible

I connect from all over the USA.

Think of it this way. Log into a special box (without the need of any software) and that box will keep everything secure and you allow who and what they can access just by programing the box.)

So the IP address you enter into let’s say your web browser re-directs you to your Ignition HMI?

If that’s how you have programmed the redirect in the VPN Tunnel.

I had this battle when I was setting up our system as well.

What we decided to do was to run Ignition in AWS which we then connect to via an onsite VPN. This means it technically has a public IP however the AWS EC2 instance’s firewall only allows access via the VPN IP, essentially making it private. We then also have all of our local devices tunnel through a site-to-site VPN which allows for the local machines to connect to the cloud Ignition instance. So anyone on our local network (requires login credentials) or with VPN credentials is able to connect to the Ignition instance.

I had to learn quite the bit more networking to iron this one out.

1 Like