Trusted Internet Connections

Organizations with multiple network sites may connect the sites using the internal network infrastructure (intranet) or the public internet. 

The participant organizations in the on-site community cloud scenario are connected via links between the boundary controllers that allow access through their security perimeters. The connection can be initiated by one of the boundary controllers. Successful connection establishment creates a trusted internet connection over which all transiting information is encrypted.

The Challenge

Can you trust the internet connection? Internet users want the confidence that sensitive data is secure, information is not compromised, and the infrastructure is not infiltrated.

The CIS Solution

The secure connection between the sites is trusted when each end of the connection knows the other and agrees to connect. The solution applies PKI technology to provide privacy protection and end-to-end encrypted connections, and creates trusted internet connections using a distributed system based on
  • Public Key Infrastructures (PKI) and 
  • NAT firewall.

Public Key Infrastructures (PKI)

A PKI key pair, consisting of a private key and a public key, is created when the software is installed. The public key, once created, is stored in a PKI certificate. The certificate is self-signed and must be distributed to the other installations in order to connect to those sites. The private key is kept for local use and must never be distributed.

The advantage of a self-signed certificate is that there is no need for a centralized registry such as a Certificate Authority. The disadvantage is that the sites have to validate each other's certificates manually, using the certificate fingerprint. Connections are always mutually inclusive: sites must exchange their PKI certificates and import them into their encrypted trust store, shown as eTS in the diagram, for use in connection establishment. Either site can initiate the secure connection, but both verify the other's credential against the information kept in the imported certificates. Without the remote certificate in the eTS on both sides, the connection attempt is aborted.

Successful connection establishment creates a TLS link that connects the boundary controllers and encrypts and transports the information between them.
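As an added example (not the product's own code), the following Go model of the exchange described above: each site creates its ECDSA key pair and self-signed certificate at install time, imports a peer certificate only after its SHA-256 fingerprint matches the value checked out of band, and a connection is allowed only when both trust stores verify each other. It uses standard-library x509 verification in place of the live TLS handshake; the site names and the in-memory eTS are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// Site is one boundary controller: its self-signed ECDSA certificate and its trust store (eTS) of peers.
type Site struct {
	cert *x509.Certificate
	eTS  *x509.CertPool
}

// NewSite does what installation does: creates the key pair and the self-signed certificate.
func NewSite(name string) *Site {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key never leaves the site
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, // constructed names
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	cert, _ := x509.ParseCertificate(der)
	return &Site{cert: cert, eTS: x509.NewCertPool()}
}
// Fingerprint is the SHA-256 of the DER certificate; no CA vouches for it, so this comparison is the only check.
func (s *Site) Fingerprint() [32]byte { return sha256.Sum256(s.cert.Raw) }

// Import adds a peer certificate to the eTS only when its fingerprint matches the operator-verified value.
func (s *Site) Import(peer *Site, verified [32]byte) bool {
	if peer.Fingerprint() != verified {
		return false
	}
	s.eTS.AddCert(peer.cert)
	return true
}

// trusts is the credential check one end performs using nothing but its own eTS (hostname included).
func (s *Site) trusts(peer *Site, usage x509.ExtKeyUsage) bool {
	_, err := peer.cert.Verify(x509.VerifyOptions{Roots: s.eTS, DNSName: peer.cert.DNSNames[0], KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

// CanConnect mirrors the mutual handshake: each end must verify the other, or the attempt is aborted.
func CanConnect(initiator, acceptor *Site) bool {
	return initiator.trusts(acceptor, x509.ExtKeyUsageServerAuth) && acceptor.trusts(initiator, x509.ExtKeyUsageClientAuth)
}
```

A one-sided import (only one eTS holds the peer) still yields no connection, which is the page's point about both sides verifying.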

NAT Firewall

Connections with other SIPbiz.nets work with or without NAT firewalls. A NAT firewall should be used when connecting the sites across the public internet. The solution depends on a NAT firewall device to protect the network infrastructure. The NAT firewall functions provide:
    • network address translation (NAT) between private and public IP addressing spaces. NAT is needed to create a private network, an important security and privacy feature
    • internet attack prevention and other security protection mechanisms
    • transport of IP packets to and from the Internet. On some NAT firewalls this IP transport function can be monitored to improve security.

One site can initiate or accept connections from multiple sites. Depending on the business needs, the connections can be arranged in many different configurations; two examples, the point-to-multipoint and full mesh configurations, are shown in the drawing above. A full mesh configuration is useful for an enterprise network with multiple locations connected via the Internet. An organization providing cloud services may deploy a point-to-multipoint configuration to connect to its cloud consumers. There is no architectural limit on the number of connections that can be established; the server on which the software is hosted may, however, have limited hardware resources for scaling. The software can be installed in a private cloud to remove the hardware limitation of the host machine.

Two established networks of sites, for example, owned by two communities of organizations, can merge by connecting all of their sites in a full mesh architecture.

Benefits and Capabilities

Security Enhancement

  • Connect user devices and servers from behind a NAT firewall
  • Mutually inclusive privacy protection with PKI
  • End-to-end encrypted information via TLS

Technology Advantage

  • Scalability: There is no architectural limit on the number of trusted connections a site can establish. Each site can initiate and accept multiple TLS connections.
  • Encryption works with or without NAT firewall
  • Encryption works with IPv4 or IPv6 networks
  • Flexible connection configurations
    • Point-to-point
    • Point-to-multipoint
    • Full mesh

Learn More

For additional information on how your organization can benefit from Trusted Internet Connections solution, please contact

  • PKI Standards
  • Federal PKI
  • Encryption: Advanced Encryption Standard (AES) - FIPS PUB 197
  • Key Exchange: Elliptic Curve Diffie-Hellman (ECDH) Key Agreement - NIST SP 800-56A
  • Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) - FIPS PUB 186-3
  • Hashing: Secure Hash Algorithm (SHA) - FIPS PUB 180-4