Trusted Internet Connections


Organizations with multiple network sites may connect the sites using the internal network infrastructure (intranet) or the public internet. 

The participant organizations in the on-site community cloud scenario are connected via links between the SIPbiz.net boundary controllers, which allow access through their security perimeters. The connection can be initiated by either boundary controller. Successful connection establishment creates a trusted internet connection over which transiting information is encrypted.

The Challenge

Can you trust the internet connection? Internet users want the confidence that sensitive data is secure, that information is not compromised, and that the infrastructure is not infiltrated.

The CIS Solution

The secure connection between the SIPbiz.net sites is trusted when each end of the connection knows the other and agrees to connect. SIPbiz.net applies PKI technology to provide privacy protection and end-to-end encrypted connections.

SIPbiz.net creates trusted internet connections using a distributed system based on 
  • Public Key Infrastructures (PKI) and 
  • a NAT firewall.

Public Key Infrastructures (PKI)

A PKI key pair, consisting of a private key and a public key, is created by SIPbiz.net when the software is installed. The public key is stored in a PKI certificate. The certificate is self-signed and must be distributed to the other SIPbiz.net installations that the site will connect to. The private key is kept for local use and must never be distributed.

The advantage of a self-signed public key certificate is that there is no need for a centralized registry such as a Certificate Authority. The disadvantage is that the sites have to validate each other's certificates manually, using the certificate fingerprint.

SIPbiz.net connections are always mutually inclusive: SIPbiz.net sites must exchange their PKI certificates and import them into their encrypted trust stores (shown as eTS in the diagram) before they can be used in connection establishment. Either SIPbiz.net site can initiate the secure connection, but both verify the other's credentials against the information kept in the imported certificates. Unless each side has the remote certificate in its eTS, the connection attempt is aborted.

Successful connection establishment creates a TLS link that connects the boundary controllers and encrypts and transports the information between them.
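The following Go program is an added example, not SIPbiz.net code (the product's internals are not shown on this page). It models the procedure the section describes: each site generates its own key pair and self-signed certificate at install time, distributes only the certificate, and imports a peer's certificate into its trust store only when the SHA-256 fingerprint matches the one obtained over a separate channel; a mutual TLS handshake then succeeds only when both trust stores contain the other side's certificate. The names Site, NewSite, Fingerprint, Import and Connect, and the site names site-a.example and site-b.example, are assumptions of the example; the handshake runs over an in-memory pipe so it can be tried without a network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Site is a hypothetical model of one SIPbiz.net installation (not the product's code).
type Site struct {
	Name string
	Cert tls.Certificate // own self-signed certificate and private key; the key never leaves the site
	ETS  *x509.CertPool  // trust store: certificates of peers, imported only after a fingerprint check
}

// NewSite generates an ECDSA P-256 key pair and a self-signed certificate at install time.
func NewSite(name string) (*Site, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template
	if err != nil {
		return nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return &Site{Name: name, Cert: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, ETS: x509.NewCertPool()}, nil
}

// Fingerprint is the SHA-256 digest of the DER certificate, the value operators compare out of band.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Import adds a peer certificate to the eTS only if it matches the fingerprint obtained out of band.
func (s *Site) Import(peer *x509.Certificate, expectedFingerprint string) error {
	if Fingerprint(peer) != expectedFingerprint {
		return fmt.Errorf("%s: fingerprint mismatch for %q, not imported", s.Name, peer.Subject.CommonName)
	}
	s.ETS.AddCert(peer)
	return nil
}

// Connect has initiator open a mutually authenticated TLS session to acceptor over an in-memory
// pipe. Each side trusts only its own eTS, so the handshake aborts unless both imported the other.
func Connect(initiator, acceptor *Site) error {
	clientConf := &tls.Config{
		Certificates: []tls.Certificate{initiator.Cert},
		RootCAs:      initiator.ETS, // a self-signed peer certificate is its own trust anchor
		ServerName:   acceptor.Name,
	}
	serverConf := &tls.Config{
		Certificates:           []tls.Certificate{acceptor.Cert},
		ClientCAs:              acceptor.ETS,
		ClientAuth:             tls.RequireAndVerifyClientCert,
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // nothing is written after the handshake completes
	}
	cRaw, sRaw := net.Pipe() // synchronous pipe: deadlines bound any stall after a rejected handshake
	cRaw.SetDeadline(time.Now().Add(3 * time.Second))
	sRaw.SetDeadline(time.Now().Add(3 * time.Second))
	serverDone := make(chan error, 1)
	go func() {
		serverDone <- tls.Server(sRaw, serverConf).Handshake()
		sRaw.Close()
	}()
	clientErr := tls.Client(cRaw, clientConf).Handshake()
	cRaw.Close()
	if serverErr := <-serverDone; serverErr != nil {
		return fmt.Errorf("acceptor %s aborted: %w", acceptor.Name, serverErr)
	}
	return clientErr // nil only when the initiator also accepted the acceptor's certificate
}

func main() {
	a, _ := NewSite("site-a.example") // constructed site names, not real hosts
	b, _ := NewSite("site-b.example")
	fmt.Println("nothing imported:", Connect(a, b))
	a.Import(b.Cert.Leaf, Fingerprint(b.Cert.Leaf)) // one-sided: site-b still lacks site-a's cert
	fmt.Println("one-sided import:", Connect(a, b))
	b.Import(a.Cert.Leaf, Fingerprint(a.Cert.Leaf))
	fmt.Println("mutual import (nil = established):", Connect(a, b))
}
```

Running the program prints an error for the first two Connect calls (no certificates exchanged, then only one side has imported) and nil for the third. The fingerprint comparison is what gives a self-signed certificate its trust: anyone can mint a certificate carrying a peer's name, so an eTS should only ever hold a certificate whose fingerprint was confirmed over a channel the operators already trust. An eTS entry is also a standing authorization with no CA revocation list behind it, so removing a peer means deleting its certificate from every site that imported it.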

NAT Firewall

SIPbiz.net sites can connect to one another with or without NAT firewalls. A NAT firewall should be used when connecting SIPbiz.net sites across the public internet.

SIPbiz.net depends on a NAT firewall device to protect the network infrastructure. The NAT firewall provides:
    • network address translation (NAT) between private and public IP address spaces; NAT is needed to create a private network, an important security and privacy feature
    • internet attack prevention and other security protection mechanisms
    • IP packet transport to and from the Internet; on some NAT firewalls this transport function can be monitored to improve security.

One SIPbiz.net site can initiate or accept connections from multiple SIPbiz.net sites. Depending on the business needs, the connections can be arranged in many different configurations; two examples, point-to-multipoint and full mesh, are shown in the drawing above. A full mesh configuration is useful for an enterprise network with multiple locations connected via the Internet. An organization providing cloud services may deploy SIPbiz.net in a point-to-multipoint configuration to connect to its cloud consumers.

SIPbiz.net has no architectural limit on the number of connections it can establish; the server hosting SIPbiz.net, however, may have limited hardware resources for scaling. SIPbiz.net can be installed in a private cloud to remove the hardware limitation of the host machine.

Two established networks of SIPbiz.net sites, for example ones owned by two communities of organizations, can merge by connecting all of their SIPbiz.net sites in a full mesh architecture.

Benefits and Capabilities

Security Enhancement

  • Connect user devices and servers from behind a NAT firewall
  • Mutually inclusive privacy protection with PKI
  • End-to-end encrypted information via TLS

Technology Advantage

  • Scalability: there is no architectural limit on the number of trusted connections a SIPbiz.net site can establish. Each SIPbiz.net site can initiate and accept multiple TLS connections.
  • Encryption works with or without a NAT firewall
  • Encryption works with IPv4 or IPv6 networks
  • Flexible SIPbiz.net connection configurations
    • Point-to-point
    • Point-to-multipoint
    • Full mesh

Learn More

For additional information on how your organization can benefit from the SIPbiz.net Trusted Internet Connections solution, please contact sipbiz@sipbiz.net.

References
  • PKI Standards
  • Federal PKI
  • Encryption: Advanced Encryption Standard (AES) - FIPS PUB 197.
  • Key Exchange: Elliptic Curve Diffie-Hellman (ECDH) Key Agreement - NIST SP 800-56A.
  • Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) - FIPS PUB 186-3.
  • Hashing: Secure Hash Algorithm (SHA) - FIPS PUB 180-4.