Connect Differently: Moving Data Without Open Production Network Inbound Firewall Ports

When your industrial network security posture is that opening any inbound ports on your production network firewall can't be done and you need to move data anyway, what do you do? 

Why not reverse the connection?

What if there were a way to make the connection from the production network or facility outbound instead of inbound. Why not switch the client and server locations? Before you dismiss the thought and say impossible, I can't move my software applications, keep reading. 

Step back and consider that in a client/server relationship, the connection is always initiated by the client, so to make an outbound connection, you'd need a way to have your software in the production side of your facility operate like a client, connecting outwards to the software application that needs the data which would need to be able to operate like a server, whether it is on the business/IT side our outside your facility. The image below illustrates this concept using OPC clients and servers as an example. 


In this example you probably are saying "I can't do this, the OPC client that needs the data is on the IT network side, this is crazy!"

A Different Kind of Outbound Connection

To achieve this, you can insert the Cogent DataHub in between the connections and let the DataHub handle the reversing of the Client Server connection.  Because DataHub is an OPC Client and an OPC Server, it can

  • Connect to your production OPC Server as an OPC client 
  • Connect to your remote OPC client on the business or IT side or outside the facility and present data as an OPC Server 


DataHub's tunneling capability can be configured so either side of the tunnel can initiate the connection and the other side to be the trusted, authoritative data source.  By "authoritative" we mean the side of the connection that has the correct data in case of a disconnect/reconnect on the network.  

The ability to assign the trusted data source and who make the connection resolves the client/server problem, because now the authoritative source of the data can also initiate the connection. In the drawing above, the DataHub inside the plant network would initiate an outbound connection to the DataHub on the IT network side. The IT Network side would need an open port, but the plant network side would not need any inbound open ports. 

By doing this the plant side remains in control of the security of it's data, while remote users, wherever they are, are able to see the data they need. 

What if the remote or IT network side doesn't want to open any ports either?  That can be resolved by using a DataHub in a DMZ in between the 2 locations and each DataHub only has to communicate to the DataHub in the DMZ. 

If you're interested in learning more about that capability and how to also factor in cloud or hybrid cloud solutions, sign up below to be notified of future technical notes on those topics.

Enter Your Business Email:

If you'd like to try the DataHub complete the form at the right.

Questions? Contact us for a free technical consultation.


Download Cogent DataHub Trial