Zoneinsite: Difference between revisions

From db.ibenson.com

Latest revision as of 20:50, 17 March 2014

Zoneinsite (name TBD, .com domain acquired for one year).

Overview

In today's world, network access is as desired as running water or electricity. Installing, configuring, controlling and maintaining a network can be very complex, has security pitfalls and leaves massive limitations on controlling what people are doing and when. These issues affect homes and small and mid-sized businesses, while large businesses invest massive amounts of money to control network access.


Zoneinsite hopes to fill the home to mid-sized company market with a simple, secure and very flexible set of devices and tools that allow any authoritative user local or remote control of the many facets of networks and the devices on them. Most solutions today require software to be installed on the end devices, but this only works on specific PCs and handheld devices, and all of it can be worked around by a motivated teenager or hacker.


System and Service requirements:

  1. Provide a simple, secure and easy to use service platform
  2. Enhance network controls in a way that is easy to understand and use
  3. Simplify what is very complex, giving the customer more flexibility

System Elements

Zoneinsite will become the arbiter of all network communications at one or many locations by becoming the LAN gateway router, replacing or being installed south of existing routers, access points and servers. The system will then have visibility into all devices on the LAN as well as the ability to integrate with other devices the product supports.

  • PHYSICAL element high level overview of the system's potential:
    • WAN gateway router
      • This system will connect to the internet connection at a site (cable modem, FIOS, DSL, MiFi, and so on).
      • This system will have one Ethernet port devoted to connecting to the internet connection device.
      • This system will have one or more LAN Ethernet ports (the number varies with the product flavor and the LAN's requirements).
      • This system, or a specific flavor of the product, can have a Wi-Fi access point built in.
    • Network Switch
      • This system will have a network switch that can be ordered and installed with the system.
      • This switch will be configured and controlled by the WAN Gateway router.
    • Access points
      • This system will have Access points that work in conjunction with the WAN gateway router.
      • Many access points can be added to a network location, all controlled by the WAN gateway router.
      • These access points must be affordable, support multiple SSID-to-VLAN mappings, and should be PoE powered.
  • VIRTUAL/Software based tool high level overview of the system's potential:
    • WAN Gateway router LOCAL web access/console
    • WAN Gateway router LOCAL mobile APP access/console
    • Cloud Based Local or Remote System access/console

System Installation and Integration

When this system is installed at a location, a user can simply buy one or many of the flavors the product is offered in. Once it is installed in the northernmost location in the LAN (the network edge facing the internet), it is imperative that there are no other routers/NAT gateways in the LAN, as they would limit the platform's ability to enforce policy.


Example A: A home user has a cable modem and a Linksys wireless router installed. The user will replace this Linksys with the Zoneinsite wireless router. The user will also verify that there are no other routers or access points installed in the home. If there are, the user can either replace the access point with a Zoneinsite AP so that they can install and control it easily, or leave it in place, making sure the access point is acting as a bridge and not a router. From a security and ease-of-use view we would always suggest that the user replace this additional AP with one that supports the Zoneinsite platform.


Example B: A small office network has a FIOS router with Wi-Fi. The user will disable this Wi-Fi, connect the Zoneinsite WAN gateway router to the FIOS router, and additionally install a network switch and two access points, all supported by the Zoneinsite platform. Once these elements are in place, the WAN gateway router will identify the system elements and present them for use in the WAN gateway router's LOCAL access/console web UI, or through an app connected to the new access point.


Example C: Joe the business owner has an office and wants an office extension at his home or a branch office. Joe can order a system from Zoneinsite and simply ship it to the staff/users onsite. The equipment can be connected to the internet access device (using simple site-specific instructions) and ALL configuration from that point forward can be handled by Joe or Joe's IT manager.


When the Zoneinsite WAN router is installed correctly in the northernmost location in the network, it will listen for hello messages from other Zoneinsite devices (switches, APs, and so on). After this, the WAN gateway router has knowledge of all network elements and is ready to configure site-specific topologies and rules. This configuration can be done onsite or remotely (the latter with the subscription service). Until the user configures some level of security, the system will not allow internet access (enforced through a web redirect, i.e. a captive portal) but will allow access to the cloud-based Zoneinsite platform. Here the user, having an account and password, can add this new site to their control domain so that they may access the network from anywhere in the world to add, change and support the network's needs (more on this later).

System Device Identification

One of the major changes the Zoneinsite platform brings to the table as a standard requirement is the idea that EVERY device on the network will be identified uniquely, whereas today ALL devices are viewed as equal and anonymous. This will be achieved by MAC-layer identification and enforcement. This means that when a network is installed and configured with our platform, every device will need to be explicitly ALLOWED access. This is not to say that we can't allow a small, controlled amount of access to devices that are unknown, but we would advise against this because of the simplicity of changing a device's MAC address.

Standard Platform Service/Controls

The Platform will provide all current day standard firewall and routing services. Examples:

  • Standard NAT translations
  • DMZ NAT configuration
  • Dynamic IP identification service (small, annual cost?)

Advanced Platform Service/Controls

The main goal of the Zoneinsite platform is to give a home or network administrator the ability to EASILY and QUICKLY change the network access rules for the entire network, for a group of devices in that network, or for one device in the network. The platform (how I describe an installed system and the controls it has, whether locally configured or via the cloud) can enforce in many ways, some of which are listed below:

  • Rate-limited access: The device or devices will be rate limited based on Layer 3 or sub-Layer 3 application.
  • Time-limited access: The device or devices will be limited based on the amount of time the device has been accessing the network.
  • Consumption-limited access: The device or devices will be limited based on a bucket of bytes transferred on the network.
  • TOD-limited access: The device or devices will be limited based on predefined time-of-day windows.
  • Ad hoc limited access: ANY device or group can be controlled at any time by the network admins, either locally or remotely using the Zoneinsite portal.
  • Push notifications to admins' mobile devices for network access/misuse.

The Platform will go beyond simple network access limitations by using deep packet inspection and application signature detection. This technology allows the administrator to block or limit access based on the above criteria but also based on application or site specific information.

Examples:

  • John comes to work. His work PC can access all of the Web but not Facebook, Instagram or YouTube; all other network connections are blocked. His handheld device has the same limitations.
  • Bobby is at work, sitting next to John. Part of his job requires that he Skype chat with co-workers daily, so he can access Skype, and he can also access Facebook because his job is to keep up the company's Facebook profile.
  • Julian is home sick from school. His Xbox has network access but is not allowed to access the Xbox network outside the evening hours of 8 to 9 PM EST. As badly as he wants to play Halo 3, he is out of luck without permission or patience.
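The device identification rules and the per-device access controls above, worked through as an added example that is not part of the original page or of any Zoneinsite product: a small Python policy evaluator that encodes the MAC allow list with default deny, the application allow/deny verdicts a DPI signature stage would feed it, a consumption bucket and a time-of-day window, and runs the John, Bobby and Julian cases through it. Device names, MAC addresses and application labels are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, FrozenSet, List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass
class DevicePolicy:
    """Per-device rule set; hypothetical structure constructed for this example."""
    name: str
    allowed_apps: Optional[FrozenSet[str]] = None      # None = any application
    blocked_apps: FrozenSet[str] = frozenset()          # denied by DPI/app signature
    byte_budget: Optional[int] = None                   # consumption bucket; None = unlimited
    tod_windows: Dict[str, List[Tuple[time, time]]] = field(default_factory=dict)


def evaluate(policy: Dict[str, DevicePolicy], mac: str, app: str,
             now: time, bytes_used: int) -> Tuple[str, str]:
    """Decide whether a flow from `mac` to application `app` passes the gateway.

    `app` is the label the DPI/signature stage would attach ("web", "skype", ...).
    `now` is site-local wall-clock time; windows here must not cross midnight.
    """
    pol = policy.get(mac.lower())
    if pol is None:
        # Default deny: every device must be explicitly ALLOWED. This is
        # identification, not authentication: a spoofed MAC inherits its policy.
        return DENY, "unknown device: not on the allowed list"
    if pol.byte_budget is not None and bytes_used >= pol.byte_budget:
        return DENY, f"{pol.name}: consumption bucket exhausted"
    if app in pol.blocked_apps:
        return DENY, f"{pol.name}: {app} blocked by application signature"
    if pol.allowed_apps is not None and app not in pol.allowed_apps:
        return DENY, f"{pol.name}: {app} is not an allowed application"
    windows = pol.tod_windows.get(app)
    if windows is not None and not any(s <= now < e for s, e in windows):
        return DENY, f"{pol.name}: {app} outside its time-of-day window"
    return ALLOW, f"{pol.name}: permitted"


# Constructed policy table mirroring the page's three examples plus a guest
# device with a byte budget. MACs are made-up locally administered addresses.
POLICY = {
    "02:00:00:00:00:01": DevicePolicy(
        "John's PC", allowed_apps=frozenset({"web"}),
        blocked_apps=frozenset({"facebook", "instagram", "youtube"})),
    "02:00:00:00:00:02": DevicePolicy(
        "Bobby's PC", allowed_apps=frozenset({"web", "skype", "facebook"}),
        blocked_apps=frozenset({"instagram", "youtube"})),
    "02:00:00:00:00:03": DevicePolicy(
        "Julian's Xbox", tod_windows={"xbox-live": [(time(20, 0), time(21, 0))]}),
    "02:00:00:00:00:04": DevicePolicy(
        "Guest tablet", allowed_apps=frozenset({"web"}), byte_budget=500 * 1024 * 1024),
}


def decide(mac: str, app: str, now: time, bytes_used: int = 0) -> str:
    """Return just the verdict for the constructed policy table."""
    return evaluate(POLICY, mac, app, now, bytes_used)[0]


if __name__ == "__main__":
    for mac, app, now in [("02:00:00:00:00:01", "facebook", time(10, 0)),
                          ("02:00:00:00:00:02", "skype", time(10, 0)),
                          ("02:00:00:00:00:03", "xbox-live", time(15, 0)),
                          ("02:00:00:00:00:03", "xbox-live", time(20, 30)),
                          ("0a:bb:cc:dd:ee:ff", "web", time(12, 0))]:
        print(mac, app, now, *evaluate(POLICY, mac, app, now, 0))
```

Note that the caveat the page itself raises applies directly to the lookup: the table keys on the MAC address alone, so the unknown-device branch is the only protection against a device that is not supposed to be there.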


Additional services include but are not limited to:

  • System access/use reporting and alarming
  • Site to site VPN configuration and support (requires subscription service)

Business Opportunities

All aspects of this system can be sold in a number of ways. Examples:

  • Ad hoc hardware sale. This brings with it no recurring revenue. It also has no signature updates past the time of sale, nor does it have Zoneinsite remote console/access ability. This system is an island and is only configurable locally, or remotely with risky firewall exceptions.
  • Hardware sale with subscription and support. In this case the hardware could be rolled into the monthly cost of the service. This service will have local and remote access abilities as well as subscription updates and support.
  • Site-to-site VPN service. This could be a subscription service that brings site-to-site VPN to the common home owner and business owner, allowing file share, printer and many other access types from offsite LANs (normally very complex and expensive to deploy).
  • Remote-to-site VPN service. This could be a subscription service that allows remote devices (PCs, handheld devices, and so on) access to a site or sites in the administrator's domain.
  • Cloud File Sharing internal to account domain.
  • Local VM hosting in the GW router.
  • Archival Cloud storage.


Future potential integration:

  • Security devices: Cameras, lights and locks
  • Thermostat information
  • Up/down reporting, to keep the internet provider honest.

Hardware Requirements

WAN gateway router should be offered in a few flavors: Small, Med and Large. The system will be limited by CPU and by the number of network sessions it can handle. Examples:

  • Small: SBC with two NICs and a Wi-Fi adapter, Atom-based CPU? Suitable for a simple or complex home install or a small remote office install (5 users). HD? RAM?
  • Med: SBC with four NICs; CPU should be a dual-core device. Suitable for a more complex home install or a medium office (10-30 users). HD? RAM?
  • Large: SBC with 6 NICs; CPU should be a quad-core device. Suitable for a medium to large office install (30-100 users). HD? RAM?


Network switches should be offered in a number of flavors as above:

  • Small: 4-8 PoE 10/100/1000 copper Ethernet ports
  • Med: 12-24 PoE 10/100/1000 copper Ethernet ports. One or more SFP-based fiber interfaces. PoE supported on a subset of switch ports
  • Large: 24-48 PoE 10/100/1000 copper Ethernet ports. Four or more SFP-based fiber interfaces. PoE supported on a subset of switch ports


Access points should be offered in a small number of flavors, or in one flavor, because they will be controlled by and integrated with the switches or WAN gateway routers; they should simply be added where needed in the network.

  • Single or dual Ethernet (dual allows the device to be installed inline on existing wiring without disrupting current cable use). PoE support. Wireless extension support.

System limitations

  • Device to device communication on a single LAN will not be limited or policed as the packets will never traverse the WAN Router
  • Application signatures are constantly changing and need to be babied.

System diagrams

ZIS-Smallinstall.jpg


ZIS-Med-Large-Install.jpg