
Cloud routers–the current hot feature for the home network

Increasingly, every home-networking equipment vendor is pitching a mid-range or high-end router range that offers “cloud” abilities and features. This kind of functionality was previously offered simply as a remote-access feature, but it is now being marketed under the “cloud” banner as a way of making the devices look cool to customers.

These features are more about simplifying the process of giving authorised users remote access to the control functionality and similar features on these devices, including access from a smartphone or tablet. It also extends to file access for those of us who connect an external hard disk to these devices to use them as network storage.

What benefits does this offer for the home network router

The key feature that is offered for these devices is the ability to allow you to manage them from any Internet connection. This may be about troubleshooting your connection or locking down the Internet connection for rarely-occupied premises like a holiday home or city apartment.

If you connect an external hard disk to your cloud-capable router, you would have the same remote-access functionality as a cloud-capable NAS. This means that you could put and get data while you are on the road using your regular or mobile computing device and an Internet connection.

Some vendors integrate an application-level gateway to their cloud-assisted network services like video surveillance as part of this cloud functionality. This allows you to gain access to these services from the same point of entry as you are provided for your router.

How is this achieved

Like the cloud NAS, this involves the vendor providing a dynamic DNS service to aid in discovery of your router along with the use of SSL and other technologies to create a secure path to your router’s management dashboard.

It is also assisted with a client-side app for the mobile computing platforms so as to provide an integrated operational experience for your smartphone or tablet. This caters for items like access to the notification list, use of the interface style that is distinctive for the platform as well as the ability to get and put files according to what the platform allows.

Vendors who offer other cloud-based services would provide an application-level gateway in the router that ties in with these services and the devices that benefit from them. This is to provide a tight and finished user experience across all of their devices on your network, and is a way to keep you “vendor-loyal”.

Current limitations with this setup and what can be done

As we head towards cloud-capable network devices and add more of these devices to our networks, we will end up with a situation where we have to remember multiple Web addresses and user logins for each of these destinations. The manufacturers like D-Link would exploit this by integrating the cloud functionality for all of their devices or, more likely, devices within certain product ranges so that a user comes in to one entry point to benefit from the cloud functionality for that manufacturer’s device universe.

But the reality is that most of us would create a heterogeneous network with devices supplied by different manufacturers and of different product classes. Here, one would have to keep a list of usernames, passwords and Web entry points, or install multiple apps on a mobile device, to benefit from every device’s cloud functionality.

Similarly, a manufacturer would be interested in evolving their “cloud-side” part of the equation for newer products but could place older products at risk of being shut out. Here, they could maintain the same functionality by keeping the remote access functionality alive and passing stability and security improvements to those of us who maintain the older devices.

Of course, working on systems that are true to industry standards and specifications like TR-069 for remote management can allow for pure interoperability and a future-proof environment. It can also allow for increased flexibility and the ability for third parties to provide the “cloud router” services with their own functionality and branding.

Three-way data storage–the way to go for the home network

There is a new trend that is affecting how we store data on our home computers and in our home network.

The three-island trend

This is the existence of three data islands:

  • The main secondary storage that is part of our regular or mobile computing devices
  • A network-attached storage (NAS) system or a removable hard disk.

The NAS would serve as a network-wide common storage destination as well as being able to serve media to network-capable media playback devices without needing a PC to be on all the time. The removable hard disk, on the other hand, is simply used as an auxiliary storage destination for a particular regular computer.

  • A Cloud or remote storage service

The remote storage services like Dropbox or SkyDrive are typically used either for offsite data backup or as a data drop-off point that exists across the Internet. Most of these services work on a “freemium” business model where you have a small storage capacity available for free but are able to rent more capacity as you need it. Some of these providers may work alongside hardware or software partners in opening up increased storage space for users of the hardware or software sold by these partners. At the same time, the remote storage services are increasingly offering business-focused packages that are optimised for reliability and security, either on a similar freemium model or simply as a saleable service.

The role of file-management and backup software

Previously, backup software was charged with regularly sending copies of data that existed on a computer’s main secondary storage to removable storage, a network-attached storage system or, in some cases, remote storage services.

New requirements

Tiered data storage

Now this software is charged not just with backing up to removable or local-network storage, but with setting up storage tiers across this storage and remote storage. This is a practice that is familiar in large-business computing, where high-cost, high-availability storage is used for the data that is needed most; cheaper medium-availability storage for data that isn’t needed as often, like untouched accounts; and the cheapest, slowest storage media for archival purposes or for data that doesn’t change.

The remote storage and the NAS or removable storage can each serve as one of these tiers depending on the capacity that the device or service offers.

Remote storage serves as temporary data location

In some cases, the remote storage may exist simply as a data drop-off point between a backup client on a portable computer and a backup agent on a network-attached storage device as part of a remote backup routine. Here, a user may back up the portable computer to a particular share in something like Dropbox. Then an agent program built in to a small-business or high-end consumer NAS would check that share and move or copy the data from Dropbox to the NAS.

Similarly, a remote storage service could work alongside a locally-installed network-attached-storage and another NAS installed at another premises for asynchronous data transfer between these devices. This can be useful if one of these devices isn’t always accessible due to unreliable power or Internet service.

In the case of that small business that starts to add branches, this concept can work well with sharing business data such as price lists or customer information between the branches. Businesses that work on the “storefront-plus-home-office” model could benefit this way by allowing changes to be propagated between locations, again using the remote storage service as a buffer.

Remote storage serves as a share-point

In some cases, a remote-storage service like Dropbox can permit you to share data like a huge image / video album between multiple people. Here, they can have access to the content via a Web page or simply download the content to local storage. In some cases, this could be about copying that image / video collection of a wedding to the “DLNA” folders on a NAS so they can view these pictures on that Samsung Smart TV anytime.

What does the software need

Backup software needs to identify the file collections that exist in a backup job and make the extra copies that appear at different locations, whether as different folders on the same target drive or at a different target location. Similarly, a timed backup job could also encompass synchronisation or “shifting” of other file collections to one or more target locations.

Similarly, the backup routine isn’t just about “copying and compressing” files into a large metafile before transferring it to the backup destination. It is about working through the collection file by file according to the destination.

You could do this with most software by adding extra backup jobs with different parameters. But this involves creating more large metafiles with most backup software. Here, file-synchronisation software could perform the job better by working at the file level.
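The tiered, file-by-file approach described under “Tiered data storage” and “What does the software need” is sketched below as an added example; it is not code from the original article. The three tiers, the age thresholds and the sample manifest are constructed assumptions, and the sync plan is computed from content hashes rather than by packing a metafile.

```python
"""Added example (not code from the original article): a file-level, tiered sync planner
for the three storage "islands" the article describes. It works per file, with content
hashes, rather than packing everything into one large metafile; the tier names, age
thresholds and sample manifest below are constructed assumptions."""
import hashlib
from dataclasses import dataclass

DAY = 86400
NOW = 1_700_000_000  # fixed "current time" so the demo is reproducible


@dataclass(frozen=True)
class FileInfo:
    path: str
    data: bytes   # file contents (inline here; a real run would read from disk)
    mtime: int    # last modified, seconds since the epoch


def digest(data):
    return hashlib.sha256(data).hexdigest()


def tier_for(info, now=NOW):
    """Assumed policy: recently touched files stay on the NAS, older ones go to the
    remote service, files untouched for a year are archived."""
    age_days = (now - info.mtime) // DAY
    if age_days < 30:
        return "nas"
    if age_days < 365:
        return "remote"
    return "archive"


def plan_sync(source, targets, now=NOW):
    """Per-file actions for a timed job. `source` maps path -> FileInfo; `targets` maps
    tier -> {path: sha256 already stored there}. Unchanged files produce no traffic;
    a file whose tier changed is copied in and "shifted" out of its old tier."""
    actions = []
    for path, info in sorted(source.items()):
        wanted = tier_for(info, now)
        h = digest(info.data)
        for tier, stored in targets.items():
            have = stored.get(path)
            if tier == wanted and have != h:
                actions.append(("copy", path, tier))
            elif tier != wanted and have is not None:
                actions.append(("remove", path, tier))
    return actions


# Constructed sample: three files of different ages and what each island already holds.
SAMPLE_SOURCE = {
    "photos/wedding/001.jpg": FileInfo("photos/wedding/001.jpg", b"jpeg-bytes", NOW - 5 * DAY),
    "docs/pricelist.csv": FileInfo("docs/pricelist.csv", b"widget,9.99", NOW - 90 * DAY),
    "accounts/2019.xls": FileInfo("accounts/2019.xls", b"ledger", NOW - 400 * DAY),
}
SAMPLE_TARGETS = {
    "nas": {"accounts/2019.xls": digest(b"ledger")},           # still sitting on the NAS
    "remote": {"docs/pricelist.csv": digest(b"widget,9.99")},  # already up to date
    "archive": {},
}


def demo():
    return plan_sync(SAMPLE_SOURCE, SAMPLE_TARGETS)
```

Running `demo()` yields one removal (the old ledger leaving the NAS) and two copies; the up-to-date price list generates no transfer at all.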

Support for remote data storage in a NAS

Some network-attached-storage devices, especially those that work on an application-driven platform, work as clients to remote storage services. Here, this can cater for off-site file replication or “data-fetching” setups without a desktop or laptop computer having to be on all the time.

In some setups where portability is considered paramount, the idea of a NAS using remote data storage can allow a user to temporarily hold files destined for the remote data storage service on a NAS that is offline as far as the Internet is concerned. Then the NAS is just connected to the Internet to synchronise the files with a remote storage service.

Similarly, a media file collection that is shared via a remote data storage service like Dropbox may then end up on a NAS primarily to be made available to DLNA client devices at all times as well as not occupying precious disk space on the computer. This may be relevant for one or more large video files or a collection of many photos from that special occasion.

Conclusion

As we start to see the concept of the “three-island” data storage arrangement in our home and small-business networks, we will have to be able to work with these arrangements, whether by copying or moving the data between the different storage “islands”.

VPNs and remote access in the home and small-business space–a lot of unanswered questions

What is remote-access and VPNs

The concept of remote access and VPNs is primarily about gaining access to computer resources located somewhere physically distant from where we are. The typical applications that we talk of are access to business data held at our small business’s shopfront from our home office’s computer, or gaining access to data as we travel.

The method that is usually implemented is to set up a Virtual Private Network or VPN which is a virtual secure network link between one or more computers in one network and computers in another network. This link is hosted over another network infrastructure like an Internet service and acts as the secure data “tunnel” or path between these networks.

This will typically allow one to “draw down” files held on a remote hard disk or more likely use a “remote desktop” program to operate a computer from afar. The latter application would typically be performed using programs like VNC or Microsoft’s Remote Desktop / Terminal Services with a server component running on the host computer (which has the data and programs) and a remote-terminal client program on the computer that the user is working from.

Image: One of Draytek's VPN-endpoint ADSL modem routers

Previously, a VPN was based around two Internet-connected computers with one, typically a file server, being a “VPN server” and the remote computer being something like a laptop or home computer. Now the VPN can have a specially-enabled router as the “VPN server” or can become a secure link between two physical networks separated by an Internet connection and facilitated by specially-enabled routers. 

Two types of VPN

There are two types of VPN setup that are in use. They are the “Client to Box” setup and the “Box to Box” setup.

“Client-to-Box” – Remote computer to local network

The “Client to Box” setup has a user operating a single computer to gain access to the remote network. This is typically used to allow a mobile worker or a telecommuter to gain access to company resources from their laptop or home computer.

The computer runs a “VPN-client” program that is either part of the operating system or a separately-supplied program. Here, this program provides the login experience for the user and authenticates the computer to the main network. Then it effectively “bridges” the computer’s resources to that network.

Image: Single-client (“client-to-box”) remote-access VPN

“Box-to-Box” – Connecting multiple logical networks

The “Box to Box” setup is simply a secure link that is established between networks established in different locations. The typical reason to do this is to avoid the costs of renting a dedicated line between the locations and use the economies of scale that the Internet offers. This is typically established with the use of special “VPN endpoint” routers joining the networks and these routers create a secure encrypted “tunnel” for the data to move between the networks.

Image: “Box-to-Box” VPN connecting two networks

Relevance to the small business and home users

These VPNs do appeal to small businesses and home users in many ways. One is to allow a shopkeeper to have access to data held at either their home office or their shop from the other location. Similarly, a small-business owner can establish a branch of their business in a new location and make sure they have access to the business resources at the main location from the branch’s network.

Another example for a “client-to-box” setup is to allow a tradesman or similar worker to gain access to customer data held on his home-office computer from the road through the use of a laptop computer connected by a wireless-broadband link or use of a wireless hotspot.

There is even the prospect of home users using this VPN technology to gain access to media held on a home media server from remote locations. One example would be to “pull up” audio material held on the home media server from one’s car using a wireless-broadband link to download or stream the material. Another example would be to have the same media that you have “at home” available on a home network installed at a secondary home that you own or rent.

As well, it could be feasible to use VPN technology as part of home security and automation, especially when it comes to managing remote properties.

Similarly, it could support the use of the home network’s facilities in households where one or more members maintain separate Internet services and networks. Examples of this may include a business that is operated from home with a separate Internet connection for business-owned equipment, or lodgers and students who want to have their own Internet use on their own terms.

Limitations with the current technology

Hard to provision

The main limitation for home and small-business users when dealing with the VPN is that the VPN is typically hard to provision, whether it is to set up for the first time or to adapt it to suit future needs. 

The user needs to make sure each location’s local network uses a different IP address range, which would be a difficult task, especially as most small networks are set up to the default IP-address scheme determined by the network-Internet “edge” router when you get it.

Then they need to know the VPN protocols, security protocols and the VPN passphrase and set these in the “hub” VPN endpoint. They have to make sure this is accurately copied and copy these details to the “spoke” VPN endpoints at the remote locations. Here they may become confused with determining which is “outbound” and which is “inbound” for each tunnel when configuring each endpoint.

They would also have to make sure that one of the VPN endpoints or the one that is to be the “hub” endpoint either has a fixed Internet IP address or can support a dynamic DNS service like DynDNS.org or TZO and is set up for this service.

Most of these tasks would then daunt most home and small-business computer users unless they had a lot of detailed computer knowledge and skills.

Limited protocol and application set

Most VPNs can only handle the protocols associated with bulk file transfer between two or more general-purpose computers. They don’t properly support device discovery for other devices, which is important for the home and small-business user.

As well, they don’t work properly when it comes to streaming of real-time media between sites due to issues with streaming protocols and quality of service. Here, VPN applications involving these applications may have to implement application-layer gateways to facilitate the QoS and protocol needs.

Action to facilitate these networks

The UPnP Forum have released the “RemoteAccess” Device Control Profile for facilitating remote access and VPN use, especially when it comes to supporting UPnP-compliant devices on the “other side” of a remote-access link or VPN tunnel from “your side”. The first version is pitched at the “client-to-box” VPN setup, mainly to allow smartphone and laptop users to gain access to media on the home network. The second version, due over the next year, is intended to support “box-to-box” setups like multi-site “super-networks”.

This has been released in conjunction with the “ContentSync” Device Control Profile which allows for synchronising of content collections (or parts thereof) between two UPnP AV MediaServer devices.

It has then made a relevant case for home users to value VPN and remote-access technology for personal-media applications such as keeping copies or subsets of media libraries at other locations or playing media held at one location from another location.

What needs to happen

Improve provisioning experience

The routine associated with provisioning a remote-access setup or VPN “super-network” needs to be simplified in a manner similar to what has happened to Wi-Fi wireless networking. Here, this was facilitated by the user not needing to work out any new data except to identify a wireless-network segment via its SSID.

In a VPN or remote-access network, the user sets up a “hub” endpoint which would work on machine-determined VPN protocol settings. Here, the user determines the location name, dynamic-DNS service or fixed IP address; and the VPN network password.

As well, a dynamic-DNS service that has a lot more “meat” such as increased reliability could be a service that is sold by carriers and Internet service providers as a value-added service. These services could typically be packaged as a product differentiator between different Internet-access-package lineups or just simply as an add-on item.

Then the user sets up a “spoke” endpoint or client terminal by providing the fully-qualified location name and the VPN network password as well as an identifier for the “spoke” endpoint.

This setup could support the use of machine-generated passwords that have been successfully implemented with Windows Connect Now easy-Wi-Fi setup method in Windows XP Service Pack 2 and Vista; as well as the HomeGroup password in Windows 7. Similarly, there could be support for configuration files like what has happened with Windows Connect Now – USB setup where a configuration file is uploaded to a Wi-Fi router or client device to facilitate quick wireless-network enrolment.

A client-to-box setup could be set up with the user entering the VPN name and password in to a VPN client program that is part of the computer’s or smartphone’s operating system.

Site-local subnets (logical networks)

The provisioning process for a “box-to-box” remote-access network should make it easy to create site-local subnets that are peculiar to each logical network. This could require the “hub” endpoint to keep track of the subnets and cause “spoke” endpoints to determine new subnets as part of the setup process.

It can include the ability to reinforce a DHCP “refresh” so that all network devices that are in a logical network obtain new IP addresses if the addressing scheme has to be redefined for that network. This is because most network devices in home and small business networks are allocated IP addresses using DHCP rather than the user defining them in order to simplify setup of equipment on these networks.
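The subnet-collision problem raised under “Hard to provision” and the hub-tracks-subnets idea just above can be put together as an added example of what a hub endpoint could do; this is not code from the original article or from any vendor. The 10.10.0.0/16 pool, the sample sites and the DHCP offsets are assumptions.

```python
"""Added example (not code from the original article): a hub-side subnet planner for a
hub-and-spoke "box-to-box" VPN. Sites left on the router default 192.168.1.0/24 collide
with each other, so the hub keeps its own range, hands each colliding spoke a fresh,
non-overlapping /24 from an assumed private pool, and reports the DHCP scope that
spoke's router must re-issue to its clients."""
import ipaddress

# Assumption: the hub carves spoke subnets out of this private pool.
POOL = ipaddress.ip_network("10.10.0.0/16")

# Constructed sample: three sites still on the router default, one already distinct.
SAMPLE_SITES = {
    "hub": "192.168.1.0/24",     # home office, acts as the VPN hub
    "shop": "192.168.1.0/24",    # shopfront router left at factory default
    "branch": "192.168.1.0/24",  # new branch, same default again
    "home": "192.168.20.0/24",   # secondary home, already changed by hand
}


def parse_sites(sites):
    """Map site name -> ip_network (strict: host bits must be zero)."""
    return {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}


def find_collisions(sites):
    """Pairs of sites whose subnets overlap; routing cannot tell those apart."""
    names = sorted(sites)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if sites[a].overlaps(sites[b])]


def plan_subnets(sites, hub="hub", prefixlen=24):
    """Keep the hub's subnet and any spoke subnet that is already unique; give every
    colliding spoke the first pool subnet that overlaps neither a planned subnet nor a
    subnet still in use at some other site."""
    nets = parse_sites(sites)
    plan = {hub: nets[hub]}
    candidates = POOL.subnets(new_prefix=prefixlen)   # generator, consumed in order
    for name in sorted(n for n in nets if n != hub):
        current = nets[name]
        if not any(current.overlaps(p) for p in plan.values()):
            plan[name] = current
            continue
        for cand in candidates:
            if (not any(cand.overlaps(p) for p in plan.values())
                    and not any(cand.overlaps(n) for n in nets.values())):
                plan[name] = cand
                break
        else:
            raise RuntimeError(f"pool exhausted before {name} could be numbered")
    return plan


def dhcp_scope(subnet, pool_start=100, pool_size=100):
    """Router address and DHCP range a re-numbered site hands out after the
    'DHCP refresh' so clients pick up the new scheme (offsets are assumptions)."""
    base = subnet.network_address
    return str(base + 1), str(base + pool_start), str(base + pool_start + pool_size - 1)


def demo():
    nets = parse_sites(SAMPLE_SITES)
    plan = plan_subnets(SAMPLE_SITES)
    return {
        "collisions": find_collisions(nets),
        "plan": {name: str(net) for name, net in sorted(plan.items())},
        # only sites whose range actually changed need a DHCP refresh
        "scopes": {name: dhcp_scope(net) for name, net in sorted(plan.items())
                   if net != nets[name]},
    }
```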

Use of a logo for easy-setup VPN systems

A VPN or remote-access system needs to work to an industry standard that is supported by many vendors. Here, equipment and software that complies with this standard needs to be identified with a trademark and logo denoting this compatibility, so customers can choose the right hardware and software for an easy-to-provision remote-access setup.

Retroactive upgrading programs

There are small businesses who run VPN setups that are typically based on VPN-endpoint routers that have existed for a long time and are currently in service. The standards for providing “easy-setup” VPN systems could be retroactively implemented in these units by applying updated firmware that incorporates this functionality to existing VPN-endpoint routers. This may happen more easily for devices that are based on open-source firmware.

Conclusion

Once the industry makes it easier for home and small-business users to establish or manage their remote-access setups and VPN-based multi-premises super-networks, the kind of features that larger businesses take for granted can be of benefit to this class of user.

New UPnP standard for inter-network connection

UPnP Forum standard page – RemoteAccess:1

The UPnP Forum have this week released a Device Class Profile for setting up networks for inter-network operation and remote access. This is mainly to permit:

a) UPnP devices to work across multiple logical networks and

b) UPnP methods to be used for inter-network configuration

What is involved

The standard encompasses public-network-discovery mechanisms like STUN for determining the type of upstream NAT device in the Internet network and dynamic DNS for establishing the IP address for the main network’s fully-qualified Internet name. Some of these standards are implemented through VoIP setups to permit discovery of the VoIP network.
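To make the STUN part of that discovery concrete, here is an added example (not code from the UPnP specification or the original article) of the RFC 5389 Binding exchange a remote-access server would use to learn the public address its NAT presents. The server reply is constructed inline so it runs offline, and the addresses are made up.

```python
"""Added example (not from the UPnP spec or the original article): the STUN Binding
exchange a remote-access server uses to learn the public address its NAT maps it to.
Message layout follows RFC 5389; the server reply is constructed here so the demo runs
offline, and the sample addresses are made up."""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442        # fixed value that marks an RFC 5389 message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txn_id=None):
    """20-byte header, no attributes: type, length, cookie, 96-bit transaction ID."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def build_success_response(txn_id, public_ip, public_port):
    """What a STUN server sends back (constructed for the demo): the client's
    reflexive address, XORed with the cookie so NATs that rewrite addresses in
    payloads cannot corrupt it."""
    xaddr = int(ipaddress.IPv4Address(public_ip)) ^ MAGIC_COOKIE
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHxBHI", ATTR_XOR_MAPPED_ADDRESS, 8, FAMILY_IPV4, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def parse_mapped_address(data, expected_txn):
    """Return (ip, port) from a Binding Success Response, refusing replies whose cookie
    or transaction ID do not match the request we actually sent."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != expected_txn:
        raise ValueError("reply does not belong to our request")
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    attrs = data[20:20 + length]
    pos = 0
    while pos + 4 <= len(attrs):
        atype, alen = struct.unpack("!HH", attrs[pos:pos + 4])
        value = attrs[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)        # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8:
            family, xport = struct.unpack("!xBH", value[:4])
            if family != FAMILY_IPV4:
                continue
            port = xport ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return str(ipaddress.IPv4Address(addr)), port
    raise ValueError("no XOR-MAPPED-ADDRESS in reply")


def behind_nat(local_ip, local_port, mapped):
    """If the server saw a different address/port than the socket was bound to,
    an upstream NAT rewrote it and the public endpoint must come from STUN/DDNS."""
    return (local_ip, local_port) != mapped


def demo():
    txn = bytes(range(12))                                      # fixed ID for the demo
    request = build_binding_request(txn)
    reply = build_success_response(txn, "203.0.113.7", 34567)  # constructed server answer
    mapped = parse_mapped_address(reply, txn)
    return len(request), mapped, behind_nat("192.168.1.20", 51000, mapped)
```

Checking the cookie and transaction ID before trusting the mapped address is what stops a stray or forged datagram from feeding the server a bogus public endpoint.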

It also involves the establishment of secure VPN or DirectAccess (IPv6 over IPv4) tunnels between networks for this purpose. This doesn’t depend on a particular tunnelling method like PPTP, IPSec or SSL, but is more about establishing the tunnels between the networks.

There is also the establishment of UPnP “device relays” at each end of the tunnel so that UPnP entities (devices or services) in one network can be seen by similar entities in another network.

The standard also includes methods to permit replicated setup and teardown of devices and services between both networks. This would happen when the link is established or torn down or as UPnP devices come on line and go off line while the link is alive.

Abilities

The access or client network can be a simple single-subnet private network such as a home network, small-business network or public-access network. Larger corporate networks can qualify if the firewall at the network’s edge doesn’t specifically exclude UPnP Remote Access.

The master network which the remote device is visiting must be a simple single-subnet private network such as a home network or small-business network. The remote access server can be part of the network-Internet “edge” device like the typical “VPN endpoint” router sold to small businesses, or can be a separate piece of hardware or software on that same network. In the latter case, the server would have to work properly with a UPnP-compliant router (which most routers sold through the retail channel are) to obtain the network’s outside IP address and set up port-forward rules through that same device.

The value of UPnP Remote Access with corporate networks needs to be assessed, both in the context of network security for high-value data as well as interaction with established VPN setups. This can also include issues like the “other” network gaining access to UPnP devices on the local network or particular devices or device classes being visible across the tunnel.

What needs to happen

This standard needs to permit the user to establish a simple yet secure credential-delivery method for VPNs that extend these small networks. This may involve implementing methods similar to the use of a PIN when pairing Bluetooth devices, “push-push” WPS-style configuration or, for “deploy then establish” setups, an email-based system similar to what is used to confirm user intent when people sign up for Internet forums and social networks; or other similar practices.

The latter situation would appeal to setups where, at one end of the link, there isn’t likely to be a regular client computer in place, such as CCTV and telemetry applications or remote servers.

Compliant systems may also need to support two or more different methods to cater for whether the logical networks are in the same building or afar; or for whether the user prefers to deploy the equipment then configure it remotely or configure all the equipment at one location before deploying it.

Why would this technology end up being useful

One main reason for this development would be to extend the UPnP technologies to VoIP setups. This would then allow homes and small businesses to benefit from corporate-class telephony features like tie-lines, common phone books, logical extensions and the like, as well as easy-to-implement VoIP telephony.

Another application would be to enable access to existing UPnP devices in other locations. The common reason would be to benefit from multimedia content held at home from a hotel room or to synchronise such content between NAS boxes installed at home and a vacation property. Other applications that come to mind would include remote management of UPnP devices that are part of building control, safety and security such as central heating or alarm systems.

Parts of this standard may be implemented by router and remote-access software vendors as a way of establishing a “box-box” or “box-PC” VPN setup between two small networks like a home network and a small-office network. This could allow the small-business operator to benefit from the VPN setup that big businesses often benefit from, thus allowing for increased yet secure network flexibility.