Remote Services via Internet

Remote Services via Internet

With export volumes of 83%, remote services are of central importance to the printing machine manufacturer Koenig & Bauer. Where modem and ISDN connections no longer meet requirements, broadband Internet connections are increasingly opening up new possibilities regarding secured remote diagnosis and maintenance.

Closely interdependent production schedules at a printing plant necessitate the availability of printing systems as an important competition criterion. No publishing house or printing plant can afford unplanned downtime. For the printing machine manufacturer’s service department, this means uncovering any risks of error as early as possible and thus avoiding breakdowns. With large numbers of printing plants from Koenig & Bauer being distributed around the globe, this poses an enormous challenge.

The German group of companies began early in exploiting the possibilities of remote diagnosis and maintenance using modem connections to ensure the availability of the installed plants and at the same time, reduce the costs of on-site service and maintenance. However, with the increasing complexity of printing press systems, previous applications for remote service had been pushed to their limits due to data throughput rates of just 64 or 128 kBit/s using ISDN connections.

In addition, expenditure for the telephone infrastructure, the high connection costs and, last but not least, the security risk, that every modem represents for the entire company network were all disadvantages that the printing machine manufacturer no longer wanted to accept. “For these reasons, we started searching for new ways of remote maintenance,” comments Andreas Birkenfeld, Division Director Systems Technology at Koenig & Bauer, and adds, “the use of broadband Internet connections lent itself, because the connection costs are minimal, data throughput rates are increased from 64/128 kBit/s to several MBit/s using xDSL Internet connections – and new technologies such as Voice over IP (Internet telephony) and streaming of image and video data are opening up new service perspectives.”

The solution
In the end, KBA implemented remote maintenance via Internet using open standard technologies in an integrated end-to-end solution from Innominate, the Berlin-based industrial network security specialist. For its solution concept, Innominate has turned around the usual approach to remote maintenance services. Previously, a connection had to be established from the service technician to the system – in other words, as an incoming connection to the end customer network. With Innominate's "outgoing VPN" concept, the connection is established from the system to a service center – thereby becoming an outgoing connection from the end customer network. This paves the way for remote maintenance over the Internet.

“All former access problems due to internal security policies and central enterprise firewalls can be solved in one fell swoop, because outgoing Internet connections are decisively simpler and more secure to administer,” comments Torsten Rössel, Director of Business Development at Innominate, in describing the solution implemented for Koenig & Bauer.

In terms of hardware, the Innominate technology named mGuard is based on autonomous security appliances, which are available in different form factors for integration in the various systems to be serviced – for instance, as DIN rail mountable devices for printing plant control cabinets or as PCI plug-in cards for the control computer of an offset sheet printing machine.

As peer VPN gateway, a scalable mGuard “bladePack” has been installed in the Koenig & Bauer service center, which can accommodate up to twelve mGuard blade slide-in modules in a 19 inch, 3 rack units chassis. This allows it to flexibly support from 250 up to 3000 secured remote services connections. The mGuard platform works completely independently. The corresponding systems can be integrated with minimal configuration into any standard Ethernet environment, are compatible with every operating system and require no system configuration modifications – neither to the existing network, nor to the system to be serviced via remote maintenance. The security of remote services connections is granted by VPN (Virtual Private Network) technology based on the IPsec standard. In the process, the (de)activation of VPN tunnels can be controlled by the end customer and authorised communication can be limited to the necessary scope using firewall rules. To ensure the economic scalability of an Internet-based remote services solution for hundreds or even thousands of connected systems, comprehensive device management from a central platform is indispensable. The Innominate Device Manager (IDM), featuring a client/server architecture, is just such a platform. All features and settings of the security appliances can be centrally administered and configured during roll-out for the commissioning of remote services connections. Controlled updates of firmware and device configurations are possible while in operation and can be uploaded during an existing remote services connection (push procedure) or downloaded and activated independently by the devices themselves (pull procedure).

With sophisticated template and inheritance techniques, intelligent administration of virtual address pools, and an integrated certificate authority for the generation of VPN certificates, the IDM enables a high degree of automation for the configuration and commissioning of individual appliances. These elements also allow for a practical division of labor. A small number of IT security administrators with greater expertise can design the templates containing the more complex, security-relevant components, while after just a short briefing, a larger number of technicians can set up respective devices ready for delivery and operation with the help of these templates.

Initial experiences
During the pilot phase, in order to gather experience with the Internet-based remote maintenance system, Koenig & Bauer equipped more than 20 printing plants worldwide with the comprehensive mGuard solution. Among other things, a procedural form was developed for specifying the customer’s IT environment and any special requirements. On this basis, configuration, functional check, and acceptance test of the appliances could already be completed ex works at KBA..In an ideal-case, the technician on-site at the customer merely needs to connect the system with the data line and supply voltage. Due to the largely standardised configuration of the appliances, the administrative complexity is reduced to a minimum.

“If the customer delivers a technical briefing, we can even attain a true plug & play installation,” says Andreas Birkenfeld in describing his experience. He also has concrete ideas regarding the future possibilities of the solution: “We feel that integrating monitoring functions for ongoing equipment condition audits and logging functions to record events would be practical upgrades to the Device Manager”. Innominate has already included these suggestions in its roadmap for future product development. After a successful pilot phase, Koenig & Bauer plans the standardised use of mGuard devices and in a second step, the retrofitting of existing systems.

The security functions
The decentralized security appliance used in the printing machines from Koenig & Bauer combines a set of functions to reliably protect IP-based network connections to industrial systems and production plants:
  • Configurable firewall to protect against unauthorised accesses and connections. The Stateful Inspection Firewall scans all incoming and outgoing data packets based on the origin and target addresses and blocks undesired data traffic in both directions.
  • Flexible network operation in Router Mode to isolate networks or in Stealth Mode for transparent integration within existing networks. In Stealth Mode, the appliance’s external Ethernet interface takes over the network addresses (MAC and IP) of the system that is being protected; thereby it cannot be recognized and is consequently invulnerable by attacks.
  • VPN routing (optional) for secure data communication over public networks. Features a selection of hardware-accelerated DES, 3DES or AES encryption algorithms and supports the standardized IPsec protocol.
  • Routing and firewall redundancy (optional) for high-availability industrial network security solutions with automatic master/slave failover function.

    The Company
    Koenig & Bauer (KBA) has a long tradition. Already in 1814, the newly developed cylindrical printing machine from Friedrich Koenig was able to print the London daily newspaper “The Times” using a steam engine. Today, the group of companies (headquartered in Würzburg / Germany) has a broad range of printing systems at its disposal for the areas of offset sheet printing, digital offset sheet printing, reel-fed offset printing, web gravure printing, newspaper printing, flexoprinting, telephone directory printing, commercial paper printing and continuous sheet printing, as well as industrial labelling systems (inkjet, hot press and laser technology). With 8300 employees and an annual turnover of 1.7 billion euros, the group ranks among the largest manufacturers of printing plants in the world.

    For more information: