Our Virtual Invisible Network (VIN) is software defined, meaning the networks it creates do not require physical interfaces or cables and are “almost or nearly” entirely invisible. Below we explain in further detail some of the questions frequently asked about our product and its capabilities.

What is a Wide Area Network (WAN)?

A Wide Area Network (WAN) is often considered to be constructed from smaller networks such as LANs. The most significant difference between a LAN and a WAN is the area that a WAN covers. Rather than being localised, a WAN may span a suburb, city, country or even the entire planet. The Internet is probably the most famous WAN and is built from millions of much smaller networks.

WANs primarily connect two or more LANs or other localised networks together using leased lines from telecommunication companies or other long-haul communications providers. An example of a WAN connection is the connection between your office or home LAN and your ISP (Internet Service Provider) to provide you with access to the Internet. The same telecommunications companies can also combine resources to implement inter-continental cables that run between different countries.

It isn’t practical to lay such cables from one location to every other city, country or continent on the planet, so data is often relayed through other locations in order for it to be sent from, for example, Australia to the United Kingdom. This is the basis of the Internet, where numerous shared public connections (provided by telecommunications companies) are used to relay traffic from one location to a remote location halfway around the world.

Public WANs, such as the Internet, are not secure by nature because everyone’s traffic shares the same communications infrastructure. It is therefore the responsibility of the applications and services (such as secure web sites) to ensure that application data is encrypted (usually using SSL/TLS) as it traverses the public networks, or to carry it inside a Virtual Private Network (VPN).

The problem with WANs is that they cannot carry the unassisted discovery traffic (broadcast and multicast) that a LAN relies on, which often means that networking over a WAN can be slow and unreliable.

How does VIN achieve the LAN over WAN experience?

The key to achieving LAN over WAN is to ensure that a mesh network is created. A mesh network is one that allows a given node to automatically discover and communicate directly with any or every other node on the same network segment.

In order to achieve this over a wider area, VIN uses the capability of Peer-to-Peer (P2P) communications (think Skype, VoIP solutions and other P2P apps) but at the lowest possible network level before reaching physical hardware. In the case of VIN, this is Layer 2, the data link layer (the final software layer).

Techniques are used to establish direct communications between each and every node in a VIN network, allowing the transport of encrypted Ethernet frames between them. This ensures that broadcast and multicast traffic is supported in order to enable unassisted resource and service discovery. Therefore, anything that can be achieved on a regular LAN can be achieved in a VIN network.

In a nutshell, VIN uses proprietary software to create a private network that functions like a LAN over nearly any distance and that enables users to experience a fast, secure and reliable network.

How does VIN create a network?

The first requirement for any VIN deployment is the installation of software.

This is a fully documented procedure and requires the deployment of the VIN Platform (or VSP) on a bare-bones physical machine (server) or on a virtual machine (VM) configured with appropriate specifications either through a Telco Cloud provider or a simple AWS (Amazon Web Services) instance.

Additionally, VIN Peers or VIN Core must be installed on the VIN Nodes that will make up the edge of the virtual network.

VIN networks are easily defined through the VIN Platform. As seen with SD-WAN solutions, this is known as the orchestration platform that allows network administrators to define the configurations (name, IP address range, etc.) of a given virtual network and to establish the invitation that is provided to a Peer in order for it to register with the network.

Prior to registering with a VIN network, a VIN Peer must be provided with an invitation string that it uses to contact the VIN Platform. This comes in the form of a URL with a random token that identifies the network that the Peer is to join. The Peer registers the invitation (think of RSVP) with the VIN Platform and, if enabled, awaits approval from the network administrator. This eliminates the use of usernames and passwords and makes the virtual network device-centric rather than user-centric.

On approval of the invitation registration, the Peer receives an approval notification and a Broker Service connects the user or node to the mesh network. It is at this point that all of the magic happens with VIN.

First and foremost, the VIN Peer will securely identify the VIN Broker as legitimate through certificate validation. This occurs much the same way as a web browser validates a secure web server. On validation, the encrypted network information is pushed to the Peer, which then uses it to register with the VIN Broker and join the network.

On successful validation of the VIN Peer, the VIN Broker will announce the new Peer to the other Peers already joined to the network. These Peers will in turn respond with an acknowledgement. This sequence forms the rapid discovery process and usually initiates the P2P connections between the new Peer and each of the existing ones. With well-behaved NAT firewalls, this P2P negotiation process is almost instantaneous.
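To make the invitation, approval and announcement steps concrete, here is an added example that is not Netlinkz's code: it models an orchestration platform issuing single-use invitation URLs with random tokens, gating the join on administrator approval, and announcing the new Peer to existing members. The platform URL, the one-hour invitation lifetime and the in-memory data structures are assumptions.

```python
import secrets
from urllib.parse import urlparse, parse_qs

PLATFORM_URL = "https://vin-platform.example/join"  # hypothetical endpoint, not Netlinkz's

class Platform:
    """Minimal orchestration platform: issues invitations and gates joins on admin approval."""

    def __init__(self, require_approval=True, ttl=3600):
        self.require_approval = require_approval
        self.ttl = ttl            # invitation lifetime in seconds (assumed policy)
        self.invites = {}         # token -> (network_id, issued_at)
        self.pending = {}         # peer_id -> network_id awaiting approval
        self.members = {}         # network_id -> set of joined peer_ids

    def issue_invitation(self, network_id, now):
        """Return a one-time invitation URL carrying an unguessable random token."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.invites[token] = (network_id, now)
        return f"{PLATFORM_URL}?token={token}"

    def register(self, peer_id, invitation_url, now):
        """Peer registers its invitation (the RSVP). Returns 'joined', 'pending' or 'rejected'."""
        token = parse_qs(urlparse(invitation_url).query).get("token", [None])[0]
        entry = self.invites.pop(token, None)      # single use: consumed on first presentation
        if entry is None:
            return "rejected"                      # unknown, reused or forged token
        network_id, issued_at = entry
        if now - issued_at > self.ttl:
            return "rejected"                      # expired invitation
        if self.require_approval:
            self.pending[peer_id] = network_id     # wait for the administrator
            return "pending"
        self._join(peer_id, network_id)
        return "joined"

    def approve(self, peer_id):
        """Administrator approves a pending peer; returns the peers the join was announced to."""
        network_id = self.pending.pop(peer_id, None)
        if network_id is None:
            return None
        return self._join(peer_id, network_id)

    def _join(self, peer_id, network_id):
        """Broker announces the new peer to existing members, who acknowledge (rapid discovery)."""
        existing = self.members.setdefault(network_id, set())
        announced_to = sorted(existing)            # each existing peer receives the announcement
        existing.add(peer_id)
        return announced_to
```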

The new Peer is then part of the network and is able to communicate with the other Peers in the network to provide a LAN experience, where operating system services begin to discover each other over the new virtual LAN fabric. Each and every VIN Peer will continually attempt to establish P2P connections with each and every other VIN Peer it is aware of on the virtual network. Peers rapidly discover each other thanks to the announcement process that occurs when joining.

In order to maintain these P2P connections through the respective firewalls that each Peer Node may reside behind, small keep-alive probes are sent to ensure that even at the quietest of times, at least one packet is sent every so often to keep the firewall NAT table entry alive. This is also true between the Peer Nodes and the VIN Broker to ensure the VIN Broker is always able to send information to each of the Peer Nodes. For Peer Nodes that do not establish direct P2P connections, a relay through the VIN Broker is employed.
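The keep-alive requirement is easiest to see against a model of a firewall's NAT table. This added example (not Netlinkz's code; the 30 second idle timeout, the addresses and the probe intervals are all constructed) simulates a PAT firewall that drops idle entries and shows that a Peer stays reachable from the Broker only while probes arrive faster than the timeout.

```python
from dataclasses import dataclass, field

@dataclass
class NatMapping:
    inside: tuple        # (private_ip, port) of the peer behind the firewall
    outside: tuple       # (public_ip, port) that the broker and other peers see
    last_seen: float     # time of the last packet that refreshed this entry

@dataclass
class NatFirewall:
    """Toy PAT firewall: a mapping survives only while traffic keeps it fresh."""
    idle_timeout: float = 30.0          # constructed value; real firewalls vary widely
    public_ip: str = "203.0.113.5"      # constructed documentation address
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def _expire(self, now):
        self.table = {k: m for k, m in self.table.items() if now - m.last_seen < self.idle_timeout}

    def outbound(self, inside, now):
        """Outbound packet from a peer: create or refresh its mapping, return the public endpoint."""
        self._expire(now)
        m = self.table.get(inside)
        if m is None:                   # no live entry: allocate a fresh public port
            m = NatMapping(inside, (self.public_ip, self.next_port), now)
            self.next_port += 1
            self.table[inside] = m
        m.last_seen = now
        return m.outside

    def inbound(self, outside, now):
        """Inbound packet to a public endpoint: delivered only while the entry is alive."""
        self._expire(now)
        for m in self.table.values():
            if m.outside == outside:
                m.last_seen = now
                return m.inside
        return None                     # dropped: the NAT entry no longer exists

def broker_can_reach_peer(keepalive_interval, quiet_period):
    """Peer registers at t=0, then sends only probes every keepalive_interval seconds (None = none)
    for quiet_period seconds. Returns True if a broker packet sent at the end still arrives."""
    fw = NatFirewall()
    peer = ("10.0.0.7", 5000)           # constructed private endpoint
    endpoint = fw.outbound(peer, 0.0)   # the endpoint the broker records for this peer
    t = 0.0
    while keepalive_interval is not None and t + keepalive_interval < quiet_period:
        t += keepalive_interval
        fw.outbound(peer, t)            # keep-alive probe refreshes the entry
    return fw.inbound(endpoint, quiet_period) == peer
```

When the probe interval exceeds the timeout the firewall allocates a new public port on the next probe, so the endpoint the Broker recorded goes stale even though the Peer is still sending.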

Once connections are established and the virtual network is formed, the result is a virtual LAN stretched between each of the VIN Peers that form the edge of the virtual network. The behaviour of the network is equivalent to that of a physical LAN segment.

What makes a VIN network "virtually invisible"?

The P2P capability of the VIN network is what makes it hard to detect and sets it apart from competing SD-WAN products. There is no central point on which to focus attention in order to discover the virtual network fabric, and even if it were discovered, an observer would only see a very limited part of everything that traverses the virtual network, perhaps only that which passes between two nodes or two points. That observer would also need to be on the same circuit that the traffic is traversing in order to intercept it, only to find that the frames are encrypted using strong AES encryption.

Therefore, it is only theoretically possible to capture a fraction of the traffic on the virtual network, whilst being completely unaware of any other traffic being sent between other nodes. Couple this with the fact that nodes usually reside behind a firewall with no open ports; the firewall’s port address translation (PAT) is all that is required for a node to communicate with other nodes. Nodes can happily send and receive traffic to and from other nodes on the network, whilst nodes outside of the virtual network have no means of reaching any of the nodes within it, let alone knowing where they reside behind their respective firewalls.

Therefore, with all of these situations combined, the “virtual network” can be considered to be “virtually invisible”.

This concept has been put to the test by many independent security and IT firms across the globe. The Virtual Invisible Network solution was described by independent US-based cyber security experts, SecureState, as “amongst the most secure products in the market today” and “in line with the top Fortune 500 companies with which SecureState works.”

Netlinkz (formerly iWebGate) also won the Global Security Challenge, the world’s largest international security innovation competition. The competition is sponsored by the US Department of Defense.

What can I do with a VIN network?

The simplest way to answer this is that anything you can do on a traditional LAN can be done on a VIN network. A VIN network is a LAN in its own right and supports the usual broadcast and multicast traffic that you’d find in a traditional single LAN segment.

When using nodes in a traditional LAN, the operating systems of those nodes are at their functional best, because service and resource discovery is far more efficient. Nodes will discover each other and establish direct connectivity almost instantly, allowing the usual operating system functionality to be established, including population of network places in folder and file browsers.

If Active Directory (AD) servers are brought into the VIN network, AD client nodes that are also part of the VIN network will be able to discover and fully utilise services as usual. Client nodes that have not yet joined the AD domain may do so effortlessly over a VIN connection. This is also possible even when the VIN is in VPN mode and the AD servers are not part of the VIN network.

Doesn't a Virtual Private Network (VPN) provide access to the LAN?

Yes it does, but in a limited sense.

A VPN does not allow the remote user to be a part of the broadcast domain of a LAN, because the remote user is considered to be outside the LAN, with the VPN server acting as a type of gateway. The VPN tunnel provides access to the network, but the location of services must be known in order to reach them, or dedicated assistance must be provided in order to discover the location of resources and services.

VIN is able to replicate the VPN model by enabling traffic routing (relaying); however, by default, VIN creates a whole new virtual network that is identical to a LAN and allows resources and services to be brought into the new virtual network without exposing anything, including the underlying physical networks. Those nodes that join the VIN network are then able to function as though they are all in the same LAN, regardless of their location. Therefore, it is possible to bring in servers, desktops, laptops and hand-held devices from different locations and allow them to communicate with each other as though they are all on the same virtual LAN.

If VIN native mode is equivalent to a LAN, what other modes are there?

VIN can establish networks in one of three modes:

    • Native Peer-to-Peer Mode (LAN)
    • Peer-to-Network Mode (VPN)
    • Network-to-Network Mode (WAN/VPN)

Native Mode is the default mode for VIN networks. Whilst all modes create a virtual LAN, in this mode none of the nodes have routing enabled. The purpose of this mode is to establish highly secure communications between selected nodes. Client nodes can be brought into the network along with servers providing the appropriate applications, services and resources. For example, an Exchange Server can be brought into the network so that client nodes can access the group email and calendaring services it provides. The AD servers do not need to join the network and are accessible only by the Exchange Server via the physical LAN.

Peer-to-Network Mode emulates the roaming VPN user situation, where the remote user requires access to all of the resources on a private LAN but it is too cumbersome to bring every node on the physical LAN into the virtual network. With VIN, this requires basic knowledge of IP routing in order to establish such connectivity, but the outcome is identical to that of a typical remote user VPN whilst remaining more secure.

Network-to-Network Mode is used to establish the equivalent of an infrastructure or fixed VPN. Typically, this emulates a dedicated private leased line connection between two distinct localised networks (e.g., LANs); however, it can be as extensive as replicating an entire MPLS based network with as much, if not more, efficiency and the ability to be established in a matter of minutes rather than weeks. While significant costs can be saved, this does require a reasonably advanced knowledge of IP routing. It is also worth noting that an MPLS network solution would be more expensive by a factor of at least fifty than a comparable VIN solution.

What are the limitations of the VIN solution?

Given that the limitations of LANs are reasonably few, the same is true for VIN; moreover, a few of the limitations experienced with physical LANs are eliminated by VIN.

For example, the most significant limitation of a physical LAN is the area that it covers. This is immediately eliminated for VIN because it was purposefully designed to function over the top of larger area networks, including the Internet.

LANs are typically limited by the number of nodes that can be connected to a single network segment before collisions become too frequent and impact performance. Typically, network administrators will not connect any more than 200 nodes to a LAN before segregation of the network is required. VIN enforces a class C network mask (/24, or 255.255.255.0), so the ceiling is 254 nodes for a single network. Although collisions are not possible with VIN, approaching this ceiling is not recommended if the virtual network will be heavily loaded with broadcast and multicast traffic, as every node must process that traffic and the resulting load could be significant.

Other than the node count limitation, another limitation is imposed by the basic compute power of the machine that a Broker or Peer component is loaded onto. The less compute power either of these has, the lower its performance and the lower its traffic throughput. For the Broker Service, a lack of compute resources will also limit the number of nodes that can register with it. For a reasonable single server this limit may be as little as 200 nodes. To circumvent this, the server-side components of the VIN would need to be established on a load balanced cluster. A high availability service coupled with the load balancing service would also eliminate the single point of failure that results from using just a single Broker Service.

The final limitation is, of course, available bandwidth. The direct P2P nature of a VIN network means there is no requirement for a server with much higher bandwidth, and simple broadband Internet is more than capable of supporting VIN networks. However, for busy VIN networks supporting high traffic loads, more bandwidth should be allocated where necessary.

Netlinkz is continuing to scale its platform to larger and larger Enterprise and Carrier Grade standards.

If VIN is LAN over WAN, why is it sometimes described as SD-WAN?

VIN is reasonably comparable with other SD-WAN solutions, such as VeloCloud, but it is VIN’s data plane that sets it apart from SD-WAN solutions. The true overlay virtual network is always provided as a mesh network that functions exactly the same way as a LAN and therefore provides all of the same benefits of a LAN, and even removes some of the limitations of a typical LAN. VIN does not rely on traditional VPN (e.g., the IPsec used by VeloCloud) and is more efficient as a result.

VIN is also extremely easy to scale and can be loaded onto any Windows, Mac or Linux computer or Android/iOS device.

What is a Local Area Network (LAN)?

In a traditional sense, a LAN consists of a collection of computers and devices (nodes) connected to each other, either physically via cables or wirelessly via radio frequencies (e.g. Wi-Fi), with the common purpose of sharing information and resources. A basic LAN is a single segment found within a confined geographical location such as an office or home. Multiple LAN segments can interconnect with each other using routers (gateways from one LAN to another) and the overall collection of networks is still considered to be a LAN.

The LAN is where we are most efficient. Often, everything we need, from shared storage to printers, is directly accessible on the same LAN segment that our node is connected to.

But we also have the ability to connect LANs located in geographically dispersed locations using a dedicated connection. This is when we begin to use Wide Area Network (WAN) connectivity.