What makes a VIN network "Virtually Invisible"?
The peer-to-peer (P2P) data plane of a VIN network is what makes it hard to detect and sets it apart from competing SD-WAN products. Traffic flows directly between peers, so there is no central point in the data path on which an observer could focus in order to discover the virtual network fabric (the Broker Service and orchestration platform described later on this page handle registration and configuration rather than carrying peer traffic). Even if one link were discovered, the observer would see only a small part of what traverses the virtual network, perhaps only the traffic passing between two nodes. The observer would also need to be on the same circuit that the traffic is traversing in order to intercept it, only to find that the frames are encrypted with strong AES encryption. Note what that encryption does and does not hide: the contents of the frames are protected, but the fact that two endpoints are exchanging encrypted traffic, and how much, remains visible on that circuit.
It is therefore only theoretically possible to capture a fraction of the traffic on the virtual network, and an observer doing so remains unaware of traffic sent between other pairs of nodes. Add to this that nodes usually reside behind a firewall performing port address translation (PAT) with no inbound ports open, and none need to be opened for a node to communicate with its peers. Nodes can send and receive traffic to and from other members of the virtual network, while hosts outside it have no means of reaching any node within it, nor of knowing where those nodes sit behind their respective firewalls.
With all of these properties combined, the “virtual network” can fairly be called “virtually invisible”.
This claim has been put to the test by a number of independent security and IT firms. The Virtual Invisible Network solution was described by the US-based cyber security firm SecureState as “amongst the most secure products in the market today” and “in line with the top Fortune 500 companies with which SecureState works.”
Netlinkz (formerly iWebGate) also won the Global Security Challenge, the world’s largest international security innovation competition, which is sponsored by the US Department of Defense.
What can I do with a VIN network?
The simplest answer is that anything you can do on a traditional LAN can be done on a VIN network. A VIN network is a LAN in its own right: a Layer 2 broadcast domain that carries the broadcast and multicast traffic you would find on a single traditional LAN segment.
Operating systems work at their best on a traditional LAN, where service and resource discovery is efficient. Nodes discover each other and establish direct connectivity almost instantly, so the usual operating-system functions work as expected, including population of network places in folder and file browsers.
If Active Directory (AD) servers are brought into the VIN network, AD client nodes that are also part of the VIN network can discover and fully use AD services as usual. Client nodes that have not yet joined the AD domain can do so over a VIN connection. This is also possible when the VIN is in VPN mode and the AD servers are not part of the VIN network.
Doesn't Virtual Private Network (VPN) provide access to the LAN?
Yes it does, but in a limited sense.
A conventional routed (Layer 3) VPN does not make the remote user part of the LAN’s broadcast domain: the remote user sits beyond the LAN, with the VPN server acting as a gateway. The tunnel provides access to the network, but the locations of services must already be known in order to reach them, or a separate discovery mechanism (DNS, for example) must be provided to locate resources and services.
VIN can replicate the VPN model by enabling traffic routing (relaying) on a node. By default, however, VIN creates a new virtual network that behaves like a LAN, into which resources and services are brought without exposing anything else, including the underlying physical networks. Nodes that join the VIN network then function as though they were all on the same LAN, regardless of their location, so servers, desktops, laptops and hand-held devices at different sites can communicate with each other as members of one virtual LAN.
If VIN Native Mode is equivalent to a LAN, what other modes are there?
VIN can establish networks in one of three modes:
- Native Peer-to-Peer Mode (LAN)
- Peer-to-Network Mode (VPN)
- Network-to-Network Mode (WAN/VPN)
Native Mode is the default mode for VIN networks. All three modes create a virtual LAN, but in Native Mode no node has routing enabled. Its purpose is to establish highly secure communications between a selected set of nodes only: client nodes are brought into the network along with the servers that provide the required applications, services and resources. For example, an Exchange Server can join the network so that client nodes can reach its email and calendaring services, while the AD servers it depends on do not join the network and remain reachable only by the Exchange Server over the physical LAN. Keeping the directory servers off the overlay limits what a client node on the virtual network can reach.
Peer-to-Network Mode covers the roaming VPN user: a remote user needs access to all of the resources on a private LAN, but bringing every node on the physical LAN into the virtual network would be too cumbersome, so one node on that LAN routes (relays) between the virtual network and the physical LAN. With VIN this requires basic knowledge of IP routing, but the outcome is identical to that of a typical remote-user VPN whilst remaining more secure.
Network-to-Network Mode establishes the equivalent of an infrastructure (site-to-site) VPN. Typically this emulates a dedicated private leased-line connection between two distinct local networks (e.g., LANs), but it can extend to replicating an entire MPLS-based network with as much, if not more, efficiency, and can be established in minutes rather than weeks. Significant costs can be saved, but this mode does require a reasonably advanced knowledge of IP routing. Netlinkz estimates that an MPLS solution would be more expensive than a comparable VIN solution by a factor of at least fifty.
What are the limitations of the VIN solution?
LANs have reasonably few limitations, and the same is true for VIN; some of the limitations of physical LANs do not apply to VIN at all.
For example, the most significant limitation of a physical LAN is the geographical area it covers. This does not apply to VIN, which was purposely designed to run over wide-area networks, including the Internet.
A physical LAN segment is also limited by the number of nodes it can hold before broadcast traffic (and, on shared media, collisions) degrades performance; administrators typically segment a LAN before it reaches about 200 nodes. VIN enforces a Class C (/24) network mask, so the ceiling for a single virtual network is 254 nodes. Collisions cannot occur in VIN, but running close to that ceiling is not recommended if the virtual network carries heavy broadcast or multicast traffic, because every broadcast must be delivered to every other node and the resulting load grows quickly with node count.
Another limitation is the compute power of the machine hosting a Broker or Peer component: less compute means lower performance and reduced throughput. For the Broker Service, limited compute also caps the number of nodes that can register with it; for a modest single server this limit may be as low as 200 nodes. To go beyond this, the server components of the VIN need to run on a load-balanced cluster. Pairing load balancing with a high-availability configuration also removes the single point of failure that a lone Broker Service represents.
The final limitation is, of course, available bandwidth. Because traffic flows directly between peers, no node needs the much higher bandwidth a central VPN server would require, and ordinary broadband Internet is more than capable of supporting most VIN networks. Busy VIN networks carrying high traffic loads will need more bandwidth at the nodes concerned.
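As an added illustration of the node-count and bandwidth limits described above (example code written for this page, not Netlinkz software), the following Python computes the usable-host ceiling of a /24 mask and estimates broadcast load in a full-mesh overlay. The fan-out model, one copy of each broadcast frame per peer because there is no switch to replicate it, is an assumption about how a peer-to-peer overlay must deliver broadcast, not a description of VIN's implementation; the traffic figures used are constructed inputs.

```python
"""Capacity estimates for a flat Layer 2 overlay.

Added example, not vendor code. It makes two things concrete:
  * a /24 mask leaves 254 assignable addresses (network and broadcast excluded);
  * broadcast in a peer-to-peer mesh has no switch to replicate frames, so each
    broadcast frame must be sent once per peer. That fan-out model is an
    ASSUMPTION about how a P2P overlay must deliver broadcast, not a statement
    about any particular product's implementation.
"""
import ipaddress


def usable_hosts(cidr: str) -> int:
    """Assignable host addresses in an IPv4 network (excludes network and broadcast)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - 2, 0)


def per_node_broadcast_bps(nodes: int, frames_per_sec: float, frame_bytes: int) -> float:
    """Uplink load one node carries for its own broadcast traffic.

    Assumed fan-out model: one unicast copy per peer, i.e. nodes - 1 copies of
    each broadcast frame. On a switched LAN the switch does this replication,
    which is why a large flat overlay is more sensitive to broadcast-heavy
    protocols than a physical segment with the same node count.
    """
    peers = max(nodes - 1, 0)
    return peers * frames_per_sec * frame_bytes * 8


def total_broadcast_bps(nodes: int, frames_per_sec: float, frame_bytes: int) -> float:
    """Aggregate broadcast bandwidth across the overlay: every node fans out to every peer,
    so the total grows with nodes * (nodes - 1)."""
    return nodes * per_node_broadcast_bps(nodes, frames_per_sec, frame_bytes)


def plan_overlay(cidr: str, nodes: int, frames_per_sec: float, frame_bytes: int,
                 uplink_budget_bps: float) -> dict:
    """Check a proposed overlay against the address ceiling and a per-node uplink budget."""
    ceiling = usable_hosts(cidr)
    per_node = per_node_broadcast_bps(nodes, frames_per_sec, frame_bytes)
    return {
        "ceiling": ceiling,
        "fits_subnet": nodes <= ceiling,
        "per_node_broadcast_bps": per_node,
        "total_broadcast_bps": total_broadcast_bps(nodes, frames_per_sec, frame_bytes),
        "within_uplink_budget": per_node <= uplink_budget_bps,
    }


if __name__ == "__main__":
    # Constructed scenario: each node emits 10 broadcast frames/s of 100 bytes
    # (roughly ARP plus mDNS/LLMNR chatter) against a 10 Mbit/s per-node uplink budget.
    for n in (20, 100, 254, 300):
        plan = plan_overlay("10.0.0.0/24", n, frames_per_sec=10, frame_bytes=100,
                            uplink_budget_bps=10_000_000)
        print(f"{n:>4} nodes: fits /24={str(plan['fits_subnet']):5} "
              f"per-node uplink={plan['per_node_broadcast_bps'] / 1e6:.2f} Mbit/s "
              f"overlay total={plan['total_broadcast_bps'] / 1e6:.1f} Mbit/s")
```

At 254 nodes the constructed chatter costs each node about 2 Mbit/s of uplink, comfortably within broadband, but the overlay as a whole is carrying over 500 Mbit/s of broadcast; raise the frame rate or frame size (file-browser discovery, printer announcements, streaming multicast) and the per-node figure quickly exceeds a home uplink, which is the practical reason behind the recommendation not to fill a broadcast-heavy /24.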
Netlinkz is continuing to scale its platform to larger and larger Enterprise and Carrier Grade standards.
If VIN is LAN over WAN, why is it sometimes described as SD-WAN?
VIN is broadly comparable with other SD-WAN solutions such as VeloCloud, but it is VIN’s data plane that sets it apart. The overlay virtual network is always provided as a mesh that functions in the same way as a LAN, so it offers the benefits of a LAN and removes some of the limitations of a typical one. VIN does not rely on a traditional VPN tunnel (for example the IPsec tunnels used by VeloCloud) and is more efficient as a result.
VIN also scales easily and can be installed on any Windows, macOS or Linux computer or on Android and iOS devices.
Key Benefits of the Virtual Invisible Network
- Performance: improved network performance thanks to the mesh topology of the virtual network fabric. These improvements can be largely attributed to the P2P capability at the network level.
- Reliability: VIN has proven to hold connections better than VPN-based solutions, even when the underlying network fails or encounters intermittent problems. VIN is also self-healing: connections are re-established automatically when the underlying transport is restored.
- Scalability: VIN networks rapidly scale up or down with ease, simply by adding or removing Peer Nodes as required.
- Security: VIN employs the traditional security methods expected of any private network layered over a public one but is also far more secure by design. See our Security page for more information.
- Flexibility: VIN offers the same networking flexibility as traditional physical Ethernet networking and can be interconnected with any other type of IP-based network making for infinite possibilities.
- LAN over WAN: VIN is the only virtual network solution that provides the true LAN experience over a much greater geographical area. VIN uses any type of network to support the layered virtual network fabric which behaves just like a traditional LAN segment.
- Rapid Network Charge and Discharge: Discharging a network can be just as rapid as establishing one. Entire private layered networks can be established or dismantled in minutes.
- Reduced CapEx and OpEx: significantly reduces the spend on specific networking hardware and infrastructure as well as benefiting from low subscription costs and reduction in ongoing operational costs.
- SD-WAN Approach: VIN is delivered in the style of SD-WAN for ease of network design and deployment. Networks are configured and controlled through a central orchestration platform (the control plane), while the data plane remains peer-to-peer and is significantly improved over traditional VPN-based SD-WAN models.