Networking Lookout or the LabVIEW DSC Module Across Firewalls

Publish Date: Sep 06, 2006 | 14 Ratings | 4.14 out of 5 |  PDF

Overview

Connections between two machines running Lookout, the Lookout Web Client, or the LabVIEW Datalogging and Supervisory Control (DSC) module are made through National Instruments proprietary protocol called Logos. This protocol is based on UDP, which is a subset of the TCP/IP family. As described in this document, Logos connections can be affected if you are running the communication across a network firewall.

1. What is a Firewall?

Having a private network that is also connected to an external network (the Internet) can cause serious security issues, because anyone who has access to the Internet might also gain access to the private network. A firewall is a piece of hardware or software (or a combination of both) designed to prevent any unauthorized user from accessing a private network. Firewalls are like gatekeepers. All incoming and outgoing messages are carefully monitored to meet certain select security requirements. Firewalls inspect all forms of communication between two networks, and depending on how they match the programmed policy rules, the communications are dropped or passed.

There are many different theories from different security experts about how firewalls should be used to secure networks. The following are three fundamental methods:

1. Packet Filtering

Packet filtering is a way of controlling access to a network by monitoring incoming and outgoing packets. A packet is the unit of data that is routed between an origin and a destination on a network. Only those packets which meet the requirements specified in a database of rules are allowed to pass. Filters normally follow these basic rules:

  • Drop all inbound connection requests and pass all outbound connection requests.
  • Allow only those TCP packets to go through that are bound for certain ports (for example port 80 used for WWW).
  • Restrict inbound access to certain IP ranges.

2. Network Address Translation (NAT)

NAT is used by most firewalls. The main purpose of NAT is to hide the internal computer IP addresses. The NAT firewall changes the source address of all outgoing messages to the firewall IP address. It captures reply packets and changes the target address back to the source computer address (the one that started the communication). Thus, a single host is making requests on behalf of all internal hosts. In this way NAT prevents any external users from obtaining the IP address of an internal computer and prevents any connection that has not originated on the internal network. For example, an internal client can connect to an external FTP server, but an external client will not be able to connect to an internal FTP server.

3. Proxy Servers

A proxy server is another type of firewall. When an internal computer makes a request for an Internet service (such as a Web page request), this request is passed on to the proxy server. If the requested communication meets all the requirements, the proxy server performs the request. For example, suppose you want to download an HTML page in Internet Explorer and this page has some ActiveX content. If you have set up your proxy server to prevent any HTML pages with ActiveX content from being downloaded to the private network, the proxy server filters out the ActiveX content. The drawback of proxy servers is that they are extremely application specific. For example, you must have different proxy modules for HTTP, FTP, Telnet, and so on.

Back to Top

2. Logos and Firewalls


1. Packet Filtering and Logos

The Packet filtering section above lists three basic rules that are generally followed. In the case of the first and third rules listed, you only need to make sure that your firewall is configured to pass all the inbound connection requests for the client IP addresses. The second rule regarding TCP packets requires more consideration with the National Instruments Logos communication protocol.

Logos is the National Instruments proprietary mechanism for inter-process communication that is used by some of our software products, including Lookout and the LabVIEW Datalogging and Supervisory Control module. Logos is based on the UDP protocol (TCP/IP family). It implements certain services (such as Process Manager, Classified Ads, Time Synchronization, and Citadel) which facilitate client/server communication. Each service has a different dynamically-assigned port between 1024 and 65535.

Suppose you have a server process running and multiple clients that need to establish communication with the server process. Since Logos is based on the UDP protocol, a client must know what port number a service is listening on if it wants to communicate with it. The Logos Classified Ads service maintains a service port map on each computer. This service is always running on the 2343 port (officially reserved for nati-logos). If a client wants to communicate with a particular service on the server computer, it first connects to Classified Ads (on port 2343) and asks for the port number assigned to that particular service. The Classified Ads searches the map table and returns the service port number. The client will then be able to make the connection request through the dynamically-assigned port number of the desired service, which can be any port above 1024.

Your firewall configuration must keep all UDP ports within the 1024-65535 range open. Otherwise, the client won't be able to make a connection to the server. Keeping these ports open isn't as big a security risk as it may seem. In most cases, no one outside your firewall can do anything devious through these UDP ports, since you probably don't have any harmful applications listening on the UDP ports greater than 1023. But if you are concerned about security, you can take these measures:

  • Use a utility that list all open ports on your computer, such as TCPView from www.sysinternals.com.
  • Restrict the inbound requests on the UDP ports to certain IP addresses only. Then only computers from that list will be able to make the connection; requests from a computer that is not in the list won't be successful. Refer to your firewall documentation for details about how to restrict the access.
  • Limit the range to just the first few hundred, starting from 1024. While there is a good chance that the connection will work, we do not recommend doing this. The dynamic ports are assigned by the operating system starting at 1024, and Logos does not have control over the numbers. So for example, if you limit the range to 1024-1200 and a port higher than 1200 is assigned to a service, the client will not be able to access it.

2. Network Address Translation (NAT) and Logos

NAT will make your data inaccessible from computers outside the firewall. NAT is very powerful, but it has some drawbacks. The IP header is the leading section of each packet and contains predefined fields such as the address of the source computer and target computer. Only an IP address in the header can be managed by the firewall. An IP address included in the data block is not recognized by the firewall and cannot be translated.

When establishing communication for data access across a network, Logos embeds the host name (or IP address) inside of the packet. If a client machine running on an external network needs to access data, it first makes an inbound connection to the Classified Ads to find the port the Process Manager services are listening on. Then it establishes communication with the Process Manager (implemented by Lookout or the LabVIEW DSC Engine). The Process Manager returns its configuration to the client, including the computer its running on. By default it's a computer name valid on the local area network (such as server1). This name is local name and won't be recognized on the Internet. To work around this, you can enter a name that is valid on the Internet.

If the name of the computer running Citadel is registered with some DSN (Domain Name Service), try to add your domain suffix to get the global name (such as server1.ni.com). Unfortunately, while the global name is valid on the Internet, it likely won't be recognized by your local network. If it is not a registered name, then you have to use the IP address directly. However, if your firewall uses NAT, the IP addresses on the local network and the Internet are different. Based on which IP address you use, you'll be able to access the data either from your local network or the Internet.

3. Proxy Servers

As mentioned above, Proxy servers are very application specific. They are mostly used for WWW, FTP, or e-mail servers. Logos communication will not be restricted by Proxy services.

Back to Top

Bookmark & Share

Ratings

Rate this document

Answered Your Question?
Yes No

Submit