Overview
CENTAURI devices operate in concert with CENTAURI cloud services for certain aspects of provisioning and normal ongoing operations. To facilitate operations, there must be a secure communication channel established between CENTAURI devices and the corresponding cloud-based services. Customers may have different requirements for how secure communications channels should be established and operated. The design of CENTAURI has several built-in security features and options to accommodate most Customer security requirements.
When is connectivity to CENTAURI cloud services required?
Provisioning
During the provisioning of the device, a good quality laser link must be established between the two devices being provisioned. CENTAURI uses a cloud-based orchestration service to assist with this process. Calibration of both CENTAURI devices in a link is used to analyse and set the optimal laser power settings for that specific link. The calibration service requires a connection to CENTAURI cloud services using SSH and HTTPS access over a VPN to each device, to initiate and manage the calibration process.
This is not required for normal ongoing operations. As a result, connectivity to CENTAURI cloud services may be established for provisioning, only, and then later disabled.
Connectivity may be required from time to time if the device needs to be recalibrated. In these instances, the connection to CENTAURI cloud services can be re-established, temporarily, while the calibration process is run.
Ongoing Operations
During normal device operations, telemetry details are generated for many aspects of the device’s state over time: for example, link performance information, detailed vibration metrics, SFP performance, and metrics for other device components. The telemetry data is streamed to the CENTAURI cloud, where it is collected and processed to analyse the device’s performance over time. The insights generated from this analysis enable Transcelestial to make proactive recommendations to keep the device performing optimally and to assist in providing root cause analysis for any issues that may arise during ongoing operations.
Metrics and events data are written to local log files on each CENTAURI device. The stored log files are then forwarded to the CENTAURI Log Aggregator Service. CENTAURI devices initiate metrics streaming using an outbound connection to a well-known DNS address and port for the Log Aggregator Service. No inbound connection to the CENTAURI device is required or accepted during this process. The device client and the aggregator service use mutual Transport Layer Security (mTLS) to ensure that traffic is secure and trusted in both directions between CENTAURI devices and the Log Aggregator Service. All communication between the two endpoints is encrypted using TLS 1.2.
Software updates are part of the normal operation of CENTAURI devices and are required to stay current with supported software versions. CENTAURI has a built-in software update client to facilitate this, and the client is initiated at the request of an operator. The software update client initiates an outbound connection to the CENTAURI S/W Package Download service. No inbound connection to the CENTAURI device is required or accepted during this process. The device client uses OAuth 2.0 to establish a connection to the download service, and all communication is encrypted via TLS 1.2.
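The two outbound channels described above (the mTLS session to the Log Aggregator Service and the TLS 1.2 session to the S/W Package Download service) share the same client-side requirements: the device must present its own certificate where mTLS is used, must verify the service's certificate and hostname, and must refuse anything older than TLS 1.2. The following is an added example, not Transcelestial's client code, showing how those requirements are expressed with Python's standard ssl module. The port, the certificate file names and the peer hostname are placeholders; the article names only "a well-known DNS address and port".

```python
import socket
import ssl

# Placeholders: the article does not publish the aggregator's hostname or port.
LOG_AGGREGATOR_HOST = "log-aggregator.centauri.example"
LOG_AGGREGATOR_PORT = 443


def build_outbound_tls_context(ca_bundle=None, client_cert=None, client_key=None):
    """Client context for a device-initiated connection.

    - TLS 1.2 is the floor (the article states traffic is encrypted with TLS 1.2).
    - The service certificate must chain to the trusted CA and match the hostname.
    - If a client certificate is supplied the context presents it, which is the
      device's half of mutual TLS; without one the connection is server-auth only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # private CA that issued the service cert
    else:
        ctx.load_default_certs()                      # fall back to the system trust store
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_aggregator_server_context(server_cert=None, server_key=None, client_ca=None):
    """Server-side counterpart: the aggregator must *require* a client certificate.

    Passing no files leaves the context usable only for inspecting its policy;
    a real listener needs its certificate chain and the CA that signs device certs.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # this is what makes the TLS "mutual"
    if server_cert:
        ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)
    return ctx


def describe_policy(ctx):
    """Summarise the settings an auditor would check on either context."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def connect_and_report(host, port, ctx, timeout=10.0):
    """Open the outbound session and report what was actually negotiated.

    Needs network access to the real service, so it is not exercised offline.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            peer = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_subject": dict(item[0] for item in peer["subject"]),
            }


if __name__ == "__main__":
    print(describe_policy(build_outbound_tls_context()))
    print(describe_policy(build_aggregator_server_context()))
```

A quick operational check is to call connect_and_report against the aggregator with the device's certificate and key: the returned version should be TLSv1.2 or later, and the same call with the client certificate omitted should fail the handshake if the service really enforces mutual TLS.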
For time synchronisation via Network Time Protocol (NTP), the device requires an outbound connection to time.nist.gov.
CENTAURI Device and Cloud Services High-Level Overview
CENTAURI Management Services
CENTAURI Management Services (Management UI, RESTful API, SSH, SNMP Agent) enable the ability to view or modify detailed configuration settings on CENTAURI devices.
To view or modify any device settings, authenticated access is required to each service:
- Management UI - Access is over HTTPS with token-based authentication
- RESTful API - Access is over HTTPS with token-based authentication
- SNMP Agent - SNMP v3 with user id, password and end-to-end encryption of traffic
- SSH - Certificate-based access only, with short-lived certificates issued by Transcelestial. The standard lifetime of the certificates is five (5) minutes.
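The five-minute SSH certificate lifetime above is a property that can be checked on the device rather than taken on trust. The following is an added example, not Transcelestial's tooling, that parses the validity window out of an OpenSSH ed25519 user certificate and rejects certificates that are expired or were issued with a lifetime longer than five minutes. The certificate it builds is constructed for the example (its signature bytes are filler, so it would not pass signature verification); the key id and principal names are assumptions.

```python
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
MAX_LIFETIME_SECONDS = 5 * 60    # the five-minute lifetime stated in the article
USER_CERT = 1                    # OpenSSH certificate type codes: 1 = user, 2 = host


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string' field: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_sample_cert(valid_after, valid_before, key_id="ops-user", principals=("centauri",)):
    """Assemble a structurally valid, unsigned ed25519 user certificate (constructed data)."""
    principals_blob = b"".join(_s(p.encode()) for p in principals)
    body = (
        _s(CERT_TYPE.encode())
        + _s(b"\x00" * 32)                              # nonce (filler)
        + _s(b"\x11" * 32)                              # subject ed25519 public key (filler)
        + struct.pack(">Q", 1)                          # serial
        + struct.pack(">I", USER_CERT)
        + _s(key_id.encode())
        + _s(principals_blob)
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)               # exclusive upper bound
        + _s(b"")                                       # critical options
        + _s(b"")                                       # extensions
        + _s(b"")                                       # reserved
        + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32))     # CA public key (filler)
        + _s(b"\x33" * 64)                              # signature (filler, not valid)
    )
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} sample-comment"


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]

    def string(self):
        return self.take(self.u32())


def parse_cert(line: str) -> dict:
    """Read the fields that matter for lifetime policy from one authorized-key style line.

    Only the ed25519 layout is handled; RSA and ECDSA certificates carry different
    public-key fields between the nonce and the serial number.
    """
    cert_type, b64 = line.split()[:2]
    if cert_type != CERT_TYPE:
        raise ValueError(f"unsupported certificate type {cert_type}")
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != cert_type:
        raise ValueError("type string inside blob does not match prefix")
    r.string()                     # nonce
    r.string()                     # subject public key
    serial = r.u64()
    cert_kind = r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())
    principals = []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    return {
        "serial": serial,
        "type": cert_kind,
        "key_id": key_id,
        "principals": principals,
        "valid_after": r.u64(),
        "valid_before": r.u64(),
    }


def check_lifetime(cert: dict, now=None, max_seconds=MAX_LIFETIME_SECONDS):
    """Return (ok, reason) for a certificate against the short-lived access policy."""
    now = int(time.time()) if now is None else now
    if cert["type"] != USER_CERT:
        return False, "not a user certificate"
    lifetime = cert["valid_before"] - cert["valid_after"]
    if lifetime > max_seconds:
        return False, f"lifetime {lifetime}s exceeds policy maximum {max_seconds}s"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "outside validity window"
    return True, "ok"


if __name__ == "__main__":
    t0 = int(time.time())
    cert = parse_cert(build_sample_cert(t0, t0 + MAX_LIFETIME_SECONDS))
    print(cert, check_lifetime(cert))
```

On a real device the same fields are visible with `ssh-keygen -L -f <certificate file>`, whose "Valid:" line shows the window; comparing the two timestamps it prints is the manual equivalent of check_lifetime.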
The CENTAURI Management Services can be configured for access in the following ways, depending on a specific Customer’s security requirements:
- Private access only, via a Customer's private network. No external access is permitted.
- Remote access via a VPN. No direct external access is permitted.
CENTAURI Device Firewall
Each CENTAURI device has a firewall installed on the device itself. The device firewall is configured to block access except for what is actually required to support that device’s specific deployment scenario. For example, where a device has connectivity to the public internet, and the Management Services are private to a Customer’s network, the firewall can be configured to prevent all inbound connections from the internet and to allow only the outbound connections required to communicate with the CENTAURI Log Aggregator Service, S/W Package Download service and NTP.
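The deployment scenario just described reduces to a small stateful policy: accept return traffic for flows the device itself opened, drop every new inbound connection, and allow new outbound connections only to the Log Aggregator Service, the S/W Package Download service and NTP. The following is an added example, not the CENTAURI firewall configuration, that models that policy so each rule's effect can be seen on sample flows. The hostnames other than time.nist.gov, the service ports (443 is assumed for the two HTTPS services; NTP uses 123), the resolver address and the resolution table are all constructed for the example. It also makes explicit a dependency the article leaves implicit: a hostname-based allow-list only works if the device is permitted to reach its DNS resolver.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed stand-in for the device's DNS answers (placeholder names and addresses).
RESOLVED = {
    "log-aggregator.centauri.example": {"203.0.113.10"},
    "sw-download.centauri.example": {"203.0.113.20"},
    "time.nist.gov": {"192.0.2.5"},
}
RESOLVER_IP = "198.51.100.53"     # assumption: the resolver the device is configured with

# (hostname, protocol, port) for the only outbound services the scenario needs.
OUTBOUND_ALLOW = [
    ("log-aggregator.centauri.example", "tcp", 443),   # metrics streaming over mTLS
    ("sw-download.centauri.example", "tcp", 443),      # software package download
    ("time.nist.gov", "udp", 123),                     # NTP
]


@dataclass(frozen=True)
class Flow:
    direction: str            # "in" (towards the device) or "out" (device-initiated)
    proto: str                # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    dst_port: int
    established: bool = False # conntrack state: continuation of an already accepted flow


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, matched rule) for one flow under the default-deny policy."""
    # 1. Stateful: replies and continuations of accepted flows are allowed.
    if flow.established:
        return "accept", "established"
    # 2. No new inbound connections from anywhere when management is private.
    if flow.direction == "in":
        return "drop", "inbound default-deny"
    # 3. Name resolution, without which the host-based allow-list cannot be enforced.
    if flow.proto == "udp" and flow.dst_ip == RESOLVER_IP and flow.dst_port == 53:
        return "accept", "dns to configured resolver"
    # 4. New outbound only to a resolved address of an allow-listed service and port.
    for host, proto, port in OUTBOUND_ALLOW:
        if flow.proto == proto and flow.dst_port == port and flow.dst_ip in RESOLVED[host]:
            return "accept", f"outbound to {host}"
    return "drop", "outbound not on allow-list"


if __name__ == "__main__":
    samples = [
        Flow("in", "tcp", "198.51.100.7", "10.0.0.2", 443),
        Flow("out", "tcp", "10.0.0.2", "203.0.113.10", 443),
        Flow("out", "tcp", "10.0.0.2", "203.0.113.10", 22),
        Flow("in", "tcp", "203.0.113.10", "10.0.0.2", 50000, established=True),
    ]
    for f in samples:
        print(f, "->", decide(f))
```

Rule 4 matches on resolved addresses rather than names, which is how a packet filter actually sees traffic; if the cloud services' addresses change, the resolution table (in practice the firewall's name-to-address sets) must be refreshed or legitimate outbound connections will be dropped.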
Conclusion
In this article, we explained how CENTAURI devices operate in concert with CENTAURI cloud services to support the provisioning of CENTAURI high-speed connectivity links and normal ongoing operations. The communication channels set up between CENTAURI devices and Transcelestial’s cloud-based services facilitate safe and secure operations while providing the flexibility to support different Customer requirements for how secure communications channels should be established and operated. We hope you found this information helpful.
Need more information? Do you want to find out how Transcelestial and CENTAURI can support your specific deployment scenario and security requirements?
Please contact us and we will be happy to assist you.