Replacing costly leased line branch networking with a secure, cost effective alternative.
The Mainsdata security overlay hardens the security of your branch data network providing a totally secure, end-to-end data network solution.
Mainsdata routers in each branch communicate with Mainsdata servers in your datacentre via virtual private networks - or secure VPNs.
It uses state-of-the-art, standards-based techniques to protect the personal data of your customers from inspection and undetected alteration as the data travels from branch to datacentre.
The branch routers check that they connect only to the correct datacentre and the datacentre servers check that only authorised branches connect.
The Mainsdata routers provide a firewall in every branch and allow only traffic from the VPN to enter the branch. The routers also ensure that all traffic leaving the branch goes via the VPN and watch out for people connecting private devices in the branch.
Mainsdata is the answer to how to save money on branch network costs while at the same time improving security, speed and reliability.
Companies and organisations that switch their branch network supply to Mainsdata can save considerable sums of money. Their network access speeds will increase, and the reliability and resilience of their links will improve.
We partner with tier-1 providers to deliver this service.
Retail branches are usually sited in centres of population. They use mains electricity, mains gas, mains water, mains drainage and regular telephone lines. Historically, the public services were thought too slow for data and so private networks have been used at significant cost.
Access to the centre via the Internet is now much faster than via traditional private networks and the time has come to exploit this for branch connectivity. Thousands of businesses are operating via the Internet and all the large retail companies rely on the Internet at their centre to communicate with millions of customers both large and small.
Brown's Mainsdata routers in each branch are the key to facilitating the move away from private circuits to confidently using the Internet via a combination of broadband (ADSL), fibre (cable modem access) and UMTS (3G) for mainline and backup services. It is the Mainsdata routers that provide the network security and the management of the access to the network. The connections between the branches and the datacentre are secured regardless of the underlying physical network.
Any retail company with 10 or more branches would benefit from using this approach. For those with an existing private network the payback time is well under a year.
All data between branch and datacentre is carried via secure virtual private networks - or VPNs. This provides end-to-end security.
The VPNs are established between a Mainsdata router in each branch and a Mainsdata server in the enterprise datacentre. The security protocol used is TLS 1.2 (RFC 5246).
The two endpoints of each VPN are authenticated using X.509 certificates with 2048-bit public and private keys.
Data is encrypted using the AES algorithm with 256-bit keys. This process ensures the confidentiality of the data. [PCI-DSS requirement 4]
A 256-bit hash using the SHA-2 algorithm is applied to each transmitted block and is checked by the recipient. This prevents undetected tampering with the data and so ensures its integrity.
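The parameters stated above (TLS 1.2 only, certificate authentication at both ends, AES-256 with a SHA-256 MAC, 2048-bit keys), expressed with Python's standard `ssl` module as an added example that is not Mainsdata's own code. The suite names, the function names and the optional certificate file arguments are assumptions; the page does not state the key exchange or how the product is implemented.

```python
import ssl

# Assumption: OpenSSL names for TLS 1.2 suites pairing AES-256 with a SHA-256 MAC.
# The page states TLS 1.2, AES-256 and a 256-bit SHA-2 hash, not the key exchange.
SUITES = "DHE-RSA-AES256-SHA256:AES256-SHA256"
MIN_KEY_BITS = 2048  # X.509 key size stated on the page


def _base(protocol, ca_file, cert_file, key_file):
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # pin to TLS 1.2, as the page states
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(SUITES)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the peer must present a valid certificate
    if ca_file:  # hypothetical private CA that issued branch and datacentre certs
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:  # this endpoint's own certificate and private key
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def datacentre_context(ca_file=None, cert_file=None, key_file=None):
    """Server side: refuse any branch that has no certificate from the CA."""
    return _base(ssl.PROTOCOL_TLS_SERVER, ca_file, cert_file, key_file)


def branch_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: verify the datacentre's chain and its hostname."""
    ctx = _base(ssl.PROTOCOL_TLS_CLIENT, ca_file, cert_file, key_file)
    ctx.check_hostname = True  # connect only to the correct datacentre
    return ctx


def session_meets_policy(version, cipher, peer_key_bits):
    """Check a negotiated session against the stated parameters.

    version and cipher have the shapes returned by SSLSocket.version() and
    SSLSocket.cipher(); peer_key_bits is supplied by the caller after parsing
    the peer certificate.
    """
    name, _proto, secret_bits = cipher
    return (version == "TLSv1.2" and name in SUITES.split(":")
            and secret_bits == 256 and peer_key_bits >= MIN_KEY_BITS)
```

Calling `session_meets_policy` after each handshake and logging a failure gives a record of any session that negotiated outside the stated parameters.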
The endpoints of the network discard all data originating from outside the VPN, so attempted intrusions from other sources are prevented. [PCI-DSS requirement 1]
Devices attached to the Mainsdata router must have their MAC addresses authorised before being allowed to participate in data exchange. This will inhibit the connection of rogue devices to the LANs in the remote locations. [PCI-DSS requirement 10]
A RADIUS-based utility, DNRACS, is used to verify remote locations against stored security credentials and to log VPN connections.
Brown's supplies the DNManager application to provide a comprehensive management and monitoring facility. It is used to:
PCI-DSS refers to the Payment Card Industry Data Security Standard version 1.2