Explains how PVDTN-STS differs from present connectivity methods, and explains the security vulnerability of all VPN (MPLS or otherwise) networks used for MAN / WAN connectivity. The key to the system is the Secure Switch (a 3-position, electromechanical, microprocessor-driven RJ45 switch) and the STS system covered by letter of patent 262590, which facilitates segregation at LAN level, simultaneous presence on the Internet through the public or Web server, and exchange of publishable information / data and mail between the internal and external networks without impairing the security of the former.
B. THE TECHNOLOGY ON OFFER
1. PVDTN-STS is a path-breaking, patented, integrated, inter-locational connectivity solution which ensures:
a. 100% security of an organisation's internal databases and WAN computing against external (hacker) and internal (mole) threats. It is the only such solution in the world today.
b. Savings of 50 to 75% of the organisation's present telecom costs.
c. Savings of a substantial portion of the organisation's travelling costs, through multiple simultaneous net meetings for different work groups with their officers from their respective work places spread across the country and the world.
d. The savings in these costs would generally pay back the network re-engineering or new set-up cost in 1 to 3 years. The more the inter-locational communications, the quicker the payback.
e. The system would improve the organisation's operational efficiency.
2. The PVDTN – STS system is covered by the following letters of patent and pending applications:
a. For PVDTN
i. Letter of Patent 202674
ii. Fresh application 1156 / KOL / 2014 dated 11.11.2014 covering the enhancements.
b. For STS
i. Letter of Patent 262590
ii. Fresh application 1158 / KOL / 2014 dated 11.11.2014 covering improvements.
3. To understand this path-breaking technology it is necessary to first understand the present method of inter-locational and Internet connectivity. Kindly see Fig. 1, which shows this connectivity.
[Fig. 1: PRESENT METHOD OF INTERNET CONNECTIVITY. Diagram not reproduced. Labels: INTERNET, FIREWALL, INTRANET, P2P LL NETWORK OR MPLS VPN, LAN Nodes, DB1, DB2, MS, PS.]
Legend for Fig. 1:
DB1, DB2 – Internal databases of organisation
MS – Company mail server
PS – Public Server of Company
Single LAN; DBs and MS are placed inside the Firewall. PS is placed outside the Firewall or in the DMZ.
However, since all Firewalls are breakable, the internal databases are vulnerable to hacker attacks.
[Fig. 2: PROPOSED METHOD OF INTERNET CONNECTIVITY. Diagram not reproduced. Labels: INTERNET, PVDTN WAN, INTRANET LAN, INTERNET LAN, STS, SSA, SSOD1, SSOD2, IBN1, IBN2, LAN Nodes, VDS, DB1, DB2, CS, IS, PS.]
Legend for Fig. 2:
CS – Company Communications Server
PS – Company Web or Public Server
IS – Intermediate Server which relays information / data / mail back and forth between CS and PS
SSA – Automatic Secure Switch which connects IS to the INTRANET and Internet LAN buses alternately at a preset (adjustable) time
DB1, DB2 – Company's internal databases
IBN1, IBN2 – Internet Browsing Nodes
SSOD1, SSOD2 – On-demand Secure Switches
STS – Total Secure Transfer system comprising CS, IS, PS and SSA
[Fig 3: Schematic Diagram of Secure Switch (SS), a 3-position, electromechanical, micro-controller driven RJ45 switch. Diagram not reproduced (it appears twice in the source). Labelled parts: MICRO CONTROLLER LOGIC (MC1, MC2); relays R1 and R2, each with a normally closed and a normally open contact; an RJ45 socket for connecting to the Internet LAN switch; an RJ45 socket for connecting to the Intermediate Server LAN card; an RJ45 socket for connecting to the Company secure LAN switch; 12V DC supply; 9-pin D-type serial port.]
4. As may be seen from Fig. 1, in the present method of connectivity there is a single LAN switch with a Firewall. The internal databases and the network are kept within the firewall domain. The public or company server (PS) is kept outside the Firewall or in the Demilitarised Zone (DMZ).
5. However, as is now widely accepted, all Firewalls are breakable. Thus in the arrangement shown in Fig. 1 hackers / crackers coming in from the Internet can snoop and spoof through the Firewall system and access the internal databases, which are therefore vulnerable to hacking.
6. Information from the internal network is passed on to the Web server (PS), and the reverse is also true, observing the rules of the Firewall. So there is a free flow of information back and forth between the internal and external networks.
7. The connectivity arrangement of this new technology is shown in Fig. 2. In this case there is a physical separation between the private (INTRANET) and the public (Internet) networks.
8. The exchange of information between the public and private networks, i.e. between the organisation's communication server (CS) connected to the INTRANET LAN and its public or Web server (PS) connected to the Internet LAN, takes place through the Intermediate Server (IS), which is connected to the Automatic Secure Switch (SSA). SSA alternately connects IS to the INTRANET LAN and the Internet LAN, never to both together, at a settable frequency.
9. Hence there is no direct connection between the two LANs. Hackers / crackers coming through the Internet will be confined to the Internet LAN only, will have access to the PS only, like the rest of the public, and will gain access to all the publishable information of the organisation and nothing more.
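To make the property claimed in paragraphs 8 and 9 concrete, here is an added example (not from the original document and not MIDAUTEL's code): a toy graph model of Fig. 1 and Fig. 2 in Python. The node names, the adjacency lists and the encoding of the three SSA positions are assumptions made for illustration. The firewall in the Fig. 1 model is a plain pass-through node, which is how the text's premise that all firewalls are breakable is represented. The check walks every SSA position and confirms that the internal databases are never reachable from the Internet while PS always is; a hypothetical "fault" position with both relay paths closed at once shows which invariant the "never to both together" rule protects.

```python
"""Added example, not from the original document: a toy graph model of the
network segregation described for Fig. 1 (present method) and Fig. 2
(proposed method with the Automatic Secure Switch, SSA).

Assumptions made here for illustration: node names, the adjacency lists,
and the encoding of the three SSA positions (0 = IS connected to neither
LAN, 1 = IS on the INTRANET LAN, 2 = IS on the Internet LAN). The firewall
in the Fig. 1 model is a plain pass-through node, which is how the text's
premise "all firewalls are breakable" is represented.
"""
from collections import deque


def undirected(edges):
    """Build an adjacency dict from (a, b) pairs; links are bidirectional."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable(graph, start):
    """Breadth-first search: every node with a physical path from start."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def internet_can_reach(graph, target):
    return target in reachable(graph, "INTERNET")


# Fig. 1: one LAN behind a firewall; PS outside the firewall / in the DMZ.
PRESENT_METHOD = undirected([
    ("INTERNET", "PS"),
    ("INTERNET", "FIREWALL"),
    ("FIREWALL", "LAN"),
    ("LAN", "DB1"), ("LAN", "DB2"), ("LAN", "MS"),
])


def proposed_method(ssa_position):
    """Fig. 2 topology for one SSA position.

    0, 1, 2 are the legitimate positions of the 3-position switch. "fault"
    is a hypothetical failure in which both relay paths are closed at once,
    i.e. exactly what the "never to both together" rule must exclude.
    """
    edges = [
        ("INTERNET", "INTERNET_LAN"),
        ("INTERNET_LAN", "PS"),
        ("INTERNET_LAN", "IBN1"), ("INTERNET_LAN", "IBN2"),
        ("INTRANET_LAN", "CS"),
        ("INTRANET_LAN", "DB1"), ("INTRANET_LAN", "DB2"),
    ]
    if ssa_position in (1, "fault"):
        edges.append(("IS", "INTRANET_LAN"))
    if ssa_position in (2, "fault"):
        edges.append(("IS", "INTERNET_LAN"))
    return undirected(edges)


def exposed_positions(positions=(0, 1, 2, "fault")):
    """Switch positions in which an internal database is reachable from the Internet."""
    return [p for p in positions
            if internet_can_reach(proposed_method(p), "DB1")
            or internet_can_reach(proposed_method(p), "DB2")]


def check_segregation():
    """True when, in every legitimate SSA position, DB1 and DB2 are unreachable
    from the Internet while PS (the publishable information) stays reachable."""
    for pos in (0, 1, 2):
        if not internet_can_reach(proposed_method(pos), "PS"):
            return False
    return exposed_positions((0, 1, 2)) == []


if __name__ == "__main__":
    print("Fig. 1, DB1 reachable from Internet:", internet_can_reach(PRESENT_METHOD, "DB1"))
    print("Fig. 2, segregation holds in all positions:", check_segregation())
    print("Fig. 2, exposing positions:", exposed_positions())
```

The model only checks instantaneous physical connectivity, which is the property the text argues from. IS itself carries data across switch positions, so what IS is permitted to relay between CS and PS (the text limits it to publishable information, data and mail) is the part of the design that the graph does not capture and that has to be controlled separately.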
10. All LAN nodes on the INTRANET LAN will be able to transact internal mail through their Company Mail Server on the same LAN, and external mail through the STS system and the Internet Mail Gateway available on the PS connected to the Internet LAN.
11. However, there will be some people in the organisation who need to browse the Internet for information and for viewing vendor and competitor Web sites and search engines. For such people Internet Browsing Nodes (IBNs) will be provided.
12. This network segregation has been made possible by the Secure Switch, which is a three-position, electromechanical, microcontroller-driven RJ45 switch, the schematic diagram of which is shown in Fig. 3 and the pictorial views in Fig. 4. This product is covered by the STS patent No. 262590 held by Pankaj Kumar Mitra, and developed and owned by MIDAUTEL.
13. Fig. 5 shows how a PVDTN WAN is configured with point-to-point (p2p) leased lines between peripheral locations and the central location, with cross-linking between adjacent locations for alternate routing in a tri-node configuration.
14. Fig. 6 shows the principle of a PVDTN WAN. Each p2p line has a channel splitter at either end which splits the total bandwidth and creates two parallel networks – a circuit switched network routed by EPAXs with E&M trunks, and an IP packet switched network routed by data routers at each location.
15. Fig. 7 shows a typical PVDTN NODE structure at each company location.
16. Fig. 8 shows the MAN network structure of large multi-office organisations in the same city, such as Govt. offices and banks. This forms part of the enhanced PVDTN system covered by the new patent application dated 11.11.2014.
17. Fig. 9 shows a typical multi-tier PVDTN WAN configuration, following the principle explained in Fig. 6 and note B 14 above.
18. Fig. 10 shows a typical single-tier PVDTN WAN using the same principle.
19. Fig. 11 shows the concept of the tri-node configuration followed in all WAN design.
20. Fig. 12 shows the IP Core schematic of a TSP (telephone service provider).
21. Fig. 13 shows how all services at a location are connected to this IP Core through the Tier 1 switch at the location.
22. It also shows that all public domain networks have continuous physical access to each other, and also to the VPN routers supported by this common IP Core.
[Fig. 5: PVDTN WAN, and Fig. 6: PVDTN Principle. Diagrams not reproduced. Fig. 6 labels: NODE 1 and NODE 2 joined by a p2p leased line, with a SPLITTER at each node feeding a pSTN and an IPPN; pSTN + IPPN = PVDTN. Fig. 5 labels: link bandwidths X, Y, X+Y, X+Y and MAX (X,Y).]
Legend: Circuit Switched pSTN (private switched telephone network) routed by EPAXs at each location; Packet Switched IPPN (IP private network) routed by data routers at each location.
[Fig. 7: PVDTN NODE ARCHITECTURE AT KOLKATA. Diagram not reproduced. Labels: VDPS with trunk line cards KDI, voice / fax cards KVF.8 and data cards KHS.2 / KLS.1; LINE SPLITTER – KM2100; Digital n x 64 KBPS leased lines from Delhi, Nagpur, Mumbai and Chennai; analogue leased lines from locations in the same city or outstation locations; IP router; circuit switch router; LAN BUS with Server and LAN Nodes; Residential Connection via Tel, Fax, Modem and LCE 2W E&M.]
NOTE: In Kolkata there are no 4W E&M analogue lines terminating on the VDPS trunk cards. However, these have been shown so that the analogue connection at Mumbai from Ahmedabad and at Delhi from the CG Cell may be understood. 2W E&M lines shown will be present in all locations for residential connections.
[Fig 8: UNIFYING SWITCHES AND LANS USING DARK FIBRE CONNECTIONS AT KOLKATA TO FACILITATE SINGLE ROUTING POINT FOR IP AND CIRCUIT SWITCHED WANS. Diagram not reproduced. Labels: switches S1 to S5 and LANs L1 to L5 joined by redundant dark fibre connections through OFC / UTP converters; LAN BUS with LAN Nodes; Residential Connection / Gram Panchayat Connection via Modem and LCE 2W E&M.]
[Fig. 9: TYPICAL STATE WAN CONFIG USING PVDTN FOR INTEGRATED VOICE, FAX, DATA COMMUNICATIONS UP TO GRAM PANCHAYAT WITH 100% ALTERNATE ROUTING / REDUNDANCY. Diagram not reproduced. Centre node KOLKATA; link bandwidth labels: 4 MBPS, 2 MBPS, 1958.6 KBPS, 768 KBPS, 384 KBPS, 320.7 KBPS, 2 X 128 KBPS, 62.42 KBPS, 6.22 KBPS and 2 X 2WE&M, with trunk counts per link marked on the diagram.]
NOTE: Total number of trunks emanating from Kolkata is 144 (8 x 18). Using the Erlang loading norm this can serve 1152 extensions in Kolkata. Thus 1158 officers may be provided NET telephones and they may be spread across Writers' Building, New Secretariat, and the Secretariats at Salt Lake.
[Fig. 10: CII – PVDTN WIDE AREA NETWORK TOPOLOGY. Diagram not reproduced. Locations: Chandigarh, Delhi, Gurgaon, Mumbai, Hyderabad, Kolkata, IHC, Bangalore. Bandwidth labels: 227.2 KBPS, 140.64 KBPS, 300.40 KBPS, 118.48 KBPS, 120.96 KBPS, 120.96 KBPS, 110.64 KBPS, 103.76 KBPS, 192 KBPS, 256 KBPS, 128 KBPS, 512 KBPS, 320 KBPS, with trunk counts per link marked on the diagram.]
[Fig 4: pictorial views of the Secure Switch. Image not reproduced.]
[Fig. 11: TRI-NODE FORMATION IN PVDTN, USED FOR SINGLE AND MULTI-TIER NETWORKS. Diagram not reproduced (it appears twice in the source). Labels: nodes A, B and C; bandwidths X and Y at A and B; links AC and BC marked X + Y; cross link AB marked MAX (X,Y).]
Notes to Fig. 11:
1. X and Y are the total bandwidth impinged on the WAN at each location at A and B respectively. This includes bandwidth for data, speech, and fax communications.
2. The derivation of X and Y at each location is shown in Table I of our draft proposal presentation.
3. The link bandwidth calculations are shown in Table II of the draft proposal presentation. As shown above, the main links AC and BC will have a total bandwidth of X + Y. This is to take care of 100% alternate routing in case of failure of either the AC or the BC link.
4. The cross link AB will have the larger of the two bandwidths X, Y.
5. We hope this will help you to understand the basis of derivation of location and link bandwidths shown in our draft proposal presentation.
[Fig. 12: NIB – II TOPOLOGY. Diagram not reproduced. Labels: CORE Router, EDGE Router, BRAS, IGW, STM16, STM1; locations shown: Mumbai, Delhi, Kolkata, Chennai, Bangalore, Noida, Pune, Guwahati, Lucknow, Chattisgarh, Bhopal, Jaipur, Gandhinagar / Ahmedabad, Chandigarh, Shimla, Srinagar, H-bad, Pondicherry, Thiruvanthapuram, Ernakulam, Goa, Patna, Bhubaneshwar; Back Office facilities – Web hosting, Customer servers, Messaging, Caching, Billing, etc.]
[Fig. 13: NIB – II ARCHITECTURE. Diagram not reproduced. Labels: CORE ROUTER on TIER I; TIER II switches with EDGE ROUTERS; DSLAMs and BRAS for broadband; EDGE ROUTER for MPLS VPN with leased lines from VPN subscriber premises; NIEX (NATIONAL INTERNET EXCHANGE, to connect all ISPs and provide a common international gateway) via an edge router; RAS and dial-up service edge router to the PSTN network for dial-up connections; links to other core routers.]
Explanatory Notes on VPN Vulnerability
Fig. 12 shows the topology of a typical ISP's IP network over which both Internet and VPN services are laid out. This is the topology of BSNL's NIB – II. Five cities are connected in a full mesh to form the core IP backbone across India. Other cities are connected through tri-node rings from the nodes of the core network through the Tier-1 switch at these nodes.
Fig. 13 shows the architecture of each of these nodes. The core router at the node sits on the Tier 1 switch. From these switches are taken the router connections for all the services – VPN, Internet through Broadband, and PSTN. Thus you will note that there is continuous physical connectivity between all the routers in this IP network through the Tier 1 switch at each IP node (POP), and hence continuous public domain access to the VPN routers.
1. In any IP network, public or private, the WAN ports of all routers in the network have continuous physical access to each other. Thus while a router port is engaged in communication with another in the network, a third port can have simultaneous communication with it. If the IP network is in the public domain (Internet) or has access from the public domain (VPN), this third port could be that of a hacker.
2. Thus while the various security protocols like IPSec, etc., can transport the data from one computer to another securely, the LAN and the databases residing on it are exposed to the public domain through a VPN, which has public domain access for the reasons explained in 1 above.
3. For secure WAN computing it is necessary to have a real private network (at least for data communications). Once this is in place, inter-locational voice / fax can be run over this network at a marginal increase in operating cost, using the patented PVDTN system.
4. You should not expose your company databases to the public domain through the Internet, ISDN back-up, or VPN (which has public domain access), for the reasons explained in 1 above.
5. The MPLS networks currently in vogue are another form of VPN network and are subject to the comments in 1 to 4 above.
We do hope the above notes will explain the security vulnerability of your databases when these are on LANs connected to the VPN (MPLS or otherwise) of any service provider.
If you wish to secure your databases 100% then use point-to-point leased lines for inter-locational computer connectivity.
[Slide: ADDITIONAL INFRASTRUCTURE FOR PVDTN AT CENTRAL LOCATION. Diagram not reproduced. Labels: EPABX, PSTN, INTERNET, PVDTN WAN, INTERNET LAN, VDPS LAN, INTRANET LAN, Channel splitter, Secure Switch (SS), CS, IS, PS, IBN; existing and additional infrastructure are distinguished on the diagram.]
[Slide: ADDITIONAL INFRASTRUCTURE FOR PVDTN AT OTHER LOCATION. Diagram not reproduced. Labels: EPABX, PSTN, INTERNET, PVDTN WAN, INTERNET LAN, VDPS LAN, INTRANET LAN, Channel splitter, SS, IBN; existing and additional infrastructure are distinguished on the diagram.]
The voice to non-voice (fax and data) communications cost ratio varies as under, based on statistics collected for various MLOs (multi-locational organisations) across the world:
80:20 for the most developed countries
95:5 for developing countries
97:3 for less developed countries
Since for the same unit of time 60 times more information can be transported as data, the volume ratio would look like:
80:1200 for the most developed countries
95:300 for developing countries
97:180 for less developed countries
There is one other ratio: the inter-locational (or intra-company) communications costs to total communication costs. This could vary from about 40% for small and less interactive MLOs (multi-locational organisations) to 80 to 90% for large and highly interactive MLOs.
FAQ 1
How are savings made in PVDTN?
Thus if the total communication (voice and data) costs of a company like yours is X, the cost of voice communications will be around 95% and that of data around 5%. The integrated voice-data intranet will carry only the inter-locational voice traffic and the total data traffic, which is mostly internal. Even external email will be passed through this network to be conveyed to the Internet gateway through the STS system.
The total cost of inter-locational communication of a company is T + D, where T is the inter-locational telephony and fax cost and D is the data communications cost. In this case T will be, say, 0.8 x 0.95 X = 0.76 X; and the data communications cost will be 0.05 X.
What PVDTN does is eliminate T, by adding a percentage of D to D. Thus in place of T + D as you have now for inter-locational communications costs, you will have D + d (d being a percentage of D) for total inter-locational communications costs with PVDTN. Further, presently T varies with increased usage and consequently (T + D) increases year by year with increased usage. (D + d), on the other hand, will be a fixed per annum cost for unlimited usage. There are no usage charges.
FAQ 1 (Contd.)
FAQ 2
In our company the voice and fax services are looked after by one group, and the data services are looked after by another group. Since PVDTN is an integrated voice / fax / data network, what will happen to this arrangement?
In PVDTN, over the same point-to-point leased line backbone, we have two separate and distinct networks running:
A circuit switched network for voice and fax communications through the VDPS (EPAX with E&M trunk cards).
A packet switched IP network through the data routers sitting on the computer LAN at each location.
The bandwidths for each network are provided by the channel splitter at each location. The above are clearly explained in Slide 2 of the PVDTN Presentation.
Thus your present voice communication team will look after the circuit switched voice and fax network for inter-locational communications and the PSTN infrastructure already in place. The IT / data communications team will administer the packet switched IP data network through the data routers and the PVDTN WAN, and also the Internet connectivity. Thus there is no conflict of roles or interest between the two groups.
FAQ 3
We have already implemented voice integration over our existing data network using VOIP (voice over IP). How can PVDTN improve on this?
In VOIP (voice over IP) the actual bandwidth required per call through the WAN is 90 to 100 kbps. In the circuit switched network the bandwidth required for each call through the circuit switched WAN is either 12.8 kbps or 24 kbps, depending on the multiplexers (channel splitters) being used. Thus considerably larger link bandwidth is required for VOIP, leading to higher operating costs. Use of PVDTN integration will reduce the link bandwidth and hence the operating cost.
Irrespective of VOIP or PVDTN integration, the number of simultaneous calls to be provided in any WAN link is determined by Erlang loading, which is the number of extensions to be served by each trunk (WAN call). This could vary from 1:6 (for very busy locations) to 1:10 (for normal locations, as in a standard PSTN network). For most multi-locational organisations (MLOs) 1:8 is a good Erlang loading ratio.
Thus if there are 96 users of NET telephones in a location, based on an Erlang loading of 1:8 there should be 12 simultaneous WAN calls or trunks provided for. These may be distributed over all the lines terminating at the location.
The total bandwidth required for evacuating these simultaneous WAN calls will be 1200 kbps for VOIP and 154 or 288 kbps for PVDTN. If the appropriate bandwidths are not provided, in VOIP it will amount to bandwidth jamming and resulting unsatisfactory speech quality, and in PVDTN it could cause blocking of communications. Provision of the appropriate bandwidth ensures unblocked communications in PVDTN and satisfactory speech quality in VOIP.
In most VOIP implementations this aspect is overlooked, resulting in bandwidth jamming and unsatisfactory speech quality. This is what prompts the NET phone users to fall back on their PSTN phones to speak to their colleagues in other organisation locations, increasing telephony costs.
In PVDTN bandwidth provision is always optimum, resulting in unblocked toll quality (normal telephone like) speech. Thus PSTN calls to other company locations are totally eliminated.
FAQ 3 (Contd.)
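As an added example (not from the original document or the PVDTN presentation), the trunk and bandwidth arithmetic of FAQ 3 and the tri-node link rule from the notes to Fig. 11, written as a small Python planning helper. The per-call figures (100 kbps as the upper end of the 90 to 100 kbps VOIP range, 12.8 or 24 kbps per circuit switched call depending on the channel splitter) and the 1:8 Erlang loading ratio are taken from the text; the function names, the sample user counts and the X, Y bandwidths are assumptions constructed for the example. The same helper reproduces the Fig. 9 note (144 trunks serving 1152 extensions) and flags the under-provisioned link that FAQ 3 describes as jamming or blocking.

```python
"""Added example, not from the original document: link sizing per the rules
in FAQ 3 (Erlang loading, per-call bandwidth) and the notes to Fig. 11
(tri-node link bandwidths). Function names and sample inputs are assumed.
"""
import math

VOIP_KBPS_PER_CALL = 100           # upper end of the 90-100 kbps range in the text
CIRCUIT_KBPS_PER_CALL = {          # per channel splitter type, from the text
    "12.8k": 12.8,
    "24k": 24.0,
}


def trunks_required(users, erlang_ratio=8):
    """Simultaneous WAN calls (trunks) to provide for `users` extensions
    at an Erlang loading of 1:erlang_ratio, rounded up."""
    if users <= 0:
        return 0
    return math.ceil(users / erlang_ratio)


def extensions_served(trunks, erlang_ratio=8):
    """Extensions a given number of trunks can serve at the same loading."""
    return trunks * erlang_ratio


def voip_bandwidth_kbps(trunks):
    return trunks * VOIP_KBPS_PER_CALL


def circuit_bandwidth_kbps(trunks, splitter="12.8k"):
    """PVDTN circuit switched bandwidth, rounded up to whole kbps
    (12 x 12.8 = 153.6, which the text quotes as 154 kbps)."""
    return math.ceil(trunks * CIRCUIT_KBPS_PER_CALL[splitter])


def max_calls_on_link(link_kbps, per_call_kbps):
    """Calls a link can carry without jamming (VOIP) or blocking (PVDTN)."""
    return int(link_kbps // per_call_kbps)


def link_is_adequate(link_kbps, trunks, per_call_kbps):
    """True when the link carries every provided trunk; False means the
    jamming (VOIP) or blocking (PVDTN) condition described in FAQ 3."""
    return max_calls_on_link(link_kbps, per_call_kbps) >= trunks


def plan_location(users, splitter="12.8k", erlang_ratio=8):
    """Trunks and link bandwidth for one location under both schemes."""
    trunks = trunks_required(users, erlang_ratio)
    voip = voip_bandwidth_kbps(trunks)
    pvdtn = circuit_bandwidth_kbps(trunks, splitter)
    return {"trunks": trunks, "voip_kbps": voip, "pvdtn_kbps": pvdtn,
            "saving_kbps": voip - pvdtn}


def tri_node_links(x, y):
    """Fig. 11 rule: main links AC and BC carry X + Y so either can take the
    whole load if the other fails; cross link AB carries max(X, Y)."""
    return {"AC": x + y, "BC": x + y, "AB": max(x, y)}


if __name__ == "__main__":
    print(plan_location(96))                   # the 96-user case from FAQ 3
    print(plan_location(96, splitter="24k"))
    print(extensions_served(144))              # the Fig. 9 note: 144 trunks
    print(tri_node_links(300, 200))            # constructed X, Y in kbps
    print(link_is_adequate(1000, 12, VOIP_KBPS_PER_CALL))  # under-provisioned VOIP link
```

Rounding is deliberate: trunks are rounded up so that a location is never short of a call path, and circuit switched bandwidth is rounded up to the whole kbps the text quotes. The tri-node function takes whatever X and Y Table I of the proposal produces; it does not derive them.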
FAQ 4
How do we run our Web based collaboration tools on PVDTN?
♦ PVDTN is a combination of two parallel networks:
♦ A circuit switched network for normal telephony and fax communications (synchronous communications).
♦ An IP packet switching network for data and other IP communications (asynchronous communications).
♦ All collaboration tools and software will run on the IP network for collaboration within the organisation, with the software residing in a server housed within the Intranet. This may be done using Novell Teaming and Conferencing, Microsoft SharePoint, etc.
♦ For collaborative work with the outside world – clients, vendors, consultants – the Internet would be used through the IBNs (Internet Browsing Nodes). For this there are two options:
♦ Use Web based meeting portals like Mediatone Networks Webex (there are several other similar shared collaboration solution portals).
♦ Set up your own Web based collaboration server in the Company's Web based Public Server and carry out collaborative activity with the Company's clients, vendors, consultants and business partners. This may be done using Novell Teaming and Conferencing, Microsoft SharePoint, etc.