How to enable remote software updates in segregated networks with bandwidth efficiency and centralized control
Many manufacturing and industrial environments have segregated network setups where assets (IoT/embedded devices) are co-located within a local area network and separated from the public internet by an internet gateway device. Segregation increases security, but limits access and control to do software updates to the co-located devices more efficiently.
Centralized remote software update capabilities in segregated networks
As organizations continue to transition to the digital economy one challenge they face is secure and robust ways to update legacy hardware as well as any new installed systems. Leaving outdated and unpatched software can do irreparable damage to sensitive equipment and will make it exploitable for attackers. The risks of running software with known vulnerabilities are significant but easy to overlook, or ignore. It is cumbersome to update software on the devices with a USB stick and command line instructions with your laptop. This approach, though it may be policy compliant, is the least efficient way. Alternatively, one can install self-managed server infrastructure locally in the facility with some kind of updating mechanism in order to do updates to the co-located devices but then it will require maintaining and supporting the infrastructure. Further, if you have multiple segregated networks you will not be able to manage and deploy software updates from a central location and will also not be able to see the overview of all devices in one single place. With multiple on-premise installations you would need to manage multiple servers. These approaches bring complexity in managing infrastructure with more labor support which will drive up both the capital expenditure and operating costs for the business.
Mender enables its customers to update software over-the-air (OTA) to segregated network environments by bringing the server intelligence and local storage capabilities to the internet gateway device. This is done through Mender Gateway (see image below) and enables management and deployment of OTA software updates to the co-located devices on the local network. Mender Gateway acts as a proxy with the ability to understand and serve client requests locally separate from the outside public network. It operates by proxying requests from a local HTTP(s) server on the local network to the upstream Mender server.
The result is Mender Gateway enables remote software updates in advanced enterprise network topologies, all from a central Mender interface. It gives direct visibility and control into the entire network and its co-located devices in the network from one central pane of glass - the Mender web interface. It can save organizations costs and complexity of dealing with manual and local updates or dealing with self-hosted/onsite infrastructure.
Deploy software update to a segregated network faster and cheaper
In certain use cases software updates need to be transmitted over cellular networks (LTE/5G). In a segregated network environment there may be devices that require the same software update to multiple devices of the same type. For example, a group of devices may need full operating system updates and another group of devices may need a package or container update, all of them co-located and within the same facility.
To avoid downloading (large) software multiple times to the same set of co-located devices, the software is downloaded and “cached” only once to Mender Gateway and then deployed locally to each device type. Depending on the cellular technology and network operator, this can translate to significant data transfer cost savings. Once you have software stored locally on the gateway device it will be faster to distribute it across the co-located devices within the environment which avoids sluggish data transfers if there are intermittent cellular network connectivity issues.
To illustrate the cost savings, a simple model to compare software deployments with and without Mender Gateway is considered. Note that without Mender Gateway the challenges remain the same as highlighted in the previous section in this post. Then the assumption in the ‘without Mender Gateway’ scenario is that the network is not segregated and software is deployed directly to each device within the same environment.
The cost of mobile data varies significantly across countries worldwide and cable.co.uk released (in 2021) an extensive analysis of mobile data pricing across the globe with an average cost of $3.33 for 1 GB of data in the U.S. The referenced data is based on end-user pricing and channel customers could see lower pricing but the relative magnitude of update costs are still valid.
For example, assuming a full OS image update is 500 MB (after compression) with Mender Gateway the file is downloaded once and stored on the Gateway before it is deployed to all the devices within the facility that could run on some local secured WiFi. Without Mender Gateway, the OS image file needs to be downloaded once for each device. This can translate to a significant cost differential with Mender Gateway as shown in the graph below, and expected faster software installations on each device. It also allows for a controllable, reliable and predictable cost model for enterprise budgeting.
Based on the above model, if you scale your deployments to more devices, increase file sizes and deploy more updates per given period of time it can accumulate significant network data costs without using Mender Gateway.
Watch a video on how to get started with Mender Gateway:
Network segregation is common in many industries as it enables protection from potential virus and ransomware attacks to sensitive assets from outside public networks. Updating software to the embedded devices in these segregated network environments is challenging. Mender enables updating software remotely to segregated network environments by bringing the Mender server intelligence and local storage capability to the edge of the network. It enables remote software updates in complicated enterprise network topologies, all from a central Mender interface. It gives direct visibility and control into the entire network and its co-located devices in the network from one central pane of glass - the Mender web interface. Additionally, it lowers costs by downloading and storing updates locally once on the gateway and then deploying to all co-located devices in the segregated network.