Open-Mesh

Trust and Security

Open-Mesh Trust and Security

Overview

With more than 50,000 cloud-managed networks, Open-Mesh is one of the largest providers of cloud-based networking services in the world. Operating continually since 2007, Open-Mesh’s CloudTrax network controller has been trusted to power the networks of hotels, shops, schools, businesses and communities world-wide.
This page details how Open-Mesh and CloudTrax safeguard your data and keep your network running reliably.
  • Distributed Data Centers
  • Out of Band Management
  • Smart Hardware Architecture
  • Security Best Practices

Open-Mesh Data Centers

Open-Mesh’s network controller, CloudTrax, runs in at least 3 geographically separate Amazon AWS data centers. A combination of physical and cyber security, coupled with geographic regions and availability zones allow CloudTrax to remain secure and resilient in the face of most failure modes, including natural disasters or system failures.

AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). AWS undergoes annual SOC 1 audits and has been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.

Open-Mesh Data Center Highlights:

  • Globally distributed, redundant, physically separate data centers

  • 24/7 automatic outage detection and alert system

  • Underlying architecture provides CloudTrax with 99.99% uptime

  • All network settings replicated across at least two geographically separate data centers simultaneously

  • Automated nightly backups

  • IP and port-based firewall protection

  • Comprehensive physical on-site security

  • Immediate failover to hot spare in case of hardware failure or natural disaster

Out of Band Management

CloudTrax separates user data from network monitoring and configuration with an out-of-band management system.

No user traffic—browsing data, application data, etc.—passes through CloudTrax: it flows unimpeded to its intended internal or external destination. CloudTrax sends network configuration data via a secure (AES encrypted) connection with Open-Mesh access points. Each access point maintains its own key. Only aggregate user data is sent to CloudTrax for reporting purposes.

Open-Mesh uses a cloud-based out-of-band management as it is:

Secure.
User traffic is routed directly to intended destination; no user traffic passes through CloudTrax data centers.

Scalable.
With no local controller, each network has no controller bottlenecks.

Reliable.
Cloud-hosted in multiple redundant locations for high availability. The network continues to function even if CloudTrax is unavailable.

Other cloud-based solutions will disable your access points if you don't purchase a license. Open-Mesh is different. We provide the cloud controller free of charge and have built the architecture to keep a network operational (with most features) without relying on the cloud controller at all. It's truly your network.

Out of band management

Hardware Architecture

Open-Mesh has an advanced architecture to ensure minimum disruption to users in the event Open-Mesh access points cannot communicate with CloudTrax due to a temporary WAN failure or other outage.

In the event an access point is unable to communicate with CloudTrax:

  • Users can access the Internet, provided a WAN connection is available

  • Users can access local network resources (directories, printers, etc.)

  • Users can continue to authenticate via splash pages (unlike other cloud systems, Cloudtrax hosts the splash pages on the access points).

  • Network policies (walled garden, blocked devices, etc.) remain in effect

  • Users can authenticate via 802.1X/RADIUS

  • Users can roam between access points

  • Users can initiate and renew DHCP leases

  • Established VPN tunnels continue to operate

If CloudTrax is temporarily unreachable, the following services are unavailable:

  • Network configuration and monitoring tools

  • On voucher-enabled public networks, splash pages continue to load and all vouchers are presumed authentic, granting users temporary access for up to one hour. Normal authentication resumes once a connection with CloudTrax is reestablished.

CloudTrax Unreachable

Security Best Practices

Open-Mesh recommends users follow these security best practices for an added layer of security on their networks.

 

1. Enable WPA2 Security

Each SSID can be protected with WPA or WPA2 security to restrict access to users with a pre-shared key (or “passphrase”). To reduce vulnerability to password cracking attacks, Open-Mesh recommends using a truly random passphrase of 13 characters (selected from the set of 95 permitted characters). If possible, use WPA2 as it is far more secure.

 

WPA2 Security in CloudTrax

2. Verify SSL certificates

CloudTrax uses https, ensuring communication between an administrator's browser and the cloud controller is encrypted. As with any secure web service, do not log in if your browser displays any of the certificate warnings shown here, as it may indicate a man-in-the-middle attack.

Security certificate warnings