Defense in depth

A comprehensive layered security strategy

Security is a core competency fully integrated at every level within the framework of our solutions. While ease of use is important, the security, integrity, and reliability of eWON's Talk2M cloud infrastructure and its customers' networks remain eWON's first priority. Using a defense-in-depth approach based on guidelines set forth by ISO 27002, IEC 62443-2-4, the NIST Cybersecurity Framework 1.0 and other publications, guidelines and industry best practices, eWON developed a managed, hybrid, layered cyber security approach to protect its devices, its network and, most importantly, its customers' industrial systems.

eWON device

Network segregation, local device authentication, physical switch for enabling/disabling access

The eWON units are typically installed in the machine control panel with the machine connected on one side (LAN) and the factory network on the other (WAN). When a connection needs to be established, the eWON acts as the gateway through which all traffic passes. When the eWON is first configured for VPN access, security settings on the device restrict traffic between its two network interfaces. This network segregation limits remote access to only those devices connected to the LAN of the eWON. Access to the rest of the network is prevented.

The eWONs themselves have user-level access rights separate from the Talk2M login. Only users with appropriate credentials and access rights can change the security settings or modify the data on the eWON. All our devices feature a digital input. A switch can be connected to this input and the state of the switch can enable or disable the WAN port. This allows the end user to keep full local control of whether the device is remotely accessible or not.

The eWON needs the same type of settings as a PC connected to the same network (IP address, subnet mask and gateway, plus any optional proxy settings). Since the eWON can act as a DHCP client, it can be configured to receive those settings automatically. However, the eWON can also be set up to use a static IP address that is assigned and controlled by the IT department if preferred.

CD + Cosy + Flexy

IP, port, and protocol filtering/firewalling available. Restricted access based on user, group, site for all or single devices

Within the eCatcher application, Talk2M account administrators can set filtering and firewalling rules about which devices behind the eWON are remotely accessible and even over which ports and with which protocols they are accessible. When combined with Talk2M’s user rights management, Talk2M administrators have the ability to tailor the remote access rights to fit their organizational structure.

Talk2M provides 4 different firewall levels, from the least restrictive to the most secure: Standard, High, Enforced, Ultra.

Those 4 firewall levels are based on the IP addresses and ports of the declared devices, on gateway access and on access to the eWON services (FTP server, HTTP server, etc.). Moreover, the requested configuration can be applied to a selected group of users.

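The per-user-group, per-device, per-port and per-protocol filtering described above, written as an added illustrative model (not Talk2M's own implementation; the firewall-level semantics are deliberately not modelled). Device addresses, group names, user names and the "programming port" are constructed placeholders:

```python
"""Illustrative deny-by-default access model for remote access through an
eWON.  Added example, not eWON/Talk2M code; all values are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Devices declared behind the eWON LAN (constructed sample addresses).
DECLARED_DEVICES = {"192.168.1.10": "plc", "192.168.1.20": "hmi"}


@dataclass(frozen=True)
class Rule:
    device: str          # declared LAN device the rule applies to
    ports: frozenset     # destination ports permitted by this rule
    protocol: str        # "tcp" or "udp"


@dataclass
class Policy:
    groups: dict = field(default_factory=dict)    # group -> set of Rule
    members: dict = field(default_factory=dict)   # user -> group

    def allow(self, group, device, ports, protocol="tcp"):
        self.groups.setdefault(group, set()).add(
            Rule(device, frozenset(ports), protocol))

    def evaluate(self, user, dst_ip, dst_port, protocol="tcp"):
        """Return (allowed, reason).  Anything not explicitly matched is denied,
        and traffic to undeclared hosts is refused before any rule is consulted,
        mirroring the 'access to the rest of the network is prevented' behaviour."""
        ip_address(dst_ip)   # malformed input raises instead of failing open
        if dst_ip not in DECLARED_DEVICES:
            return False, "destination is not a declared LAN device"
        group = self.members.get(user)
        if group is None:
            return False, "user is not assigned to any group"
        for rule in self.groups.get(group, ()):
            if (rule.device == dst_ip and rule.protocol == protocol
                    and dst_port in rule.ports):
                return True, f"matched {group} rule for {DECLARED_DEVICES[dst_ip]}"
        return False, "no rule for this group, device, port and protocol"


def build_policy():
    """Constructed policy: monitoring users get the PLC web interface only,
    engineers additionally get a hypothetical programming port (102)."""
    p = Policy()
    p.members.update({"operator1": "monitoring", "eng1": "engineers"})
    p.allow("monitoring", "192.168.1.10", {80, 443})
    p.allow("engineers", "192.168.1.10", {80, 443, 102})
    return p
```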
Traffic encryption

VPN sessions are end-to-end encrypted using SSL/TLS protocol

Communications between the remote user and the eWON are fully encrypted using the SSL/TLS protocol, thereby ensuring data authenticity, integrity and confidentiality. All users and eWON units are authenticated using X.509 certificates, and end-to-end traffic is encrypted using the strong symmetric and asymmetric algorithms of the negotiated SSL/TLS cipher suite.

Security - Encryption

User and access management

Unique user logins, configurable user rights to different devices, two-factor authentication, connection traceability

A Talk2M account may have an unlimited number of users. Administrators can create unique logins for every user who needs to access equipment remotely. These unique logins make it easy to grant and revoke access privileges as needed. In addition, Talk2M account administrators can restrict which remote eWONs particular users can access, which devices behind those eWONs are accessible, and even the ports on those devices and the communication protocols used. For instance, an administrator might permit remote users to reach the web services of a device for monitoring purposes but limit the ports used for making programming changes to specific engineers only.

In a world where 76% of all breaches involve weak or stolen passwords, eCatcher offers secure authentication mechanisms to reinforce device access security. Password enforcement and a two-factor authentication policy (a password plus a confirmation code sent to your mobile phone) are available within eCatcher. Advanced configuration options (remember this PC, password expiration policy) are available for Talk2M Pro users.

Every remote connection is documented on the Talk2M Connection report. The Talk2M Connection report is a powerful IT auditing tool which allows account administrators to monitor which users are connected to which eWON and when and for how long they were connected.
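How an administrator might review such a report against a site's remote-access policy, as an added example that is not eWON's code. The column layout, the approved hours and the maximum session length are assumptions; every record is constructed:

```python
"""Added example: flag connection-report sessions that fall outside an
approved remote-access window or exceed a maximum length.  The CSV layout
(user, ewon, start, duration_min) is an assumption, not Talk2M's format."""
import csv
import io
from datetime import datetime, time, timedelta

# Constructed sample rows in the assumed report layout.
REPORT_CSV = """user,ewon,start,duration_min
eng1,line3-plc,2024-03-04T09:15:00,35
eng2,line3-plc,2024-03-06T02:40:00,12
vendor1,packaging-hmi,2024-03-07T14:05:00,540
"""

WINDOW = (time(7, 0), time(18, 0))   # assumed approved remote-access hours
MAX_MINUTES = 240                    # assumed maximum session length


def flag_sessions(report_text, window=WINDOW, max_minutes=MAX_MINUTES):
    """Return (user, ewon, reason) tuples for sessions violating the policy.
    Both the start and the end of a session are checked against the window,
    so a long session that starts in hours but runs past them is still flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        start = datetime.fromisoformat(row["start"])
        minutes = int(row["duration_min"])
        end = start + timedelta(minutes=minutes)
        in_window = (window[0] <= start.time() <= window[1]
                     and window[0] <= end.time() <= window[1]
                     and start.date() == end.date())
        if not in_window:
            findings.append((row["user"], row["ewon"], "outside approved hours"))
        if minutes > max_minutes:
            findings.append((row["user"], row["ewon"],
                             f"session of {minutes} min exceeds {max_minutes}"))
    return findings


if __name__ == "__main__":
    for user, ewon, reason in flag_sessions(REPORT_CSV):
        print(f"{user} -> {ewon}: {reason}")
```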

eCatcher - Powerful User Access Control

Network infrastructure

Globally redundant Tier 1 hosting partners, 24/7 monitoring, SOC 1/SSAE 16/ISAE 3402 data centers, ISO 27001, CSA, SOC 2

The Talk2M infrastructure is a critical integrated element in our remote access solution. It is a fully redundant network of distributed access servers, VPN servers, and other services that act as the secure meeting place for eWONs and users. To increase reliability and redundancy and to reduce latency, eWON works with multiple industry-leading Tier 1, 2 and 3 hosting partners throughout the world to ensure best-in-class service. Talk2M is hosted in SOC 1, SOC 2/SSAE 16 and ISO 27001:2013 certified data centers. The network of servers is monitored 24/7 using an array of alerting mechanisms to ensure maximum availability and security.

Talk2M - VPN Connection Cosy

Policy compliance

The eWON/Talk2M solution enhances and is compatible with existing corporate security policies, firewall rules, and proxy servers

eWON understands that its customers designed their corporate security policies carefully. The Talk2M remote access solution is designed to be compatible with customers' existing security policies. By using outbound connections over commonly open ports (443 and 1194) and by being compatible with most proxy servers, the eWON is designed to be minimally intrusive on the network and to work within the existing firewall rules. Within eCatcher, Talk2M account administrators can customize the password policies to enforce compliance with corporate password policies and can restrict which users can access which devices remotely. Talk2M account administrators can also view the Talk2M Connection report to see which users are connecting to which devices and when. This report can be a valuable tool to ensure that your corporate remote access policies are being followed.

eCatcher - audit