Remote Secure ATM/M2M Deployments for the Banking Industry


#1


Environment
A bank wants to deploy a number of ATMs in remote locations and within other businesses premises (supermarkets, motorway service stations etc) and shopping malls.

Requirement

A banking organisation wants to deploy ATMs all over the country in remote locations and within other business’s premises. Due to the varied geographical deployment locations, available connectivity at the installation aiste will vary considerably. Sometimes a fixed line service (like a DSL internet connection) can be installed, but in many cases the only available connectivity method will be cellular data or an existing wired or public WiFi network.

The ATM installations need to be able to use any available connection at a location to create a secure VPN connection back to the Bank’s core network. Resilience is also very important - if the primary internet connection should fail the remote ATMs should immediately failover to another healthy WAN link.

Two geographically separated datacenters will be used to provide network resilience.

Suggested Solution

Datacenter Deployments The two datacenters each have a Balance 710 router installed. Each have two internet connections from two different ISPs to provide connection diversity. Each 710 can support up to 300 remote ATM deployments.

Remote ATMS Each deployed ATM has a BR1 installed which creates a local wired LAN segment that the ATM controller/PC connects to along with an IP CCTV camera. The BR1 has a single cellular modem that supports dual SIMs in an active/standby configuration - so two mobile network SIMs can be used to improve the chances of getting cellular connectivity. The BR1 also supports a Wired WAN connection for any locally available internet connectivity if available (DSL, local LAN) as well as WiFi as WAN so it can connect wirelessly to existing WiFi infrastructures that might be available.
The BR1 can have a single active WAN at any one time, and any available healthy WAN connections can be prioritised to suit the design requirements (so DSL can be favoured over cellular, and cellular over WiFi for example).

=1*]PepVPN & SpeedFusion VPN Bonding** The remote BR1s create a secure PepVPN connection back to each of the Balance 710’s in each datacenter, with one set as the primary datacenter and the other as standby (the BR1s are distributed across the pair of B710’s with half using datacenter A and the other half using datacenter B as their primary datacenter) . The Balance 710’s support SpeedFusion so can bond the available internet links at each datacenter to create a highly available PepVPN termination point for the remote devices.

Security All VPN connectivity uses 256bit AES encryption to secure the sensitive banking information as it traverses cellular, DSL or WiFi WANs at the remote locations.

Remote Management and Monitoring A private instance of InControl 2](http://www.peplink.com/products/incontrol-2/) is hosted in the Banks Datacenter. InControl 2 provides a complete remote monitoring and management service for the deployed BR1s.

Additional Notes

The BR1s can be powered using both the terminals on the front and the DC connecter at the back enabling the use of a UPS or dual power sources for resilience.

Remote staff (either working from home, or deployed in temporary pop up branches) can use small Peplink devices (MAX on the go or BR1 Slim) to securely connect to the corporate network using whatever connectivity they have available (at home DSL, cellular on the road / in the field).

The use of LTE connectivity is an attractive option as it provides over the air connectivity in those instances where fixed lines have been physically damaged (by roadworks or physical damage to the cables coming into the building).

Devices Deployed*: *Balance 710](http://www.peplink.com/products/balance/)*, *BR1](http://www.peplink.com/products/max-cellular-router/single-cellular/)