L2Connect FAQ




Frequently asked questions





Q:
When communicating over the Internet, is there a possibility of eavesdropping or tampering by someone en route?
A:
No.
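All L2Connect communication is encrypted, so a third party can neither read nor rewrite its contents. The following encryption algorithms can be selected.

| Encryption algorithm | Version | Public-key cryptographic scheme | Common-key cryptographic scheme | Key length (bit) | Hash functions |
|---|---|---|---|---|---|
| AES256-SHA | SSLv3 | RSA | AES | 256 | SHA1 |
| DES-CBC3-SHA | SSLv3 | RSA | 3DES | 168 | SHA1 |
| AES128-SHA | SSLv3 | RSA | AES | 128 | SHA1 |
| CAMELLIA128-SHA | SSLv3 | RSA | Camellia | 128 | SHA1 |
| CAMELLIA256-SHA | SSLv3 | RSA | Camellia | 256 | SHA1 |

TLS 1.2 support is planned.

| Encryption algorithm | Version | Public-key cryptographic scheme | Common-key cryptographic scheme | Key length (bit) | Hash functions |
|---|---|---|---|---|---|
| AES128-SHA256 | TLSv1.2 | RSA | AES | 128 | SHA256 |
| AES256-SHA256 | TLSv1.2 | RSA | AES | 256 | SHA256 |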
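A check an administrator can run over the selectable algorithms in the table above, as an added example that is not part of the original FAQ or of the L2Connect product. It parses the OpenSSL-style names into their parts and notes properties worth weighing when choosing one; the suite and version pairs are copied from the table, and the `ECDHE` handling is included only for comparison.

```python
from dataclasses import dataclass

# (suite name, protocol version) pairs exactly as listed in the page's table.
PAGE_SUITES = [
    ("AES256-SHA", "SSLv3"), ("DES-CBC3-SHA", "SSLv3"), ("AES128-SHA", "SSLv3"),
    ("CAMELLIA128-SHA", "SSLv3"), ("CAMELLIA256-SHA", "SSLv3"),
    ("AES128-SHA256", "TLSv1.2"), ("AES256-SHA256", "TLSv1.2"),
]
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}   # key-exchange prefixes giving forward secrecy
MACS = {"SHA": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384"}

@dataclass
class Suite:
    key_exchange: str
    cipher: str
    key_bits: int
    mac: str

def parse_suite(name):
    """Split an OpenSSL-style name of the form [KX-AUTH-]CIPHER-MAC."""
    *body, mac_token = name.split("-")
    if mac_token not in MACS or not body:
        raise ValueError(f"unsupported suite name: {name!r}")
    kx = "RSA"                            # no prefix means static RSA key exchange
    if body[0] in EPHEMERAL_KX:
        kx, body = body[0], body[2:]      # drop the KX and AUTH tokens
    cipher = "-".join(body)
    if cipher == "DES-CBC3":              # OpenSSL's name for three-key 3DES
        return Suite(kx, "3DES", 168, MACS[mac_token])
    digits = "".join(c for c in cipher if c.isdigit())
    if not digits:
        raise ValueError(f"no key length in suite name: {name!r}")
    return Suite(kx, cipher.rstrip("0123456789"), int(digits), MACS[mac_token])

def findings(name, version):
    """Return notes for one suite as listed with its protocol version."""
    suite, notes = parse_suite(name), []
    if version == "SSLv3":
        notes.append("protocol listed as SSLv3, which RFC 7568 prohibits")
    if suite.key_exchange == "RSA":
        notes.append("static RSA key exchange: no forward secrecy")
    if suite.cipher == "3DES":
        notes.append("64-bit block cipher (3DES)")
    return notes

def audit(suites=PAGE_SUITES):
    return {name: findings(name, version) for name, version in suites}

if __name__ == "__main__":
    for name, notes in audit().items():
        print(f"{name:16} {'; '.join(notes)}")
```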
Q:
Is there a possibility that an unauthorized employee or a malicious third party will access the intranet via L2Connect?
A:
No.
L2Connect authenticates users before communication begins in order to keep out unauthorized users. The authentication methods available with L2Connect are as follows.

| Authentication method | Overview | Security level |
|---|---|---|
| Password | Authenticate a user only when the character string registered in L2Connect Server matches the one entered in L2Connect Access. | Low. Spoofing is possible just by obtaining the password. A brute force attack is possible. |
| Digital certificate (PKI) | Authenticate a user if his/her private key pairs up with the digital certificate registered in L2Connect Server. | High. It is safe unless the private key stored in the PC is stolen. |
| Authentication device (IC card, USB token, TPM chip) | IC card: Store a private key in an IC chip, and authenticate by digital certificate after confirming with a PIN. It is impossible to take a private key from an IC chip. Unit price is cheap, but a reader/writer is necessary. USB token: As a reader/writer is not necessary, usability is good. TPM chip: Embedded in some PCs. | Very high. Spoofing is impossible unless both the physical IC chip and the PIN are obtained. |
Q:
Is it possible to prevent an employee who is a legitimate user from installing L2Connect Remote Access on a personal PC that is not approved for use and accessing the intranet from it?
A:
Yes, it is.
The virtual MAC address of the L2Connect network device is generated from random numbers when a client product is installed, and its value is different each time the product is installed. Consequently, if the legitimate virtual MAC addresses are registered in the filtering list of L2Connect Server in advance, a client product installed on another PC cannot communicate.
Q:
Is it possible to block access from outside to certain servers while still providing a site-to-site connection with the bridge function of L2Connect?
A:
Yes, it is.
You can specify in advance, in L2Connect Bridge and L2Connect Server, the MAC addresses to which communication is permitted or not permitted. A database that stores personal information, or PCs without security patches, can thus be made inaccessible from outside.
Q:
Our company uses L2Connect for the site-to-site connection between the headquarters and branch offices. Can a branch office employee access the headquarters network from his/her PC?
A:
No.
A MAC address filtering function is built into both L2Connect Remote Bridge and L2Connect Server. By registering in advance the MAC addresses of the PCs that are permitted or not permitted access, you can manage access so that only the minimum required PCs are connected to the L2Connect network.
The restricted area Enforcement of security policies from the headquarters Communication efficiency improvement by restrictions
L2Connect Remote Bridge × Available
L2Connect Server Not available
Q:
Being able to connect from “anywhere” is a problem. Is it possible to restrict the places from which a connection can be made?
A:
Yes.
L2Connect has a function to restrict the source IP addresses of connections. With this function, you can specify in advance the places from which connections to L2Connect Server are possible. For example, you can prevent connections from home.
Q:
Is there a possibility that servers will be attacked by employees accessing malicious servers on the internet?
A:
No.
A group number is set in the license of each L2Connect product. Unless the group numbers of the server and client products match, they cannot communicate. It is therefore impossible for employees to access malicious servers on the Internet.
Q:
If a user creates a bridge using L2Connect without permission, the VPN or the network beyond the VPN is connected directly to the intranet. Is it possible to restrict this?
A:
Yes.
To keep the intranet secure, it is not acceptable for a user to create a bridge without permission. L2Connect is designed to restrict this on both the server side and the client side.
1. Restrictions on the client side.
The L2Connect client products for PCs fall into two main types: L2Connect Remote Access, which connects PCs, and L2Connect Remote Bridge, which connects networks. Each of these products needs a dedicated license, and the architecture is built so that the bridge function cannot be used with L2Connect Remote Access.
2. Restrictions on the server side.
When registering a user in L2Connect Server, you must set the type of user (Remote Access or Remote Bridge). Even if a user registered as L2Connect Access somehow obtains a license for L2Connect Bridge, the user cannot connect to L2Connect Server.
Q:
For a higher level of security, I would like to limit the applications used via L2Connect to web only. Is it possible?
A:
Yes.
With L2Connect Server, you can specify the port numbers to pass or block. Because the port used by each application is fixed, you can limit the applications that can be used on the L2Connect network, for example by prohibiting the copying of files.
Q:
I would like to control communications in fine detail, specifying the area and users. Please let me know how to configure this control.
A:
With L2Connect Server, you can create an access control list that permits or denies communication by user name, IP address, port number, and protocol. This function lets you configure control in detail.
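How an access control list keyed on user name, IP address, port number and protocol is typically evaluated, as an added example that is not L2Connect's own configuration format or code. It also covers the source IP restriction and the web-only port restriction from the earlier answers; the `Rule` fields, the first-match and default-deny behaviour, the user names and the addresses are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    user: str        # user name, or "*" for any user
    source: str      # CIDR block the connection must come from
    protocol: str    # "tcp", "udp", or "*" for any protocol
    ports: range     # destination ports covered by the rule

# Constructed policy: alice may use the web only, and only from the
# branch office range 198.51.100.0/24; file sharing is blocked for all.
ACL = [
    Rule("deny",   "*",     "0.0.0.0/0",       "tcp", range(445, 446)),
    Rule("permit", "alice", "198.51.100.0/24", "tcp", range(80, 81)),
    Rule("permit", "alice", "198.51.100.0/24", "tcp", range(443, 444)),
]

def matches(rule, user, addr, protocol, port):
    """True when every field of the rule covers the connection."""
    return (rule.user in ("*", user)
            and addr in ipaddress.ip_network(rule.source)
            and rule.protocol in ("*", protocol)
            and port in rule.ports)

def decide(acl, user, source_ip, protocol, port):
    """Return the action of the first matching rule; no match means deny."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    addr = ipaddress.ip_address(source_ip)
    for rule in acl:
        if matches(rule, user, addr, protocol, port):
            return rule.action
    return "deny"

if __name__ == "__main__":
    for conn in [("alice", "198.51.100.7", "tcp", 443),   # web from the branch
                 ("alice", "203.0.113.9", "tcp", 443),    # same user from home
                 ("alice", "198.51.100.7", "tcp", 445)]:  # file copy attempt
        print(conn, "->", decide(ACL, *conn))
```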
Q:
Is it possible to limit the time period that the specific users can connect?
A:
Yes.
L2Connect itself does not have a function to limit the time period during which users can connect, but you can create an account that is valid for only a certain period of time by using the validity period of the digital certificate used for authentication. With the simple certificate authority, you can set the limit in units of days. Furthermore, authentication of digital certificates is performed by L2Connect Server. Therefore, a digital certificate whose validity period has passed cannot be used, even if the clock of the client PC is incorrect.
Q:
Is it possible to prohibit the specific users' connection?
A:
Yes.
You can prohibit a user's connection in several ways.
1. Invalidate his/her digital certificate.
When an issued digital certificate is registered in the certificate disposal list (the certificate revocation list), user authentication with that certificate becomes impossible. As a result, users who use that certificate will not be able to connect.
2. Deny connection for a user.
By setting the connection denial option in the user's properties, you can make that user unable to connect without changing any of the user's other information.
3. Delete a user.
By deleting the user from the user database of the server, you can make that user unable to connect.
Q:
Is it possible to prohibit the use in the office?
A:
Yes.
The L2Connect protocol does not imitate the HTTPS protocol completely and has distinctive characteristics of its own. You can therefore prohibit the use of L2Connect by setting a firewall security policy such as “do not permit traffic disguised as HTTPS”.
Q:
In the office, I limit the range of communication by VLAN. Can I apply this to remote access as well?
A:
Yes.
With L2Connect, you can attach a VLAN tag specified for each user and output the frame as-is to the intranet. By connecting this to the existing network, accesses from outside connect seamlessly with the VLANs configured for each department, etc.
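What per-user VLAN tagging combined with the source MAC filtering from the earlier answers looks like at the Ethernet frame level, as an added example that is not L2Connect code. The MAC address, user name, VLAN ID and sample frame are constructed, and rejecting frames that arrive already tagged is an assumption of this sketch, not documented product behaviour.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

# Constructed values: virtual MACs registered in the server's filter list
# and the VLAN ID assigned to each user.
ALLOWED_SRC_MACS = {bytes.fromhex("02a1b2c3d4e5")}
USER_VLAN = {"alice": 120}

# Constructed frame: broadcast destination, registered source MAC, IPv4 EtherType.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "02a1b2c3d4e5" "0800") + b"payload"

def tag_frame(frame, vlan_id, priority=0):
    """Insert an 802.1Q tag between the source MAC and the EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority must be in 0..7")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        raise ValueError("frame already carries a VLAN tag")
    tci = (priority << 13) | vlan_id      # PCP (3 bits), DEI = 0, VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def forward(user, frame):
    """Return the frame to output to the intranet, or None if it is dropped."""
    if len(frame) < 14 or frame[6:12] not in ALLOWED_SRC_MACS:
        return None                       # source MAC is not in the filter list
    vlan_id = USER_VLAN.get(user)
    if vlan_id is None:
        return None                       # no VLAN assigned to this user
    try:
        return tag_frame(frame, vlan_id)
    except ValueError:
        return None                       # e.g. the client sent its own tag

if __name__ == "__main__":
    print(forward("alice", SAMPLE_FRAME).hex())
```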
Copyright© BizMobile Inc. All Rights Reserved. BizMobile Inc.