RansNet mfusion is a centralized monitoring and management platform that enables administrators to securely manage all RansNet network devices through an intelligent and secure platform.
The key functions of the mfusion cloud platform include:
Zero-Touch Provisioning for RansNet devices (HSA, UA, CMG, XE, UAP and HSG). When a device is powered on, it automatically calls home to mfusion, allowing administrators to remotely provision, configure, and onboard devices without requiring a certified engineer to be physically present on-site. This significantly reduces deployment time and operational cost.
Centralized Device Management. mfusion provides centralized config management, config backup, firmware/patch management, and remote control (e.g. reboot) of devices. These functions allow administrators to manage thousands of devices efficiently without the need to access individual units.
Centralized Visibility and Monitoring. Once a device is online, mfusion automatically monitors the device, provides complete visibility into network and device health status, and instantly alerts on faults or thresholds. The built-in reporting engine enables administrators to generate, customize, and schedule comprehensive usage and performance reports, which can be automatically emailed to customers or internal stakeholders.
Service-Provider-Focused Architecture. mfusion is purpose-built for ISPs and MSPs managing large-scale, multi-customer deployments. Its super-tenancy architecture supports strict role-based access control and data isolation, allowing service providers to grant end customers secure, read-only or delegated access to their own devices for real-time visibility—without exposing other tenants’ data.
RansNet operates a cloud-hosted mfusion platform, backed by scalable and high-availability computing resources, allowing multiple customers to securely share the platform while operating within their own isolated tenants.
For customers requiring a localized or private deployment, mfusion can also be delivered as a dedicated hardware appliance or virtual appliance. The mfusion appliance comes with its pre-built, hardened, and optimized RansNetOS, packed with all necessary applications. This allows ISPs and MSPs to rapidly deploy mfusion and begin delivering managed services with minimal setup effort.
In addition to RansNet devices, mfusion supports the monitoring of third-party network and IoT devices using standard protocols such as SNMP (v2/v3), ICMP, and MQTT, providing administrators with holistic, end-to-end visibility across the entire network from a unified dashboard.
RansNet mfusion consists of multiple software components to deliver powerful monitoring and orchestration capabilities, while maintaining data security and preventing external attacks.
There is a clear separation of functional software modules and segmentation of internal data flow. In particular, the proprietary secure framework provides a deep inner layer of protection between the front-facing web/API access and the internal application database.
The mfusion platform is super-tenanted and supports multi-tier access levels with strict role-based access control.
Each customer is provisioned as an entity (tenant). The customer's devices are allocated to that entity, and user accounts (administrators) are assigned to it with a pre-defined permission profile (access rights). This allows multiple customers and partners to securely share the same platform while managing their respective devices, with complete access isolation, data separation, and security.
The permission profiles define user access rights within their respective tenant. Each user is attached to a permission profile that grants the given access rights. Below is an example of setting a permission profile.
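The tenant and permission-profile model described above can be sketched as a deny-by-default authorization check. This is an added example, not RansNet code or the mfusion UI: the profile names, the action names and the parent/child entity hierarchy used to model multi-tier access are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical permission profiles; names and action sets are assumptions.
PROFILES = {
    "read_only": {"view"},
    "delegated": {"view", "reboot"},
    "admin": {"view", "reboot", "configure"},
}

@dataclass(frozen=True)
class Entity:
    name: str
    parent: Optional["Entity"] = None  # None = top-level service provider

@dataclass(frozen=True)
class User:
    name: str
    entity: Entity
    profile: str

def in_scope(user_entity: Entity, device_entity: Entity) -> bool:
    """True if the device's entity is the user's entity or a descendant of it."""
    node = device_entity
    while node is not None:
        if node is user_entity:
            return True
        node = node.parent
    return False

def authorize(user: User, action: str, device_entity: Entity) -> bool:
    """Deny by default: tenant scope is checked before the permission profile."""
    if not in_scope(user.entity, device_entity):
        return False
    return action in PROFILES.get(user.profile, set())

# Constructed sample tenants: one service provider with two customers.
ISP = Entity("isp")
CUST_A = Entity("customer-a", parent=ISP)
CUST_B = Entity("customer-b", parent=ISP)
ALICE = User("alice", CUST_A, "read_only")   # end customer, read-only
NOC = User("noc", ISP, "admin")              # service-provider administrator

if __name__ == "__main__":
    print(authorize(ALICE, "view", CUST_A))      # own tenant
    print(authorize(ALICE, "view", CUST_B))      # another customer's tenant
    print(authorize(NOC, "configure", CUST_B))   # provider over its customer
```

Checking tenant scope before the profile means an unknown or misconfigured profile can never widen access beyond the user's own entity.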
It's important to note that only management data is transmitted between a RansNet device and mfusion. The management data includes device configurations (commands), monitoring statistics and history reports. Within the mfusion database, different customers' management data is separated and contained within their respective tenants, and stored in an encrypted database.
For customers sharing the RansNet cloud/hosted mfusion, all customer data is kept strictly confidential. As an ISO27001 certified company, RansNet acts solely as a data processor for the purposes of providing services. For customers using an on-premise deployment, all management data stays in the on-premise mfusion database.
mfusion can regularly back up the database into AES-256 encrypted files. The backup files can be stored locally on mfusion or sent via SFTP to an external NAS server for long-term archival.
User data (business confidential data) does not flow through mfusion. User data either breaks out locally from the device to the Internet, or passes through the secure VPN tunnel between the device and the gateway (which is typically hosted at the customer HQ/DC network).
RansNet devices communicate with mfusion through a proprietary API-based management TLS tunnel (TLS 1.2) with AES-256 encryption, which protects management data in transit. The mfusion API authenticates and validates each device connection using a combination of device MAC, S/N, embedded certificates and a proprietary algorithm, to ensure absolute device authenticity, prevent identity spoofing, and secure data transmission.
When a user configures a device on the mfusion dashboard, the mfusion configuration compiler converts the GUI settings into a set of commands in an encrypted file, which is stored on a secure command queue for the respective device until the device pulls it. Whenever the device is online (able to reach mfusion), it will "call home" to mfusion via a management TLS tunnel every 5s:
check if there are any configuration changes (a new command file)
if yes, pull the command file and apply it locally
Hence, the communication is always "one-way" - the device initiates an outbound TLS tunnel to mfusion every 5s, gets authenticated and validated by mfusion API, and pulls configuration (if any) from mfusion.
This simple and secure management communication method has multiple advantages:
Removes the device's WAN IP dependency (unlike SNMP monitoring, which requires a static IP). The device can use any IP connectivity (dynamic, static, cellular, etc.), as long as it is able to reach the mfusion IP address.
Protects the device from external threats. The call-home request is initiated outbound by the device itself, and only the return traffic from mfusion is automatically permitted by the mfusion stateful firewall. The device doesn't need to open any ports or local services for inbound access.
Secures management data transmission, encrypted via AES-256 over a TLS 1.2 tunnel.
Re-exchanges different session keys for each pull action, to prevent Man-in-the-Middle and TLS interception attacks.
The end result is a highly secure and efficient management communication, which consumes only 1-2kbps of bandwidth during active usage.
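The device authentication and call-home pull described above can be modelled as follows. This is an added example, not RansNet code: HMAC-SHA256 with a per-device key stands in for the proprietary check over MAC, S/N and embedded certificates, the TLS layer is omitted, and all class, function and sample names are assumptions.

```python
import hashlib
import hmac
import secrets

def _tag(key: bytes, mac: str, serial: str, nonce: bytes) -> bytes:
    # Binds the request to the claimed identity and to one fresh nonce.
    return hmac.new(key, f"{mac}|{serial}|".encode() + nonce, hashlib.sha256).digest()

class CallHomeServer:
    """Pull-only command queue. HMAC stands in for the proprietary device check."""

    def __init__(self):
        self.keys = {}      # (mac, serial) -> per-device secret (assumption)
        self.queue = {}     # (mac, serial) -> pending command file
        self.seen = set()   # (mac, serial, nonce) already accepted

    def register(self, mac: str, serial: str) -> bytes:
        self.keys[(mac, serial)] = secrets.token_bytes(32)
        return self.keys[(mac, serial)]

    def enqueue(self, mac: str, serial: str, command_file: bytes) -> None:
        if (mac, serial) not in self.keys:
            raise KeyError("unknown device")
        self.queue[(mac, serial)] = command_file

    def poll(self, mac: str, serial: str, nonce: bytes, tag: bytes):
        dev = (mac, serial)
        key = self.keys.get(dev)
        if key is None or (mac, serial, nonce) in self.seen:
            return ("rejected", None)          # unknown device or replayed poll
        if not hmac.compare_digest(_tag(key, mac, serial, nonce), tag):
            return ("rejected", None)          # identity claim does not verify
        self.seen.add((mac, serial, nonce))
        return ("ok", self.queue.pop(dev, None))   # file is handed out once

def device_poll(server, mac, serial, key, nonce=None):
    """Device side: every exchange is initiated by the device, never the server."""
    nonce = nonce or secrets.token_bytes(16)
    return server.poll(mac, serial, nonce, _tag(key, mac, serial, nonce))

if __name__ == "__main__":
    srv = CallHomeServer()
    mac, sn = "00:11:22:33:44:55", "SN-EXAMPLE-0001"   # constructed identifiers
    key = srv.register(mac, sn)
    srv.enqueue(mac, sn, b"hostname branch-01\n")      # constructed command text
    print(device_poll(srv, mac, sn, b"\x00" * 32))     # wrong key
    print(device_poll(srv, mac, sn, key))              # authenticated pull
    print(device_poll(srv, mac, sn, key))              # nothing pending
```

A rejected poll leaves the queue untouched, so a spoofed or replayed request can neither read nor discard a pending command file.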