Cellular Challenges

Cellular Challenges

Remote industrial devices need protection too

Cellular ChallengesConnection of industrial network devices with a cellular modem can be challenging. In most cases, industrial network devices are operating backwards from how typical consumers utilize an Internet connection over a cellular modem. Consumers usually receive data from the Internet while industrial devices are a general source of information to users that have knowledge of the Internet address of the device.

To protect networked devices from unsolicited Internet probes, a firewall is used to restrict access from external users trying to gain access to internal network devices. A typical firewall does not restrict outbound requests to the Internet, while incoming requests from the Internet are tightly managed or forbidden. The only way to pass through a firewall from the Internet is to be invited by an internal user. The firewall registers and tracks each internal user’s outbound requests with corresponding responses from the Internet.

These matching responses from the Internet are approved by the firewall and forwarded onto the internal network user, whereas data coming from the Internet that doesn’t have a registered request is rejected.

A firewall’s registration process uses “port numbers” to keep track of the flow of incoming and outgoing data requests and responses. A port is registered and opened to a specific Internet address when an outbound request is made and the response comes back to the same port for validation by the firewall. Only responses from the queried Internet address are allowed through the firewall, but it is possible to manually setup ports on a firewall to “forward” incoming data requests from the Internet.

The firewall is programmed by its administrator to open specific ports and will then directly forward all data that is received on that port to a specific internal network address.

Port forwarding can be dangerous because it opens a hole in the firewall for Internet probing and network entry. Network safeguarding is now partly the responsibility of the device receiving the forwarded data. Devices that are receiving data from a forwarded port on the firewall must have well-architected security features because they will be directly visible to Internet users and hackers. Many legacy network devices do not have adequate security provisions since they were designed for use only by known users on safe internal networks.

Port forwarding works with traditional Internet service providers because they don’t restrict incoming ports from the Internet and they leave management of firewall protection to the customer. However, this is not the case with cellular-based Internet service providers. These providers use a filter, which blocks the incoming requests that would normally be handled by the user’s firewall. This filter does not impact consumers who send outbound (HTTP/web) requests to the Internet, but it does block inbound requests from hackers and, unfortunately, from well-intended users looking to make connections with their remote devices.

To gain access to a remote device, the cellular provider’s filter needs to be turned off. There are two challenges with this. The first is finding an authorized administrator of the carrier’s filter and convincing the person to do this. The second is that turning off the carrier’s filter may allow unsolicited probes to consume the user’s usage allowance from the carrier.

Upon clearing the hurdle of ensuring the unfiltered ability to correctly forward ports, the next challenge is to get a fixed Internet address. Cellular connections are typically pre-configured with a non-fixed IP address, where the IP address is assigned at the start of each connection and changes at points during the connection. A fixed address allows users to query the assigned ports for their devices at an unchanging location on the Internet.

An example address might be: http://184.172.128.161:8081. Adding the preestablished port number of :8081 to the fixed Internet address of 184.172.128.161 tells the remote firewall that access is wanted to the internally networked device that this port is forwarded to. The http:// tells the browser to expect an HTML response. Obtaining a fixed address from a cellular carrier can be difficult and often expensive. Once a fixed IP address is obtained and incoming ports are forwarded, an internal network device can be successfully located and queried over the Internet at a fixed address:port.

Due to the high cost and effort to obtain a fixed IP address, dynamic domain name services (DDNS) can be an attractive alternative. DDNS circumvents the non-fixed IP address ambiguity problem where a server is not at a fixed, unchanging network location and is a variation of the more familiar DNS service. The Internet uses domain name servers (DNS) to allow use of a human-recognizable word combination (the URL) to be matched up with an IP address for the desired server. An example DNS lookup would be “www.avalanwireless.com = 184.172.128.161”. The user has the choice in their browser to type the words (and use a DNS server) or to use the IP address numbers directly to connect to the desired Web site.

The user’s DNS server maintains lookup tables that get updated whenever a change occurs in the IP address of any Internet server, but this happens slowly as the information is propagated to DNS servers around the world. DDNS is a trusted intermediary service that provides a URL that is automatically updated by the cellular modem whenever the carrier changes the modem’s IP address. The user can now point their browser to the intermediary DDNS server and have a reliable “real-time” way to access the cellular modem’s IP address from anywhere and anytime the user might need. A basic account with a DDNS service provider, like www.dyndns.com, is free and allows the user to specify a human recognizable string like “avalan01.dyndns.org”, that will be reliably redirected to the current IP address of the user’s device. The port numbers that would normally be at the end of the IP address can be specified at the end of the word string and will be ap- pended to the IP address request sent to the remote device; for example, “avalan01. dyndns.org:8081 = 184.172.128.161:8081.”

Because cellular modem data plans can provide blocked incoming ports and non-fixed IP addresses, these limitations are difficult to overcome. Persistent efforts and setup fees paid to the carrier may yield a workable solution, but there is an easier way.

A network-to-network tunnel can be used to connect a remote device with a corporate management network. If the corporate network presents a fixed IP address to the Internet (most do), a carefully chosen tunneling appliance can be easy to setup and less expensive than paying for a fixed IP address at the remote end.

The tunneling appliance consists of two small network appliance boxes with matched encryption keys that are programmed with the basic information required for the devices to find each other over the Internet.

One appliance is installed behind the cellular modem’s firewall and initiates a connection by sending an outbound message to the other device that is installed behind the firewall at management network. The outbound message from the client creates a temporary port opening through the cellular firewalls. Once the management-side appliance receives the message to initiate handshaking from its remote partner, the connection is negotiated, authenticated and encrypted through this port. The cellular firewall’s temporary port remains open to bi-directional network traffic unless the IP address of the cellular firewall changes or the connection is interrupted. Upon loss of connection, the remote appliance immediately begins sending connection initiation messages to reestablish the connection.

A well-architected tunneling appliance forwards all broadcast and unicast Ethernet traffic to ensure that devices operate transparently over the tunnel. Tunnel-attached devices will appear to management side users to be directly on their own network and cellular side users will appear to be directly on the management side network. Advanced users may choose to employ additional port forwarding at the management side to allow Internet accessibility for the tunnelattached networked devices.

This management side port forwarding technique allows the tunnel-attached devices to appear to Internet users to be at the fixed IP address: port of the management side’s firewall. Some remote access applications may require that many users have the simultaneous ability to request data from the tunnel-attached devices and may benefit from buffered rebroadcasting techniques at the management side to conserve cellular data usage. This seamless network to network connectivity can ease the integration efforts required to enable rebroadcasting techniques.

AvaLAN Wireless Systems has recently introduced a product that implements this type of tunneling appliance. The AW-HSNetAppliance is a small hardware box used in pairs as described above, implementing a VPN tunnel that circumvents the challenges posed by retrieving remote data through the cellular network.

In addition, the AW-HSNetAppliance goes further by providing fully FIPS 140- 2 Level 2 certified hardware-based encryption to protect the security of data passed through the tunnel. Anyone in a government agency or sensitive private industry such as health care, energy or financial with a need to transfer sensitive but unclassified data is now required to encrypt this data with a method that conforms to NIST Standard FIPS 140.2.

This article originally appeared in the February 2013 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3