Cellular Challenges

Cellular Challenges

Remote industrial devices need protection too

Cellular ChallengesConnection of industrial network devices with a cellular modem can be challenging. In most cases, industrial network devices are operating backwards from how typical consumers utilize an Internet connection over a cellular modem. Consumers usually receive data from the Internet while industrial devices are a general source of information to users that have knowledge of the Internet address of the device.

To protect networked devices from unsolicited Internet probes, a firewall is used to restrict access from external users trying to gain access to internal network devices. A typical firewall does not restrict outbound requests to the Internet, while incoming requests from the Internet are tightly managed or forbidden. The only way to pass through a firewall from the Internet is to be invited by an internal user. The firewall registers and tracks each internal user’s outbound requests with corresponding responses from the Internet.

These matching responses from the Internet are approved by the firewall and forwarded onto the internal network user, whereas data coming from the Internet that doesn’t have a registered request is rejected.

A firewall’s registration process uses “port numbers” to keep track of the flow of incoming and outgoing data requests and responses. A port is registered and opened to a specific Internet address when an outbound request is made and the response comes back to the same port for validation by the firewall. Only responses from the queried Internet address are allowed through the firewall, but it is possible to manually setup ports on a firewall to “forward” incoming data requests from the Internet.

The firewall is programmed by its administrator to open specific ports and will then directly forward all data that is received on that port to a specific internal network address.

Port forwarding can be dangerous because it opens a hole in the firewall for Internet probing and network entry. Network safeguarding is now partly the responsibility of the device receiving the forwarded data. Devices that are receiving data from a forwarded port on the firewall must have well-architected security features because they will be directly visible to Internet users and hackers. Many legacy network devices do not have adequate security provisions since they were designed for use only by known users on safe internal networks.

Port forwarding works with traditional Internet service providers because they don’t restrict incoming ports from the Internet and they leave management of firewall protection to the customer. However, this is not the case with cellular-based Internet service providers. These providers use a filter, which blocks the incoming requests that would normally be handled by the user’s firewall. This filter does not impact consumers who send outbound (HTTP/web) requests to the Internet, but it does block inbound requests from hackers and, unfortunately, from well-intended users looking to make connections with their remote devices.

To gain access to a remote device, the cellular provider’s filter needs to be turned off. There are two challenges with this. The first is finding an authorized administrator of the carrier’s filter and convincing the person to do this. The second is that turning off the carrier’s filter may allow unsolicited probes to consume the user’s usage allowance from the carrier.

Upon clearing the hurdle of ensuring the unfiltered ability to correctly forward ports, the next challenge is to get a fixed Internet address. Cellular connections are typically pre-configured with a non-fixed IP address, where the IP address is assigned at the start of each connection and changes at points during the connection. A fixed address allows users to query the assigned ports for their devices at an unchanging location on the Internet.

An example address might be: http://184.172.128.161:8081. Adding the preestablished port number of :8081 to the fixed Internet address of 184.172.128.161 tells the remote firewall that access is wanted to the internally networked device that this port is forwarded to. The http:// tells the browser to expect an HTML response. Obtaining a fixed address from a cellular carrier can be difficult and often expensive. Once a fixed IP address is obtained and incoming ports are forwarded, an internal network device can be successfully located and queried over the Internet at a fixed address:port.

Due to the high cost and effort to obtain a fixed IP address, dynamic domain name services (DDNS) can be an attractive alternative. DDNS circumvents the non-fixed IP address ambiguity problem where a server is not at a fixed, unchanging network location and is a variation of the more familiar DNS service. The Internet uses domain name servers (DNS) to allow use of a human-recognizable word combination (the URL) to be matched up with an IP address for the desired server. An example DNS lookup would be “www.avalanwireless.com = 184.172.128.161”. The user has the choice in their browser to type the words (and use a DNS server) or to use the IP address numbers directly to connect to the desired Web site.

The user’s DNS server maintains lookup tables that get updated whenever a change occurs in the IP address of any Internet server, but this happens slowly as the information is propagated to DNS servers around the world. DDNS is a trusted intermediary service that provides a URL that is automatically updated by the cellular modem whenever the carrier changes the modem’s IP address. The user can now point their browser to the intermediary DDNS server and have a reliable “real-time” way to access the cellular modem’s IP address from anywhere and anytime the user might need. A basic account with a DDNS service provider, like www.dyndns.com, is free and allows the user to specify a human recognizable string like “avalan01.dyndns.org”, that will be reliably redirected to the current IP address of the user’s device. The port numbers that would normally be at the end of the IP address can be specified at the end of the word string and will be ap- pended to the IP address request sent to the remote device; for example, “avalan01. dyndns.org:8081 = 184.172.128.161:8081.”

Because cellular modem data plans can provide blocked incoming ports and non-fixed IP addresses, these limitations are difficult to overcome. Persistent efforts and setup fees paid to the carrier may yield a workable solution, but there is an easier way.

A network-to-network tunnel can be used to connect a remote device with a corporate management network. If the corporate network presents a fixed IP address to the Internet (most do), a carefully chosen tunneling appliance can be easy to setup and less expensive than paying for a fixed IP address at the remote end.

The tunneling appliance consists of two small network appliance boxes with matched encryption keys that are programmed with the basic information required for the devices to find each other over the Internet.

One appliance is installed behind the cellular modem’s firewall and initiates a connection by sending an outbound message to the other device that is installed behind the firewall at management network. The outbound message from the client creates a temporary port opening through the cellular firewalls. Once the management-side appliance receives the message to initiate handshaking from its remote partner, the connection is negotiated, authenticated and encrypted through this port. The cellular firewall’s temporary port remains open to bi-directional network traffic unless the IP address of the cellular firewall changes or the connection is interrupted. Upon loss of connection, the remote appliance immediately begins sending connection initiation messages to reestablish the connection.

A well-architected tunneling appliance forwards all broadcast and unicast Ethernet traffic to ensure that devices operate transparently over the tunnel. Tunnel-attached devices will appear to management side users to be directly on their own network and cellular side users will appear to be directly on the management side network. Advanced users may choose to employ additional port forwarding at the management side to allow Internet accessibility for the tunnelattached networked devices.

This management side port forwarding technique allows the tunnel-attached devices to appear to Internet users to be at the fixed IP address: port of the management side’s firewall. Some remote access applications may require that many users have the simultaneous ability to request data from the tunnel-attached devices and may benefit from buffered rebroadcasting techniques at the management side to conserve cellular data usage. This seamless network to network connectivity can ease the integration efforts required to enable rebroadcasting techniques.

AvaLAN Wireless Systems has recently introduced a product that implements this type of tunneling appliance. The AW-HSNetAppliance is a small hardware box used in pairs as described above, implementing a VPN tunnel that circumvents the challenges posed by retrieving remote data through the cellular network.

In addition, the AW-HSNetAppliance goes further by providing fully FIPS 140- 2 Level 2 certified hardware-based encryption to protect the security of data passed through the tunnel. Anyone in a government agency or sensitive private industry such as health care, energy or financial with a need to transfer sensitive but unclassified data is now required to encrypt this data with a method that conforms to NIST Standard FIPS 140.2.

This article originally appeared in the February 2013 issue of Security Today.

Featured

  • Until We Meet Again

    A short three years ago we were all pondering whether to attend any tradeshows all thanks to COVID-19. Sorry to bring that nightmare up again, but it seems that little pandemic is in the rear-view mirror, and it’s time to meet again. Read Now

    • ISC West
  • Cyber Hygiene: What it Looks Like for IoT Devices

    Cyber Hygiene: What it Looks Like for IoT Devices

    For our second pillar about the Industrial Internet of Things (IIoT) Pillars of Security, we are going to discuss what cyber hygiene looks like for IoT devices. Read Now

  • ISC West Announces 2023 Keynote Series Speaker Lineup

    The International Security Conference (ISC), in collaboration with premier sponsor Security Industry Association (SIA), announced five of this year’s ISC West Keynote Series speakers. ISC West will kick off its annual conference on March 28 (SIA Education@ISC: March 28-30 | Exhibit Hall: March 29-31) at the Venetian Expo in Las Vegas, Nevada. Read Now

    • ISC West
  • Accelerating Security Modernization

    In recent years, the term “digital transformation” has been one of the most frequently used buzzwords across industries. On its most basic level, it refers to the reimagining of how an organization leverages its technology systems to improve business processes. Read Now

Featured Cybersecurity

New Products

  • Camden Door Controls CV-603 2 Door Bluetooth Access Control System

    Camden Door Controls CV-603 2 Door Bluetooth Access Control System

    his app-based system is designed to provide ‘best in class’ security of doors and gates, with up to 2,000 users. The intuitive programming app is Apple® and Android® compatible, with easy to use system set-up, user administration, downloadable audit trail and data back-up. 3

  • ABLOY IP54-rated Integrated Dust Cover

    ABLOY IP54-rated Integrated Dust Cover

    One of the things that keep security managers on high alert is the real possibility the security locks used to safeguard their properties may unexpectedly fail due to environmental conditions. 3

  • Genetec Security Center

    Genetec Security Center

    This major new release allows more system components to run in the cloud, reducing the gap between cloud and on-premises security systems. It also makes it easier to connect external systems and tap external data for use in dashboards, maps and investigations without relying on complex, specialized integrations. 3