Making M2M safe and secure
M2MAPPS: Cellular networks are not secure unless they are private and managed. Can you substantiate that statement? It comes from a Wyless article.
STEVE BOYD: No network is safe and secure unless it’s privately managed in some way. You’re not going to allow workstations and application servers to connect to the Internet when the only protection is their own on-machine firewalls, so why should cellular devices be any different? Eventually a single defense mechanism is going to be exposed, maybe by a misconfigured device or by a new exploit such as Heartbleed. You need at least one additional defense layer, and it can be provided by a basic private IP addressing scheme with an enterprise firewall that’s in front of all the devices. You can see that combination as a default second layer, so if a device is exposed it doesn’t immediately lead to a compromise. This protection from the Internet by a default second layer has been sufficient for smaller organizations that have relatively simple connectivity requirements.
M2MAPPS: There used to be a time when M2M solutions were thought to be secure because they were obscure. Hackers didn’t bother with them. However, M2M has moved into enterprise and other key environments, so what is Wyless doing to make them really safe and secure?
STEVE BOYD: We’ve moved on, and now nothing is too obscure for the hackers, but besides putting everything behind a firewall we can implement IP whitelisting. What this does is allow data from the wireless device to reach only customer-allowed destinations, and it blocks any IP addresses that are not specified on the list. In addition we can employ default-gateway IPsec tunnels, as well as Generic Routing Encapsulation (GRE) over the traditional IPsec tunnels, in order to direct all device-initiated traffic towards the company’s network. This enables companies to use their own network filtering and protocols, which effectively brings the device behind the protection they already afford their core network. This protection is in place no matter what somebody does to the device in the field. It either routes all traffic to and from the company’s network, or it doesn’t route any traffic over any cellular network at all.
M2MAPPS: Does building this kind of secure wall around a business environment apply to all wireless communications, M2M traffic as well as wireless devices like smartphones and tablets?
STEVE BOYD: It does. All data traffic must be secured. The solution I outlined in my previous answer is a neat way of addressing the BYOD (Bring Your Own Device) issue from a cellular data perspective. Regular M2M vertical solutions are being increasingly integrated into mainstream enterprise applications like ERP and CRM, so it makes business as well as technical sense to employ an integrated security solution and thereby enable a seamlessly secure environment.
M2MAPPS: When you build a secure wall around a business environment how do you enable remote access by authorized users?
STEVE BOYD: Well, it’s kind of obvious that we do need to provide a way for authorized users and services to access the devices remotely over the Internet. We’ve done that by employing two data communications technologies: PPTP (Point-to-Point Tunneling Protocol) client-server VPNs and IPsec site-to-site VPNs (Virtual Private Networks). With PPTP, individual users can initiate a VPN and establish traffic to the devices on the fly, and with IPsec, one or more sites can be linked to the devices over a private, permanent connection. I’d like to add that it is not necessary to have public IP addresses, and they should be avoided wherever possible.
M2MAPPS: How and why does Wyless implement connectivity via the cloud?
STEVE BOYD: Enterprises are employing virtual pools of computing resources that operate very efficiently in private and public clouds, and a key benefit is the flexibility they bring to their operations. M2M solutions are also moving to the cloud, either stand-alone or integrated, and of course this is something we anticipated; our response was to implement our own complementary cloud connectivity solution. This means that we can deliver secure network connectivity between our global MNO sites and both Amazon AWS and Microsoft’s Azure platform, and several customers are already using this service.
M2MAPPS: What security developments do you expect to see later this year and in 2015?
STEVE BOYD: Heartbleed, which did not impact any Wyless technical resources, did cause everyone to take a step back and realize that any device, host, or resource can be exposed to a zero-day vulnerability eventually, and we’re seeing some people belatedly coming around to the idea of layered defenses. But going forward, as M2M and IoT take-up accelerates, I think the leading edge will be in comprehensive traffic analysis. We’re getting beyond putting up walls and into scanning traffic for unauthorized or malicious characteristics and blocking it as appropriate. The additional security benefits of that approach will be substantial for anyone investing in it, and I’m confident that Wyless will be at the forefront.
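The IP whitelisting Steve Boyd describes earlier in the interview (a device's traffic may reach only customer-approved destinations, everything else is blocked, and a device with no policy gets no routing at all) can be modelled as a per-device egress allowlist. The block below is an added illustration of that check; it is not code from the interview or from Wyless, and the device IDs, CIDR ranges and flow records are constructed sample data. It uses Python's standard `ipaddress` module so it runs offline.

```python
"""Per-device egress allowlist for a fleet of cellular (M2M) devices.

Added example, not from the interview or from Wyless. Models the
"IP whitelisting" layer described above: a device may only reach
destinations on its customer-approved list; anything else is dropped,
and a device with no list at all is denied everything (fail closed).
All device IDs, addresses and flows here are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Assumed per-device policy: device -> allowed destination CIDRs.
# A device absent from this table has an empty allowlist.
ALLOWLISTS = {
    "dev-001": ["10.20.0.0/16", "203.0.113.10/32"],
    "dev-002": ["198.51.100.0/24"],
}


@dataclass(frozen=True)
class Flow:
    """One device-initiated flow, as a firewall or gateway would log it."""
    device: str
    dst: str
    port: int


def parse_allowlist(entries):
    """Parse CIDR strings into network objects.

    strict=True rejects entries with host bits set (e.g. "10.20.0.1/16"),
    so a typo in the policy raises rather than silently widening it.
    """
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def allowlist_is_valid(entries):
    """True if every entry parses as a clean network prefix."""
    try:
        parse_allowlist(entries)
    except ValueError:
        return False
    return True


def is_allowed(device, dst, policy=ALLOWLISTS):
    """Default deny: True only if dst lies inside one of the device's
    allowed networks. Unparseable destinations and unknown devices are
    denied. (IPv4Network/IPv6Network containment already returns False
    across address families, so a v6 address never matches a v4 range.)
    """
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    nets = parse_allowlist(policy.get(device, []))
    return any(addr in net for net in nets)


def filter_flows(flows, policy=ALLOWLISTS):
    """Split flows into (allowed, blocked) lists under the policy."""
    allowed, blocked = [], []
    for f in flows:
        (allowed if is_allowed(f.device, f.dst, policy) else blocked).append(f)
    return allowed, blocked


# Constructed sample flows covering the interesting cases.
SAMPLE_FLOWS = [
    Flow("dev-001", "10.20.5.7", 443),        # inside the allowed /16
    Flow("dev-001", "203.0.113.10", 8883),    # exactly the allowed host
    Flow("dev-001", "203.0.113.11", 8883),    # neighbouring host, not listed
    Flow("dev-001", "2001:db8::1", 443),      # IPv6, no v6 ranges allowed
    Flow("dev-002", "198.51.100.200", 443),   # inside dev-002's /24
    Flow("dev-002", "10.20.5.7", 443),        # dev-001's range, not dev-002's
    Flow("dev-003", "8.8.8.8", 53),           # unknown device: no routing
    Flow("dev-001", "not-an-ip", 80),         # malformed destination
]

if __name__ == "__main__":
    ok, dropped = filter_flows(SAMPLE_FLOWS)
    for f in ok:
        print("ALLOW", f)
    for f in dropped:
        print("DROP ", f)
```

In a real deployment this decision would be enforced on the enterprise firewall or the operator's gateway in front of the devices, not on the device itself, which is the point of the second layer: the device can be tampered with in the field and its traffic still goes nowhere the customer did not approve.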
Company: Wyless
Wyless is the global leader in end-to-end managed data services for the M2M and Internet of Things marketplace. We provide products and deliver professional services that enable our leading enterprise customers, MNO partners and distribution channels to more easily deploy embedded cellular products and services, anywhere in the world. The company’s resilient platform, delivered in partnership with over 20 of the world’s largest network operators, provides secure, reliable communications on wireless embedded devices in over 150 countries.