Best practices to help your organization keep the bad guys out!
Managing a mission-critical mobile workforce has its challenges. You need wireless technology and management platforms to ensure employees are accessible anytime, anywhere – especially for workers in vehicles, on the move and at remote or temporary work sites such as First Responders. 4G LTE mobile gateways are the doorways that manage and understand the location and status of these mobile assets, but they need protecting properly otherwise serious security issues can occur.
At Black Hat in Las Vegas last month, I attended one of the busier sessions, “Snooping on Cellular Gateways and Their Critical Role in ICS” by F5 Networks, which drew a lot of interest from the attendees. The presentation looked at some recent security vulnerability research they had conducted, which found that more than 100,000 Internet-facing mobile cellular gateways are regularly broadcasting their exact whereabouts to the world. This included fleet vehicles, police cars, ambulance, etc.—making them easy prey for hackers and other attacks.
The research also shared possible real-world scenarios that can occur when taking advantage of these vulnerabilities that clearly show the brevity of vulnerabilities. However, with a few best practices these sort of issues can be fixed. Unfortunately, it’s not something that many seem to be aware of. Everyday there are thousands of warnings about this exposed equipment, but most go unheard.
Actually, the researchers did not expose any new security vulnerabilities. The issue is misconfigurations that get exploited because end users are not following best practices in securing their mobile assets, i.e. the routers within each vehicle. Misconfiguration means poor configuration management capabilities, poor designs for default passwords, lack of policies to restrict remote management and lack of a centralized management platform to control the whole process. Without centralized configuration and patch management of mobile network infrastructure, misconfigurations are going to happen and that leaves openings in your network for hackers to exploit.
In addition to resolving misconfigurations, best practices for securing mobile networks need to be followed. Some of the common best practices to follow to secure mobile 4G LTE enabled gateways:
- Use private IP networks that do not expose the routers to the Internet directly. Using Private APN LTE networks from the mobile operators are becoming common.
- Use access control lists (ACLs) on gateways to restrict remote access to only known hosts.
- Use firewall policies to restrict inbound connections to only specified ports and change default ports.
- Enforce strong password creation and controls to require changing the default passwords
- Use RADIUS or authentication services to authenticate and log user access and actions.
- Use encrypted VPN’s for data communications and management planes to secure the integrity and confidentiality of all communications from these mobile gateways including location data.
The detailed research and disclosed a report that Justin Shattuck, Scott Harvey, Sara Boddy, and Preston Crowe from F5 Networks completed was excellent work and hopefully raises awareness across our industry about the importance of following well-known practices for securing mobile network gateways.
The best practices mentioned are nothing new and are also followed for securing wireline network infrastructure. Sometimes, however, the customer teams that deploy and manage the mobile networks are not the same personnel that manages the rest of the enterprise infrastructure so controls and governance gaps may exist. Additionally, the maturity of the various mobile gateway vendors for configuration management and security capabilities may lag wireline network infrastructure in some cases.
If you are running a mobile network or considering deploying one, do a deep dive on the management platform capabilities with your network operations team. A cloud-based management platform will simplify the complex mobile configurations using best practices and thereby reducing the chance for errors and chances for compromise. This sort of platform also allows you to be very responsive to patching vulnerabilities. An example of this is when the Heartbleed bug was disclosed, our company and cloud management platform, NCM was able to deploy a fix for our customers within seven days across all of our customers globally.
If your tolerance for risk is very low you might want to consider using various private network options for your WAN connectivity using wireless carrier private networks or “zero trust” private network overlays that use Software-Defined Perimeter technology, such as NetCloud Perimeter. These private network options remove the gateways and the devices behind them from being directly attacked from the Internet and still allow secure remote access to them. Additionally, explore the use of specialized mobile LTE gateways that support Federal Information Processing Standard (FIPS) 140-2 Inside security validation. These specialized 4G LTE gateways support cryptographic modules tested by third parties for the U.S. government.
At Cradlepoint, we continue to invest heavily in maturing the security capabilities for our target customers such as first responders, leveraging best in breed technologies wherever possible. For mobile gateway use cases, consider also using an integrated Intrusion Prevention Engine (IPS). An IPS is an additional layer of protection for internet traffic against the evolving battle against malware attacks and recommended as a part of the Criminal Justice Information Standard (CJIS) Security Policy Guidelines.
Hopefully, vendors and researchers can continue to find ways to raise awareness with our customers on the best practices to follow to best secure their mobile networks. As solution providers, we push ourselves to deliver more simplicity in our products to minimize misconfigurations. In the future, we can make it easier for our customers to be more secure in leveraging emerging technologies such as machine learning, automation, and intelligent designs.
Keep calm and carry on security best practices—existing security technology works well when implemented correctly.
Questions / More Information Contact USAT: