Private APNs as a Key Factor in IoT Security

Eseye author

Eseye

IoT Hardware and Connectivity Specialists

LinkedIn

With billions of Internet of Things (IoT) and Machine-to-Machine (M2M) devices now online, and billions more expected within the next few years, IoT security is finally getting the attention it deserves.  

Most IoT deployments are far less well secured than other endpoints such as laptops, servers, and phones, which exposes corporate networks and sensitive data to attack, theft, and other malicious activity.

Therefore, deploying a secure IoT infrastructure is critical in keeping your corporate network and data safe. In this article we’ll look at the role of the private APN (Access Point Name) as a key part of a secure IoT or M2M infrastructure.

An Access Point Name (APN) is the name of the gateway – the access point – between the cellular network the IoT device is connected to, and another network, such as the public internet.

Like any other gateway, it acts as a demarcation point or perimeter between two networks, such as a public network and a private network, and if compromised it can serve as a jumping-off point for external attacks against the internal network.

Any IoT device that uses a data connection must be configured with a valid APN. The role of an APN is to define various settings, including the allocation of IP addresses to IoT devices, quality of service (QoS) settings, and routing information including whether to use VPN (Virtual Private Network) tunnels.

Private APNs, typically controlled by the business, use static IP addresses, while public APNs, typically controlled by the mobile network operator, use dynamic IP addresses.

Public APNs are the more common flavor of APN you might encounter when connecting a consumer IoT device, such as a camera, to the internet. Public APNs typically assign a dynamic IP address from a pool of available addresses. When the device no longer needs a connection, the IP address is returned to the pool. When the device needs to connect again, it receives another IP address from the pool.

Some public APNs can also issue static IPs. Though an uncommon configuration, this means once a device has been assigned an address, it uses that address every time it connects to the gateway.

Private APNs are the more typical configuration you would expect for corporate IoT deployments that need more security. Access to a private APN might require a password from the IoT device, or connectivity might be filtered to specific IP addresses. A typical configuration is for the IoT device to connect to the APN and then to the corporate network via a VPN.

A private APN can assign devices a dynamic public IP address from the pool of available ones when talking to the public internet, but can also issue a private static IP for connecting to another private network.

An example APN might look something like this:

Where is the mobile country code, and is the mobile network code which together uniquely identify a mobile network operator.

The ‘apn’ and ‘epc’ parts are labels associating the APN with a network.

The final part ‘.3gppnetwork.org’ associates the connection with a data standard.

So any APN, whether public or private, typically contains two attributes, although this isn’t always the case:

  • The network identifier, which names the network
  • The operator identifier, which designates the mobile network operator (MNO)
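The following parser, added here as an example rather than code from the original article or from Eseye, shows how the two attributes above can be recovered from an APN string. It assumes the operator-identifier layouts defined in 3GPP TS 23.003 (`<network-id>.apn.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org` for EPC and the legacy `<network-id>.mnc<MNC>.mcc<MCC>.gprs`), handles the case where a device configures only the network identifier and no operator identifier, and rejects malformed PLMN labels; all APN values in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed operator-identifier layouts (3GPP TS 23.003):
#   EPC:    <network-id>.apn.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
#   legacy: <network-id>.mnc<MNC>.mcc<MCC>.gprs
# MNC is always written as three digits (a two-digit MNC is zero-padded).
_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


@dataclass(frozen=True)
class ApnName:
    network_id: str                  # the part the enterprise or subscriber chooses
    mcc: Optional[str]               # mobile country code, None if no operator identifier
    mnc: Optional[str]               # mobile network code, None if no operator identifier
    operator_domain: Optional[str]   # "3gppnetwork.org" or "gprs"


def _plmn(label_mnc: str, label_mcc: str) -> tuple[str, str]:
    """Validate 'mncNNN' / 'mccNNN' labels and return (mcc, mnc) digits."""
    if not (label_mnc.startswith("mnc") and label_mcc.startswith("mcc")):
        raise ValueError("operator identifier must be mnc<MNC>.mcc<MCC>")
    mnc, mcc = label_mnc[3:], label_mcc[3:]
    if not (len(mnc) == 3 and mnc.isdigit() and len(mcc) == 3 and mcc.isdigit()):
        raise ValueError("MNC and MCC must each be three digits")
    return mcc, mnc


def parse_apn(apn: str) -> ApnName:
    """Split an APN into its network identifier and optional operator identifier."""
    labels = apn.strip().lower().rstrip(".").split(".")
    if not labels or not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"malformed APN label in {apn!r}")

    if (len(labels) >= 6 and labels[-6:-4] == ["apn", "epc"]
            and labels[-2:] == ["3gppnetwork", "org"]):
        ni, (mcc, mnc), domain = labels[:-6], _plmn(labels[-4], labels[-3]), "3gppnetwork.org"
    elif len(labels) >= 3 and labels[-1] == "gprs":
        ni, (mcc, mnc), domain = labels[:-3], _plmn(labels[-3], labels[-2]), "gprs"
    else:
        # No operator identifier: the device-side form, network identifier only
        return ApnName(".".join(labels), None, None, None)
    if not ni:
        raise ValueError("operator identifier without a network identifier")
    return ApnName(".".join(ni), mcc, mnc, domain)


def same_apn(a: str, b: str) -> bool:
    """True when two APNs name the same network: equal network identifiers and,
    when both carry an operator identifier, the same MCC/MNC. A device usually
    configures only the network identifier; the core network appends the rest."""
    pa, pb = parse_apn(a), parse_apn(b)
    if pa.network_id != pb.network_id:
        return False
    if pa.mcc is None or pb.mcc is None:
        return True
    return (pa.mcc, pa.mnc) == (pb.mcc, pb.mnc)


if __name__ == "__main__":
    # Constructed example values, not a real operator's APN
    print(parse_apn("Internet.apn.epc.mnc015.mcc234.3gppnetwork.org"))
    print(parse_apn("corp.example.mnc015.mcc234.gprs"))
    print(same_apn("internet", "internet.apn.epc.mnc015.mcc234.3gppnetwork.org"))
```

Comparing APNs through `same_apn` rather than with plain string equality avoids false mismatches from case or a trailing dot, and tolerates the common situation where the device has only the network identifier while provisioning records carry the full operator-qualified name.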

When connecting to the internet, the mobile carrier determines the IP address assigned to the IoT device, along with the associated security parameters.

The available options for the IoT or M2M device to connect to a private or public APN are established by the SIM subscription – the ultimate decision is made by the modem firmware, so private APN infrastructures require the SIM to be pre-provisioned with the correct information.

For consumer IoT, the default option is for SIM subscriptions to enable the device to access the internet through a public APN.

Whether a public or a private APN is used, the SIM subscription must be provisioned with the appropriate settings and information on the HLR/HSS (Home Subscriber Register and Home Subscriber Server) – the mobile network’s primary database of subscriber information – and the specific gateway must match the IoT device’s settings, including IP address allocation.

Private APNs offer far more security for IoT deployments, including:

  • The use of firewall rules
  • Restricted access to the public internet
  • The use of VPNs
  • Authentication methods
  • Access restricted to trusted devices only
  • Prevention of activity from low-level malware such as rootkits (while malware could bypass VPN enforcement, it could not bypass an APN and would be easier to detect with network monitoring services)
  • Easier to detect network and device issues with network monitoring solutions

Private APNs are particularly useful for IoT deployments that need to keep the network, and the data traversing it, secure. Healthcare, government, and legal are three example use cases. The key is that traffic from the IoT devices can be routed directly into a private corporate network, meaning you’re no longer sharing the public internet and can add extra authentication policies.
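The monitoring checks listed above (trusted devices only, static addressing, restricted internet access, and detection through session monitoring) can be expressed as a small policy run over APN session records. The block below is an added example, not code from the original article or from Eseye: the APN name, address ranges, IMSIs and log lines are all constructed for illustration, and the record format is a hypothetical one-line-per-session layout rather than any operator's real accounting format.

```python
import ipaddress
from dataclasses import dataclass

# Policy for one hypothetical private APN (all names and ranges are constructed).
PRIVATE_APN = "corp.apn.epc.mnc015.mcc234.3gppnetwork.org"
STATIC_POOL = ipaddress.ip_network("10.20.0.0/16")       # static private IPs the APN hands out
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # only permitted destinations (via the VPN)
TRUSTED_IMSIS = {"234015000000001", "234015000000002"}   # SIMs provisioned for this APN

# Constructed session records, one per line: time imsi apn assigned_ip dst_ip bytes
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 234015000000001 corp.apn.epc.mnc015.mcc234.3gppnetwork.org 10.20.1.10 10.50.0.5 1200
2024-05-01T08:00:07Z 234015000000002 internet 100.64.3.9 93.184.216.34 8800
2024-05-01T08:01:13Z 234015000000001 corp.apn.epc.mnc015.mcc234.3gppnetwork.org 10.20.1.10 93.184.216.34 56000
2024-05-01T08:02:44Z 234015000000099 corp.apn.epc.mnc015.mcc234.3gppnetwork.org 10.20.9.2 10.50.0.5 300
2024-05-01T08:03:02Z 234015000000002 corp.apn.epc.mnc015.mcc234.3gppnetwork.org 192.0.2.7 10.50.0.5 400
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    imsi: str
    reason: str


def check_session(line_no: int, record: str) -> list[Finding]:
    """Apply the private-APN policy to one session record."""
    _ts, imsi, apn, src, dst, _nbytes = record.split()
    findings: list[Finding] = []
    if imsi not in TRUSTED_IMSIS:
        findings.append(Finding(line_no, imsi, "device not in trusted SIM list"))
    if apn.lower() != PRIVATE_APN:
        # A fleet device on a public APN bypasses every control below, so stop here
        findings.append(Finding(line_no, imsi, f"session on non-private APN {apn!r}"))
        return findings
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in STATIC_POOL:
        findings.append(Finding(line_no, imsi,
                                f"assigned address {src} outside static pool {STATIC_POOL}"))
    if not any(dst_ip in net for net in CORPORATE_NETS):
        findings.append(Finding(line_no, imsi,
                                f"egress to {dst} outside the corporate network"))
    return findings


def audit(log_text: str) -> list[Finding]:
    """Run the policy over every non-empty record and collect findings in log order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            findings.extend(check_session(line_no, line))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no} imsi {f.imsi}: {f.reason}")
```

Run against the constructed log, the first record passes and each of the other four trips exactly one rule: a session on the public APN, egress to a public address from a device that should only reach the corporate network, an IMSI that was never provisioned for the APN, and an assigned address outside the static pool. In a real deployment the trusted-device set would come from the SIM provisioning records and the checks would run continuously over the APN's session feed rather than over a static string.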

Eseye APNs are custom-built gateways that sit between the cellular network and the enterprise. These private APNs provide authentication of connections, allocate IP addresses and route the data from the IoT end-device to the cloud.

AnyNet+ SIMs are programmed to communicate only with Eseye’s secure private APN, which ensures the service is authorized. There is also a firewall at the APN level.

Eseye’s private APNs cover the vast majority of geographies worldwide and have built-in management and monitoring capability to ensure all connections get the best possible service. This capability can reveal a rich stream of information about your data sessions, as well as device activity and network usage.

Through constant monitoring, we ensure that action is taken immediately to block or mitigate any IoT attacks, meaning Eseye’s private Access Point Names (APNs) can be relied upon to provide a secure connection.
