Instant APN Technical White Paper

Introduction

AccessMyLan Instant APN is a hosted service that provides access to a company network via an Access Point Name (APN) on the AT&T mobile network. Any device on the AT&T mobile network may be configured to connect using Instant APN, including Laptop Connect modems, smartphones, mobile routers and M2M devices.

The service does not require any specialist CPE (Customer Premise Equipment), as the Instant APN 'footprint' on the customer network consists of a software agent installed on any Windows system on the LAN. The software, known as a VPN Agent, makes an outbound SSL connection to the AccessMyLan service cloud, which is hosted in multiple data centres around the globe. Typically, no firewall changes are required at the customer's network perimeter, and deployment in DMZ-style scenarios is fully supported. With no open inbound ports, no externally published DNS and no inbound routes, there is no attack surface at the customer's network edge, and dependency on fixed external IPs or specific ISPs is removed.

Asavie Technologies Ltd., 24 Herbert Lane, Dublin 2, Ireland
w: www.accesssmylan.com  e: sales@accessmylan.com
t: +353 1 6763585 (Int)  +1 866 576 9266 (USA)  +44 158 263 5013 (UK)

Service Architecture

[Figure 1 - Service Architecture: the APN on the AT&T wireless network, the AT&T Instant APN service, the Internet, and the VPN Agent on the LAN]

The VPN Agent installed on the LAN establishes and maintains an SSL tunnel to the service via the Internet. The APN settings on the mobile device are configured to connect to the Instant APN on the AT&T wireless network. The service authenticates the mobile connection and brokers communication between the mobile client and devices on the LAN.

VPN Agents

Connectivity between the customer network and the service cloud is maintained by VPN Agents. VPN Agents run as a service on any Windows platform (Windows 2000 or later) and establish a permanent SSL connection to the service. In the event of an Internet connection failure, the VPN Agent will automatically attempt to re-establish connectivity to the service over any available Internet route.

Multiple VPN Agents can be deployed to provide resilience in the event of hardware or network failure. In a default configuration, the first VPN Agent to connect provides the route for remote traffic. If the first VPN Agent loses connectivity due to hardware or network problems, the other VPN Agent will immediately start providing the route for remote traffic. VPN Agents may be deployed across multiple sites to enable totally transparent failover of remote access in a disaster recovery scenario, or to provide concurrent connectivity to several sites. VPN Agents provide policy-based routing, which can be used to split remote traffic between VPN Agents based on the service type and/or destination host.

Connecting Mobile Devices

No additional software is required on the mobile device, as connectivity is established by configuring Instant APN as a connection profile on the mobile device.

[Figure 2 - Configuring AT&T Communication Manager for access]

The profile created can then be used to establish connectivity to the service.

[Figure 3 - Connecting to the service]

Once connected, mobile devices are assigned an IP address, DNS server and default gateway by the service. The DNS server assigned relays DNS requests to the VPN Agent for resolution, simplifying integration with the corporate namespace. The IP address assigned is a private address and by default is not contactable from other mobile devices. The Machine to Machine (M2M) section of this paper explains how the service supports applications that require static addressing and communication between devices.

Mobile devices are assigned to users created by the system administrator with a username and password. The system administrator adds a mobile device to a user by specifying the mobile number (MSISDN) of the device that the user will use to access the service. When a device connects, it must provide the username and password of the user to authenticate. The service will also verify the MSISDN of the device before authorizing access. Using the MSISDN for access authorization provides additional security beyond basic username and password credentials.

Network Architecture

The VPN Agent behaves like a NAT proxy, and all remote user traffic on the LAN has a source address of the system hosting the VPN Agent. Upon startup, the VPN Agent automatically discovers routable subnets and DNS services, which are configured at connect time on remote devices. When a mobile device authenticates successfully, the service assigns an IP address to the remote device from an AccessMyLan address pool and configures DNS and routing. The DNS is configured to use a company-specific DNS proxy on the service, which forwards requests to the VPN Agent for resolution. Routes are defined on the client to route all traffic for RFC 1918 addresses via the APN. Remote user traffic is proxied by the VPN Agent, so that all remote traffic on the LAN has the source IP address of the VPN Agent host. The following tracert example shows the routing in the network.

    C:\> tracert srv1.example.com

    Tracing route to srv1.example.com [192.168.1.21]
    over a maximum of 30 hops:

      1    32 ms    31 ms    32 ms  10.128.0.1      Client Access Server
      2    34 ms    34 ms    35 ms  10.192.0.3      Virtualised Customer Router/Firewall
      3    66 ms    67 ms    66 ms  192.168.1.20    VPN Agent IP address on LAN
      3    69 ms    67 ms    69 ms  192.168.1.21    Server address on LAN

Figure 4 - Network Routing

Each customer is assigned a virtualised VPN router/firewall in AccessMyLan, which is responsible for enforcing customer-configured Access Controls and routing user traffic via connected VPN Agents. The virtualised VPN router also provides a DNS relay by forwarding any DNS UDP datagrams addressed to the VPN router address to VPN Agents that have a DNS route declared.

Access Controls

Access Rules

Network access rules are applied to all remote traffic and control access based on the application protocol and the destination host. The administrator can define custom services in addition to the standard service definitions.

[Figure 5 - Network Access Rule Configuration]
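As an added illustration (not code from the paper or from the AccessMyLan service), the following Python evaluates access rules of the form described above: a service definition (protocol and port, standard or administrator-defined) plus a destination host pattern. The same evaluator also handles the per-user rules, which the paper defines in the same manner as network rules; the service names, the sample policy and the way the two rule sets combine are assumptions of this example.

```python
# Constructed example, not AccessMyLan code: a service is a (protocol, port)
# definition and a rule names a service plus a destination host pattern.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Standard service definitions plus one administrator-defined custom service.
SERVICES = {
    "https": ("tcp", 443),
    "rdp":   ("tcp", 3389),
    "dns":   ("udp", 53),
    "erp":   ("tcp", 8443),   # custom service (constructed for this example)
}

@dataclass(frozen=True)
class Rule:
    service: str    # key into SERVICES, or "*" for any service
    host: str       # destination host pattern, e.g. "*.example.com" or an IP
    allow: bool

def rule_matches(rule: Rule, proto: str, port: int, host: str) -> bool:
    if rule.service != "*" and SERVICES.get(rule.service) != (proto, port):
        return False
    return fnmatch(host.lower(), rule.host.lower())

def first_decision(rules: List[Rule], proto: str, port: int, host: str) -> Optional[bool]:
    # First matching rule wins; None means no rule in this set matched.
    for r in rules:
        if rule_matches(r, proto, port, host):
            return r.allow
    return None

def is_permitted(network_rules: List[Rule], user_rules: Dict[str, List[Rule]],
                 user: str, proto: str, port: int, host: str) -> bool:
    # Assumption of this example: traffic must be explicitly allowed by a
    # network rule (default deny) and must not be denied by a rule for this user.
    if first_decision(network_rules, proto, port, host) is not True:
        return False
    return first_decision(user_rules.get(user, []), proto, port, host) is not False

# Constructed sample policy.
NETWORK_RULES = [
    Rule("rdp", "*", False),             # no RDP from the mobile network at all
    Rule("*", "*.example.com", True),    # any service to the corporate domain
    Rule("erp", "192.168.1.21", True),   # the custom ERP service on one host
]
USER_RULES = {"contractor": [Rule("erp", "*", False)]}  # contractors: no ERP
```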

User access rules are applied on a per-user basis and are defined in the same manner as network access rules.

User Authentication

By default, users are authenticated against the integrated AAA service. The service implements a lockout policy which defines how many login failures a user may have before being locked out. The policy also defines the lockout period before the user may attempt to log in again. User passwords are subject to an administrator-configurable password policy which defines the minimum length and character set mix.

The service can be configured to authenticate users with any RADIUS-capable authentication server in the LAN, such as Active Directory or SecurID. Authentication requests are proxied via the VPN Agent to the internal RADIUS server defined by the administrator.

Instant APN Applications

Internet Access Policy Compliance

While providing staff with mobility is a powerful business enabler, it can also pose challenges, as users have direct access from their mobile device to the Internet. This may result in users wasting time, visiting inappropriate sites and downloading dangerous material to company devices.

By configuring the mobile device so that it can only connect to Instant APN, mobile users no longer have direct access to the Internet. This restriction is applied by disabling access to the Internet APN on the AT&T network, which means that the user cannot re-enable access through a local configuration. Access to the Internet can be provided by configuring the mobile device browser to use a proxy server located in the office. This approach subjects the mobile user to the same access restrictions and monitoring as desk-based users and provides the controls to ensure that mobile users comply with usage policies.
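An added example, not the service's own code, of the authentication flow described above: the username and password are checked against an integrated AAA store, the device's MSISDN is verified against the numbers the administrator assigned to the user, and the lockout and password policies are applied. The policy values, the hashing choice and the result strings are assumptions of this example.

```python
# Constructed example, not AccessMyLan code. Policy numbers are illustrative.
import hashlib, hmac, os, re, time
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Policy:
    max_failures: int = 5        # login failures allowed before lockout
    lockout_seconds: int = 900   # lockout period before the next attempt
    min_length: int = 8          # password policy: minimum length ...
    classes_required: int = 3    # ... and character-set mix (lower/upper/digit/symbol)
@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    msisdns: Set[str] = field(default_factory=set)  # devices the administrator assigned
    failures: int = 0
    locked_until: float = 0.0

def password_ok(pw: str, policy: Policy) -> bool:
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= policy.min_length and classes >= policy.classes_required
def hash_pw(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class AAA:
    def __init__(self, policy: Optional[Policy] = None):
        self.policy, self.users = policy or Policy(), {}
    def add_user(self, name: str, pw: str, *msisdns: str) -> None:
        # The administrator creates the user and assigns the devices (by MSISDN) it may use.
        if not password_ok(pw, self.policy):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[name] = User(salt, hash_pw(pw, salt), set(msisdns))
    def authenticate(self, name: str, pw: str, msisdn: str, now: Optional[float] = None) -> str:
        # msisdn is the number the mobile network reports for the connecting device.
        now = time.time() if now is None else now
        u = self.users.get(name)
        if u is None:
            return "deny:unknown-user"
        if now < u.locked_until:
            return "deny:locked"
        if not hmac.compare_digest(hash_pw(pw, u.salt), u.pw_hash):
            u.failures += 1
            if u.failures >= self.policy.max_failures:
                u.failures, u.locked_until = 0, now + self.policy.lockout_seconds
                return "deny:locked"
            return "deny:bad-password"
        u.failures = 0
        if msisdn not in u.msisdns:          # MSISDN check on top of the password
            return "deny:msisdn-not-authorized"
        return "allow"
```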

Machine to Machine

Instant APN provides an easy and secure way to integrate remote machines using the AT&T wireless network. By using Instant APN, the devices are not exposed to the Internet and there is no requirement for complex client-side software.

In an M2M environment, it may not be practical to configure each device with a unique username and password. In these cases, a shared set of credentials may be used, with authorization of access being based on the MSISDN/mobile number of the mobile device.

Machine to Machine (M2M) applications will generally need static IP addresses on the mobile devices and permit bi-directional communication between mobile devices and LAN applications. The service supports the following two approaches to M2M projects.

Peer-to-Peer

In a Peer-to-Peer M2M environment, the service will assign static private IP addresses to the mobile device from a service- or customer-defined pool of addresses. The address pool can be in the following ranges:

    192.168.0.0 to 192.168.255.255
    172.16.0.0 to 172.31.255.255
    10.1.0.0 to 10.126.255.255

All mobile devices are assigned a static address from the pool and can communicate with each other. The AccessMyLan VPN Client is also supported by this Peer-to-Peer network, allowing connectivity to M2M devices on the mobile network from Windows systems.

M2M Routed Mode

Where transparent routed connectivity between the M2M devices and servers on the LAN is required, a route must be provided from the LAN to the mobile devices. This is achieved by establishing a GRE tunnel between a router on the LAN and a VPN Agent installed on the LAN. With this approach, any LAN host may communicate with a mobile M2M device using the mobile device's private static IP address.
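An added example, not the service's own code, of the Peer-to-Peer address assignment described above: it validates a customer-defined pool against the three permitted ranges the paper lists and gives each device, keyed by its MSISDN, a static address that stays the same across reconnects. The pool size, the release operation and the sample MSISDNs are constructed for this example.

```python
# Constructed example, not AccessMyLan code.
import ipaddress
from typing import Dict, List

# The three permitted pool ranges, exactly as the paper lists them. The last
# one is not a CIDR block, so ranges are kept as (first, last) address pairs.
ALLOWED_RANGES = [
    (ipaddress.IPv4Address("192.168.0.0"), ipaddress.IPv4Address("192.168.255.255")),
    (ipaddress.IPv4Address("172.16.0.0"),  ipaddress.IPv4Address("172.31.255.255")),
    (ipaddress.IPv4Address("10.1.0.0"),    ipaddress.IPv4Address("10.126.255.255")),
]

def pool_is_allowed(cidr: str) -> bool:
    """The whole pool must sit inside a single permitted range."""
    pool = ipaddress.IPv4Network(cidr)
    first, last = pool.network_address, pool.broadcast_address
    return any(lo <= first and last <= hi for lo, hi in ALLOWED_RANGES)

class StaticPool:
    """Hands each device, identified by MSISDN, a fixed address that survives reconnects."""
    def __init__(self, cidr: str):
        if not pool_is_allowed(cidr):
            raise ValueError(f"{cidr} is outside the permitted ranges")
        self.pool = ipaddress.IPv4Network(cidr)
        self.by_msisdn: Dict[str, ipaddress.IPv4Address] = {}
        self.free: List[ipaddress.IPv4Address] = list(self.pool.hosts())

    def address_for(self, msisdn: str) -> str:
        # Assign on first sight; every later connection gets the same address.
        if msisdn not in self.by_msisdn:
            if not self.free:
                raise RuntimeError("address pool exhausted")
            self.by_msisdn[msisdn] = self.free.pop(0)
        return str(self.by_msisdn[msisdn])

    def release(self, msisdn: str) -> None:
        # The administrator removes a device; its address returns to the pool.
        addr = self.by_msisdn.pop(msisdn, None)
        if addr is not None:
            self.free.append(addr)

    def peers_of(self, msisdn: str) -> List[str]:
        # In Peer-to-Peer mode every pool member can reach every other member.
        return sorted(str(a) for m, a in self.by_msisdn.items() if m != msisdn)
```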