Securing Devices Behind Cellular Routers


This post was authored by Mitch Rappard, Director of Technical Solutions; and Hugo Perez, NetSec Solutions Architect

 

In the world of security, visibility is everything. Visibility into the users, applications, protocols, threats and devices is a must for effective Zero Trust Security. While most agree with the need for this level of visibility, they also often agree that doing so is not always easy. Often pieces of the puzzle are missing. Perhaps the application is known, but not the device or user. Or the user is known, but not the underlying protocol. Any time a piece of the puzzle is missing, Implicit Trust is added to the network, and Implicit Trust is the enemy of Zero (or Explicit) Trust.

 

This blog discusses a specific use case that is gaining momentum in the IoT/OT space and where visibility can be challenging: legacy devices connected to new 5G networks via 4G- or 5G-enabled routers or Customer Premises Equipment (CPE). This new form of connectivity has numerous advantages, such as low latency, SIM-based authentication, less cabling (often miles and miles less) and plenty of throughput, but it also comes with some new risks. In a recent study, ABI found that 70% of those polled felt that using 5G introduced a new attack surface to their network. As we embrace the many benefits of 5G, we must also ensure that we mitigate any risks this new connectivity method might introduce.

 

Securing Devices Behind Cellular Routers: Visibility Challenges

 

In Private Cellular Networks (PCNs) when devices are connected to a Cellular Router, their traffic is sent over the air (e.g. 4G or 5G) to a cellular Access Point (AP). From the AP, the traffic is sent over the network to the Packet Core for processing and forwarding. See the diagram below for a high-level illustration. 

 

 

arch_wout_NGFW_v2.png

 

 

Suppose, for the sake of illustration, that the cellular router has several devices attached to it, one of which is a camera and another a robotic arm. The operator of the network wants the camera to communicate only with the server controlling it, and the robot to communicate only with the server running the application that controls it. By default, the cellular router performs Network Address Translation (NAT) on all the traffic. This means that as the traffic leaves the wireless router, the source IP is the same for the camera and the robotic arm. In this situation, it is very difficult to know for sure which traffic belongs to which device. Due to this uncertainty, it is also very difficult to create security policies specific to each device.

 

Securing Devices Behind Cellular Routers: The Solution

 

Palo Alto Networks has performed testing with various cellular router manufacturers to create a solution enabling visibility into the specific devices behind the wireless router. With our approach, network owners are able to distinguish between each device's traffic, gain visibility into the specific assets behind the router (e.g. make and model) and create policies that ensure a Zero Trust architecture. 

 

To allow visibility into the specific devices behind the wireless router, we encourage disabling NAT. This will allow each device’s IP address to be visible to the network firewall. If applicable, we also encourage configuring DHCP relay across the cellular interface towards a DHCP server on the customer LAN. By doing this, the Palo Alto Networks Next Generation Firewall (NGFW) can observe the MAC address of each device as it is assigned its IP address, along with other useful device information such as the hostname.
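The following is an added illustration, not Palo Alto Networks code and not part of the original post, of why DHCP relay restores device visibility: a relayed DHCP message still carries the client's MAC address (`chaddr`) and hostname even though the router sits between the device and the observer. The router address, MAC, requested IP, hostname and vendor string are constructed sample values.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)

def parse_dhcp(payload: bytes) -> dict:
    """Pull the device-identifying fields out of a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if payload[1] != 1 or payload[2] != 6:          # htype, hlen
        raise ValueError("client hardware address is not Ethernet")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    giaddr = payload[24:28]
    req = opts.get(50, b"")
    return {
        "mac": payload[28:34].hex(":"),             # chaddr survives the relay hop
        "relay": socket.inet_ntoa(giaddr),          # giaddr = the relaying router
        "relayed": giaddr != b"\x00" * 4,
        "msg_type": (opts.get(53) or b"\x00")[0],
        "requested_ip": socket.inet_ntoa(req) if len(req) == 4 else None,
        "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,
    }

def build_sample() -> bytes:
    """Constructed DHCPREQUEST from a camera, as forwarded by the router's relay agent."""
    msg = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x1234ABCD, 0, 0)
    msg += socket.inet_aton("0.0.0.0") * 3                      # ciaddr, yiaddr, siaddr
    msg += socket.inet_aton("10.20.0.1")                        # giaddr (hypothetical router)
    msg += bytes.fromhex("02005e105501").ljust(16, b"\x00")     # chaddr (constructed MAC)
    msg += b"\x00" * 192 + MAGIC_COOKIE                         # sname, file, cookie
    msg += b"\x35\x01\x03"                                      # option 53: DHCPREQUEST
    msg += b"\x32\x04" + socket.inet_aton("10.20.0.51")         # option 50: requested IP
    msg += b"\x0c\x06cam-01" + b"\x3c\x0aacme-cam-x" + b"\xff"  # hostname, vendor class
    return msg

if __name__ == "__main__":
    print(parse_dhcp(build_sample()))
```

With NAT left on and no relay, none of these fields would reach an observer upstream of the router; only the router's own translated address would.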

 

Below are two screenshots from different wireless router manufacturers (Cradlepoint and Digi) showing some of the steps mentioned above. 

 

For the Cradlepoint E300-5GB:

Cradlepoint_E300-5GB.jpg

 

For the Digi EX50:

digi_ex50.png

When these steps are taken, the NGFW will observe all the traffic to and from each device. Customers can leverage the IoT Cloud Delivered Security Service (CDSS) to discover and assess every device behind the wireless router, as well as other devices on the network (wired or wireless). Using the Palo Alto Networks Industrial OT Security subscription, customers can:

 

  • Discover and identify all OT devices, including type, vendor, model, OS, and rich device context encompassing 50+ attributes for each
  • Provide deep insights into device security posture, user and network information
  • Assess risk and an associated risk score for every IoT/OT device, taking into account device compliance, vulnerabilities, threats, anomalies, and exploits
  • Establish normal device baseline behaviors in comparison to crowdsourced behavioral data for similar devices
  • Detect any behavioral anomalies that might indicate an attack
  • Provide actionable policy recommendations for native enforcement

 

Asset Inventory

 

Device Behavior Visibility

With the NGFW inserted into the architecture, and the wireless routers configured to allow for better visibility, our new architecture now looks like the following:

 

securing-devices-behind-cellular-routers.png

 

No agents, probes or sensors are needed in this architecture, keeping the deployment architecture simple. Existing Palo Alto Networks customers can activate Industrial OT Security in a matter of minutes. 

 

Summary of Securing Devices Behind Cellular Routers

 

Begin your path towards cybersecurity transformation and optimize your investments. Assess what’s on your organization's network today with our free Security Lifecycle Review. This comprehensive analysis offers expert insights and tailored recommendations to enhance your cybersecurity strategy. Streamline your journey to adopting best practices, ensuring maximum ROI and bolstering your cyber resilience.
