Mobile Phone App via NAT access

Hi There,

Bit of background for you:

I have 10 mobile phones that are using a dedicated industry app over the 4G network. They connect to our server and check for any new calls (jobs) for the people that use these devices.

The mobile phones "poll" the server every 5 minutes to check for any new jobs.

The app is password and username protected to ensure that the server software only accepts connections from approved apps.

There is only one port involved and this is NAT'd to the dedicated server for this function.


Now, I would like to secure this port on the UTM so that it only accepts connections from these 10 mobile phones and I was originally hoping I could have done this by MAC address but this won't work. I have also tried using a VPN on the mobile phones but that was a bit erratic and the phone users had to restart the VPN sometimes which is something I don't want them to be doing.

So at the moment, I have put a DYN DDNS client onto each phone and created an "allowed list" of devices that can only get through that port providing that their DNS address matches the agreed list. I have to say it works really well but am wondering if I have over-thought this and done something incredibly silly and not obvious.

Anyone think of something better to fix this, or have I possibly achieved the best solution?



  • Hi, and welcome to the UTM Community!

    It is possible to make firewall rules based on MAC addresses, but the MACs can't be known outside Ethernet segments directly connected to the UTM.

    In this case, I think you've found the optimal solution.  If the server is a web server, you could use WAF for additional protection.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

Weird idea to use Dyn DNS for mobile devices. I like your thought, but I don't think that this will work reliably.

    The device connects via 4G to a broadcast tower and receives a private IPv4 address. At the tower (or somewhere in the carrier backbone) it is masqueraded to a public IP.

    If your device roams from one tower to another it could change its public IP and you'll need to force your DYN DNS service to change the record.

    If your mobile worker is roaming from one cell to another and his public IP changes faster than the DYN client changes the record, he won't get updates, or only gets updates at lunchtime when the DYN client has enough time.

    Another (but negligible) thought is that everyone near your mobile worker will be able to connect because of the shared public IP.

    I don't know if this explanation fits your situation; this is how 4G works in most parts of Germany.


    Yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Hi Lukas

    Thanks for your reply - I do appreciate it.

As the mobile phones travel around in the persons' vehicles during the day, they occasionally do change their IP addresses as they move from one 4G area to another. However, the Dyn app I am using copes with this really well and, as soon as it notices the IP address has changed, it updates quite quickly (just under two minutes in my tests).

I have had the odd occasion when an app could try to call in during the time the IP address has just changed and the latest IP address for the DynDNS address hasn't yet updated on the UTM, so the UTM refuses the connection, but it does shortly afterwards. I am lucky that the app we use will continue to try to poll our server every few minutes regardless.

    I have been using this for about 2 months now and I am pleased to say that it is generally quite reliable.

In an ideal world, it would be great if we could get static IP addresses for the mobile phones as this would make life so much easier, but the carriers won't allow it unless you have a data-only SIM card. I understand the negligible risk, but this has got to be better than nothing at all, I think.

    Once again, thanks for taking the time to reply

    Simon
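As an added example (not from the thread or from Sophos), the script below checks how often the refused polls Simon describes are just DynDNS propagation lag rather than an unknown source, by correlating firewall drops on the NAT'd port with the DynDNS record history. The log line format, hostname, addresses and port are constructed placeholders, not Sophos UTM's real log format.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real Sophos UTM output: packet drops on the
# NAT'd port (dport 8443 is a placeholder) and the DynDNS update history
# that the allowlist is built from.
DROP_LOG = """\
2023-05-01T08:00:10 DROP src=203.0.113.10 dport=8443
2023-05-01T08:01:05 DROP src=203.0.113.10 dport=8443
2023-05-01T08:02:45 DROP src=198.51.100.77 dport=8443
"""

# (hostname, time the DynDNS record changed, new public address)
DDNS_HISTORY = [
    ("van1.ddns.example", "2023-05-01T07:00:00", "192.0.2.5"),
    ("van1.ddns.example", "2023-05-01T08:01:30", "203.0.113.10"),
]


def parse_drops(text):
    """Parse constructed drop lines into (timestamp, src_ip, dport)."""
    events = []
    for line in text.splitlines():
        ts, _, src, dport = line.split()
        events.append((datetime.fromisoformat(ts),
                       src.split("=", 1)[1], int(dport.split("=", 1)[1])))
    return events


def classify_drops(log_text=DROP_LOG, history=DDNS_HISTORY,
                   lag=timedelta(minutes=2)):
    """Label a drop 'ddns_lag:<host>' when the source IP became that host's
    record within `lag` after the drop (phone changed cell, record not yet
    caught up), otherwise 'unknown_source'. A matching public IP is still
    not proof of the phone itself: carrier NAT shares it with other users."""
    results = []
    for ts, src, dport in parse_drops(log_text):
        label = "unknown_source"
        for host, changed_at, addr in history:
            changed = datetime.fromisoformat(changed_at)
            if addr == src and ts <= changed <= ts + lag:
                label = f"ddns_lag:{host}"
                break
        results.append((ts.isoformat(), src, dport, label))
    return results


def lag_summary(results):
    """Count how many drops were only DynDNS propagation lag."""
    lagged = sum(1 for r in results if r[3].startswith("ddns_lag"))
    return {"ddns_lag": lagged, "unknown_source": len(results) - lagged}
```

A high unknown_source count against the NAT'd port is worth a closer look, since the allowlist only narrows the source IPs and the app's credentials remain the real control.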