Cellular remote management with an off-the-shelf SIM

Cellular out-of-band, just add SIM

The 3G and 4G LTE cellular network is proving a more compelling alternative to PSTN and DSL for out-of-band access for remote network provisioning, maintenance and repair.  In fact, it’s been nearly 12 months since we reported that sales of our cellular-enabled remote management solutions had surpassed dial-up.

Reasons for this include speed of provisioning and ease of deployment, which is down to the mobile nature of the solution.  But it’s also about the bottom line – in the era of tablets and smartphones, mobile data has never been cheaper.

In an earlier post we reviewed the costs associated with using a private APN or M2M data SIM for remote management, but in many cases this option may not be ideal.

M2M SIMs may not be offered by your preferred carrier, or the incremental pricing model may not make sense for your usage pattern.  This is particularly true where an always-up cellular connection is preferred: activities like continuous Nagios or SNMP monitoring can push data use into the 100s of MB per month.

On the other hand, commodity “SIM only” or “bring your own device” plans are readily available with generous blocks of data for as little as £5/month in the UK.  With the boom of unlocked Nexus and i-devices, the USA (that last hold-out of the contract-locked device) is rapidly catching on too.

These dirt cheap SIMs are suitable for remote management, as long as you’re aware of a couple of caveats.

Caveat: You’ll probably be NATed by the carrier.  That is, your Opengear won’t be assigned a public, routable IP address that you can browse or SSH to for remote access.

Solution: There are a couple of options here.  Either contact your carrier and request that an APN that assigns a routable IP address be activated for your SIM.  This may require moving to a “business grade” service and cost a bit more.

Or, have the Opengear establish a VPN or SSH tunnel back to your central network, e.g. to a Cisco ASA, SSH server or Opengear Lighthouse appliance.  More details here.

Caveat: You’re concerned about the security of remote management of critical systems over the public WAN.

Solution: Rightly so.  However, the Opengear authenticates and encrypts all connections out of the box, using HTTPS and SSH with strong ciphers, and has the option to configure VPN for an added layer of security.

If your SIM has a public IP address (see above), the Opengear’s stateful firewall can lock down remote access to trusted source IP address ranges, and operates a default-deny policy for any WAN-facing, unencrypted services.  As with any public service, always use strong passwords, or consider disabling password authentication entirely and using SSH key authentication instead.
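The two decisions described above (whether the carrier-assigned address can be reached at all, and which source addresses a default-deny firewall should admit) can be sketched as follows. This is an added example, not Opengear code: the function names are hypothetical, the sample addresses are constructed, and it classifies IPv4 WAN addresses only.

```python
import ipaddress

# IPv4 blocks that can never be reached from the internet. 100.64.0.0/10 is
# the RFC 6598 shared space that carriers use for carrier-grade NAT.
NON_ROUTABLE = {
    "rfc1918-private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "rfc6598-carrier-nat": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}


def classify_wan_address(addr):
    """Return the non-routable block containing addr, or 'public'."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError for non-IPv4 input
    for label, blocks in NON_ROUTABLE.items():
        if any(ip in ipaddress.ip_network(b) for b in blocks):
            return label
    return "public"


def access_plan(addr):
    """Pick the remote-access approach for the address the modem was given.

    'public' only means inbound access is possible in principle; the carrier
    may still filter inbound connections.
    """
    if classify_wan_address(addr) == "public":
        return "direct: restrict WAN services to trusted source ranges"
    return "call-home: build an outbound VPN or SSH tunnel to the central site"


def source_allowed(src, trusted_ranges):
    """Default deny: permit src only if it falls inside a trusted range."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(r) for r in trusted_ranges)


if __name__ == "__main__":
    # Constructed samples; 198.51.100.0/24 and 203.0.113.0/24 are
    # documentation ranges standing in for real public addresses.
    for wan in ("10.54.3.17", "100.72.9.4", "203.0.113.25"):
        print(wan, classify_wan_address(wan), "->", access_plan(wan))
    trusted = ["198.51.100.0/24"]
    for src in ("198.51.100.40", "203.0.113.99"):
        print(src, "allowed" if source_allowed(src, trusted) else "denied")
```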

For true enterprise-grade security, use VPN.  All Opengear cellular appliances include IPsec and OpenVPN server and client, and PPTP server.  Where ESP (IP protocol 50) isn’t available (e.g. because of a carrier firewall), our Linux Openswan/KLIPS IPsec stack supports UDP encapsulation; alternatively, use OpenVPN, which is firewall friendly by design.