Is it Time for the Network to Shoulder More of the Burden of Information Security?

How does your corporate cellular provider help your information security posture? Do they provide notifications when network devices display unusual DNS lookups? Or when a mobile device’s proportion of Tx (upload) vs. Rx (download) unexpectedly changes? Or if a protocol like Telnet appears on devices that never had it before?

Probably not. The vast majority of corporate ISP services are “dumb pipes”: they ship mostly unmonitored traffic to and from endpoints and services. For a long time that behavior was desirable, particularly when network troubleshooting was complex enough without an ISP getting in the way.

This division of labor is generally known as the “end-to-end principle”: the service provider passes packets as quickly and as reliably as possible, and the endpoints or applications handle security. Depending on their criticality and capability, those endpoints run host-based firewalls, intrusion detection systems and other software layers to defend themselves and report to their owners or administrators.

In a world where endpoints are constrained (mobile, IoT), diverse and multiplying rapidly, it’s time to re-evaluate this principle. A smartwatch, a connected appliance, an industrial machine, a VR headset and countless other devices don’t have the capacity to be hardened, or to stay hardened, over uncertain lifespans. Point defense in the device’s own network stack is not enough, and cloud security gateways are too distant to truly control packets at the interface.


It’s useful to note that ISPs are already in the business of analyzing the traffic across their networks. Usually described as traffic “shaping,” ISPs have invested in middleboxes and deep packet inspection (DPI) that probe the traffic on their networks.

Sometimes these probes are designed to spot disallowed usage, like tethering on wireless plans that prohibit it, or even copyright infringement (e.g. file sharing and torrenting of media content). Most ISPs have tools and dashboards to report on and manipulate traffic on their networks, but reserve them for internal use. Appropriately managed, these tools are powerful weapons against all manner of cybersecurity threats. It’s time they became allies rather than mere observers, helping CISOs and infosec architects achieve a Secure Access Service Edge (SASE).


Some ISPs, mostly the big U.S. wireless providers, have a strong lead in this space. They offer enterprises the ability to insert their own rules and logic at the very edge of the LTE/5G network, before a device’s traffic reaches the public internet. This creates a Secure Internet Gateway (SIG) deserving of its name, unlike the so-called SIGs that are cloud-hosted.

A gateway at the “junction” where LTE/5G meets the Internet will see all traffic and therefore all threats, not just HTTP-based ones or those from clients willing to obey proxy or VPN rules.

Consider some of the unique things possible when the power of this vantage point is harnessed:

Location: a cellular provider knows device location accurately and globally, without a client-side application to maintain (or to be circumvented). Connect this to a SASE infrastructure, and it’s possible to shape access based on location or to trigger additional controls when location changes.

Device identity: every cellular device carries a hardware ID (the IMEI). Each time a device requests a data session, its IMEI is visible to the network operator, yet many operators ignore it or accept any value. Instead, that value should be exposed to the enterprise as a form of network access control, so that access only takes place from an authorized device. This is similar in principle to MAC-based authentication on LANs today, and carries the same caveat: like a MAC address, the IMEI is asserted by the device and can be altered on some hardware, so it should be one factor alongside the SIM’s subscriber identity, which the network authenticates cryptographically, rather than the sole gate.


Name resolution is another place for networks to focus. Instead of providing a one-size-fits-all (or none!) resolver, enterprises should have the option to control their own secure DNS, or a curated view of the namespace, for their devices.

Enterprises may publish otherwise private resources to their own devices or screen out entire categories of content. Why would a field-force tablet or an IoT device need to resolve Netflix? It shouldn’t take local software or a cloud proxy to limit this; it ought to be a programmable function of the network.

Additionally, visibility at the egress of the mobile network provides insight into the volume, direction, content and source/destination of each device’s traffic. Instead of having their devices concealed behind carrier-grade NAT (CGNAT), where per-device attribution is lost, enterprises should expect the same control they have on corporate Wi-Fi.

The real win comes when these attributes are combined and analyzed to create a new level of situational awareness. A true SASE-ready mobile private network quickly spots unexpected or unexplained activity per device and is better placed to act on it without relying on a web of client-side tools.
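The signals asked about at the top of this piece (unusual DNS lookups, a shift in a device’s upload/download ratio, a protocol such as Telnet appearing where it never did) are exactly what per-device egress visibility makes detectable. The following is an added illustration, not code from the article or from any carrier’s product. It assumes a hypothetical export from the carrier-edge gateway of per-device flow summaries and DNS queries keyed by IMEI, in two observation windows (a baseline and the current period); the records, IMEIs and hostnames are constructed sample data.

```python
"""Per-device anomaly checks over constructed mobile-egress telemetry.

Assumed (hypothetical) input: per-device flow summaries and DNS queries
exported by a carrier-edge gateway, keyed by the device IMEI seen at
session setup. All sample data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    imei: str
    window: str       # "baseline" or "current" observation window
    dst_port: int
    tx_bytes: int     # device -> internet (upload)
    rx_bytes: int     # internet -> device (download)


@dataclass(frozen=True)
class DnsQuery:
    imei: str
    window: str
    qname: str


# Constructed sample telemetry: two devices, two observation windows.
FLOWS = [
    # ...001: a field tablet that behaves the same in both windows
    Flow("356600000000001", "baseline", 443, 20_000, 400_000),
    Flow("356600000000001", "current", 443, 25_000, 380_000),
    # ...002: an IoT sensor that starts uploading heavily and talking Telnet
    Flow("356600000000002", "baseline", 8883, 5_000, 2_000),
    Flow("356600000000002", "current", 8883, 5_000, 2_000),
    Flow("356600000000002", "current", 23, 120_000, 3_000),
]
DNS = [
    DnsQuery("356600000000001", "baseline", "api.example-fleet.com"),
    DnsQuery("356600000000001", "current", "api.example-fleet.com"),
    DnsQuery("356600000000002", "baseline", "mqtt.example-fleet.com"),
    DnsQuery("356600000000002", "current", "mqtt.example-fleet.com"),
    DnsQuery("356600000000002", "current", "update.unknown-host.example"),
]


def registered_domain(qname):
    """Crude registered-domain extraction (last two labels).

    Sufficient for the sample; a real deployment would use the public
    suffix list so that e.g. "example.co.uk" is handled correctly.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def tx_rx_ratio(flows):
    """Upload/download byte ratio per (imei, window), summed over flows."""
    tx = defaultdict(int)
    rx = defaultdict(int)
    for f in flows:
        tx[(f.imei, f.window)] += f.tx_bytes
        rx[(f.imei, f.window)] += f.rx_bytes
    # max(..., 1) avoids division by zero for a device that only sends.
    return {k: tx[k] / max(rx[k], 1) for k in tx}


def detect(flows, dns, ratio_factor=3.0):
    """Compare the current window with the baseline for every device.

    Returns a list of findings as tuples:
      ("txrx_shift", imei, baseline_ratio, current_ratio)
      ("new_port",   imei, dst_port)
      ("new_domain", imei, qname)
    """
    findings = []
    ratios = tx_rx_ratio(flows)
    devices = {f.imei for f in flows} | {q.imei for q in dns}
    for imei in sorted(devices):
        # 1. Upload/download ratio grew by more than ratio_factor.
        base = ratios.get((imei, "baseline"))
        cur = ratios.get((imei, "current"))
        if base is not None and cur is not None and cur > base * ratio_factor:
            findings.append(("txrx_shift", imei, round(base, 2), round(cur, 2)))
        # 2. A destination port never seen for this device in the baseline.
        base_ports = {f.dst_port for f in flows
                      if f.imei == imei and f.window == "baseline"}
        cur_ports = {f.dst_port for f in flows
                     if f.imei == imei and f.window == "current"}
        for port in sorted(cur_ports - base_ports):
            findings.append(("new_port", imei, port))
        # 3. A DNS lookup for a registered domain absent from the baseline.
        base_domains = {registered_domain(q.qname) for q in dns
                        if q.imei == imei and q.window == "baseline"}
        for q in dns:
            if (q.imei == imei and q.window == "current"
                    and registered_domain(q.qname) not in base_domains):
                findings.append(("new_domain", imei, q.qname))
    return findings


if __name__ == "__main__":
    for finding in detect(FLOWS, DNS):
        print(finding)
```

Run as a script, the checks are silent for the tablet and raise three findings for the sensor: its upload/download ratio jumps from 2.5 to 25, port 23 appears for the first time, and it resolves a domain it never touched in the baseline. The point is not the thresholds (a production system would learn per-device baselines over time and weight the three signals together) but that none of this requires an agent on the device: everything used here is visible at the LTE/5G egress once the carrier exposes it per IMEI rather than collapsing it behind CGNAT.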

Enterprises should demand more visibility and control from their ISPs, including access to the tools that already exist. ISPs, in turn, should welcome the opportunity to create value by contributing to more secure, more trustworthy enterprise networks.
