Private cellular network segmentation: APNs are not enough!
Segmentation is a mandatory security practice in enterprise networks. As enterprises adopt private cellular networks, they look for effective segmentation solutions that align with their existing strategy. They soon realize, however, that the existing segmentation solutions from the IP domain are not applicable to cellular networks.
In the absence of other alternatives, many enterprises adopt Access Point Names (APNs) as a basic solution for segmentation. APNs serve as gateways, connecting cellular devices to the IP network. They are defined to manage different Quality of Service (QoS) for each APN. This capability of grouping has been leveraged by enterprises to create subnets for each APN and assign policies in a network firewall for each subnet.
But while APNs may be a very basic starting point, they are not enough for a security solution. In this blog, we will explore why APNs are too limited for use in cellular network segmentation. At the end, we will touch on segmentation alternatives that offer a more promising solution.
Real segmentation relies on its context
In the world of segmentation, your journey begins with a well-thought-out approach. You might choose to align with established models such as the Purdue model, application ring-fencing, or a Zero Trust framework, or you might choose to go with a unique segmentation approach tailored to your enterprise’s unique needs.
Next, you must apply your chosen approach within your private cellular network. This step often proves challenging, as segmentation’s success relies on acquiring the right contextual information. For example, when adopting the Purdue model or application ring-fencing, identifying the device type becomes critical for accurate segmentation. Likewise, factors like device ownership by a particular department or its assigned location can be significantly helpful for segmentation, depending on your chosen strategy.
Unfortunately, APNs are of little use when trying to ascertain and use contextual information about cellular networks and assets. Here’s why.
Limitations of APN-based segmentation
APNs are tied to SIM cards, not to the devices themselves
When dealing with APNs, the available context is limited to the IMSI (International Mobile Subscriber Identity) of each device. The IMSI identifies the SIM card of the device, not the device itself.
While the IMSI can provide some degree of context, it often falls short on its own. Without seamless integration between context and your chosen segmentation tool, grouping based on contextual data becomes complicated and cumbersome. The focus on the SIM card as an identifier also introduces the risk of policies that follow the SIM card, which can be replaced or removed from the device.
Some organizations attempt to enhance context by including free-text descriptions for each IMSI. However, this method introduces the risk of human error and mismatches.
APNs do not have visibility of devices behind cellular routers
Due to the limited availability of pure cellular devices adhering to required bands, organizations often connect non-cellular devices to their cellular networks using cellular routers. Effective segmentation of these devices necessitates the ability to identify the individual devices behind the router.
APNs, however, are only able to discern the router itself, but not the devices that use it in order to connect to the cellular network. This presents a severe limit of segmentation and a security risk.
APNs are designed to be static, not dynamic
The devices connected to the cellular router may change from time to time, making the context dynamic. If factors such as location, assigned department, certification and more are part of your segmentation approach, the contextual data for your segmentation strategy is dynamic.
APNs, on the other hand, remain static and are intended to be configured just once, necessitating manual adjustments for any modifications. While these changes may seem manageable on a small scale, they quickly grow complex and time-consuming when applied to larger networks.
APNs are limited in number, preventing granular segmentation
The ability to create APNs is a functionality provided by your core vendor. The vendor, therefore, will stipulate the number of APNs that it will allow you to create. Whether that be a low number or a high number, it is never unlimited, and it often doesn’t approach the scale of devices and assets used across your private cellular network.
If your segmentation approach demands device-level micro-segmentation or high-resolution segmentation, therefore, you are stuck. APNs function as gateways, providing two configuration options: assigning a static IP address to each device or defining a dynamic IP range for each APN. The static IP approach is complex to implement and is not considered a security best practice. The dynamic approach only allows for policy assigning at the APN level. This can lead to overly permissive policies, as the policy must align with the least permissive device in the APN.
APNs create operational dependencies and friction
Relying on APNs for segmentation also creates an inter-operational challenge. Choosing APNs as a segmentation tool creates a dependency between two departments: the security team managing the private cellular network and the IT team responsible for the firewall. This dependency decreases the autonomy of the security team and necessitates inter-departmental processes for policy changes. While every organization operates differently, it is common for cross-departmental tasks to trigger friction and delays.
Alternative tools for effective segmentation
Fortunately, there are alternative tools for segmentation that provide the necessary context per device as a baseline for dynamic and context-based segmentation. These tools integrate seamlessly with your existing ecosystem and leverage the data it provides to offer an additional layer of information.
Key contextual data to leverage can include device certification details stored in your Mobile Device Management (MDM) system or information regarding the owning department of each device, which could be stored in your Configuration Management Database (CMDB). Both of these systems are valuable contexts for effective cellular network segmentation.
While it might seem easier to adapt your segmentation approach to fit the tools you are already using – APN-based segmentation being a prime example – don’t fall for that temptation! Don’t limit your organization and unwittingly sabotage your future growth!
What should you do instead? Choose a tool that provides you with the full contextual information required for your cellular network segmentation strategy and that grants you visibility of and control over every single device in your cellular network. In addition, make sure that the tool is flexible and dynamic to evolve with your organization’s ever-changing needs.
With the right tools for segmentation, you will both achieve highly effective cellular network security today and lay the groundwork for seamlessly scaling your network security in the future.
Are you in search of an alternative solution for private cellular network segmentation? Click here to learn more.