Visibility Behind Cellular Router/CPE: Do’s and Don’ts
As enterprises integrate private 5G and LTE networks with their existing IT and OT infrastructure, the use of cellular routers/CPEs to connect non-cellular devices becomes essential. Choosing the right network architecture is key to unlocking the full business value and security potential of these deployments.
There are two primary approaches: disabling the router’s NAT (Network Address Translation) or enabling it. Based on numerous discussions with our customers and the experience gained from their deployments, we are sharing the approach that has proven most effective.
In this blog, we’ll explore the pros and cons of each architecture style, review the security and operational risks, and identify the best use cases for each.
Don’t: Don’t Disable Your Router’s NAT.
Introduction to Flat Architecture
Disabling the cellular router’s NAT flattens the network by folding the devices behind the router into the existing LAN addressing. Each device’s own IP address then becomes visible on the network, so firewalls and other network tools see that address directly. In this method, DHCP relay is configured so the device receives its address and lease information from the enterprise DHCP server, and all the devices behind the routers end up on a single network segment with no hierarchy and no central point of control.
Challenges and Complexities of Cellular Router Setups with Disabled NAT: One-to-one and One-to-many
A Single Device Connected to a Router
Devices that lack built-in cellular connectivity often connect through a cellular router configured for IP passthrough, so the device receives its address directly from the enterprise DHCP server. This flat architecture removes the networking boundary the router would otherwise provide and, in doing so, disregards networking and cellular architecture best practices.
This may work for Proof of Concept (PoC) networks in a sterile lab environment with a small number of devices, where the goal is simply to “make the network work”. In production, however, it weakens network security: direct assignment of IPs without NAT exposes enterprise operational network assets to attacks from devices behind cellular routers, and vice versa.
Multiple Devices Connected to a Router
When multiple non-cellular devices are connected to a cellular router with NAT disabled, IP address allocation and routing become a far harder problem. The cellular core only knows the router’s own address; without a route pointing the router’s LAN subnet at that address, a packet from the enterprise side has no way to reach a device behind the router. The answer is 3GPP “Framed Routing,” a method used in mobile networks to assign specific IP routes to user equipment (UE) based on routing policies defined by the network. Implementing it is complex and expensive and requires additional core components such as RADIUS and DHCP servers. It also calls for careful IP planning (the subnets behind different routers must not overlap) and individual attention to the security and management of each device. This approach does not scale.
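To make the framed-routing cost concrete, here is an added example (not OneLayer’s code, and not any vendor’s core implementation) of what the core has to do with what the AAA server returns: for each cellular router (UE) a Framed-IP-Address plus one Framed-Route attribute per LAN subnet behind it, in the RFC 2865 text form “prefix gateway metric”. The UE names, addresses and subnets are constructed for illustration; the checks for overlapping subnets and a gateway that is not the UE’s own address are the planning errors a flat design forces the operator to catch by hand.

```python
"""Framed routing as the core sees it: build the route table from
Framed-IP-Address / Framed-Route attributes and flag planning errors.

Added example; UE identities, addresses and subnets are constructed."""
import ipaddress

# Constructed AAA replies keyed by UE identity (e.g. IMSI). Values are the
# Framed-IP-Address and Framed-Route attribute strings the core receives.
AAA_REPLIES = {
    "ue-router-01": {"Framed-IP-Address": "10.20.3.15",
                     "Framed-Route": ["192.168.1.0/24 10.20.3.15 1"]},
    "ue-router-02": {"Framed-IP-Address": "10.20.3.16",
                     "Framed-Route": ["192.168.2.0/24 10.20.3.16 1"]},
    # Third router cloned from the first: its LAN subnet overlaps router 01.
    "ue-router-03": {"Framed-IP-Address": "10.20.3.17",
                     "Framed-Route": ["192.168.1.0/24 10.20.3.17 1"]},
    # Gateway is not the UE's own address: the route would black-hole.
    "ue-router-04": {"Framed-IP-Address": "10.20.3.18",
                     "Framed-Route": ["192.168.4.0/24 10.20.3.99 1"]},
}

# Constructed: address ranges already used by the enterprise IT network.
ENTERPRISE_LANS = [ipaddress.ip_network("192.168.4.0/22")]


def parse_framed_route(value):
    """'<prefix> <gateway> <metric>' -> (network, gateway, metric).

    RFC 2865 section 5.22 lets the gateway be 0.0.0.0 (meaning the UE's
    own address) and lets the metric be omitted.
    """
    parts = value.split()
    net = ipaddress.ip_network(parts[0], strict=False)
    gw = (ipaddress.ip_address(parts[1]) if len(parts) > 1
          else ipaddress.ip_address("0.0.0.0"))
    metric = int(parts[2]) if len(parts) > 2 else 1
    return net, gw, metric


def build_route_table(replies, enterprise_lans=ENTERPRISE_LANS):
    """Return (routes, problems).

    routes:   list of (network, gateway, ue) the core must install.
    problems: planning errors the core cannot resolve on its own.
    """
    routes, problems = [], []
    for ue, attrs in replies.items():
        ue_ip = ipaddress.ip_address(attrs["Framed-IP-Address"])
        for raw in attrs.get("Framed-Route", []):
            net, gw, _metric = parse_framed_route(raw)
            if gw == ipaddress.ip_address("0.0.0.0"):
                gw = ue_ip
            if gw != ue_ip:
                problems.append(f"{ue}: gateway {gw} is not the UE address {ue_ip}")
            for lan in enterprise_lans:
                if net.overlaps(lan):
                    problems.append(f"{ue}: {net} overlaps enterprise LAN {lan}")
            for other_net, _gw, other_ue in routes:
                if net.overlaps(other_net):
                    problems.append(f"{ue}: {net} overlaps {other_net} behind {other_ue}")
            routes.append((net, gw, ue))
    return routes, problems


if __name__ == "__main__":
    routes, problems = build_route_table(AAA_REPLIES)
    for net, gw, ue in routes:
        print(f"route {net} via {gw}  # {ue}")
    for p in problems:
        print("PROBLEM:", p)
```

Every router that joins the network adds a row to this table, and every collision has to be fixed in the router’s LAN addressing, the AAA profile and the core at the same time; with NAT enabled none of these routes exist, because the core only ever sees the router’s single cellular address.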
Challenges with Flat Architecture
Security Challenges with Flat Architecture
Flat architecture has significant security drawbacks: a larger attack surface, exposure to direct attacks, harder enforcement of security policies and the need for additional compensating controls. With directly assigned IPs and no NAT, enterprise operational assets are reachable from devices behind cellular routers and vice versa. Devices are easily discoverable, and lateral movement between them requires only simple adversarial techniques.
Operational Challenges with Flat Architecture
Disabling NAT increases operational complexity: it requires extensive IP planning and management, and the exposed internal addresses raise the risk from external threats. This demands stronger security measures and adds to the troubleshooting and security operations burden, with more advanced configurations needed in large-scale deployments and wherever many devices sit behind a single cellular router.
Challenges of Cellular Core-Managed IP Domains
Some smaller core vendors try to mitigate these issues with dedicated IP domains that keep devices behind cellular routers visible while avoiding NAT and handling routing in the core. This approach can expose sensitive devices if security policies are not tightly managed. Removing NAT and allowing direct access also complicates network management, adds operational overhead and limits network growth, and it places significant responsibility on the vendor’s core for routing, IP management and visibility: any issue with the core, such as downtime or misconfiguration, can disrupt the network or device visibility.
Limitations of Flat Architecture for Critical Operational Use Cases
Flat architecture may be suitable for PoC stage networks prioritizing easy deployment and low operational support, but it is not appropriate for operational, production use cases such as Factory 4.0, utilities, Oil & Gas, ports and airports, or any other scenarios involving critical assets. This architecture compromises the essential security features of the cellular network and adds operational complexity. When choosing this architecture, it’s crucial to use an external security and management platform to maintain high enterprise security standards.
Do: Enable NAT. Obviously.
Introduction to masked IP Architecture
Enabling the router’s NAT, on the other hand, keeps the router as a security boundary and preserves network survivability. With NAT enabled, the router hides each device’s address behind its own cellular address, so an attacker on the cellular side sees only the router, cannot address the assets behind it directly, and cannot map individual devices’ IP sessions from the outside. NAT on its own is not a firewall (the router’s stateful filtering is what drops unsolicited inbound traffic), but together they make this architecture well suited to operational deployments with hundreds or thousands of devices.
When multiple non-cellular devices are connected to a cellular router, enabling NAT simplifies IP management by allowing these devices to share a single IP address, reducing complexity and preventing conflicts. NAT also enhances security by masking internal IP addresses and providing a unified, secure interface for easier integration with IT systems and enterprise tools.
DO: Enable Router’s NAT – Private cellular network with masked IP architecture
Do Diagram: Enable CPE NAT
In an enabled-NAT configuration, the private cellular router translates its LAN devices’ private addresses to its own cellular address for traffic leaving the router. No IP passthrough is configured. If direct inbound access to a device is needed, a NAT pinhole is opened instead: a port-forwarding rule that maps one external port on the router to one device and port on the LAN, restricted where possible to known source addresses.
The NAT at the router’s network boundary hides the assets behind the router and, together with the router’s stateful filtering, drops unsolicited inbound connections, so bad actors cannot reach those assets directly or track individual devices’ IP sessions from the cellular side. NAT does not encrypt traffic, so confidentiality still depends on link-layer and application-layer encryption; what NAT adds is that a threat actor cannot address an asset directly in order to compromise or manipulate its data.
Enabling NAT simplifies network management by abstracting internal IP addresses, reducing the need for extensive IP planning, particularly in large networks, and facilitating easier network segmentation. It also enhances compatibility with other systems, allowing for smoother integration without major reconfigurations.
A masked IP architecture is ideal for operational networks with dedicated operational support. Its high-security standards make it well-suited for connecting critical assets with confidence. As the network matures, the need for asset visibility, management, and orchestration also grows.
Providing Visibility Behind Cellular Routers
The need for visibility behind cellular routers is clear: to manage and secure a cellular network effectively, one must see every connected asset, including the devices hidden behind routers. Networking best practice is to keep NAT enabled on cellular routers, and visibility should be provided without breaking that practice. This calls for a solution that delivers visibility into assets behind routers without network changes and regardless of how the router is configured. That visibility should include identifying each asset and its connections, tracking the IP assigned to the device on the router’s LAN side, and correlating it with the translated address and port seen after NAT.
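What “tracking the LAN-side IP as well as the post-NAT IP” means in practice is shown by this added example (not OneLayer’s code or product logic): it correlates two artifacts a NAT-enabled Linux-based CPE already holds, its DHCP lease table and its connection-tracking table, so that a flow seen by the core-side firewall as “router address, port N” can be attributed to a specific device behind the router. The lease lines follow the dnsmasq format, the flow lines follow `conntrack -L` output, and all addresses are constructed; both outbound (SNAT) flows and inbound flows through a DNAT pinhole are handled.

```python
"""Map post-NAT flows back to the LAN device behind a NAT-enabled CPE.

Added example; lease and conntrack lines are constructed samples in
dnsmasq and `conntrack -L` formats. The CPE's cellular address is 10.20.3.15."""
import re
from dataclasses import dataclass

# Constructed dnsmasq-style lease table from the CPE LAN side:
# expiry-epoch  MAC  IP  hostname  client-id
LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.20 plc-line1 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.1.21 hmi-line1 01:aa:bb:cc:00:00:02
"""

# Constructed `conntrack -L` output from the same CPE. The first tuple is the
# original direction, the second is the reply direction after translation.
CONNTRACK = """\
tcp 6 431999 ESTABLISHED src=192.168.1.20 dst=10.50.0.7 sport=50123 dport=502 src=10.50.0.7 dst=10.20.3.15 sport=502 dport=50123 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=10.50.0.9 dst=10.20.3.15 sport=41000 dport=8502 src=192.168.1.21 dst=10.50.0.9 sport=502 dport=41000 [ASSURED] mark=0 use=1
udp 17 29 src=192.168.1.21 dst=10.50.0.53 sport=44321 dport=53 src=10.50.0.53 dst=10.20.3.15 sport=53 dport=44321 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    proto: str
    device: str      # hostname from the lease table
    mac: str
    lan_ip: str      # address on the router's LAN side
    lan_port: int
    wan_ip: str      # what the cellular core / firewall sees
    wan_port: int
    peer_ip: str     # the endpoint outside the CPE
    peer_port: int
    direction: str   # "outbound" (SNAT) or "inbound" (DNAT pinhole)


def parse_leases(text):
    """Map LAN IP -> (hostname, MAC) from a dnsmasq-style lease table."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            _expiry, mac, ip, hostname = parts[:4]
            leases[ip] = (hostname, mac)
    return leases


def parse_conntrack(text, leases):
    """Turn conntrack entries into Flow records tied to a leased device.

    Outbound (SNAT): original src is the LAN device, reply dst is the
    translated WAN address/port. Inbound (DNAT pinhole): original dst is
    the WAN address/port and reply src is the LAN device it forwards to.
    Entries that match no lease are skipped.
    """
    flows = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        proto = line.split()[0]
        (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
        if osrc in leases:
            host, mac = leases[osrc]
            flows.append(Flow(proto, host, mac, osrc, int(osport),
                              rdst, int(rdport), odst, int(odport), "outbound"))
        elif rsrc in leases:
            host, mac = leases[rsrc]
            flows.append(Flow(proto, host, mac, rsrc, int(rsport),
                              odst, int(odport), osrc, int(osport), "inbound"))
    return flows


def who_is_behind(flows, wan_ip, wan_port, peer_ip, proto="tcp"):
    """Answer the question a core-side alert raises: which device behind
    the CPE at wan_ip owns this post-NAT port towards peer_ip?"""
    for f in flows:
        if (f.proto, f.wan_ip, f.wan_port, f.peer_ip) == (proto, wan_ip, wan_port, peer_ip):
            return f
    return None


if __name__ == "__main__":
    flows = parse_conntrack(CONNTRACK, parse_leases(LEASES))
    for f in flows:
        print(f"{f.direction:8} {f.device:10} {f.lan_ip}:{f.lan_port} "
              f"<-> {f.wan_ip}:{f.wan_port} <-> {f.peer_ip}:{f.peer_port}")
    hit = who_is_behind(flows, "10.20.3.15", 50123, "10.50.0.7")
    print("Modbus session to 10.50.0.7 from port 50123 belongs to", hit.device)
```

The same logic applied to a router with NAT disabled simply yields `wan_ip == lan_ip`, which is exactly the condition that tells an asset-management platform the device is directly exposed and should be treated accordingly.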
Comprehensive Visibility and Security for Private LTE and 5G Networks
OneLayer brings complete visibility, asset management, and zero trust security to all devices connected to private LTE and 5G networks, including all the non-cellular devices connected behind cellular routers, without requiring any networking changes or specific router configurations. All activities are tracked to orchestrate and secure the environment. Through OneLayer’s solution, enterprises get complete asset management and operational intelligence capabilities to maximize operational excellence, and zero trust security to prevent cellular breaches.
To learn more about managing and securing devices behind cellular routers – visit https://onelayer.com/control-devices-behind-cellular-routers/