BGAN M2M firewall traffic rules reside at the BGAN satellite teleports and effectively block all traffic except what you provide Ground Control in a whitelist of allowed IP addresses.
By default, all outgoing traffic from the BGAN terminal is open, and all incoming ‘initiated’ traffic from the internet is blocked. Incoming initiated traffic is allowed if a BGAN M2M SIM card is assigned a public IP address for an added cost of $20 per SIM each month, or is using IPSec VPN.
With M2M, if no public IP is used, a firewall can sharply reduce unauthorised outgoing BGAN usage by limiting which IP addresses the connected device may communicate with. Without a firewall, any destination on the internet is reachable. (Note that this ‘default’ open outgoing setting is preferred by many clients.)
If your M2M is using a public IP, Ground Control requires that you provide a whitelist of approved IP addresses that may communicate with the device connected to the M2M terminal. Limiting incoming initiated traffic to this whitelist protects the BGAN terminal from malicious incoming scans, traffic for which the subscriber would otherwise be financially responsible.
Simply ask your sales rep or write to email@example.com with how you wish to use the BGAN firewall with your M2M service.
BGAN M2M Firewall Rule Possibilities
- Allow/deny any IP address or range of IP addresses for Whitelist/Blacklist.
- Allow/deny email by SMTP and/or POP3 and/or IMAP and/or secure SMTP.
- Allow/deny TCP, UDP, ICMP, SKIP, GRE, ESP, and IP protocols.
- Allow/deny HTTP (web browsing) and/or HTTPS.
- Allow/deny FTP (File Transfer Protocol).
- All traffic not matched by the rules chosen above will be denied.
Creating BGAN M2M Firewall Traffic Rules
To quickly understand how this service works, the screen below shows how one (or more) traffic rules would be created for each individual BGAN M2M SIM card.
Multiple firewall rules build a more complete whitelist or blacklist. Above is a typical whitelist that allows limited traffic from the internet to the BGAN terminal. Whitelists are a common choice because they confine traffic to specific IP addresses, for example between a remote BGAN terminal IP address and a corporate server IP address.
There are four possible traffic types that can be configured:
- Whitelist to allow listed IP traffic from the internet to the BGAN terminal
- Whitelist to allow listed IP traffic from the BGAN terminal to the internet
- Blacklist to deny listed IP traffic from the internet to the BGAN terminal
- Blacklist to deny listed IP traffic from the BGAN terminal to the internet
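As an added illustration, not Ground Control's own rule engine or rule format, the following Python model evaluates a per-SIM rule set built from the four traffic types above, with the page's "all other traffic denied" default. The assumption that a blacklist entry takes precedence over an overlapping whitelist entry, and all sample addresses, are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical model of the four rule types: direction is seen from the
# terminal, "in" = internet -> terminal, "out" = terminal -> internet.
@dataclass(frozen=True)
class Rule:
    direction: str              # "in" or "out"
    action: str                 # "allow" (whitelist) or "deny" (blacklist)
    remote: str                 # IP address or CIDR range of the far end
    protocol: str = "any"       # "any", "tcp", "udp", "icmp", "gre", "esp", ...
    port: Optional[int] = None  # service port for TCP/UDP rules; None = all ports

    def matches(self, direction: str, remote_ip: str, protocol: str, port: Optional[int]) -> bool:
        if self.direction != direction:
            return False
        if ip_address(remote_ip) not in ip_network(self.remote, strict=False):
            return False
        if self.protocol != "any" and self.protocol != protocol:
            return False
        return self.port is None or self.port == port

def evaluate(rules, direction: str, remote_ip: str, protocol: str, port: Optional[int] = None) -> str:
    """Return "allow" or "deny". Assumption: a matching blacklist entry wins over
    a matching whitelist entry; anything unmatched is denied (default deny)."""
    if any(r.action == "deny" and r.matches(direction, remote_ip, protocol, port) for r in rules):
        return "deny"
    if any(r.action == "allow" and r.matches(direction, remote_ip, protocol, port) for r in rules):
        return "allow"
    return "deny"

# Constructed sample rule set for one SIM: HTTPS with a corporate server,
# secure SMTP to one relay, one blacklisted host inside the corporate range.
SAMPLE_RULES = [
    Rule("in",  "allow", "203.0.113.10", "tcp", 443),    # corporate server -> terminal
    Rule("out", "allow", "203.0.113.0/24", "tcp", 443),  # terminal -> corporate range
    Rule("out", "allow", "203.0.113.25", "tcp", 587),    # terminal -> secure SMTP relay
    Rule("out", "deny",  "203.0.113.99"),                # blacklisted host, all protocols
]

def check_sample() -> dict:
    """Verdicts for a few constructed flows, including an unsolicited inbound scan."""
    return {
        "corp_https_in":   evaluate(SAMPLE_RULES, "in", "203.0.113.10", "tcp", 443),
        "scan_in":         evaluate(SAMPLE_RULES, "in", "198.51.100.7", "tcp", 22),
        "corp_https_out":  evaluate(SAMPLE_RULES, "out", "203.0.113.50", "tcp", 443),
        "blacklisted_out": evaluate(SAMPLE_RULES, "out", "203.0.113.99", "tcp", 443),
        "random_out":      evaluate(SAMPLE_RULES, "out", "192.0.2.1", "udp", 53),
    }

if __name__ == "__main__":
    for name, verdict in check_sample().items():
        print(f"{name}: {verdict}")
```

The inbound scan from an address outside the whitelist is denied before it reaches the terminal, which is the billing exposure the whitelist requirement above is meant to remove.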
To establish firewall rules for your BGAN SIM card or for more information regarding setting up traffic rules, please email your firewall whitelist, your Ground Control account number, and the BGAN SIM card number to firstname.lastname@example.org.
Other BGAN M2M Security Options
Ground Control provides many ways to secure your BGAN connection, such as IPSec VPN, co-location, point-to-point, and private networks.