BGAN Firewall Traffic Rules reside at the BGAN satellite teleports and effectively block all traffic except what you specify to Ground Control in a whitelist of allowed IP addresses. By default, ALL outgoing traffic from the BGAN terminal is open, and ALL incoming traffic initiated from the Internet is blocked. (Note: incoming initiated traffic is only allowed if a BGAN SIM card is assigned a public IP address, for an added cost of $25 per SIM each month, or is using IPSec VPN.)
An effective firewall can slash unauthorized BGAN usage and save thousands of dollars by limiting what the BGAN terminal may connect to, such as certain IP addresses and/or just email, or any combination of the rule possibilities listed below. We highly recommend all of our subscribers use this free service. Simply ask your sales rep, or email email@example.com with details on how you would like to use this service.
BGAN Firewall Rule Possibilities
- Allow/deny any IP address or range of IP addresses for whitelist/blacklist.
- Allow/deny email by SMTP and/or POP3 and/or IMAP and/or secure SMTP.
- Allow/deny TCP, UDP, ICMP, SKIP, GRE, ESP, and IP protocols.
- Allow/deny HTTP (web browsing) and/or HTTPS.
- Allow/deny FTP (file transfer protocol).
Any traffic not matched by the rules chosen from the list above will be denied.
Creating BGAN Firewall Traffic Rules
The screen below shows how one or more traffic rules can be created for each individual BGAN M2M SIM card.
Multiple firewall rules establish a more complete whitelist or blacklist. Above is a typical whitelist that allows limited traffic from the internet to the BGAN terminal. Whitelists are a common rule type because they limit traffic to certain IP addresses, such as between a remote BGAN terminal IP address and a corporate server IP address.
Four Possible Traffic Types that can be Configured:
- Whitelist to allow listed IP traffic from the internet to the BGAN terminal.
- Whitelist to allow listed IP traffic from the BGAN terminal to the internet.
- Blacklist to deny listed IP traffic from the internet to the BGAN terminal.
- Blacklist to deny listed IP traffic from the BGAN terminal to the internet.
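The following is an added example, not Ground Control's rule engine or code from this page: it models the four traffic types and the stated defaults so a draft whitelist can be checked against the flows you intend to permit before you submit it. The `Rule` fields, the direction labels, the precedence of blacklist over whitelist, and the sample addresses (documentation ranges) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Direction labels are this example's own names for the page's two directions.
INBOUND, OUTBOUND = "internet->terminal", "terminal->internet"

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" = whitelist entry, "deny" = blacklist entry
    direction: str              # INBOUND or OUTBOUND
    network: str                # Internet-side IP address or CIDR range
    proto: str = "any"          # "tcp", "udp", "icmp", ... or "any"
    port: Optional[int] = None  # destination port; None = any

    def matches(self, direction, ip, proto, port):
        net = ipaddress.ip_network(self.network, strict=False)
        return (self.direction == direction
                and ipaddress.ip_address(ip) in net
                and self.proto in ("any", proto)
                and self.port in (None, port))

def decide(rules, direction, ip, proto, port=None):
    hits = [r for r in rules if r.matches(direction, ip, proto, port)]
    if any(r.action == "deny" for r in hits):
        return "deny"                       # assumption: blacklist beats whitelist
    if any(r.action == "allow" and r.direction == direction for r in rules):
        return "allow" if hits else "deny"  # whitelist present: unlisted traffic denied
    # No whitelist in this direction: the defaults stated on the page.
    return "allow" if direction == OUTBOUND else "deny"

def audit(rules, expected_flows):
    """Return (flow, modeled decision) for flows that differ from the intent."""
    return [(f, decide(rules, *f)) for f, want in expected_flows
            if decide(rules, *f) != want]

# Constructed rule set: corporate HTTPS server, mail submission, SSH from HQ range.
RULES = [
    Rule("allow", OUTBOUND, "203.0.113.10", "tcp", 443),
    Rule("allow", OUTBOUND, "203.0.113.25", "tcp", 587),
    Rule("allow", INBOUND, "203.0.113.0/24", "tcp", 22),
    Rule("deny", INBOUND, "203.0.113.99"),
]
```

Running `audit` over the flows a remote site actually needs (DNS or NTP, for instance) shows which ones an outbound whitelist would silently cut off.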
To establish firewall rules for your BGAN SIM card or for more information about setting up traffic rules, please email your firewall whitelist, your Ground Control account number, and the BGAN SIM card number to firstname.lastname@example.org.
Other BGAN Security Options
Ground Control also provides many other ways to secure your BGAN connection, such as IPSec VPN, co-location VPN, point-to-point VPN, and private MPLS networks. More information on BGAN Network Security.