Security is top of mind for every stakeholder in IoT device deployments, and the discussion of the best way to secure data is ongoing and constantly evolving. We are regularly asked how to harden IoT device data, specifically with regard to IoT SIM cards and data transfer. The goal of this article is to share the best practices we have learned over the many years we have been dealing with this question, particularly the risk of Public Static IPs and how to mitigate it.
Most devices deployed with IoT SIM cards deliver data in one of two ways: unidirectionally, where the device sends data to your server on a time interval or event trigger and no reply from the server back to the device is required, or bidirectionally, where the device both sends data to and receives data from your server. This bidirectional communication is where we will concentrate.
Bidirectional data transfer without using Static IPs is typically accomplished using two distinct methods:
- Polling – the IoT device initiates communication with your server using a protocol like HTTP to request information from the server. Your server can then capture the source IP address of the IoT SIM and send its response back to the device using this now-known dynamic IP address. This works well when the IoT device is able to initiate communication, or “poll,” typically on a time interval or when a certain event triggers the communication.
- Socket based – where the device maintains an open connection with your server using protocols such as MQTT. The persistent, open connection allows both the IoT device and your server to communicate with each other independently from one another. Unlike polling, neither the device nor the server relies on the other to initiate communication.
While these examples of bidirectional communication are viable, they do have significant drawbacks:
- Polling relies on the IoT device to initiate communication with the server and, as previously mentioned, this happens only on time or event triggers. You cannot connect to the IoT device whenever you want; you have to wait for the device to initiate, and that wait could be too long.
- Socket based communication relies on the persistent connection which for a number of reasons could get interrupted. If the connection is interrupted, then you must wait for the device to open another connection because the dynamic IP address of the IoT SIM card could have changed and there is no way of knowing the new IP address for the IoT SIM card.
- Not all devices support these types of communication protocols and this limits your choices when choosing IoT devices for your project.
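The following is an added example, not code from the original article or from any provider's platform, that models the polling method from the first list above and the first drawback just listed. A server cannot reach a device on a dynamic IP, so it queues commands and hands them over only when the device's next HTTP-style poll arrives; the dynamic addresses, device identifier and timings are all constructed, and the exchange is simulated in-process rather than over a real network.

```python
from collections import defaultdict, deque


class PollServer:
    """Server side of the polling pattern: it cannot initiate contact with the
    device, so it queues commands until the device's next request arrives."""

    def __init__(self):
        self.pending = defaultdict(deque)  # device_id -> deque of (command, queued_at)
        self.last_seen = {}                # device_id -> (source_ip, seen_at)

    def queue_command(self, device_id, command, now):
        self.pending[device_id].append((command, now))

    def handle_poll(self, device_id, source_ip, now):
        # The dynamic IP is learned from the incoming request; it is only known
        # to be valid for this exchange, so the reply is sent back on it now.
        self.last_seen[device_id] = (source_ip, now)
        delivered = []
        queue = self.pending[device_id]
        while queue:
            command, queued_at = queue.popleft()
            delivered.append((command, now - queued_at))  # (command, seconds waited)
        return delivered


def simulate_polling(poll_interval, command_times, horizon):
    """Drive one device that polls every `poll_interval` seconds starting at t=0
    and a server that queues commands at the times in `command_times`.
    Returns the commands in delivery order with the seconds each one waited."""
    server = PollServer()
    device_id = "sim-0001"  # constructed identifier
    # Constructed: the carrier hands the SIM a different dynamic address on each attach,
    # so an address captured on one poll says nothing about the next one.
    dynamic_ips = ["10.20.0.17", "10.20.0.42", "10.20.0.9"]
    commands = sorted(command_times)
    next_cmd = 0
    polls = 0
    delivered = []
    for t in range(horizon + 1):
        while next_cmd < len(commands) and commands[next_cmd] <= t:
            server.queue_command(device_id, f"cmd-{next_cmd}", commands[next_cmd])
            next_cmd += 1
        if t % poll_interval == 0:
            source_ip = dynamic_ips[polls % len(dynamic_ips)]
            polls += 1
            delivered.extend(server.handle_poll(device_id, source_ip, t))
    return delivered


def worst_case_wait(poll_interval, command_times, horizon):
    """Longest time any command sat in the queue; bounded by the poll interval."""
    return max(wait for _, wait in simulate_polling(poll_interval, command_times, horizon))


if __name__ == "__main__":
    # Ten-minute poll interval: a command queued just after a poll waits almost ten minutes.
    for command, waited in simulate_polling(600, [10, 601], 1300):
        print(f"{command} delivered after {waited}s")
```

The simulation makes the latency bound concrete: with a ten-minute interval, a command queued one second after a poll is not delivered for 599 seconds, and nothing the server does can shorten that, because it has no usable address for the device in between polls.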
Because of these considerable drawbacks, enterprises use Static IPs on IoT SIM cards for much more reliable bidirectional communication. Static IPs allow you to communicate with the IoT device at any time because, by definition, you always know the IP address of the SIM card. There are two types of Static IPs, Public and Private. We are going to talk about replacing Public Static IPs with Private Static IPs because of the security and cost concerns with Public Static IPs.
First, it is important to understand a bit more about Public Static IPs.
Public Static IPs
IoT SIM cards with Public Static IPs have been used in IoT deployments for bidirectional communication between IoT devices and servers for many years. These static IPs allow you to proactively reach a remote IoT device in the field at any time using the known IP address. Because these are Public IP addresses, you can communicate with your devices from any machine which, on first blush, seems like a handy solution. This access raises an enormous security concern, though. By definition, these IPs are reachable from any machine on the public internet, which forces organizations to implement ancillary security measures like rotating passwords, whitelisting incoming connections and turning off services which aren’t being used. This security concern also extends to the server to which the IoT device connects, because that server also needs to be publicly available. Here is a diagram of this design:
As you can see, this design is inherently flawed from a security standpoint because the use of publicly accessible IPs exposes your deployment to intrusion by hackers from anywhere in the world.
Security isn’t the only concern when using IoT SIM cards with Public IPs, though. Cost is another consideration. Just like real estate, there is a finite number of Public IPs available. This drives the cost of Public Static IPs higher, and it takes time for the network carriers to provision them. Cost and time are major hindrances to effective IoT device deployment.
IoT SIM cards with Private Static IPs – The Solution to Replace Public Static IPs
The other approach to bidirectional communication is to deploy Private Static IPs on your IoT SIM cards. Just like Public Static IPs, Private Static IPs allow you to always know the address of your device and access the device at any time. However, IoT SIM cards with Private Static IPs do not allow public access to the IoT device, because only devices or servers on the private network are allowed to communicate with the devices within that network. It is possible, if necessary, to send data from the IoT device to a place on the public internet (an external site), but proactive communication to the IoT SIM card can only be initiated from within the private network. We create this private network in two ways.
- Peer to Peer communication. This method uses an IoT SIM card with a Private Static IP in your IoT device and another IoT SIM card either in a router behind your firewall or in another IoT device, if the devices need to communicate with each other. Peer to Peer communication is typically used when small amounts of data are transferred, because the IoT SIM card on your server side acts as the data connection rather than a traditional ISP, essentially doubling your cellular data consumption. This can be expensive if large amounts of data are transferred.
- VPN connection. A VPN (IPsec or OpenVPN) is a much more common way to create the connection to the IoT SIM card with a Private Static IP. A VPN connection is made from your server to our server which, by design, is connected to all of our IoT SIM cards. This tunnel communicates securely with your IoT devices because the traffic is encrypted end to end and all traffic is kept within this secure tunnel. This is by far the most secure and cost-effective way to maintain bidirectional communication with your IoT devices.
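As an added example, not code from the original article or from any carrier's tooling, here is the check a practitioner would run on both sides of this design: it classifies each SIM's address as public or private (the Public Static IP section above describes why a public address forces extra hardening), flags devices outside the private static pool, and implements the server-side admission rule that only traffic sourced from that pool is accepted on the VPN-facing listener. The pool `10.20.0.0/16`, the device identifiers and the fleet table are constructed; the range your carrier actually assigns comes from your APN agreement.

```python
import ipaddress

# RFC 1918 private ranges plus the RFC 6598 shared address space (100.64.0.0/10),
# which carriers commonly use on private APNs.
PRIVATE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]
# Constructed: the private static pool assigned to this fleet's SIMs.
APN_POOL = ipaddress.ip_network("10.20.0.0/16")

# Constructed fleet table: device id -> address the carrier assigned to its SIM.
FLEET = {
    "sim-0001": "10.20.3.7",    # private static, inside the expected pool
    "sim-0002": "1.2.3.4",      # constructed public address: reachable by anyone
    "sim-0003": "100.64.5.2",   # private, but not in this fleet's pool
    "sim-0004": "10.21.0.1",    # private, but not in this fleet's pool
}


def classify(address):
    """Return 'private', 'public' or 'other' (loopback, link-local, etc.)."""
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def audit_fleet(assignments, pool=APN_POOL):
    """assignments: {device_id: address}. Reports devices that are reachable from
    the public internet and devices whose address is not in the expected private
    pool (a mis-provisioned SIM or a stray public/private mix in the fleet)."""
    public, outside_pool = [], []
    for device_id, address in assignments.items():
        kind = classify(address)
        if kind == "public":
            public.append(device_id)
        elif ipaddress.ip_address(address) not in pool:
            outside_pool.append(device_id)
    return {"public": sorted(public), "outside_pool": sorted(outside_pool)}


def admit(source_ip, pool=APN_POOL):
    """Admission check for the server's VPN-facing listener: accept only
    connections sourced from the private SIM pool, drop everything else."""
    return ipaddress.ip_address(source_ip) in pool


if __name__ == "__main__":
    report = audit_fleet(FLEET)
    print("publicly reachable devices:", report["public"])
    print("devices outside the private pool:", report["outside_pool"])
    for candidate in ("10.20.3.7", "1.2.3.4"):
        print(candidate, "admitted" if admit(candidate) else "dropped")
```

Run the audit against the provisioning export before the devices ship; a non-empty `public` list means the hardening steps from the Public Static IP section still apply to those units, and the `admit` rule is the policy the server should enforce regardless of what the VPN tunnel already filters.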
Below are diagrams demonstrating Peer to Peer and VPN connections with Private Static IPs:
Peer to Peer Connection:
VPN Connection with Private Static IPs:
Clearly, using Private Static IPs on IoT SIM cards is a much more elegant and secure way to communicate. This setup will allow reliable, cost-effective bidirectional communication between your servers and your IoT devices and it reduces the need for further hardening which is required when using Public Static IPs.
If you would like to speak with one of our IoT experts, please reach out to us anytime at email@example.com.