
Technical White Paper

Instant APN

Introduction

AccessMyLan Instant APN is a hosted service that provides access to a company network via an Access Point Name (APN) on the AT&T mobile network. Any device on the AT&T mobile network may be configured to connect using Instant APN including Laptop Connect modems, Smartphones, mobile routers and M2M devices.

The service does not require any specialist CPE (Customer Premise Equipment) as the Instant APN 'footprint' on the customer network consists of a software agent installed on any Windows system on the LAN. The software, known as a VPN Agent, makes an outbound SSL connection to the AccessMyLan service cloud which is hosted in multiple data centres around the globe. Typically, no firewall changes are required at the customer’s network perimeter and deployment in DMZ-style scenarios is fully supported.

With no open inbound ports, no externally published DNS and no inbound routes, the service adds no inbound attack surface at the customer's network edge, and the dependency on fixed external IPs or a specific ISP is removed. Note that the host running the VPN Agent is the point at which all remote traffic enters the LAN, so it should be placed and hardened as a perimeter component rather than as an ordinary workstation.


Service Architecture

Figure 1 - Service Architecture (mobile device on the AT&T wireless network -> Instant APN -> AccessMyLan service -> Internet -> VPN Agent on the customer LAN)

▪ The VPN Agent installed on the LAN establishes and maintains an SSL tunnel to the service via the Internet.

▪ The APN settings on the mobile device are configured to connect to the Instant APN on the AT&T wireless network.

▪ The service authenticates the mobile connection and brokers communication between the mobile client and devices on the LAN.

VPN Agents

Connectivity between the customer network and the service cloud is maintained by VPN Agents. VPN Agents run as a service on any Windows platform (Windows 2000 or later) and establish a permanent SSL connection to the service. In the event of an Internet connection failure, the VPN Agent will automatically attempt to re-establish connectivity to the service over any available Internet route.

Multiple VPN Agents can be deployed to provide resilience in the event of hardware or network failure. In a default configuration, the first VPN Agent to connect


based routing which can be used to split remote traffic between VPN agents based on the service type and/or destination host.

Connecting Mobile Devices

No additional software is required on the mobile device as connectivity is established by configuring Instant APN as a connection profile on the mobile device.

Figure 2 - Configuring AT&T Communication Manager for access

The profile created can then be used to establish connectivity to the service.


Once connected, a mobile device is assigned an IP address, DNS server and default gateway by the service. The assigned DNS server relays DNS requests to the VPN Agent for resolution, which simplifies integration with the corporate namespace.

The IP address assigned is a private address and by default is not contactable from other mobile devices. The Machine to Machine (M2M) section of this paper explains how the service supports applications that require static addressing and communications between devices.

Mobile devices are assigned to users created by the system administrator with a username and password. The system administrator adds a mobile device to a user by specifying the mobile number (MSISDN) of the device that the user will use to access the service. When a device connects, it must provide the username and password of the user to authenticate. The service also verifies that the MSISDN of the connecting device is one assigned to that user before authorizing access. Because the MSISDN is tied to the subscription on the device's SIM rather than typed in by the user, this check binds the login to a specific device and provides security beyond basic username and password credentials.

Network Architecture

The VPN Agent behaves like a NAT proxy: all remote user traffic on the LAN has the source address of the system hosting the VPN Agent. Upon startup, the VPN Agent automatically discovers routable subnets and DNS services, which are then configured on remote devices at connect time.

When a mobile device authenticates successfully, the service assigns an IP address to the remote device from an AccessMyLan address pool and configures DNS and routing. DNS is configured to use a company-specific DNS proxy on the service, which forwards requests to the VPN Agent for resolution. Routes are defined on the client so that all traffic for RFC1918 addresses is sent via the APN. Remote user traffic is proxied by the VPN Agent, so all remote traffic on the LAN has the source IP address of the VPN Agent host.


Figure 4 - Network Routing

Each customer is assigned a virtualised VPN router/firewall in AccessMyLan which is responsible for enforcing customer configured Access Controls and routing user traffic via connected VPN Agents.

The virtualised VPN router also provides a DNS relay by forwarding any DNS UDP datagrams addressed to the VPN router address to VPN Agents that have a DNS route declared.
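The following added example (not code from the paper or from AccessMyLan) models the routing behaviour described above and in the VPN Agents section: the client-side rule that sends RFC1918 destinations via the APN, the virtualised customer router choosing a connected VPN Agent for a destination, the agent's NAT so that the LAN sees the agent host's address, and the DNS relay to an agent that declared a DNS route. The longest-prefix selection over each agent's discovered subnets is an assumption used to stand in for the paper's "destination host" based routing; agent names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Client-side route: everything in RFC1918 space is sent via the APN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class VpnAgent:
    name: str
    lan_ip: str                  # the agent host's LAN address (becomes the NAT source)
    subnets: list                # routable subnets the agent discovered on startup
    dns_route: bool = False      # whether this agent declared a DNS route
    connected: bool = True       # SSL tunnel to the service currently up


def client_routes_via_apn(dst):
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in RFC1918)


class CustomerRouter:
    """Virtualised per-customer VPN router: picks the VPN Agent for a destination,
    skipping agents whose tunnel is down, and records the NAT the agent performs."""

    def __init__(self, agents):
        self.agents = list(agents)   # in connection order: first connected is the default

    def select_agent(self, dst):
        ip = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for agent in self.agents:
            if not agent.connected:
                continue
            for cidr in agent.subnets:
                net = ipaddress.ip_network(cidr)
                # Longest matching prefix wins (assumed); ties go to the earlier-connected agent.
                if ip in net and net.prefixlen > best_len:
                    best, best_len = agent, net.prefixlen
        return best

    def forward(self, mobile_ip, dst, proto, dport):
        """Return the flow as it will appear on the LAN, or None if it cannot be delivered."""
        if not client_routes_via_apn(dst):
            return None              # the client never sends this via the APN
        agent = self.select_agent(dst)
        if agent is None:
            return None              # no connected agent covers the destination
        # The agent proxies the connection, so the LAN sees the agent host as the source.
        return {"agent": agent.name, "src": agent.lan_ip, "dst": dst,
                "proto": proto, "dport": dport, "proxied_for": mobile_ip}

    def relay_dns(self):
        """DNS UDP datagrams sent to the router are relayed to an agent with a DNS route."""
        for agent in self.agents:
            if agent.connected and agent.dns_route:
                return agent.name
        return None
```

Because the agent, not the mobile device, is the source address on the LAN, host-based controls and logs on internal servers will attribute every remote session to the agent host; per-user attribution has to come from the service's own access controls and logs.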

Access Controls

Access Rules

Network access rules are applied to all remote traffic and control access based on the application protocol and the destination host. The administrator can define custom services in addition to the standard service definitions.

Figure 5 - Network Access Rule Configuration

C:\> tracert srv1.example.com

Tracing route to srv1.example.com [192.168.1.21] over a maximum of 30 hops

  1    32 ms    31 ms    32 ms  10.128.0.1     Client Access Server
  2    34 ms    34 ms    35 ms  10.192.0.3     Virtualised Customer Router/Firewall
  3    66 ms    67 ms    66 ms  192.168.1.20   VPN Agent IP address on LAN


User access rules are applied on a per-user basis and are defined in the same manner as network access rules.
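As an added example (not the service's own implementation), the evaluator below shows how network access rules and per-user rules combine: each rule matches on a service (protocol and port, from the standard set or an administrator-defined custom service) and a destination host or subnet, rules are evaluated first-match with an implicit deny, and a request must pass the network rules before the user's own rules are consulted. The standard service set, the first-match semantics and the treatment of a user with no rules of their own are assumptions; hosts and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Standard service definitions. Constructed for the example; the paper says a
# standard set exists but does not list it.
SERVICES = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "RDP": ("tcp", 3389),
    "DNS": ("udp", 53),
    "ANY": (None, None),        # wildcard: any protocol, any port
}


def define_service(name, proto, port):
    """Administrator-defined custom service, e.g. an in-house application port."""
    SERVICES[name] = (proto, port)


@dataclass
class Rule:
    action: str        # "allow" or "deny"
    service: str       # key in SERVICES
    destination: str   # a single host, a CIDR block, or "any"

    def matches(self, proto, port, dst):
        sproto, sport = SERVICES[self.service]
        if sproto is not None and (sproto, sport) != (proto, port):
            return False
        if self.destination == "any":
            return True
        # A bare host such as "192.168.1.21" is treated as a /32.
        return ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination, strict=False)


def evaluate(rules, proto, port, dst):
    """First matching rule decides; no match means deny."""
    for rule in rules:
        if rule.matches(proto, port, dst):
            return rule.action == "allow"
    return False


class AccessPolicy:
    def __init__(self, network_rules):
        self.network_rules = list(network_rules)
        self.user_rules = {}

    def set_user_rules(self, username, rules):
        self.user_rules[username] = list(rules)

    def is_permitted(self, username, proto, port, dst):
        # Network rules apply to all remote traffic. A per-user rule set, where one
        # exists, is evaluated afterwards and so can only narrow access further.
        # Assumption: a user with no rules of their own is governed by the network rules alone.
        if not evaluate(self.network_rules, proto, port, dst):
            return False
        if username in self.user_rules:
            return evaluate(self.user_rules[username], proto, port, dst)
        return True
```

The closing deny-all network rule in the test below is what makes the policy fail closed; without it, a protocol that no rule mentions would still be denied by the implicit default, but an explicit final deny makes the intent visible to whoever audits the rule set.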

User Authentication

By default, users are authenticated against the integrated AAA service. The service implements a lockout policy which defines how many login failures a user may have before being locked out, and the lockout period before the user may attempt to log in again. User passwords are subject to an administrator-configurable password policy which defines the minimum length and the required mix of character sets.

The service can also be configured to authenticate users against any RADIUS-capable authentication server on the LAN, such as Active Directory (through a RADIUS front end such as Microsoft NPS) or RSA SecurID. Authentication requests are proxied via the VPN Agent to the internal RADIUS server defined by the administrator, so the RADIUS server does not need to be reachable from outside the LAN.

Instant APN Applications

Internet Access Policy Compliance

While providing staff with mobility is a powerful business enabler, it can also pose challenges, as users have direct access from their mobile device to the Internet. This may result in users wasting time, visiting inappropriate sites and downloading dangerous material to company devices.

By configuring the mobile device so that it can only connect to Instant APN, mobile users no longer have direct access to the Internet. This restriction is enforced on the AT&T network side, by disabling the subscription's access to the Internet APN, so the user cannot re-enable Internet access through a local configuration change on the device.


Machine to Machine

Instant APN provides an easy and secure way to integrate remote machines using the AT&T wireless network. By using Instant APN, the devices are not exposed to the Internet and there is no requirement for complex client-side software.

In an M2M environment, it may not be practical to configure each device with a unique username and password. In these cases, a shared set of credentials may be used with authorization of access being based on the MSISDN/Mobile number of the mobile device.
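The following added example (not the service's own code) shows the authentication and authorization logic described in the User Authentication section and in the paragraphs above: a password policy check at enrolment, a lockout counter and lockout period, and, after the password is accepted, a check that the MSISDN reported for the connecting device is one the administrator assigned to the user. The same logic covers the M2M case, where a fleet shares one credential and authorization rests on the MSISDN. The policy values, usernames and numbers are constructed; the paper says the policy is administrator-configurable but does not state defaults.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy values are constructed for this example (assumptions, not the service defaults).
MAX_FAILURES = 5            # login failures before lockout
LOCKOUT_SECONDS = 900       # lockout period before the user may try again
MIN_PASSWORD_LEN = 8
MIN_CHARACTER_CLASSES = 3   # of lower / upper / digit / symbol


def normalize_msisdn(msisdn):
    """Keep digits only so '+1 555 010 0001' and '15550100001' compare equal."""
    return "".join(ch for ch in msisdn if ch.isdigit())


def password_meets_policy(password):
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_PASSWORD_LEN and sum(classes) >= MIN_CHARACTER_CLASSES


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    msisdns: set                # mobile numbers the administrator assigned to this user
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class AAAService:
    """Integrated AAA: username/password plus MSISDN binding, with lockout."""

    def __init__(self):
        self.users = {}

    def add_user(self, username, password, msisdns):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[username] = User(username, salt, hash_password(password, salt),
                                    {normalize_msisdn(m) for m in msisdns})

    def add_device(self, username, msisdn):
        self.users[username].msisdns.add(normalize_msisdn(msisdn))

    def authorize(self, username, password, calling_msisdn, now=None):
        """Return 'ALLOW' or a 'DENY: ...' reason. calling_msisdn is the number the
        mobile network reports for the attaching device, not a value the client types."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return "DENY: unknown user"
        if now < user.locked_until:
            return "DENY: locked out"
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            user.failures += 1
            if user.failures >= MAX_FAILURES:
                user.locked_until = now + LOCKOUT_SECONDS
                user.failures = 0
            return "DENY: bad credentials"
        # Second check: the device must be one the administrator assigned to this user
        # (or, for an M2M fleet sharing one credential, one registered to the fleet user).
        if normalize_msisdn(calling_msisdn) not in user.msisdns:
            return "DENY: device not assigned to user"
        user.failures = 0
        return "ALLOW"
```

The MSISDN check only adds security because the number is supplied by the carrier network when the device attaches to the APN; it must never be taken from a field the client sends, or a stolen shared M2M credential would be enough to connect from any device.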

Machine to Machine (M2M) applications will generally require static IP addresses on the mobile devices and bi-directional communication between the mobile devices and LAN applications. The service supports the following two approaches for M2M projects.

Peer-to-Peer

In a Peer-to-Peer M2M environment, the service assigns static private IP addresses to the mobile devices from a service- or customer-defined pool of addresses. The address pool can be in any of the following ranges:

▪ 192.168.0.0 to 192.168.255.255

▪ 172.16.0.0 to 172.31.255.255

▪ 10.1.0.0 to 10.126.255.255

All mobile devices are assigned a static address from the pool and can communicate with each other. The AccessMyLan VPN Client is also supported by this Peer-to-Peer network allowing connectivity to M2M devices on the mobile network from Windows systems.
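As an added example (not code from the paper), the pool below validates that a customer-defined pool falls entirely inside one of the three permitted ranges listed above, gives each device, identified by its MSISDN, a fixed address that survives reconnects, reports exhaustion, and distinguishes a Peer-to-Peer pool, where devices may reach each other, from the default mode described earlier, where a mobile address is not contactable from other mobile devices. Pool sizes, numbers and the sequential allocation order are constructed assumptions.

```python
import ipaddress

# Address ranges the paper permits for a Peer-to-Peer static pool. Note the 10/8
# space is limited to 10.1.0.0 - 10.126.255.255, so 10.0.0.0/8 as a whole is not allowed.
ALLOWED_RANGES = [
    (ipaddress.ip_address("192.168.0.0"), ipaddress.ip_address("192.168.255.255")),
    (ipaddress.ip_address("172.16.0.0"), ipaddress.ip_address("172.31.255.255")),
    (ipaddress.ip_address("10.1.0.0"), ipaddress.ip_address("10.126.255.255")),
]


def normalize_msisdn(msisdn):
    return "".join(ch for ch in msisdn if ch.isdigit())


def pool_is_allowed(cidr):
    """True if every address of the pool lies inside one permitted range."""
    net = ipaddress.ip_network(cidr)
    return any(lo <= net[0] and net[-1] <= hi for lo, hi in ALLOWED_RANGES)


class StaticPool:
    """Assigns each device (identified by MSISDN) a fixed address from the pool."""

    def __init__(self, cidr, peer_to_peer):
        if not pool_is_allowed(cidr):
            raise ValueError(f"{cidr} is outside the permitted pool ranges")
        self.net = ipaddress.ip_network(cidr)
        self.free = list(self.net.hosts())   # network and broadcast addresses excluded
        self.by_msisdn = {}
        self.peer_to_peer = peer_to_peer

    def address_for(self, msisdn):
        """Same device always gets the same address; None when the pool is exhausted."""
        key = normalize_msisdn(msisdn)
        if key in self.by_msisdn:
            return self.by_msisdn[key]
        if not self.free:
            return None
        addr = self.free.pop(0)              # assumed: lowest free address first
        self.by_msisdn[key] = addr
        return addr

    def release(self, msisdn):
        """Return a decommissioned device's address to the pool."""
        addr = self.by_msisdn.pop(normalize_msisdn(msisdn), None)
        if addr is not None:
            self.free.append(addr)

    def can_reach(self, src_msisdn, dst_ip):
        """Device-to-device traffic is permitted only in a Peer-to-Peer pool; in the
        default mode a mobile address is not contactable from other mobile devices."""
        src = self.by_msisdn.get(normalize_msisdn(src_msisdn))
        dst = ipaddress.ip_address(dst_ip)
        if src is None or dst not in self.by_msisdn.values():
            return False
        return self.peer_to_peer or src == dst
```

Releasing an address only when a device is decommissioned, rather than on disconnect, is what keeps the mapping static; a LAN application that whitelists a meter by its IP would otherwise see the address move to another device.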

M2M Routed Mode
