Organisations may be leaving their data open for exploitation

Satellite technology has been an incredibly useful connectivity option for organisations operating in regional areas of Australia. To name a few, emergency services and utilities organisations operating in regional areas have experienced complete turnarounds in the services that they’re able to offer their customers.

One area that’s not being talked about enough is how secure those satellite connections are. As a result, many organisations don’t realise that they might be leaving their data open for exploitation.

We know that satellite is attractive as a backup to cellular or as a primary connection where cellular coverage is unavailable, but how do we secure those connections?

Let’s start with a quick overview of link bonding. Link bonding or link aggregation combines multiple LAN or WAN interfaces into a single virtual connection to increase bandwidth availability, efficiency, and application resiliency. For link aggregation in the WAN, any type of connection works, including wired, cellular, satellite, and Wi-Fi as WAN. This technology is also referred to as intelligent bonding, WAN bonding, teaming, or bundling.

Dual-modem routers in vehicles can accommodate multiple connectivity options, including cellular and satellite. For first responders, utility fleets, and more, WAN bonding using these various connections plays a key role in application resiliency and improved throughput when it matters most. Flow duplication supports critical communications by replicating flows across both WAN connections as the vehicle moves between coverage areas. Alternatively, bandwidth aggregation combines two data links to create a fatter pipe that would support higher bandwidth applications such as video uploads.

When we look at the security of LEO satellites, they are typically encrypted from the low Earth orbit (LEO) satellite down to the modem. However, the connection from the modem to the device that is supporting applications is not secure. In order to accomplish end-to-end security, organisations need to look to secure link bonding.

Secure link bonding

For security coverage, link bonding generally runs over encrypted IPsec tunnels. These tunnels essentially act as a site-based VPN, enabling secure communication across the bonded connections. Some of the challenges with this include the significant added overhead that comes with IPsec — which can not only impact cellular data plans, but can also negatively impact performance. Therefore, it is important to invest in solutions that provide inherent security without having such a negative impact on performance.

Another consideration is the trend of replacing VPN technology with zero-trust based solutions. A technology now thirty years old, site-based VPNs have known security limitations, including their inability to effectively block lateral movement. Once authenticated to the network, users have untethered network access to all resources, meaning that if a bad actor hacks into one part of the network, they can easily traverse the network and find other high value targets.

Ericsson is the only vendor that offers wireless link bonding built on a true zero-trust foundation. Rather than using site-based VPN technology to provide encrypted communications across the WAN, Ericsson’s Cradlepoint routers, powered by NetCloud, construct a true zero-trust network that is default deny and then builds link bonding on top. The benefits of zero-trust link bonding for enterprises include:

• Obscures all public IP addresses: Ericsson’s zero-trust link bonding offers a carrier network address translation (NAT) functionality that translates complex IP addresses to more intuitive names. Without IP addresses in the network, if a malicious actor tries to run an IP scan to discover the network topology and attached resources, the scan is ineffective, preventing lateral movement and discovery of key assets.
• Resources must be defined before they are accessible: Rather than new applications or IoT devices being instantly visible and accessible the moment they are network connected, in a zero-trust network, resources must be explicitly defined before they can be accessed or seen by anyone or anything.
• Deny-all by default: Instead of starting with broad network access where every authorised user has access to all the resources on the network and policies are built to restrict access, zero-trust starts with restricted access and policies are built to enable access.
   

This zero-trust foundation is similar to the foundation of a house. With the right foundation, the house is free from cracks that could allow moisture or pests to get inside. With the right foundation to link bonding and other advanced networking services, the network is inherently more secure, minimising the potential attack surface for malicious actors.

Furthermore, the right zero-trust link bonding solution eliminates the manual device-by-device security configuration that is typically required. Instead, a zero-trust network is dynamically constructed, offering simplified deployment, management, and troubleshooting for lean IT teams.

Image credit: iStock.com/Andrey Suslov