IoT - APNs and VPNs, why do I need it?

An Access Point Name is a link between a mobile network and the internet. The device trying to connect to the internet needs to have this parameter configured and presented to the mobile carrier, who can then decide which IP address to assign to the device and which security method to use.

APN Types

An Access Point Name consists of two parts:

  • the network identifier
  • the operator identifier

The operator identifier in turn consists of two other parts:

  • Mobile Network Code (MNC) - used to uniquely identify the mobile network to the user
  • Mobile Country Code (MCC) - used in combination with the Mobile Network Code to uniquely identify the country of domicile of the mobile station

The APN might look like this: “web.gprs.mtnnigeria.net”, but it might also use a customised domain name from a Domain Name Service (DNS) operator. This gives you an APN like “internet”, which for example is the most common APN used for MTN SIM cards. A custom APN is linked to the same network and operator identifier parameters; it is simply translated by the DNS.
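As an added example (not from the original article), the Python below splits a fully qualified APN into the two parts described above, the network identifier and the operator identifier, using the `mnc<MNC>.mcc<MCC>.gprs` operator identifier layout defined in 3GPP TS 23.003. It also builds an operator identifier from a given MCC/MNC pair; the MCC/MNC values used in the sample inputs are constructed and stand for no particular carrier.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Operator identifier layout from 3GPP TS 23.003: "mnc<3 digits>.mcc<3 digits>.gprs",
# where a 2-digit MNC is zero-padded to 3 digits.
_OPERATOR_ID = re.compile(r"^mnc(\d{3})\.mcc(\d{3})\.gprs$", re.IGNORECASE)
# A DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


@dataclass
class Apn:
    network_id: str          # e.g. "internet" or "web.gprs.mtnnigeria.net"
    mnc: Optional[str]       # None when only the network identifier was supplied
    mcc: Optional[str]


def parse_apn(apn: str) -> Apn:
    """Split an APN into network identifier and (optional) operator identifier."""
    apn = apn.strip().rstrip(".")
    if not apn:
        raise ValueError("empty APN")
    labels = apn.split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"invalid APN label {label!r}")
    # A full APN is <network identifier>.<operator identifier>; the operator
    # identifier is always the last three labels, so at least four are needed.
    if len(labels) >= 4:
        m = _OPERATOR_ID.match(".".join(labels[-3:]))
        if m:
            return Apn(".".join(labels[:-3]), m.group(1), m.group(2))
    # Otherwise only the network identifier was supplied (e.g. the bare "internet"
    # APN); the carrier's DNS appends its own operator identifier on resolution.
    # TS 23.003 forbids a network identifier ending in ".gprs".
    if apn.lower().endswith(".gprs"):
        raise ValueError("network identifier must not end in '.gprs'")
    return Apn(apn, None, None)


def operator_identifier(mcc: str, mnc: str) -> str:
    """Build the operator identifier for an MCC/MNC pair (MNC padded to 3 digits)."""
    if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and 2 <= len(mnc) <= 3):
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    return f"mnc{mnc.zfill(3)}.mcc{mcc}.gprs"
```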


Types of APN

An Access Point Name (APN) is a point of entry onto an IP network for a mobile device. An APN can be either private or public (private APNs are also known as corporate APNs within the South African industry). Furthermore, the IP address associated with the device can be either dynamic or static.

Taking this into account we get four different types:

  • Public APN - A public APN is typically associated with all subscribers by default and allows all subscribers access to the internet. For a subscriber to be able to access a particular APN, the subscriber’s SIM must be provisioned on the APN.
  • Public APN with static IP - the gateway assigns a static IP address to the device from the available IP pool of the public network.
  • Private APN - private APNs are typically set up to terminate their traffic onto a customer’s network. Once a corporate user has established a connection on the corporate APN, the GSM device will be able to exchange data with the customer’s corporate network (sometimes mistaken for a VPN).
  • Private APN with static IP - the gateway assigns a static IP address to the device from the available IP pool of the private network.

A dynamic IP address is not reachable by inbound connections, so it cannot be used to initiate communication to the IoT or M2M device: the address is not known until the device itself initiates the connection.

APNs with static IP are fully routable and it is possible to initiate communication externally.


Why would anyone need Private APNs?

As per its name, Private APN gives more control over how to secure and configure the data connection.

There are several benefits of using Private APN for customers, including:

  • Configurability. It offers the ability to configure various settings such as IP addressing (either static or dynamic) and authentication methods.
  • Security. Subscribers are only visible to other devices on the same APN. This makes Private APNs a superior solution in terms of data security when compared to using Public APN or any other Internet access. It allows data to remain only on the customer's private network.
  • Organization Policies. When applied as part of a mobile security solution, it benefits from having mobile users conform to security and usage policies. This feature limits potential misuse of mobile services.
  • Global Coverage. With a network of global carrier partners, users have access to their Private APN across the globe, allowing for convenient and secure access to all the customer organisation's applications.

The Private APN solution offers truly secure mobile connectivity, comparable to the level of protection applied in private networks, which allow the customer organisation's data traffic to be sent within a closed and private group of hosts.

What is a VPN?

VPN stands for Virtual Private Network. It is a layer of security for Internet access from an IoT device. It allows for the data exchange to remain confidential via encryption and decryption mechanisms. It is crucial when a device remains connected to the Internet via a public network, including Public APN.

A VPN is set up as a site-to-site connection. It creates a so-called VPN tunnel, which is stretched between two endpoints. At one end, the Software VPN Client runs on the IoT device; at the other end is the VPN Server, which is usually the organisation's back-end server or a specialised hardware firewall or router.

These two endpoints add headers to the original packet, with these headers including fields that allow the VPN devices to make the traffic secure. The VPN devices also encrypt the original IP packet, meaning that the original packet's contents are indecipherable to anyone who happens to see a copy of the packet as it is transmitted over the Internet.

The picture below illustrates the VPN tunnel concept.


For creating a VPN tunnel on the IoT device side, there is a need to assign an IP address. This IP address is assigned by use of an APN gateway via APN settings applied on the IoT device. It enables connections directly to the device through a VPN tunnel and extends this private and secure network to the IoT devices.

Specialised mobile VPN solutions are used for IoT devices where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various data networks without dropping the secure VPN session or losing application sessions.

Here, Mobile VPN tunnels are not tied to physical IP addresses and instead each tunnel is bound to a logical IP address. That logical IP address is assigned to the IoT device (being a device in motion) no matter where it may roam. Applications running on the device and inside the customer organisation’s network communicate through that one logical IP address, remaining unaware of the user's motion and the different physical IP addresses and data network transitions.

Industrial Gateway with VPN support

It is common for Industrial Automation applications to make use of Gateways with VPN functionality to reach remote control systems in a secure way to execute tasks such as troubleshooting, configuration changes and routine maintenance.

Please do not hesitate to contact us for assistance with your remote monitoring and control applications.
