FastRTK base stations deliver real-time kinematic (RTK) correction data for precise GNSS positioning through three primary services:
NTRIP Caster
- Port: 10000/TCP
- Purpose: Delivers GPS correction data over the internet using the NTRIP protocol, enabling centimeter-level accuracy for GNSS receivers.
- Security:
  - Employs HTTP Basic authentication for client-server interaction. Rovers (clients) authenticate to the NTRIP caster (server) with a username and password sent in the HTTP Authorization header.
- Data Format: Binary RTCM data streamed over a persistent TCP connection.
- Rovers periodically transmit their approximate position (an NMEA $GPGGA sentence) to the caster so that it can deliver the most suitable correction data.
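The exchange described above, as an added example that is not part of the original article or the FastRTK software: a rover builds the NTRIP request with a Basic Authorization header, the caster side extracts the credentials, and a $GPGGA sentence is generated and then validated (NMEA checksum and coordinate decoding) before the caster trusts the reported position. The hostname, mountpoint and credentials are constructed sample values.

```python
import base64
from typing import Optional, Tuple

# Constructed sample values for this example (not from the FastRTK page).
CASTER_HOST = "rtk.example.net"      # assumed caster hostname
MOUNTPOINT = "BASE1"                 # assumed mountpoint name
USERNAME = "rover01"                 # assumed rover credentials
PASSWORD = "correct horse battery"


def build_ntrip_request(host: str, mountpoint: str, user: str, password: str) -> bytes:
    """Build the NTRIP (HTTP-style) request a rover sends to the caster on port 10000.

    Basic auth is base64(user:password): encoded, not encrypted. On a plain TCP
    connection anyone on the path can recover the credentials.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    lines = [
        f"GET /{mountpoint} HTTP/1.1",
        f"Host: {host}",
        "Ntrip-Version: Ntrip/2.0",
        "User-Agent: NTRIP ExampleRover/1.0",
        f"Authorization: Basic {token}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_basic_auth(request: bytes) -> Optional[Tuple[str, str]]:
    """Caster side: extract (user, password) from the Authorization header, or None."""
    for line in request.decode(errors="replace").split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None
            try:
                decoded = base64.b64decode(token, validate=True).decode()
            except ValueError:          # covers binascii.Error and UnicodeDecodeError
                return None
            user, _, password = decoded.partition(":")
            return user, password
    return None


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two upper-case hex digits."""
    csum = 0
    for ch in body:
        csum ^= ord(ch)
    return f"{csum:02X}"


def build_gga(lat: float, lon: float, utc: str = "120000.00") -> str:
    """Encode a position as a $GPGGA sentence (ddmm.mmmm / dddmm.mmmm), fix quality 1."""
    lat_d = int(abs(lat))
    lon_d = int(abs(lon))
    lat_m = (abs(lat) - lat_d) * 60
    lon_m = (abs(lon) - lon_d) * 60
    body = ",".join([
        "GPGGA", utc,
        f"{lat_d:02d}{lat_m:07.4f}", "N" if lat >= 0 else "S",
        f"{lon_d:03d}{lon_m:07.4f}", "E" if lon >= 0 else "W",
        "1", "08", "1.0", "100.0", "M", "0.0", "M", "", "",
    ])
    return f"${body}*{nmea_checksum(body)}"


def parse_gga(sentence: str) -> Optional[Tuple[float, float]]:
    """Validate the checksum and return (lat, lon) in decimal degrees, or None if invalid."""
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    if given.strip().upper() != nmea_checksum(body):
        return None
    f = body.split(",")
    if len(f) < 7 or f[0] not in ("GPGGA", "GNGGA") or not f[2] or not f[4]:
        return None
    try:
        lat = int(f[2][:2]) + float(f[2][2:]) / 60
        lon = int(f[4][:3]) + float(f[4][3:]) / 60
    except ValueError:
        return None
    if f[3] == "S":
        lat = -lat
    if f[5] == "W":
        lon = -lon
    return lat, lon


if __name__ == "__main__":
    req = build_ntrip_request(CASTER_HOST, MOUNTPOINT, USERNAME, PASSWORD)
    print(req.decode())
    print("caster sees:", parse_basic_auth(req))
    gga = build_gga(37.82, -122.4)
    print(gga, "->", parse_gga(gga))
```

Because the caster speaks plain HTTP on port 10000, the Authorization header carries the rover's password in a reversible encoding; per-rover credentials that grant nothing beyond the correction stream limit what a captured header is worth. The checksum check on the GGA sentence rejects truncated or corrupted position reports before they influence which correction data the caster sends.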
Web Server
- Ports: 80/TCP (HTTP), 443/TCP (HTTPS)
- Purpose: Provides a web interface for managing base station settings, data, and configuration.
- Security:
  - Accessible via HTTP (unencrypted) or HTTPS (encrypted using SSL/TLS).
  - Requires a valid SSL certificate for secure HTTPS access.
SSH Server
- Port: 2525/TCP
- Purpose: Enables secure remote access and management of the base station.
- Security:
  - Utilizes a non-standard port (2525) to minimize automated attacks and reduce log noise from bot activity.
  - Password authentication is disabled. Access is granted only through strong SSH keys, which protects against brute-force attacks.
  - SSH can be disabled entirely by blocking port 2525.
  - Support IPs can be whitelisted so that remote access is accepted only from those addresses.
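The following is an added example, not code shipped with FastRTK: a small audit that parses an OpenSSH `sshd_config` and checks it against the policy stated above (port 2525, public-key authentication on, password and keyboard-interactive authentication off). The sample configuration text is constructed. Two OpenSSH rules drive the design: the first value given for a keyword wins, so a later `PasswordAuthentication no` does not repair an earlier `yes`; and anything below a `Match` line is conditional, so a `Match` block that re-enables password logins for some address range is reported as an override rather than silently merged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sshd_config text for this example (not the actual FastRTK image file).
SAMPLE_SSHD_CONFIG = """\
# Hardened sshd_config (constructed sample)
Port 2525
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no

Match Address 203.0.113.10,198.51.100.0/24
    AllowUsers support
"""

# The policy described in the article: key-only access on port 2525.
EXPECTED = {
    "port": "2525",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
}

MatchBlock = Tuple[str, Dict[str, str]]


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[MatchBlock]]:
    """Return (global settings, [(match criteria, settings in that block), ...]).

    Keywords are case-insensitive and may be written 'Key value' or 'Key=value'.
    sshd uses the first value it reads for a keyword, so setdefault() keeps the first.
    Lines after 'Match' apply only when the criteria match and are kept separately.
    """
    settings: Dict[str, str] = {}
    blocks: List[MatchBlock] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            blocks.append((value, {}))
            continue
        target = blocks[-1][1] if blocks else settings
        target.setdefault(key, value)            # first occurrence wins
    return settings, blocks


def audit_sshd(text: str) -> List[str]:
    """Compare a config against EXPECTED; return findings (empty list means compliant)."""
    settings, blocks = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    for criteria, conditional in blocks:
        for key, want in EXPECTED.items():
            got = conditional.get(key)
            if got is not None and got.lower() != want:
                findings.append(f"Match '{criteria}' overrides {key} to '{got}'")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD_CONFIG) or ["compliant"]:
        print(finding)
```

Run it against the live file with `audit_sshd(open("/etc/ssh/sshd_config").read())`; `sshd -T` output can be fed in the same way when you want the effective values after defaults are applied.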
Firewall
A robust firewall is implemented to further bolster security. It operates on a "deny-all" principle, meaning all traffic is blocked by default. Only connections to the essential ports required for the services described above (10000, 80, 443, and 2525) are explicitly allowed.
Key Security Measures
- Strong Authentication: SSH key-based authentication and HTTP Basic authentication for NTRIP.
- Encryption: HTTPS for secure web server access, SSH for encrypted remote management.
- Port Security: Non-standard SSH port and a restrictive firewall policy to limit exposure.
This multi-layered security strategy helps ensure the confidentiality, integrity, and availability of the FastRTK base station and its critical services.
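As an added example (not the firewall configuration shipped with FastRTK, which the article does not reproduce), the following renders an nftables ruleset that implements the deny-all policy above: everything is dropped by default, the three public service ports are accepted, and SSH on 2525 is accepted only from a list of support addresses. The nftables syntax is an assumption about the host firewall; the support addresses are constructed sample values (IPv4 only, since the rule uses `ip saddr`). Passing an empty list emits no SSH rule at all, which is the "disable SSH by blocking port 2525" option from the SSH section.

```python
import re
from typing import Iterable, List, Set

# Service ports from the article's firewall section (TCP, reachable from anywhere).
PUBLIC_TCP_PORTS = {80: "web admin (HTTP)", 443: "web admin (HTTPS)", 10000: "NTRIP caster"}
SSH_PORT = 2525

# Constructed sample support addresses (IPv4 only: the rule below uses 'ip saddr').
SAMPLE_SUPPORT_IPS = ["203.0.113.10", "198.51.100.0/24"]


def render_nft_ruleset(support_ips: Iterable[str] = ()) -> str:
    """Render an nftables ruleset for the deny-all policy described in the article.

    input chain:   policy drop; loopback and established/related traffic accepted;
                   the three service ports accepted from any source.
    SSH (2525):    accepted only from support_ips. With no addresses, no rule is
                   emitted and the default drop blocks the port entirely.
    forward chain: policy drop (the base station is not a router).
    """
    ips = sorted(set(support_ips))
    lines: List[str] = [
        "flush ruleset",
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for port in sorted(PUBLIC_TCP_PORTS):
        lines.append(f"    tcp dport {port} ct state new accept  # {PUBLIC_TCP_PORTS[port]}")
    if ips:
        lines.append(
            f"    ip saddr {{ {', '.join(ips)} }} tcp dport {SSH_PORT} ct state new accept  # support SSH"
        )
    lines += [
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def allowed_tcp_ports(ruleset: str) -> Set[int]:
    """Self-check: the TCP destination ports that some accept rule in the ruleset opens."""
    ports: Set[int] = set()
    for line in ruleset.splitlines():
        m = re.search(r"tcp dport (\d+).*\baccept\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


if __name__ == "__main__":
    ruleset = render_nft_ruleset(SAMPLE_SUPPORT_IPS)
    print(ruleset)
    print("open TCP ports:", sorted(allowed_tcp_ports(ruleset)))
```

Writing the rendered text to a file and loading it with `nft -f <file>` applies it; `allowed_tcp_ports` gives a quick way to confirm that nothing beyond the four documented ports is reachable before the ruleset goes live.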
Network Configuration
Connecting any IoT device to the internet requires consideration of both security and functionality, and FastRTK base stations are no exception. There are many possible network configurations; the following are some of the common approaches.
1. Connect to an existing LAN - Disconnected from the internet
The FastRTK base connects to your local area network (LAN) like a computer or printer. However, it is isolated from the internet by firewall rules or physical network segmentation.
- Pros:
  - Increased security: Limited exposure to external threats.
  - Local control: Manage and interact with the device within your LAN.
- Cons:
  - No external access: Cannot be accessed by users outside the local network. Users' mobile devices on cellular connections need a VPN to connect. Cannot be monitored remotely.
  - Limited functionality: Limited ability to monitor the station using FastRTK monitor services. Difficult to get remote support.
2. Connect to an existing LAN - Port Mapping
The FastRTK base connects to your LAN, and specific ports are opened in your firewall to allow the inbound or outbound traffic needed to deliver RTK corrections.
- Pros:
  - Enables connection from field users on cellular devices without a VPN.
  - Remote monitoring and support.
  - Full functionality: Allows features that require internet communication.
- Cons:
  - Increased security risk: Opening ports exposes the device, and potentially your network, to external threats.
  - Requires careful configuration: Incorrect firewall rules can create vulnerabilities.
Example port mapping rules:
1. NTRIP (Port 10000 TCP)
   - Service Name: NTRIP
   - External Port: 10000 (or any desired external port)
   - Internal Port: 10000
   - Protocol: TCP
   - Internal IP Address: [IP address of your FastRTK base station]
2. Web Server Admin UI (Ports 80 and 443 TCP)
   - Service Name: Web Admin
   - External Port: 80 (or any desired external port)
   - Internal Port: 80
   - Protocol: TCP
   - Internal IP Address: [IP address of your FastRTK base station]

   - Service Name: FastRTK Web Admin (HTTPS)
   - External Port: 443 (or any desired external port)
   - Internal Port: 443
   - Protocol: TCP
   - Internal IP Address: [IP address of your FastRTK base station]
3. SSH Server (Port 2525 TCP)
   - Service Name: FastRTK SSH Access
   - External Port: 2525 (or any desired external port)
   - Internal Port: 2525
   - Protocol: TCP
   - Internal IP Address: [IP address of your FastRTK base station]
3. Cellular Modem
The FastRTK base uses a cellular modem to connect directly to the internet via a mobile network, bypassing your LAN and corporate network entirely. When the base operates in stand-alone mode, the SIM needs to be provisioned with a public static IP to allow incoming traffic.
- Pros:
  - Isolation: Keeps the device separate from your internal networks, reducing the risk of compromise.
  - Flexibility: Can be deployed anywhere with cellular coverage.
- Cons:
  - Cellular data costs: Ongoing expenses for data usage.
  - The SIM card subscription service must be managed.
  - Public static IP SIM cards can be more difficult to obtain and configure.
Choosing the right connection option
The best approach depends on the specific IoT device, its purpose, and your security requirements.
- Security-critical devices: Prioritize isolation and minimal external exposure.
- Devices requiring remote access: Carefully configure firewalls and implement strong security measures.
- Devices in remote locations: Consider cellular connectivity for flexibility.
Remember to always prioritize security best practices, such as strong passwords, encryption, and regular firmware updates, regardless of the connection method chosen. Contact us at support@gps-mapping.com for help with additional network architecture considerations.