Solved

Possible to restrict WiFi so only one app (apple or google) can run?

Posted on 2013-12-11
Last Modified: 2013-12-13
Hello Experts - I'm trying to determine if it's possible to set up a wireless LAN so that only one app from the Google and Apple app stores will run.  The goal is to set up a wireless network for our customers to use that will let them download and run our app but nothing else.  Possible?  If so, how would it be accomplished?
Question by:First Last
6 Comments
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39713091
I recommend you become familiar with the Open Systems Interconnection (OSI) model (ISO/IEC 7498-1).  Wireless technology is primarily addressed in Layer 1 (Physical) and Layer 2 (Data Link).

OSI Model (Relevant to WiFi)
The restrictions you're requesting reside in Layer 7 (Application) of the ISO model.  This means that you cannot address it at lower layers.  In other words, you'd need to develop/utilize a Layer 7 application which essentially acts as a software firewall/policy enforcement program, restricting communication/execution based on the executable name and/or download location.

The Windows Firewall, for example, has the capability to restrict network communication based on the executable name.  It's conceivable you could develop a stronger "application authentication" mechanism, based on SHA256 hash or digital signature, etc. of the preapproved application(s).  This is known as a "white list".

Additionally, consider placing a Layer 7 application proxy between your WiFi access point and the Internet.  This application proxy could restrict URIs (only direct access to the app in the relevant stores permitted, etc.)

It would be an undertaking, though definitely possible.  Bear in mind if it's too restrictive it could be considered malware.

All that being said, if this is for Android/Apple devices, you may not have access to lock these devices down in this manner, without them being rooted, etc.
 
LVL 1

Author Comment

by:First Last
ID: 39714065
Thank you for the detailed explanation!  Unfortunately this will be for the general public to use and obviously I won't have access to their devices ahead of time.  I'm curious about the "Layer 7 proxy" device and how that might work.  I called both Google and Apple this morning; both companies said what I want to do isn't possible because the App and Play stores both use the same IP/ports for all apps.  How could a firewall distinguish between the different apps in order to allow one but block another?  Also, can you recommend a specific proxy?  I'm not too familiar with the offerings in that category.  Thanks again for the info!
 
LVL 15

Accepted Solution

by: Giovanni Heward (earned 2000 total points)
ID: 39714270
What Apple and Google told you was correct in terms of a typical Layer 2 or Layer 3 firewall.  Generally, whenever IT refers to a "firewall" they are referencing this type of firewall.  A typical firewall operating on these layers only has access to restrict ports, protocols, IP addresses, etc., as it has no visibility into the higher layers.

Now an application (Layer 7) proxy/firewall can achieve what you're intending, and definitely would be the way to go in your scenario.

A free proxy worth considering is Squid with the squidGuard plug-in.

Blocking urls
In order to block a single url enter this url in the urls file in the category in question:
    example.com/some/path/to/page.html

Blocking access below a certain path
Sometimes you want to block everything located beneath a certain path in the URL but leave anything else open for access. Let's assume that your users shall not access documents beneath http://www.example.com/foo/bar like http://www.example.com/foo/bar/test.html. In this case your entry to the urls file will look like:
    example.com/foo/bar/

Ref: http://www.squidguard.org/Doc/aboutblocking.html

In your situation you'll reverse the process.  That is to say, you'll block everything and only permit specific URLs or paths.  This is white listing as opposed to black listing.

There is another layer of complexity to consider, and that would be HTTPS communication to approved locations.  This requires configuring SSL Bump.  This allows Squid to create a secure connection between itself and connected mobile devices, and a separate secure connection to the app store(s) on the user's behalf.

This is considered a "man-in-the-middle attack" from a network security point of view, as any credentials, personal identifying information, and financial details transmitted back and forth between the app store(s) and the end user devices could easily be intercepted and logged by the proxy.  Another caveat here is the certificate presented to the mobile device will be inherently untrusted.  So the mobile user would need to confirm the security exception, before being able to browse to authorized locations.

At the end of the day, it's completely possible to achieve your intended result without touching the mobile device.  You may want to customize your "access denied" page to redirect to a landing page you host, which allows the customer to go to one store or the other.  This page could auto-detect the mobile user-agent and redirect automatically based on the mobile device used as well.
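As an added example (not from the thread and not squidGuard's own code), here is a small Python model of the allow-list decision the accepted answer describes: block everything by default, permit only listed hosts or host/path entries using the urls-file conventions quoted above, and show why an HTTPS request that has not been SSL-bumped can only ever be matched on its host name. The hosts, paths and landing page are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allow-list (hypothetical hosts, paths and landing page).
# Entries use the squidGuard conventions quoted in the accepted answer:
#   domains file : "host"            matches the host and its subdomains
#   urls file    : "host/dir/"       matches everything beneath that directory
#                  "host/page?x=y"   matches only that exact URL
ALLOWED_DOMAINS = ["apps.apple.com"]
ALLOWED_URLS = [
    "play.google.com/store/apps/details?id=com.example.ourapp",
    "cdn.ourapp.example/downloads/",
]
DENIED_PAGE = "http://landing.ourapp.example/denied"


def host_matches(host, entry_host):
    """Domain-list semantics: the entry matches itself and any subdomain."""
    return host == entry_host or host.endswith("." + entry_host)


def url_matches(host, path_qs, entry):
    """URL-list semantics: trailing '/' means prefix match, else exact match."""
    entry_host, _, entry_rest = entry.partition("/")
    entry_rest = "/" + entry_rest
    if not host_matches(host, entry_host):
        return False
    if entry_rest.endswith("/"):
        return path_qs.startswith(entry_rest)
    return path_qs == entry_rest


def decide(method, target):
    """Default-deny verdict for one request as the proxy actually sees it.
    HTTP, or HTTPS after SSL Bump, arrives as a full URL; HTTPS without SSL Bump
    arrives only as 'CONNECT host:443', so only a domain entry can permit it."""
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0].lower()
        if any(host_matches(host, d) for d in ALLOWED_DOMAINS):
            return ("allow", "domain entry")
        return ("deny", "path not visible without SSL Bump")
    parts = urlsplit(target)
    host = parts.hostname or ""
    path_qs = parts.path or "/"
    if parts.query:
        path_qs += "?" + parts.query
    if any(host_matches(host, d) for d in ALLOWED_DOMAINS):
        return ("allow", "domain entry")
    if any(url_matches(host, path_qs, u) for u in ALLOWED_URLS):
        return ("allow", "url entry")
    return ("deny", "not allow-listed; redirect to " + DENIED_PAGE)
```

The CONNECT branch is the practical reason the answer raises SSL Bump: without it, a path-qualified Play Store entry can never match, so the choice is between bumping TLS and allowing the whole store host.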
 
LVL 1

Author Comment

by:First Last
ID: 39714969
It's taking me some time to absorb all this and I wanted to thank you again for such an excellent post.  I'll go through this in detail and see if it's something I can handle.
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39715501
In which City/State is the store located?  Do you have an implementation budget?  :-)
 
LVL 1

Author Comment

by:First Last
ID: 39716635
No budget unfortunately, doing it on the cheap!  :)