Solved

Possible to restrict WiFi so only one app (apple or google) can run?

Posted on 2013-12-11
669 Views
Last Modified: 2013-12-13
Hello Experts - I'm trying to determine if it's possible to set up a wireless LAN so that only one app from the Google and Apple app stores will run.  The goal is to set up a wireless network for our customers to use that will let them download and run our app but nothing else.  Possible?  If so, how would it be accomplished?
Question by:First Last
6 Comments
 
LVL 14

Expert Comment

by:Giovanni Heward
I recommend you become familiar with the Open Systems Interconnection (OSI) model (ISO/IEC 7498-1).  Wireless technology is primarily addressed in Layer 1 (Physical) and Layer 2 (Data Link).

OSI Model (Relevant to WiFi)
The restrictions you're requesting reside in Layer 7 (Application) of the ISO model.  This means that you cannot address it at lower layers.  In other words, you'd need to develop/utilize a Layer 7 application which essentially acts as a software firewall/policy enforcement program, restricting communication/execution based on the executable name and/or download location.

The Windows Firewall, for example, has the capability to restrict network communication based on the executable name.  It's conceivable you could develop a stronger "application authentication" mechanism, based on SHA256 hash or digital signature, etc. of the preapproved application(s).  This is known as a "white list".

Additionally, consider placing a Layer 7 application proxy between your WiFi access point and the Internet.  This application proxy could restrict URIs (only direct access to the app in the relevant stores permitted, etc.)

It would be an undertaking, though definitely possible.  Bear in mind if it's too restrictive it could be considered malware.

All that being said, if this is for Android/Apple devices, you may not have access to lock these devices down in this manner, without them being rooted, etc.
0
 
LVL 1

Author Comment

by:First Last
Thank you for the detailed explanation!  Unfortunately this will be for the general public to use and obviously I won't have access to their devices ahead of time.  I'm curious about the "Layer 7 proxy" device and how that might work.  I called both Google and Apple this morning; both companies said what I want to do isn't possible because the App and Play stores both use the same IP/ports for all apps.  How could a firewall distinguish between the different apps in order to allow one but block another?  Also, can you recommend a specific proxy?  I'm not too familiar with the offerings in that category.  Thanks again for the info!
0
 
LVL 14

Accepted Solution

by:
Giovanni Heward earned 500 total points
What Apple and Google told you was correct in terms of a typical Layer 2 or Layer 3 firewall.  Generally, whenever IT refers to a "firewall" they are referencing this type of firewall.  A typical firewall operating on these layers only has access to restrict ports, protocols, IP addresses, etc., as it has no visibility into the higher layers.

Now an application (Layer 7) proxy/firewall can achieve what you're intending, and definitely would be the way to go in your scenario.

A free proxy worth considering is Squid with the squidGuard plug-in.

Blocking URLs
In order to block a single URL, enter this URL in the urls file in the category in question:
    example.com/some/path/to/page.html

Blocking access below a certain path
Sometimes you want to block everything located beneath a certain path in the URL but leave anything else open for access. Let's assume that your users shall not access documents beneath http://www.example.com/foo/bar like http://www.example.com/foo/bar/test.html. In this case your entry to the urls file will look like:
    example.com/foo/bar/

Ref: http://www.squidguard.org/Doc/aboutblocking.html

In your situation you'll reverse the process.  That is to say, you'll block everything and only permit specific URLs or paths.  This is white listing as opposed to black listing.

There is another layer of complexity to consider, and that would be HTTPS communication to approved locations.  This requires configuring SSL Bump.  This allows Squid to create a secure connection between itself and connected mobile devices, and a separate secure connection to the app store(s) on the user's behalf.

This is considered a "man-in-the-middle attack" from a network security point of view, as any credentials, personal identifying information, and financial details transmitted back and forth between the app store(s) and the end user devices could easily be intercepted and logged by the proxy.  Another caveat here is the certificate presented to the mobile device will be inherently untrusted.  So the mobile user would need to confirm the security exception, before being able to browse to authorized locations.

At the end of the day, it's completely possible to achieve your intended result without touching the mobile device.  You may want to customize your "access denied" page to redirect to a landing page you host, which allows the customer to go to one store or the other.  This page could auto-detect the mobile user-agent and redirect automatically based on the mobile device used as well.
0
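The white-list logic described in the accepted solution (deny everything, permit only listed hosts/paths, and send denied requests to a landing page that picks a store from the User-Agent), as an added example that is not code from this thread, from Squid or from squidGuard. It models the decision a squidGuard urls-file entry expresses (host plus optional path prefix) in plain Python so the behaviour can be checked offline; the store hosts, app paths, landing host and user-agent strings below are constructed placeholders, and the module is a standalone model of the rule, not a drop-in Squid helper.

```python
"""Added example: default-deny URL white-list with squidGuard-style entries,
plus the User-Agent based landing-page chooser from the answer above."""
from urllib.parse import urlsplit

# Constructed allow-list (placeholder app listings, not real ones). Each
# entry has the shape of a squidGuard urls-file line: host, then optionally
# a path prefix. Reversing squidGuard's block-list use, anything NOT covered
# by one of these entries is denied.
ALLOW_LIST = [
    "itunes.apple.com/us/app/example-app/idPLACEHOLDER",
    "play.google.com/store/apps/details?id=com.example.app",
    "landing.example.internal/",          # our own "access denied" page
]

# Where a denied request is sent, chosen per device type (placeholders).
STORE_LANDING = {
    "ios": "https://itunes.apple.com/us/app/example-app/idPLACEHOLDER",
    "android": "https://play.google.com/store/apps/details?id=com.example.app",
}
LANDING_PAGE = "http://landing.example.internal/"


def _split_entry(entry):
    """'host/path/prefix' -> ('host', '/path/prefix'); 'host/' -> ('host', '/')."""
    host, _, rest = entry.partition("/")
    return host.lower(), "/" + rest


def _host_matches(host, entry_host):
    # An entry for example.com also covers sub.example.com (as a domain
    # entry would in squidGuard) but never notexample.com.
    return host == entry_host or host.endswith("." + entry_host)


def is_allowed(url, allow_list=ALLOW_LIST):
    """True only if some allow-list entry covers this URL (white-list)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    for entry in allow_list:
        entry_host, entry_path = _split_entry(entry)
        if not _host_matches(host, entry_host):
            continue
        # Edge case: a plain prefix match on '?id=com.example.app' would
        # also admit '?id=com.example.appx', so entries that pin a query
        # string must match exactly; path-only entries stay prefix matches.
        if "?" in entry_path:
            if target == entry_path:
                return True
        elif target.startswith(entry_path):
            return True
    return False


def store_url_for(user_agent):
    """Pick the store link for the 'access denied' page from the User-Agent;
    anything unrecognised gets the generic landing page."""
    ua = user_agent.lower()
    if "android" in ua:
        return STORE_LANDING["android"]
    if "iphone" in ua or "ipad" in ua or "ipod" in ua:
        return STORE_LANDING["ios"]
    return LANDING_PAGE


def decide(url, user_agent=""):
    """Decision for one request: None = pass through, else redirect URL."""
    if is_allowed(url):
        return None
    return store_url_for(user_agent)


def redirect_targets_allowed():
    """Sanity check: every redirect target must itself be white-listed,
    otherwise a denied client would loop between proxy and landing page."""
    targets = list(STORE_LANDING.values()) + [LANDING_PAGE]
    return all(is_allowed(t) for t in targets)


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    samples = [
        ("https://itunes.apple.com/us/app/example-app/idPLACEHOLDER?mt=8",
         "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X)"),
        ("http://www.example.com/foo/bar/test.html",
         "Mozilla/5.0 (Linux; Android 4.4; Nexus 5)"),
        ("http://www.example.com/", "curl/7.30"),
    ]
    for url, ua in samples:
        print(url, "->", decide(url, ua) or "allow")
    print("redirect targets white-listed:", redirect_targets_allowed())
```

The exact-match rule for entries carrying a query string is the part worth copying into whatever proxy rule language you end up using: a path prefix is the right semantics for "everything beneath /foo/bar/", but an app listing identified by `?id=` needs an exact comparison or a neighbouring listing with a longer id slips through. The loop check at the end catches the common misconfiguration where the landing page itself is not on the allow-list.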
 
LVL 1

Author Comment

by:First Last
It's taking me some time to absorb all this and I wanted to thank you again for such an excellent post.  I'll go through this in detail and see if it's something I can handle.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
In which City/State is the store located?  Do you have an implementation budget?  :-)
0
 
LVL 1

Author Comment

by:First Last
No budget unfortunately, doing it on the cheap!  :)
0
