So we’re trying to use the Mimosa Cloud to monitor a bunch of our devices. Since our devices are on the “public” internet, we basically whitelist the access to them on the edges of our network (we have several egress points so managing the ACL list is difficult).
It appears that Mimosa is using AWS as their cloud provider “without” using Elastic-IPs for their VPCs. What does this mean? It means that every time they spin up a new gateway or release new software, the gateway IPs change. This plays hell with our Cisco ACL lists as it is impossible to filter on a DNS name…
For instance, As of 21SEP2017 our ACL list looked like:
! Allow Mimosa monitoring point(s)
! (as of 21 SEPT 2017)
! ;; ANSWER SECTION:
! connect-all.mimosacloud. co. 9 IN A 18.104.22.168
! connect-all.mimosacloud. co. 9 IN A 22.214.171.124
! connect-all.mimosacloud. co. 9 IN A 126.96.36.199
! connect-all.mimosacloud. co. 9 IN A 188.8.131.52
! connect-all.mimosacloud. co. 9 IN A 184.108.40.206
! connect-all.mimosacloud. co. 9 IN A 220.127.116.11
remark Access to the connect-all.mimosacloud. co system (hack)
permit ip host 18.104.22.168 any
permit ip host 22.214.171.124 any
permit ip host 126.96.36.199 any
permit ip host 188.8.131.52 any
permit ip host 184.108.40.206 any
permit ip host 220.127.116.11 any
Here we are only a week later and 2 out of the 6 addresses have already changed. Actually looking this morning its now 3 out 6 have changed. And its playing hell with our monitoring as it keeps saying things are down when in fact they aren’t, just that Mimosa has been checking with a new unplublished IP again.
I’ve dealt with dozens of cloud services and this is the first time I’ve found one in the ISP business that seems to go out of their way to not work well with larger ISPs. If you’re running a simple service or one that you don’t care that the entire internet is constantly scanning your network (and you trust the security of an embedded linux device) then this model is probably ok for you. But our radios are probed at least 3-5 times a minute and based on experience with other vendors, my radio network is the last thing I want exposed.
Any suggestions to mitigate this? Build a proxy communications network? Something else? This direct access bit won’t scale at all if the IPs constantly change (I already have 5 exit point ACLs to update and my access counters zero out every time I have to update the list… These are normally static lists for months if not years, not weekly as is the case now)
P.S. The “names” look weird above because the forum software things that they are “links” and refuses to post this as is. Talk about fighting the software…