I am working on a university project where I am supposed to find out how to approach the following topic. I am not actually programming something, it is only a matter of working out a concept.
A company has set up sensor stations to send data to a server via an LTE connection. The server uses MongoDB. Due to the fact that most LTE connections provide dynamic IP adresses these stations never have the same IP adress.
This means that only the sensor station can access the server, but the server cannot access the sensor station - which is fine.
The stations must be able to down- and upload data, so I came across the option the set the IP binding to 0.0.0.0
I think this is the only option since the IP adresses randomly change.
The question now is what security measures are necessary to prevent unauthorized users from accessing the server.
The sensor stations have a computer build in that runs Windows, same as the server.
This is only a small side task of the project and therefore there is not so much time to deal with the topic intensively. When the system runs later, then of course more time is invested there.
Internet security is definitely not my speciality and this is only about getting a rough overview on what we will have to deal with later.
Security is always a tricky subject. To help you, you might find the Security Checklist useful for this.
Note that even with this, systems can still be compromised in other ways that may or may not be due to the database (vulnerable OS, or vulnerable processes that run in the server, for example), so the checklist is a starting point instead of the only thing you should care about. Limiting the network exposure of the server is a big first line of defense, so opening it up to 0.0.0.0 should be done only as a last resort (in my opinion).
Instead of opening the server up to 0.0.0.0, you might also want to investigate other potential solutions, such as:
Use a REST API server fronting the database server. This would allow you to: 1) not open the database to 0.0.0.0 but only to the API server’s IP, and 2) limit what clients using the API can do via code. Of course you must also harden the API server. If you’re using Java, Restheart is one example of such a server.
Use Atlas, where you can create custom HTTPS endpoints that does basically the same job as an API server. Of course this would require you to store your data in Atlas, which may or may not be feasible for your use case. Having said that, Atlas is setup to be secure by default, so you’ll have less worry in that sense.