- A TechNote on Wireless and Mobility
- Lisa Phifer, President
- Core Competence, Inc.
For over a year, Apple has been nudging iPhone and iPad users into the cloud -Apple's iCloud. By October 2012, 190 million users had joined iCloud, uploading over 125 million documents. By comparison, Facebook took five years to reach 200 million users. And the "iCrowd" continues to grow, fueled by holiday iPad Mini, iPhone 5, and other Apple BYOD purchases.
Apple gives each iCloud user 5 GB in which to freely store documents, photos, videos, books, contacts, calendars, email, and more, with an option to purchase another 10-50 GBs. With this much data being synchronized across mobile broadband WWANs and enterprise WLANs every day, network administrators are seeking ways to throttle iCloud traffic.
Pushing iEverything into the cloud
iCloud is a public cloud storage platform used by Apple to offer numerous services to registered users and devices, including:
- iTunes in the Cloud: synchronizes iTunes-purchased media, apps, and books to every other device associated with a user's iTunes account;
- Photo Stream: auto-shares photos taken by iPhones and iPads with every other device associated with a user's iCloud account;
- Documents in the Cloud: keeps iWork Keynote slides, Pages documents, and Numbers spreadsheets - along with Notes and Reminders - synchronized across a user's iCloud-registered devices;
- Backup: auto-archives iOS devices to enable one-button restoration by backing up device settings, app data, home screen layout, text messages, voicemails, ringtones, camera roll, and iTunes-purchased media onto iCloud;
- iCloud Mail, Contacts, Calendars, Safari, Passbook: synchronizes these items associated with a user's iCloud.com mailbox to all other registered devices, including those running OS X Mail or Microsoft Outlook 2007/2010; and
- Find My iPhone, iPad, iPod, or Mac: lets users remotely request actions on their own iDevices, including lock, map or wipe, display a message, or play a sound.
Apple is aggressively expanding iCloud services, so the kinds and amounts of data exchanged by iCloud services will no doubt continue to grow. Furthermore, iOS and Mac OS X application developers can now use iCloud storage APIs to sync app-specific documents, key values, and core data with the iCloud.
Where does iEverything go?
Under the covers, the iCloud isn't limited to content distribution network servers in Apple's 17.0.0.0/8 block, but also cloud servers from Amazon EC2 and Microsoft Azure. This dynamic distributed platform prevents using IP filters to throttle iCloud traffic. Even if you identified IPs used by iCloud in one location at one time, addresses would differ later elsewhere, and blocking traffic to selected IPs could impact far more than iCloud.
Most iCloud sessions ride over TCP ports 80 or 443, except for iCloud mail (that uses SMTP, POP, and IMAP ports) and iCloud photo stream, contacts, calendars, and bookmarks (that use APNS port 5223). All use SSL to protect data in transit. As a result, you can't throttle iCloud by applying simple TCP port filters or clear-text app data filters.
Some network admins have reportedly used DNS to resolve icloud.com to a private IP they can block. But there's a better way to control iCloud traffic, along with similar traffic generated by Google Drive, DropBox, and other cloud storage services: use "application aware" firewalls to fingerprint and apply policies to iCloud traffic and individual iCloud services.
Applying App-Aware Firewalls to iCloud
Many next-generation firewall vendors can classify traffic by matching application signatures (aka fingerprints) to streams passing through an app-aware inspection engine - including SSL-encrypted traffic. For example, Palo Alto Networks and Check Point next-gen firewalls can detect and apply different policies to iCloud mail traffic and all other iCloud traffic.
Such firewalls can be applied to iCloud traffic entering an enterprise network, but that leaves iCloud generating wireless traffic that will ultimately discarded. Fortunately, several WLAN vendors have integrated app-aware firewall polices into their controllers, including Aruba, Meraki, and Xirrus. For example, Xirrus Application Control can be used by a Xirrus Array to fingerprint more than 900 apps in 15 categories, applying policies to individual apps or app categories to block, prioritize, or otherwise limit their use. Throttling iCloud traffic at the wireless edge (preferably inside each AP) can be an effective way to prevent waste and control the flow of bandwidth-sapping apps like iCloud.
Controlling iCloud everywhere
Firewall policies, applied at the wired or wireless network edge, can manage on-site enterprise resource utilization. This may be top of mind for network administrators, but it still will not fully address iCloud concerns.
Specifically, some employers wish to prevent any corporate data from being stored on consumer clouds - no matter where an iDevice might roam. This can be partially accomplished using Apple iOS configuration profiles and MDM APIs to restrict iCloud use.
Users can manually configure iDevices to enroll in iCloud, enable iCloud Backup, and turn iCloud on for Mail, Contacts, Calendars, Reminders, Safari, Notes, Passbook, Photo Stream, Documents and Data, and Find My iDevice. Users worried about cellular bandwidth can disable Document and Data sync over cellular. Once data is backed up, users can disable selected app backups.
Administrators don't have this granularity but can still use profiles to enable/disable iCloud Backup, Document sync, App Setting sync, and Photo Stream (entirely or just sharing with other users). These settings can be applied remotely to iDevices enrolled in MDM - for example, turning iCloud Backup off on IT-issued iPads.
Ultimately, the right answer for your workforce and network may be a combination of device settings and network bandwidth limits. Seek opportunities to craft solutions capable of throttling not just iCloud, but other consumer cloud storage services as well.
