Fight Industrial Data Security Breaks with Secure Enterprise MQTT Broker

Fight Industrial Data Security Breaks with Secure Enterprise MQTT Broker

We all know that our world is more connected. Billions of intelligent tools and machines are generating enormous amounts of data, which creates enormous potential for businesses and other organizations to optimize their operations and achieve efficiency. As IoT devices continue to evolve, every newly connected product is vulnerable to hackers, and security turns into a significant concern. Fighting the industrial data security breaks is a 100% mandate to protect critical data in any place it dwells. Bevywise MQTTRoute provides an option to enable encrypted data transmission for better MQTT data security. It works with all standard SSL / TLS certificates and runs with a self-signed certificate. This article provides complete guidance on securing the delicate data that you transfer over the Enterprise MQTT Broker.

MQTT Broker Security Fundamentals

With regards to security in Enterprise MQTT Broker, there are some fundamental concepts to take into account they are identity, authentication, authorization, and encryption. In this tutorial, we take a gander at how you can confine access to a broker, and protect your data using different security systems.

Identity

Every client has a unique Client ID. The Enterprise MQTT broker indicates that the client must report the client ID when requesting a connection. When the broker receives a connect command from the client, it determines whether to allow the client to connect only if the received message contains a legitimate client ID, user name, and password. The client can use UUID, mac address of the network device, or other unique client information as the client ID.

Authentication With X.509

This is the safest method for client authentication. In addition to authentication with username and password, the MQTT broker allows a device to authenticate with an X.509 certificate. This certificate provides authentication at the transport level. X.509 uses a public key infrastructure to verify that a public key belongs to a client. In the X.509, a certificate authority is introduced to verify the identity of a client. During the handshake process, the client presents the broker with its certificate, which contains information such as identity and public key. Then the broker relays this certificate to the certificate authority for verification. After verifying the client certificate, the broker ensures it is genuine or not and gain trust in the binding with the client name and public key.

Client Authentication

There are three ways to verify the identity of the MQTT client on Bevywise MQTT broker : the Client IDs, Usernames and Passwords, and the Client Certificates.

Client ids

All MQTT clients must provide a client id. When a client subscribes to a topic the client id links the topic to the client and the TCP connection. With constant connections, the broker remembers client IDs and subscribed topics. When configuring the MQTT client you need to relegate the Name / ID to the client. However the Bevywise MQTT Broker allows you to impose client id prefix restrictions on the client name, and this provides some basic client security. You will find this setting in the security settings section of the broker.conf file.

########### prefix for Random Clientid Generation ###########
[MQTT]
CLIENTID_PREFIX = Bevywise-

Username and Password

An Enterprise MQTT broker can request a valid username and password from a client before allowing a connection. The username and password combination is transmitted in plain text and is not secure without some form of transport encryption. However, it does provide an easy way of restricting access to a broker and is probably the most common form of identification used. The username used for authentication can also be used in restricting access to topics. On the Bevywise MQTT broker, you need to configure settings for this to work. Again you will find these settings in the security section of the broker.conf file. The devices can connect using MQTT Username / Password or you can connect it without the username and password. You have to change NO to YES if you are planning to use Authentication.

################ Device Authentication #################
[AUTHENTICATION]
AUTHENTICATION_ENABLED = YES
# YES || NO

To create the passwords you will need to use the utility that comes with the broker. You can add the Username and passwords on the UI under the Security tab for secure client connections.

Authorization

Authorization is managing the clients’ rights. The most common types of authorization used are Role-Based Access Controls (RBAC) and Access Control List (ACL). RBAC provides a level of abstraction between the client and the main resources. It facilitates the administration of security in a large organization. This allows the broker to authorize the clients published or subscribed topic. ACL associates certain clients with a list of permissions that includes who can access the resources and which operations are allowed. ACL provides policies on what topics a client can subscribe / publish. Using ACL or RBAC, the broker implements topic permissions to restrict a client from publish / subscribe to unauthorized topics. Each topic permission allows the broker to specify authorization for clients and limit them to subscribe and publish messages. If a client attempts to perform an unauthorized operation, the broker can perform actions such as disconnect the client by preventing it from publishing data to other clients.

Authorization with Access Tokens

Another approach to providing authorization is a token authorization. Token authorization permits a client to request the scope or privileges that the client has. To connect to the broker with an access token, the client must use the password field to send the access token with the connect message. The client must be given an access token before requesting a connection. There are a variety of token services available. The most commonly used are OAuth and OAuth 2.0.

OAuth

It is a token-based authentication that is used to provide SSO and permits information to be utilized by third party services. It likewise requires an identity provider for authenticating clients’ access.

OAuth 2.0

It authorizes third-party applications to access the client account and authenticates the client by following the authorization code flow.

Securing Data

There are numerous possibilities to hack the data transfer between Clients and Broker. To protect the contents of your MQTT messages, you can use TLS or SSL Security and Payload encryption. Enterprise MQTT Broker eliminates “Man in Middle attack” by enabling data transfer through TLS port.

TLS / SSL Security

TLS / SSL security is a more commonly known security used on the web. This security is part of the TCP / IP protocol. TLS provides a secure communication channel between the client and the server. TLS certificate is provided for both server and client, and those certificates will be verified and authenticated by Certificate Authority before connection. The broker will connect only if the Certificate and host IP match.

Communication between clients and the server must be ensured by enabling TLS mode and setting passwords for the connection. You can use a single password for all clients or individual passwords for each client. Open conf/ folder on broker.conf and update TLS_ENABLED to TRUE . All other values can be changed if necessary. Using a non-regular port number for Broker and a secure web socket will further enhance security against DDOS.

#########MQTT BROKER CONFIG#######
[CONFIG]
PORT_NO = 8883
WS_PORT_NO = 10443
TLS_ENABLED = TRUE
# TLS_PORT must be 88xx.
TLS_PORT_NO = 8883
WSS_PORT_NO = 11443

Payload Encryption

This is done at the application level and not by the broker. You can encrypt data without configuring the broker. It likewise implies that data is eventually encrypted and not just between the broker and the client. However, this type of encryption doesn’t protect passwords on the connection itself. Because it doesn’t involve any broker configuration or support this is likely to be a very popular method of protecting data.

WILL and Retained message

Last WILL, will help the subscribers to know when the publishing device has gone down or got disconnected from the broker. Retain tag tells the broker to keep the last published message for the new subscribers to know the last published messages while connecting for the first time. Besides, the Enterprise MQTT Broker provides both these messages as needed for the realtime.

DataBase Storage

The broker will store the data into the database for further analysis and decision making. The default DB supported is SQLite. But the DB Configuration can be modified to make it work with MySQL or any other Big Data engine. Please refer to the help document to set up MySQL, its dependency packages, and other big data engines.

Intuitive User Interface

Through a web-based primitive User Interface broker, you can view the active devices and recent activities of different devices. It also helps to view the activities and messages sent from and to specific devices.

mqtt-dashboard

Get your free version of MQTT Broker now for secure data transfer.

download now

The product page and the help documentation will provide more information on configuring and running the Broker securely. For more queries, feel free to contact us at [email protected].

Effective use of MQTT Last WILL Messages

Effective use of MQTT Last WILL Messages

Every IoT network is a collaborative working of edge devices. All devices should work in unison to make the environment conducive for the humans. This article helps you make the best use of the MQTT Last WILL Messages.

Last Will is a way of peer to peer monitoring between MQTT clients that operate in a more understanding way. Before we go into the real time use cases, it is better to understand the spec better.

What is the MQTT Last WILL ?

Last Will is a message stored in the MQTT broker specific to particular clients. The Last Will message is a normal MQTT Message that has a will topic, will message , QoS and retain flag. These messages will be sent to the clients who have subscribed to those WILL topics by the broker when the particular client disconnects ungracefully.

The Last WILL Message should be sent to the broker when the clients connect to the broker via the Connect packet.

A more detailed explanation of how you have to send the connect packet is available here.

When it will be published ?

The WILL Messages will be published by the broker to all the interested subscribers when the particular client gets disconnected from the broker ungracefully. When the client disconnects using a proper disconnect message, the WILL will not be published. The client needs to notify the interesting parties on going down by publishing proper message by itself.

Putting it to use

All mission critical devices needs a back up. Let us take an example of a Database server in an online application. It is one of the core component that needs to run always for the complete service to be useful.

These applications will have masters , slaves and standby servers which needs to be deployed when any of the servers fails. The master server should add a WILL on Connection. The slave will be subscribing to the particular WILL. The WILL should be configured specific to each cluster of the master slave. In this scenario, the broker should be configured to publish the WILL for the graceful as well as ungraceful disconnection of the Master. When the master disconnects, the slave receives the master unavailable message and the necessary scripts can be triggered for the slave to become the master. The standby servers will  become slave and now will subscribe to the WILL of the new master.

This is one scenario of automated take over. Such scenarios exist in all industries like Medical, all kind of Manufacturing industries. We can also use the WILL Message triggers for monitoring the devices and their uptime from a central server.

You can avoid a lot of unwanted monitoring messages to each devices by making the right use of MQTT Last WILL Messages.