Securing MQTT Traffic with Cloud Internet Services

Basic Architecture
Architecture with CIS
CIS Structure

CIS Configuration

  1. Deploy the CIS instance by using the IBM Cloud console or API.
  • Click on Add Domain, if setting up the first domain in the CIS, or
  • On the upper right corner click on the three dots to pop up the options (a) new domain and (b) delete, if a domain is already configured.
  • Type: Nameserver
  • Host domain (this is the name of the domain, for example, example.com)
  • Points to: ns004.name.cloud.ibm.com
  • TTL ½ hour
  1. Active: Indicates that the domain is set up correctly and CIS is configured successfully.
  2. Inactive: Indicates that CIS could not be successfully configured for the domain.
Origin pools
Origin pool details
Origin pool with health check
Health check
  1. Message Gateway Admin UI — This was only to test the CIS setup and is not needed for the actual use-case testing
Global Load Balancers
MQTT GLB
NodeRED GLB
Message Gateway UI GLB

OpenShift Configuration

Updated routes
Expanded Route

CIS Security

  1. Configuring proxies
  2. Configuring WAF ruleset sensitivity and response behaviour
  3. Adding rate limiting
  4. Adding firewall rules
  1. Go to Reliability tab on the left side menu.
  2. Go to Global load balancers tab on the top-center.
  3. Move the slider switch of each load balancer to enable the proxy for it.
Enabling GLB proxies
  1. Go to Security on the left side menu.
  2. Go to WAF tab on the top.
  3. Move the slider switch under Web Application Firewall to enable WAF for the domain.
  4. Select CIS Ruleset tab.
  5. You may enable one or more applicable groups by moving each slider to the right, which configures the rule in the ‘default mode’.
  6. Default mode leaves each individual ruleset in its CIS pre-set mode.
  7. You may change the mode by clicking on a mode, which allows you to choose one of the five modes.
CIS WAF Rulesets
  1. Select OWASP Ruleset tab.
  2. You may enable one or more groups by moving each slider to the right, which configures all individual rules under the group name.
  3. You can expand the group name to view and configure individual rulesets if you do not want to enable all individual rules of a group.
  4. Finally, configure ‘sensitivity’ and ‘action’ to enable the OWASP ruleset.
  5. Select from 4 sensitivity options and 3 actions to configure the OWASP WAF.
OWASP Ruleset
  1. IP Access Rules — Recommended for blocking multiple IP addresses, /16 or /24 IP ranges, or Autonomous System Numbers (ASNs).
  2. Firewall Rules — Recommended for blocking a country, any valid IP range, or more complex attack patterns.
  1. Navigate to Security then Firewall Rules.
  2. Click Create Firewall Rule.
  3. Enter a rule name and optional description.
  4. Optionally, input a priority, if necessary. If the priority is zero, the rule is evaluated last.
Firewall configuration
Edge Functions
Edge Function Trigger
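The post does not show the body of its Edge Function, so the following is an added example (not the author's code) of how a CIS Edge Function, which uses the Cloudflare Workers fetch-handler model, could restrict an MQTT route to genuine MQTT-over-WebSocket handshakes. The route path `/mqtt` and the policy itself are assumptions; the `mqtt` subprotocol name is the one the MQTT specification registers for WebSocket transport.

```javascript
// Added example, not from the original post. Assumed policy: on the /mqtt route
// only WebSocket upgrade requests offering the "mqtt" subprotocol may reach the
// origin pool; any other request to that path is rejected at the edge.
const MQTT_PATH = "/mqtt";          // assumed OpenShift route path
const ALLOWED_SUBPROTOCOL = "mqtt"; // subprotocol registered for MQTT over WebSocket

// Pure decision function so the policy can be unit-tested outside the edge runtime.
// `headers` is a plain object keyed by lower-case header name.
function mqttRouteDecision(method, path, headers) {
  if (path !== MQTT_PATH) {
    return { allow: true, reason: "not the MQTT route, pass through" };
  }
  if (method !== "GET") {
    return { allow: false, reason: "WebSocket handshakes are GET only" };
  }
  const upgrade = (headers["upgrade"] || "").toLowerCase();
  if (upgrade !== "websocket") {
    return { allow: false, reason: "plain HTTP on the MQTT route" };
  }
  // Sec-WebSocket-Protocol may carry a comma-separated list of offered subprotocols.
  const offered = (headers["sec-websocket-protocol"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (!offered.includes(ALLOWED_SUBPROTOCOL)) {
    return { allow: false, reason: "WebSocket without the mqtt subprotocol" };
  }
  return { allow: true, reason: "mqtt over websocket" };
}

// Adapter from the Workers Request object to the pure function above.
function decisionForRequest(request) {
  const headers = {};
  for (const [name, value] of request.headers) headers[name.toLowerCase()] = value;
  return mqttRouteDecision(request.method, new URL(request.url).pathname, headers);
}

async function handleRequest(request) {
  const decision = decisionForRequest(request);
  if (!decision.allow) {
    // Rejected at the edge: the origin behind the GLB never sees the request.
    return new Response("Forbidden: " + decision.reason, { status: 403 });
  }
  return fetch(request); // forward to the origin pool as normal
}

// Register the handler only where the edge runtime provides the fetch event.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

Requests to other paths are passed through untouched, so the WAF and rate-limiting rules configured above still apply to the web UI and NodeRED routes.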
  1. Navigate to overview.
  2. Locate service modes.
  3. Enable defence mode by moving the corresponding slider to the right.
  4. Click Confirm in the pop-up to enable defence mode.

Testing

Load generated direct to message gateway

  1. Subscribe to a topic
  2. Publish message to the topic
  3. On receipt of message close connection
Test overview
Message Gateway WebUI

Load generated using web app in protected domain

Application Load Test
Message Gateway Load

Load generated using web app outside protected domain

Direct connection load test
Direct connection load

Conclusions

  1. It's hard to generate a DDoS attack against MQTT
  2. Edge Functions provide an approach for restricting access to MQTT “routes”
  3. “Out of the box” CIS provides a comprehensive web protection layer

I've worked for IBM all of my career and am an avid technologist who is keen to get his hands dirty. My role affords me this opportunity and I share what I can

Tony Hickman