Introduction: Multiple Protection Mechanisms to Ensure IoT Security

As the Internet of Things has grown worldwide, the network environment has become larger and more complex, and the security of IoT systems and services faces increasingly severe challenges. At the same time, the rapid expansion of enterprises' IoT business requires the underlying infrastructure services to be extremely stable and reliable.

As a leading IoT MQTT message server, EMQX offers a complete IoT security solution: out-of-the-box security functions, a design that meets industry and national security and quality standards, a carrier-grade architecture for enterprise security scenarios, and its own security technology, helping users build a safe and robust IoT platform and system.

This article introduces in detail the security mechanisms and functions of EMQX 5.0, to help users understand how EMQX ensures IoT security.

SSL/TLS ensures communication security

For message middleware, securing communication is the most basic and core issue. Plain TCP transmits data in cleartext, so the information cannot be protected and faces the following risks:

  • Eavesdropping: information is transmitted in cleartext, and an attacker can read sensitive data directly
  • Tampering: once an attacker sits in the channel, the communication content can be modified at will
  • Forgery: likewise, an attacker can mix forged data into genuine data, which is harder to notice
  • Impersonation: an attacker poses as one party to communicate with the other

SSL/TLS addresses these risks. It uses public-key (asymmetric) cryptography to authenticate the peer and agree on keys, and symmetric encryption to protect the data, so that messages travel as ciphertext and cannot be eavesdropped; message authentication codes or AEAD ciphers on every record detect tampering and forgery, and the certificate check during the handshake defeats impersonation.

EMQX provides comprehensive SSL/TLS support, including one-way and two-way (mutual) authentication, X.509 certificates, SSL termination at the load balancer, TLS-PSK and other authentication methods; users can choose the method that suits their scenario. With SSL/TLS, EMQX secures client connections, communication between cluster nodes, and integration with enterprise systems.

EMQX also supports encrypting transport with the Chinese national (SM) cryptographic algorithms. SM-based TLS provides strong security while keeping resource overhead low and throughput high. EMQ offers an integrated transport encryption and authentication scheme based on the SM algorithms, applicable to IoT systems in important fields such as connected vehicles, banking and finance, education, telecommunications and the defence industry. For details, see "Application of SM Cryptography in Internet of Vehicles Security Authentication Scenarios".

Introduction to SSL/TLS

Communication under TLS/SSL consists of two parts.

The first is the handshake protocol. Its purpose is to authenticate the peer and establish a secure channel: during the handshake the two parties negotiate the cipher suite and derive the session keys that protect everything that follows.

The second is the record protocol, which resembles other data transfer protocols in carrying a content type, version, length and payload; the difference is that the payload is encrypted and integrity-protected.

The following figure shows the TLS/SSL handshake, from the client's ClientHello to the Finished messages that complete it.

Self-signed certificate one-way authentication configuration

In the digital certificate system, besides the two communicating parties there is a trusted third party, the CA, that issues certificates. A publicly trusted certificate must be obtained from a certificate authority.

For internal communication, self-signed certificates can be used. In most scenarios one-way authentication, in which the client verifies the server's certificate and the server authenticates the client through MQTT credentials rather than a certificate, is secure enough and easier to deploy. The steps to configure one-way SSL/TLS with a self-signed certificate in EMQX 5.0 are as follows:

Certificate preparation

Prepare a private key for the self-signed CA certificate.

 openssl genrsa -out ca.key 2048

Use this private key to generate a CA certificate.

 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem

Once we have the CA certificate, we need a server certificate that authenticates the server's address or domain name. Prepare the server private key first.

 openssl genrsa -out emqx.key 2048

Then prepare an OpenSSL request configuration (saved as openssl.cnf) for generating the certificate signing request.

 [req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = EMQX
# Clients match the host they connect to against subjectAltName, not commonName
commonName = CA
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
# Every address or name clients will connect with must be listed here
IP.1 = 127.0.0.1
# e.g. DNS.1 = broker.example.com (hypothetical name) for a hostname-based deployment

Generate the certificate signing request.

 openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr

Finally, sign the server request with the CA certificate and private key generated earlier, applying the v3_req extensions so the SAN is copied into the issued certificate.

 openssl x509 -req -in ./emqx.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out emqx.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf

Configure EMQX

Copy the generated emqx.key, emqx.pem and ca.pem to EMQX's etc/certs directory, then modify the SSL listener configuration in emqx.conf as follows:

 listeners.ssl.default {
  bind = "0.0.0.0:8883"
  max_connections = 512000
  ssl_options {
    keyfile = "etc/certs/emqx.key"
    certfile = "etc/certs/emqx.pem"
    cacertfile = "etc/certs/ca.pem"
  }
}

Test with MQTT X CLI

Start EMQX, then use the MQTT X CLI to test the connection:

 # Connect using the address and port listed in the server certificate's SAN
mqttx-cli conn -l mqtts -h 127.0.0.1 -p 8883 --ca ca.pem
# Connected
# Connect using an address that the certificate does not cover
mqttx-cli conn -l mqtts -h 0.0.0.0 -p 8883 --ca ca.pem
# Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 0.0.0.0 is not in the cert's list: 127.0.0.1

In this demonstration the client verifies the server certificate against the CA certificate and also checks that the address it connected to is listed in the certificate's subjectAltName; only when the server certificate is valid and trusted do the two parties establish an encrypted channel. Note that with one-way authentication the server accepts any client that completes the handshake; the client's identity is established afterwards by MQTT authentication.
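The second half of that check, matching the dialled host against the certificate's SAN entries, is what produced the ERR_TLS_CERT_ALTNAME_INVALID error above. The following is an added example, not code from EMQX or MQTT X: a small hostname verifier in Python that applies the usual rules (exact DNS match, a wildcard only for the whole left-most label, IP literals compared as addresses). The SAN list ARTICLE_SAN is constructed to mirror the openssl.cnf above; the other SAN lists in the usage are made up for illustration.

```python
"""Hostname verification against a server certificate's subjectAltName.

Added example, not EMQX or MQTT X code. It reproduces the check a TLS client
performs after the chain validates: the host it dialled must be listed in
the certificate's SAN extension (DNS names, with RFC 6125 wildcard rules, or
IP addresses). SAN entries use the (type, value) shape Python's
ssl.getpeercert() returns. ARTICLE_SAN is constructed to mirror the
openssl.cnf above, which lists only IP.1 = 127.0.0.1.
"""
import ipaddress

# Constructed SAN list equivalent to the article's certificate.
ARTICLE_SAN = (("IP Address", "127.0.0.1"),)


def _dns_matches(pattern, host):
    """Case-insensitive DNS match; a wildcard may replace only the whole
    left-most label and needs at least two more labels (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(san_entries, host):
    """Return (ok, detail). The failure text follows the
    ERR_TLS_CERT_ALTNAME_INVALID message seen in the MQTT X CLI output."""
    try:
        ip = ipaddress.ip_address(host)  # host is an IP literal
    except ValueError:
        ip = None  # host is a DNS name
    for kind, value in san_entries:
        if kind == "DNS" and ip is None and _dns_matches(value, host):
            return True, f"matched DNS:{value}"
        if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
            return True, f"matched IP:{value}"
    listed = ", ".join(f"{k}: {v}" for k, v in san_entries) or "<no SAN>"
    return False, (f"Hostname/IP does not match certificate's altnames: "
                   f"{host} is not in the cert's list: {listed}")


if __name__ == "__main__":
    # Same three connection attempts a reader might make against the article's broker.
    for host in ("127.0.0.1", "0.0.0.0", "localhost"):
        print(host, "->", match_hostname(ARTICLE_SAN, host))
```

Run as written, the verifier accepts 127.0.0.1 and rejects both 0.0.0.0 and localhost: the certificate from the openssl.cnf above carries only an IP entry, so a client that connects with -h localhost fails the same way 0.0.0.0 does. An IP literal is never matched against a DNS entry, and commonName is not consulted at all, which is why the SAN list in openssl.cnf has to contain every address clients will use.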

If higher assurance is required, so that both client and server are trusted at the transport layer, use a reliable CA to issue certificates to both sides and enable mutual authentication (in the EMQX 5.0 listener's ssl_options this means verify = verify_peer together with fail_if_no_peer_cert = true). For details, see "Enable mutual SSL/TLS secure connections in EMQX".

Authentication and authorization

Communication security is only the first step in securing the whole system. In most cases a client that passes mutual TLS authentication is trusted at the transport layer but does not necessarily satisfy the conditions for logging in; and even a client that may log in often needs its behaviour restricted, for example to particular topics.

For these authentication and authorization needs, EMQX provides out-of-the-box solutions that are easy to use and deploy. In the newly released EMQX 5.0, client authentication and authorization are built in: through configuration alone, without writing code, users can connect to various data sources and authentication services and apply security policies at different levels and in different scenarios, gaining more security with less development effort.

For details, see "Flexible and Diverse Authentication and Authorization: Securing IoT with Zero Development Investment".

Overload protection

In EMQX 4.x, for the sake of system stability, when a session's load reaches a configured threshold EMQX force-closes that session. This function is retained and enhanced in version 5.0.

To adjust the forced shutdown policy, add the following to emqx.conf:

 force_shutdown {
  enable = true
  max_message_queue_len = 1000 # maximum length of the session process's message queue
  max_heap_size = "32MB" # maximum heap size of the session process
}

In addition, EMQX 5.0 introduces overload protection. When EMQX judges the system to be under high load, it backs off from some activities (see the configuration below) to preserve the overall reliability of the service.

Overload protection is disabled by default. To enable it, add the following to emqx.conf:

 overload_protection {
  enable = true
  backoff_delay = 10 # when overloaded, delay non-critical tasks by this interval
  backoff_gc = true # when overloaded, allow skipping forced GC
  backoff_hibernation = true # when overloaded, allow skipping process hibernation
  backoff_new_conn = true # when overloaded, stop accepting new connections
}

Rate limiting

EMQX 5.0 introduces a new hierarchical rate limiter with higher precision. It controls how fast resources are consumed at three levels: node, listener and connection, so that the system runs at the load the user expects.

Connection level

The connection-level limit applies to each single connection. To limit the inbound message rate of every session connected through port 1883 to 100 messages per second, modify the configuration of the 1883 listener in emqx.conf as follows:

 listeners.tcp.default {
  bind = "0.0.0.0:1883"
  max_connections = 1024000
  limiter.client.message_in {
    rate = "100/s"
    capacity = 100
  }
}

Listener level

The listener level limits the total rate of all sessions connected through a given port. For example, to cap the sum of inbound messages per second across all sessions on port 1883 at 100, modify the configuration as follows:

 listeners.tcp.default {
  bind = "0.0.0.0:1883"
  max_connections = 1024000
  limiter.message_in {
    rate = "100/s"
    capacity = 100
  }
}

Node level

The node level limits resource consumption on the current node. To cap inbound messages on this node at 100 per second, add the following to emqx.conf:

 limiter.message_in.rate = "100/s"

Note: because the node level has the widest scope, the current design is conservative: it affects only listeners that themselves have a rate limit configured. A listener without any rate-related settings is not affected by this configuration.
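To make the three levels concrete, here is an added example in Python, not EMQX's implementation: a token bucket per level, chained node, listener and connection, where an inbound message is admitted only if every configured bucket on its path has a token. The rate strings follow the "100/s" form used in the configuration above; the client ids and message bursts are constructed for the demonstration, and timestamps are passed in explicitly so the run is deterministic.

```python
"""Hierarchical token-bucket rate limiting, modelled on the EMQX 5.0
limiter configuration above.

Added example, not EMQX's implementation. One token bucket per level, with
the path node -> listener -> connection: an inbound message is admitted only
if every configured bucket on its path holds a token, and a token is then
consumed from each. `rate` uses the article's "100/s" string form and
`capacity` is the burst the bucket may absorb. Timestamps are passed in
explicitly so a run is deterministic.
"""

_UNITS = {"s": 1.0, "m": 60.0, "h": 3600.0}


def parse_rate(rate):
    """'100/s' -> 100.0 tokens/second; '100/10s' -> 10.0; '600/m' -> 10.0.
    (Assumption: only these forms are handled; EMQX also accepts others.)"""
    count, _, period = rate.partition("/")
    period = period or "s"
    multiplier = float(period[:-1] or "1")
    return int(count) / (multiplier * _UNITS[period[-1]])


class TokenBucket:
    def __init__(self, rate, capacity):
        self.rate = parse_rate(rate)
        self.capacity = capacity
        self.tokens = float(capacity)  # a bucket starts full
        self.last = 0.0

    def refill(self, now):
        """Add the tokens earned since the last call, never exceeding capacity."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        return self.tokens


class Limiter:
    """node: shared by everything on the node; listener: shared by all
    connections on one port; client: one bucket per connection id
    (the listener's `limiter.client.message_in` block)."""

    def __init__(self, node=None, listener=None, client=None):
        self.node = TokenBucket(**node) if node else None
        self.listener = TokenBucket(**listener) if listener else None
        self.client_cfg = client
        self.clients = {}

    def admit(self, client_id, now):
        buckets = []
        if self.client_cfg:
            buckets.append(self.clients.setdefault(client_id, TokenBucket(**self.client_cfg)))
        if self.listener:
            buckets.append(self.listener)
        if self.node:
            buckets.append(self.node)
        # Check every level first so a refused message consumes nothing anywhere.
        if all(b.refill(now) >= 1.0 for b in buckets):
            for b in buckets:
                b.tokens -= 1.0
            return True
        return False


def simulate(limiter, events):
    """events: iterable of (timestamp_seconds, client_id) for inbound
    messages; returns {client_id: admitted_count}."""
    admitted = {}
    for now, client_id in events:
        if limiter.admit(client_id, now):
            admitted[client_id] = admitted.get(client_id, 0) + 1
    return admitted


if __name__ == "__main__":
    # Constructed burst: 150 messages from each of two clients at t=0 under a
    # per-connection 100/s limit, then the same clients under a shared listener limit.
    per_conn = Limiter(client={"rate": "100/s", "capacity": 100})
    print(simulate(per_conn, [(0.0, "a")] * 150 + [(0.0, "b")] * 150))
    shared = Limiter(listener={"rate": "100/s", "capacity": 100})
    print(simulate(shared, [(0.0, "a")] * 80 + [(0.0, "b")] * 80))
```

The two runs show the difference the article describes: with limiter.client.message_in each connection gets its own 100-message burst, while with limiter.message_in on the listener the two clients share one budget and the second client is cut off once the first has spent most of it. Checking all levels before consuming any token is the detail worth copying; taking tokens level by level would let a message refused at the node level still drain the connection's bucket.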

Blacklist (banned clients)

In some cases, because of network or authentication problems, a client falls into a repeated "login-disconnect-reconnect" pattern. EMQX provides a simple defence against such abnormal logins (flapping detection): clients detected logging in too frequently within a short period are banned automatically and their logins are rejected for a period of time, so that they cannot consume excessive server resources and affect other clients.

This function is disabled by default. To enable it, add the following to emqx.conf:

 flapping_detect {
  enable = true
  # maximum number of disconnects within the window
  max_count = 15
  # detection time window
  window_time = "1m"
  # duration of the ban
  ban_time = "5m"
}
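To see what these three settings do together, here is an added example in Python, not EMQX's implementation: a detector that counts each client's disconnects inside a sliding window of window_time, bans the client for ban_time once max_count is reached, and rejects its connection attempts until the ban expires. It is replayed over a constructed connection log; the client ids sensor-7 and gw-1 and the timestamps are made up for the demonstration.

```python
"""Flapping detection replayed over a constructed connection log.

Added example, not EMQX's implementation. It reproduces the semantics of the
flapping_detect block above: each client's disconnects are counted inside a
sliding window of window_time; when the count reaches max_count the client is
banned for ban_time and its connection attempts are rejected until the ban
expires. The log below is constructed for the demonstration; the client ids
are made up.
"""
from collections import defaultdict, deque


def parse_duration(value):
    """'1m' -> 60, '5m' -> 300, '30s' -> 30 (assumption: s/m/h suffixes only)."""
    units = {"s": 1, "m": 60, "h": 3600}
    return int(value[:-1]) * units[value[-1]]


class FlappingDetector:
    def __init__(self, max_count=15, window_time="1m", ban_time="5m"):
        self.max_count = max_count
        self.window = parse_duration(window_time)
        self.ban = parse_duration(ban_time)
        self.disconnects = defaultdict(deque)  # client_id -> disconnect timestamps in window
        self.banned_until = {}                 # client_id -> ban expiry timestamp

    def is_banned(self, client_id, now):
        until = self.banned_until.get(client_id)
        if until is None:
            return False
        if now >= until:  # ban expired: lift it
            del self.banned_until[client_id]
            return False
        return True

    def on_connect(self, client_id, now):
        """The broker's decision for a connection attempt: True = accept."""
        return not self.is_banned(client_id, now)

    def on_disconnect(self, client_id, now):
        """Record a disconnect; returns True when it triggers a ban."""
        window = self.disconnects[client_id]
        window.append(now)
        while window and now - window[0] >= self.window:  # drop events outside the window
            window.popleft()
        if len(window) >= self.max_count:
            self.banned_until[client_id] = now + self.ban
            window.clear()
            return True
        return False


def replay(detector, events):
    """events: iterable of (timestamp, client_id, 'connect' | 'disconnect').
    Returns a summary with accepted/rejected counts and the bans issued."""
    summary = {"accepted": 0, "rejected": 0, "bans": []}
    for now, client_id, kind in events:
        if kind == "connect":
            summary["accepted" if detector.on_connect(client_id, now) else "rejected"] += 1
        elif detector.on_disconnect(client_id, now):
            summary["bans"].append((now, client_id))
    return summary


def constructed_log():
    """Constructed log: a flapping client reconnecting every 2 s for 40 s, a
    healthy gateway, and one attempt by the flapping client after its ban lapses."""
    events = []
    for i in range(20):
        events.append((2 * i, "sensor-7", "connect"))
        events.append((2 * i + 1, "sensor-7", "disconnect"))
    events.append((0, "gw-1", "connect"))
    events.append((400, "sensor-7", "connect"))
    return sorted(events)


if __name__ == "__main__":
    detector = FlappingDetector(max_count=15, window_time="1m", ban_time="5m")
    print(replay(detector, constructed_log()))
```

With the article's values, sensor-7 is banned at its 15th disconnect (t = 29 s), its next five connection attempts are rejected, the well-behaved gw-1 is never touched, and the attempt at t = 400 s is accepted again because the 5-minute ban has expired. Lowering max_count or lengthening window_time makes the detector more aggressive; the window is what keeps a client that reconnects slowly, but indefinitely, from ever being banned.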

Hot update and upgrade without downtime

Thanks to Erlang/OTP's native hot code loading and EMQX's carefully designed hot upgrade process, in most cases EMQX can be updated seamlessly and in real time, without downtime or service interruption, so that bugs can be fixed safely while the stability and reliability of the service are preserved.

Conclusion

This article has briefly introduced the basic security components EMQX uses to protect communication and system operation. These components are not only well designed but also have sufficient depth and extensibility, laying a solid foundation for users to build a reliable, trustworthy, secure and robust IoT system.

Going forward, EMQX will continue to focus on IoT security, starting from real application scenarios and continuously optimizing and enhancing its security components to provide a strong security guarantee for the development of the IoT ecosystem.

Copyright statement: This article is original work by EMQ; please indicate the source when reprinting.

Original link: https://www.emqx.com/zh/blog/how-to-ensure-the-security-of-the-iot-platform

