Security considerations

TLS

IMPACT Data Collector supports TLS for transport-layer security, used predominantly for encryption, and it is recommended that TLS be enabled. TLS is not used for mutual authentication.

Note: For Release 21, TLS versions supported by IMPACT are tlsv1 and tlsv1.2.
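Because TLS here protects the channel but does not authenticate the device, the one thing the device side must get right is verifying the broker's certificate and refusing the older protocol version. The following client-side setup is an added example using only the Python standard library; it is not IMPACT's or any vendor's code. It assumes the broker listens on the conventional MQTT-over-TLS port 8883 (not stated on the page) and that the deployment can accept a TLS 1.2 minimum; the page lists tlsv1 as supported too, so pinning the client to 1.2 is a hardening choice rather than a requirement.

```python
"""Client-side TLS setup for an MQTT-over-TLS connection (added example; not
IMPACT's or any vendor's code).

Assumptions: the broker listens on the conventional MQTT-over-TLS port 8883,
and a TLS 1.2 minimum is acceptable for the deployment (the page lists tlsv1
as supported as well; pinning the client to 1.2 is a hardening choice)."""
from __future__ import annotations

import socket
import ssl

MQTT_TLS_PORT = 8883  # conventional port; an assumption, not taken from the page


def make_tls_context(ca_file: str | None = None) -> ssl.SSLContext:
    """Build a context that encrypts and verifies the broker's certificate.

    TLS here is one-way: the device verifies the server, the server does not
    verify the device (that is what the token or credentials are for), so
    server verification must stay switched on.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse tlsv1 and tlsv1.1
    ctx.check_hostname = True                      # hostname must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED            # unverifiable cert -> abort
    return ctx


def negotiated_version_ok(version: str | None) -> bool:
    """Post-handshake check on SSLSocket.version(); True only for TLS 1.2 or 1.3."""
    return version in ("TLSv1.2", "TLSv1.3")


def open_mqtt_tls_socket(host: str, ca_file: str | None = None,
                         port: int = MQTT_TLS_PORT,
                         timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a verified TLS connection to the broker; the caller then speaks MQTT over it."""
    ctx = make_tls_context(ca_file)
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not negotiated_version_ok(tls.version()):
        tls.close()
        raise ssl.SSLError(f"unexpected TLS version {tls.version()}")
    return tls


if __name__ == "__main__":
    # No network is touched here; open_mqtt_tls_socket() needs a real broker hostname.
    ctx = make_tls_context()
    print("minimum TLS version:", ctx.minimum_version.name)
```

The context from `make_tls_context()` can be handed to any MQTT client library that accepts an `ssl.SSLContext`; the `negotiated_version_ok()` check is the belt-and-braces confirmation that the minimum version actually held after the handshake.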

Token

The use of token-based authentication is a major aspect of MQTT for IMPACT. The token is a string and is included in the MQTT topic names for all communication with IMPACT.

The token is created by IMPACT using APIs on a per device basis. This token is then used to authenticate the device when it connects.

Network based authentication

As an alternative to token-based authentication, it is possible for the 3GPP cellular network to authenticate the MQTT device. This uses the cellular subscription to determine whether the device is allowed to connect and which Enterprise the Device connects to. It relies on the cellular subscription, as identified by MSISDN or External Identifier, having been inserted into IMPACT before the device connects.

To ensure that the device remains secure, the MQTT session only uses cellular access. Even if alternatives such as Wireless LAN are available, they are not used for MQTT traffic.

Encryption is provided by the cellular network. Some networks are more secure than others; for example, 4G and 5G are more secure than 2G and 3G. Because of this, the device may want to decide whether the Radio Access Type is suitable for the type of data it is sending.

The device may also want to consider what type of network it is using. For example, it may not want to allow roaming, as this is less secure and may incur additional costs.

MQTT username and password based authentication

It is also possible to use an MQTT username and password for authentication. This is conceptually the simplest mode of authentication, since only the username and password need to be entered in the Device. For this to work, the username needs to be unique.

MQTT router broker security

The following are the key features of broker security:

  • Supports switching MQTT wildcard subscriptions on or off.
  • Topic and device authorization support with ${token}.
  • A subscriber cannot subscribe to # directly.
  • RabbitMQ credentials are not shared with the vendor for devices to connect.
  • A secret generated via the API acts as the password for connecting to the broker.
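The token section above says the per-device token is embedded in the MQTT topic names, and the broker rules above say authorization is keyed on ${token}, that # cannot be subscribed to directly, and that wildcards can be switched off. The following broker-side authorization check is an added example that models those rules together; it is not IMPACT's broker code and not RabbitMQ's MQTT plugin. It assumes the device's token appears as one level of every topic the device may use (the page does not give the exact topic layout), so the sample tokens and topics are constructed.

```python
"""Broker-side topic authorization modelled on the rules listed above (added
example; not IMPACT's broker code and not RabbitMQ's MQTT plugin).

Assumption: a device's token, as issued by IMPACT, appears as one level of
every topic that device may publish to or subscribe on. The exact topic
layout is not given on the page, so the sample topics below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample tokens; the real token is an opaque string issued by IMPACT.
DEVICE_TOKEN = "tok-7f3a9c"
OTHER_TOKEN = "tok-1b2c3d"


@dataclass(frozen=True)
class BrokerPolicy:
    wildcards_enabled: bool = False  # the "MQTT wildcard on or off" feature


def split_topic(topic: str) -> list[str]:
    """Split a topic or topic filter into its levels, rejecting empty input."""
    if not topic or "\x00" in topic:
        raise ValueError("empty or malformed topic")
    return topic.split("/")


def _wildcards_well_formed(levels: list[str]) -> bool:
    """'+' and '#' must occupy a whole level, and '#' may only be the last level."""
    for i, lvl in enumerate(levels):
        if lvl in ("+", "#"):
            if lvl == "#" and i != len(levels) - 1:
                return False
        elif "+" in lvl or "#" in lvl:
            return False
    return True


def authorize_subscribe(token: str, topic_filter: str, policy: BrokerPolicy) -> bool:
    """Decide whether a device holding `token` may subscribe to `topic_filter`."""
    if topic_filter == "#":
        return False  # rule: nobody subscribes to '#' directly
    levels = split_topic(topic_filter)
    if not _wildcards_well_formed(levels):
        return False
    if any(lvl in ("+", "#") for lvl in levels) and not policy.wildcards_enabled:
        return False  # rule: wildcard feature switched off
    # Rule: ${token} authorization. The token must be a literal level, so a
    # wildcard can never stand in for it and reach other devices' topics.
    return token in levels


def authorize_publish(token: str, topic: str) -> bool:
    """Decide whether a device holding `token` may publish to `topic`."""
    levels = split_topic(topic)
    if any("+" in lvl or "#" in lvl for lvl in levels):
        return False  # wildcards are never valid in a publish topic
    return token in levels


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Standard MQTT filter matching; shows what a granted subscription reaches."""
    f, t = split_topic(topic_filter), split_topic(topic)
    for i, lvl in enumerate(f):
        if lvl == "#":
            return True
        if i >= len(t) or (lvl != "+" and lvl != t[i]):
            return False
    return len(f) == len(t)


if __name__ == "__main__":
    policy = BrokerPolicy(wildcards_enabled=True)
    for flt in ("#", f"{DEVICE_TOKEN}/#", "+/cmd/reboot", f"{OTHER_TOKEN}/cmd"):
        print(f"subscribe {flt!r}: {authorize_subscribe(DEVICE_TOKEN, flt, policy)}")
```

The point of requiring the token as a literal level, rather than merely somewhere in the string, is that a filter such as `+/cmd/reboot` would otherwise let one device listen on every device's command topic; with the wildcard feature off, even `tok-7f3a9c/cmd/+` is refused and the device must name each topic it needs.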