AWS IoT Core Provides Solution to Keep Devices from Hitting Firewalls
- By Richard Seeley
Internet of Things (IoT) device-makers utilizing AWS IoT Core, Amazon's managed platform for IoT, have a new option to help avoid having communications blocked by corporate firewalls or home routers.
"Beginning today, you have more options to securely connect your devices to AWS IoT Core," according to a Feb. 7 Amazon announcement. "You can use MQTT (Message Queuing Telemetry Transport) with certificate based client authentication on port 443. Previously this combination of protocol and authentication mechanism was only supported on port 8883."
Port 8883? Port 443? What's the big deal?
It could be the difference between having your IoT device utilizing AWS IoT Core actively transmitting data, or being locked out in the Internet cold.
"Corporate firewalls and home routers often block inbound and outbound traffic on all ports except port 443 by default, which is the standard port for HTTPS (that is, Internet) traffic," the AWS announcement explained. "This is done as a security measure to limit the attack surface for possible cyber attacks. With this update, we enable you to deploy your IoT devices with minimal network and firewall changes, while still using certificate based authentication. This is especially beneficial for those who need to deploy devices into environments where they do not control the IT infrastructure."
Jared Sharfin explained the technical details in a post, MQTT with TLS client authentication on port 443: Why it is useful and how it works on The Internet of Things on AWS – Official Blog.
"TCP connections are typically associated with a combination of IP address and port number. This immediately raises the question of which port number to use to ensure that your application can communicate with other third party applications," according to the blog.
Problems arise because 8883 was the registered port for MQTT over TLS under the Internet Assigned Numbers Authority (IANA) mapping of Internet protocols. But 8883 is often blocked by IT departments and designers of consumer routers, according to AWS.
"If you are manufacturing IoT devices that will ultimately be used in IT environments that you do not control, this can cause serious headaches," Sharfin explained. "For example, if you manufacture medical devices that are sold to hospitals around the country, you do not want to have to negotiate separately with each hospital's IT department to open port 8883 in their firewall so that your devices can connect to your IoT application running on AWS IoT Core. It just so happens that there is a standard extension to the TLS protocol that can help with precisely this issue."
The blog points out that the solution comes through "Application Layer Protocol Negotiation (ALPN), an extension to TLS supported by many of the most common TLS implementations. This can be used to solve this problem of port 8883 roadblocks.
"ALPN enables clients connecting to a TLS server to pass an extra parameter, known as a ProtocolNameList, as part of the ClientHello message during the TLS handshake," Sharfin explained. "The ProtocolNameList is a preference ordered list of the application protocols that the client would like to use to communicate. As part of the ServerHello message, the TLS server selects one protocol from this list that will be used to transmit application data over the connection."
The blog provides details on how this handshake works and lists the following steps to use port 443 for the IoT devices communications:
Register your device with AWS IoT Core by creating, activating, and downloading a certificate or bring your own certificate.
Configure the ALPN extension on your device with the "x-amzn-mqtt-ca" protocol*.
Connect to AWS IoT Core on port 443.
- Ensure your device's TLS client implementation supports the ALPN extension.