Skip to content

Communication Monitoring with Coreflux

Introduction

In the vast realm of IoT, communication is the foundation that ensures seamless interaction between devices. Coreflux's communication monitoring is designed to provide a secure, efficient, and reliable communication framework. This is achieved by integrating directly with the operating system of the device, allowing Coreflux to have a comprehensive view of all communications, irrespective of the underlying system.

Benefits

  • For Large Enterprises: With an extensive network of devices and connections, large enterprises can:
  • Monitor all UDP/TCP activities in real-time, ensuring that unauthorized behaviors are immediately detected and rectified.
  • Seamlessly integrate Coreflux as the backend solution for their platform, be it cloud, edge, or hybrid, ensuring a unified communication protocol.

  • For Small Businesses: The scale might be different, but the importance of secure communication is the same. With Coreflux, small businesses can:

  • Keep an eye on all communication activities, ensuring that data integrity is maintained at all times.
  • Use Coreflux as the backbone of their IoT solution, ensuring that as they grow, their communication infrastructure scales with them.

Technical Deep Dive

System Compatibility

Coreflux is designed to be versatile and can integrate with a variety of operating systems. Here's how Coreflux identifies the system it's running on:

  • Windows:

    • 64-bit: Win-x64
    • 32-bit: Win-x86
    • ARM64: Win-Arm64
  • Linux:

    • 64-bit: Linux-x64
    • ARM64: Linux-Arm64

Using this identification, Coreflux tailors its communication monitoring to the specificities of the system, ensuring optimal performance and security.

UDP/TCP Activity Monitoring

For each detected system, Coreflux provides detailed insights into both UDP and TCP activities:

  • Active Listeners:
  • UDP: $SYS/{DetectedOS}/Comms/UDP/Listeners
  • TCP: $SYS/{DetectedOS}/Comms/TCP/Listeners

These topics provide a full list of active listeners, ensuring you're aware of all communication endpoints.

  • New Listeners:
  • UDP: $SYS/{DetectedOS}/Comms/UDP/Listeners/New
  • TCP: $SYS/{DetectedOS}/Comms/TCP/Listeners/New

Any new listener is immediately reported, allowing for real-time monitoring and potential threat detection.

  • Active Connections:
  • TCP: $SYS/{DetectedOS}/Comms/TCP/ActiveConnections

This topic provides a real-time view of all active TCP connections, ensuring you're always aware of who's communicating with your data hub.

For instance, a sample JSON from $SYS/Linux-x64/Comms/TCP/ActiveConnections might look like:

[
  {
    "State": "Established",
    "LocalEndPoint": "172.17.0.6:1883",
    "RemoteEndPoint": "192.168.100.34:55464"
  },
  {
    "State": "Established",
    "LocalEndPoint": "172.17.0.6:1883",
    "RemoteEndPoint": "192.168.100.31:34444"
  },
  {
    "State": "Established",
    "LocalEndPoint": "172.17.0.6:1883",
    "RemoteEndPoint": "192.168.100.40:58753"
  }
]

From the above data, we can infer:

  • There are three active TCP connections.
  • All connections are in the "Established" state, indicating active and stable connections.
  • The local endpoint for all connections is 172.17.0.6:1883, which might be the central Coreflux server.
  • The remote endpoints are different devices or services communicating with the Coreflux server.

For listeners:

[
  {"Address":"0.0.0.0","Port":"1883"},
  {"Address":"::","Port":"1883"},
  {"Address":"::","Port":"80"}
]

From this data:

  • There are three active listeners.
  • Two listeners are set up for MQTT communication on port 1883, one for IPv4 (0.0.0.0) and another for IPv6 (::).
  • One listener is set up for HTTP communication on port 80 for IPv6.

Behavior Analysis

Behavior analysis in Coreflux is a proactive approach to identifying and addressing potential security and operational threats. By continuously monitoring communication patterns and comparing them against predefined rules or baselines, Coreflux can detect anomalies and take appropriate actions.

Integration

Coreflux's topics can be seamlessly integrated into your applications, systems, or solutions. This ensures that Coreflux not only monitors but also communicates with your entire IoT ecosystem, making it the backbone of your platform, whether it's cloud, edge, or hybrid.

Example: Detecting Unauthorized Connections

Let's consider a scenario where you have a set of known devices that are authorized to communicate with your Coreflux server. Any connection attempt from an unknown device or IP address can be considered suspicious.

  1. Setting a Baseline: First, you would establish a list of known and authorized IP addresses or device IDs. This list serves as your baseline.

  2. Monitoring Active Connections: Coreflux continuously monitors the $SYS/{DetectedOS}/Comms/TCP/ActiveConnections topic to track all active TCP connections.

    Sample data from the topic:
    ```json
    [
        {
        "State": "Established",
        "LocalEndPoint": "172.17.0.6:1883",
        "RemoteEndPoint": "192.168.100.34:55464"
        },
        {
        "State": "Established",
        "LocalEndPoint": "172.17.0.6:1883",
        "RemoteEndPoint": "192.168.100.31:34444"
        },
        {
        "State": "Established",
        "LocalEndPoint": "172.17.0.6:1883",
        "RemoteEndPoint": "192.168.100.40:58753"
        }
    ]
    ```
    
  3. Anomaly Detection:

    We would need to extract the RemoteEndPoint from the payload and then compare it against a list of authorized endpoints, which could be read from a file.

    Note: To implement this functionality, you would need to create a proper Action using the Language of Things (LOT). The specific implementation would involve defining an Action that subscribes to the topic, processes the data, and takes appropriate steps when unauthorized connections are detected.

  4. Taking Action:

    Once an anomaly is detected, Coreflux can help in several actions: - Alert: Notify system administrators about the unauthorized connection attempt. - Log: Record the unauthorized connection attempt for further analysis. - Block: If configured, Coreflux can block the IP address to prevent further communication attempts. - Trigger devices: Activate physical devices like sirens or warning lights.

    Note: The actual implementation would involve creating appropriate Actions in the Language of Things (LOT) that handle these responses. Please refer to the LOT Actions documentation for more information on implementing these capabilities.

  5. Review and Update:

    It's essential to periodically review the baseline list and the detected anomalies. This ensures that the system adapts to legitimate changes (like adding a new device) while staying vigilant against potential threats.

By implementing such behavior analysis, Coreflux ensures that only authorized devices can communicate with the system, enhancing the security and integrity of the entire IoT ecosystem.

Next Steps

Now that you understand how Coreflux monitors communications, you might want to explore:

  • Resource Management - Learn how Coreflux manages system resources and memory consumption
  • Logging Capabilities - Discover how Coreflux logs system activities and security events
  • LOT Actions - Implement automated responses to communication events using the Language of Things