Security strategy for on-premise scenarios?

We are thinking of using MQTT as our standard protocol for communication between our devices. But some of our scenarios are internal, i.e., we don’t want the MQTT broker to be exposed publicly on the Internet. At the same time we want a secure solution for our customers, with authn/authz and encryption. Our customers are within process industry, and a typical scenario would include 5-50 PC-based clients. What would be a good security strategy for such use cases? It seems that TLS is for Internet and cloud-based solutions. We have those use cases as well, but we are not sure how to solve security on-premise.

Hi @stormbringer,

Welcome to the HiveMQ Community Forums! Awesome to see that you are looking to implement MQTT as the standard communication protocol for your devices.

You are already naming the most important factors for security here yourself: Encryption, Authentication and Authorization.
For AuthN & AuthZ HiveMQ offers you the possibility to utilise the Extension SDK for implementing custom solutions.
There are also pre-built solutions available:

  • The HiveMQ File RBAC Extension - An OpenSource Extension that implements Authentication and Authorization based on Username/Password and credentials stored in an XML file on the broker
  • The HiveMQ Enterprise Security Extension - A commercial solution that integrates with a number of external systems (LDAP, OAuth 2.0, SQL Databases) to provide a centralised credential and permission management solution.

When it comes to encryption I would personally recommend using TLS for purely on-prem solutions as well.
A use case like that of course lends itself very well to the use of self-signed certificates.
The HiveMQ User Guide provides a HowTo on creating and using self-signed certificates with HiveMQ.

Let me know if you have any follow up questions.

Florian from the HiveMQ Team.
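As an added illustration of the TLS-on-prem recommendation above (this is an example config, not from the answer or the HiveMQ docs), here is a HiveMQ `config.xml` listener section that replaces the plain-TCP listener with a TLS listener backed by a self-signed certificate in a JKS keystore; keystore paths, passwords and the bind address are placeholders you would substitute. It also goes slightly beyond the answer by restricting protocol versions and cipher suites, which is an assumed hardening choice rather than something the answer prescribes.

```xml
<?xml version="1.0"?>
<hivemq xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="config.xsd">
    <listeners>
        <!-- Weak default for an on-prem broker: plaintext MQTT on all interfaces.
             Credentials from the File RBAC extension would cross the plant network
             unencrypted. Remove this listener or bind it to 127.0.0.1 only. -->
        <!--
        <tcp-listener>
            <port>1883</port>
            <bind-address>0.0.0.0</bind-address>
        </tcp-listener>
        -->

        <!-- Hardened: TLS listener using the self-signed server certificate that
             the HiveMQ User Guide HowTo walks you through creating. -->
        <tls-tcp-listener>
            <port>8883</port>
            <!-- Placeholder: bind to the plant-network interface, not a public one. -->
            <bind-address>192.0.2.10</bind-address>
            <tls>
                <keystore>
                    <!-- Placeholder path/passwords; the keystore holds the
                         self-signed server certificate and its private key. -->
                    <path>/opt/hivemq/conf/broker-keystore.jks</path>
                    <password>CHANGE_ME_KEYSTORE</password>
                    <private-key-password>CHANGE_ME_KEY</private-key-password>
                </keystore>
                <!-- No client certificates required here: AuthN/AuthZ is handled
                     by the File RBAC or Enterprise Security Extension. -->
                <client-authentication-mode>NONE</client-authentication-mode>
                <!-- Assumed hardening: only modern TLS versions and AEAD suites. -->
                <protocols>
                    <protocol>TLSv1.3</protocol>
                    <protocol>TLSv1.2</protocol>
                </protocols>
                <cipher-suites>
                    <cipher-suite>TLS_AES_256_GCM_SHA384</cipher-suite>
                    <cipher-suite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</cipher-suite>
                </cipher-suites>
            </tls>
        </tls-tcp-listener>
    </listeners>
</hivemq>
```

Each PC client then needs the self-signed certificate (or the internal CA that issued it) in its trust store so it can verify the broker, which is what makes the self-signed approach workable on a closed network.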

Ok, many thanks for your tips. We will start experimenting and learn as we go. Thanks for now.