Hi Salvador,
It is very important to be sure that you are running such functionality in a secure environment. Even if your environment is not secure enough, remember that the streaming URI is valid for only 24 hours and you can easily delete access; you just need to delete a channel with the GC API.
You can easily update your streaming URI every hour, by creating a new channel and deleting the old one, to avoid all chances.
IP restriction can be implemented for your own environment with secure access to the application, for example based on Azure AD, in my opinion the best one.
In the case of Noralogix, we do development according to Azure security recommendations.
Some basic recommendations:
Enable all Azure infrastructure security settings.
Authenticate through Azure Active Directory.
Data encryption on top of Azure Storage.
Protect keys inside Azure Key Vault with auto-renewal.
We implemented Noralogix GCEvents on top of GC Notifications based on Azure AD security and native integration with other Azure Services like Azure Functions, Azure LogicApps, Azure EventHub, PowerBI.
If you want more information, you are welcome to contact me by email.
------------------------------
Taras Buha
taras@noralogix.com
www.noralogix.com
------------------------------
Original Message:
Sent: 05-19-2021 02:28
From: Salvador Leon Carmona
Subject: Websocket security
Hi Taras,
First of all, thank you for your response.
I'm not saying that we can create channels without security; I explained myself wrong. I say that once you have created the channel, you can use this channel from any PC and network without any authentication or IP restriction.
I think that although the string that identifies the channel is complex, I don't know if someone can obtain access by applying, for example, brute-force methods, or you just get the URI "by chance", or the URI is filtered by some employee.
These are the reasons why I ask myself those questions.
Thank you again in advance.
Regards.
Salvador León
salvador.leon@euigs.com
------------------------------
Salvador Leon Carmona
AIS SA - L'Olivier Assurance
Original Message:
Sent: 05-18-2021 06:14
From: Taras Buha
Subject: Websocket security
Hi,
First of all, you can't create a channel and use the API "/api/v2/notifications/channels" without security.
GC uses a connection wss://streaming.mypurecloud.ie/channels/streaming-
WSS is secure, so it prevents things like man-in-the-middle attacks. A secure transport prevents many attacks from the start.
We use it a lot in our own development, and some of it is already shared with the community: https://www.nuget.org/packages/Genesys.Client.Notifications/
Also, we bring GC Notifications to Azure:
https://www.youtube.com/watch?v=jLQsH4AeKIo
https://www.youtube.com/watch?v=bIQxOQ7PRtg
------------------------------
Taras Buha
taras@noralogix.com
www.noralogix.com
Original Message:
Sent: 05-18-2021 03:47
From: Salvador Leon Carmona
Subject: Websocket security
Hi,
I have a doubt regarding the security of the websockets that we can create with the API "/api/v2/notifications/channels".
When you create a channel, you can open the websocket from whatever PC / network without any security.
Is this normal behavior? Can we not control who accesses the websocket (IP, user, etc)?
Regards.
Salvador León
#Ask Me Anything (AMA)
#ArchitectureandDesign
------------------------------
Salvador Leon Carmona
AIS SA - L'Olivier Assurance
------------------------------