Cloud Infrastructure Security
The Application Server resides in the Talkative internal network, and the only non-internal network components with which it communicates directly are the Media Broker and the Web Server. Agents can only communicate with the Application Server via the reverse proxy in the Web Server, which manages the security context into the network. Agents who do not have the correct session token will not be able to connect to the Application Server.
The Application Server communicates with the Media Broker using the Control Protocol, meaning that the Media Broker does not need to establish a connection into the Application Server.
The Web Server is deployed in the DMZ and acts as a reverse proxy to components in the internal network, hiding their topology, as well as an HTTP server serving the administrator's console.
The Media Broker sits in the DMZ and provides edge server functionality between the external network and the internal network. The Media Broker will only allow authenticated traffic from a known Agent, with a route through the Media Broker pre-allocated by the Application Server. This traffic is authenticated using the SSRC, of which only the Agent Application and Media Broker have a record.
The Media Broker segregates its traffic so that communication with the external network is performed on a different network interface from the Proxy Control Protocol and the RTP interface with the internal network. This restricts access to the internal-facing network interfaces to just those servers in the internal network and ensures that no external traffic can attempt to reach any other network port. Additionally, the Media Broker uses RTP multiplexing and SSRC identifiers so that only a single port is required on the external firewall to forward all RTP traffic to the Media Broker. Only RTP packets that conform to the limits set for packet size and throughput rate are allowed into the Media Broker.
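The admission logic described above (a single multiplexed external port, SSRC lookup against routes pre-allocated by the Application Server, and packet-size and rate limits), as an added illustrative example that is not Talkative's own code; the limit values, the `MediaBrokerFilter` class and the fixed-window rate check are assumptions chosen for the demonstration.

```python
import struct
from dataclasses import dataclass

RTP_HEADER_LEN = 12          # fixed RTP header: V/P/X/CC, M/PT, seq, timestamp, SSRC
MAX_PACKET_BYTES = 1200      # hypothetical size limit (not a Talkative value)
MAX_PACKETS_PER_SEC = 100    # hypothetical throughput limit (not a Talkative value)


@dataclass
class Route:
    """A route the Application Server pre-allocated for one Agent's SSRC."""
    ssrc: int
    internal_dest: str       # internal-facing interface / server the media is forwarded to
    window_start: float = 0.0
    count: int = 0


class MediaBrokerFilter:
    """Ingress filter for the broker's single external RTP port (hypothetical)."""

    def __init__(self, max_bytes=MAX_PACKET_BYTES, max_pps=MAX_PACKETS_PER_SEC):
        self.routes = {}         # ssrc -> Route; populated via the Control Protocol
        self.max_bytes = max_bytes
        self.max_pps = max_pps

    def allocate_route(self, ssrc, internal_dest):
        self.routes[ssrc] = Route(ssrc, internal_dest)

    def release_route(self, ssrc):
        self.routes.pop(ssrc, None)

    def admit(self, packet: bytes, now: float):
        """Return (internal destination, reason); destination None means dropped."""
        if len(packet) > self.max_bytes:
            return None, "oversize"
        if len(packet) < RTP_HEADER_LEN:
            return None, "truncated"
        if packet[0] >> 6 != 2:             # RTP version must be 2
            return None, "bad-version"
        ssrc = struct.unpack("!I", packet[8:12])[0]   # SSRC is bytes 8..11 of the header
        route = self.routes.get(ssrc)
        if route is None:                   # no pre-allocated route: not a known Agent
            return None, "unknown-ssrc"
        if now - route.window_start >= 1.0: # simple fixed one-second window per route
            route.window_start, route.count = now, 0
        route.count += 1
        if route.count > self.max_pps:
            return None, "rate-exceeded"
        return route.internal_dest, "ok"    # demultiplexed by SSRC, forwarded inward


def make_rtp(ssrc, seq=0, ts=0, payload=b"", pt=111):
    """Build a minimal RTP v2 packet (no padding, extension or CSRCs); constructed test input."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload
```

Note that the SSRC sits in the cleartext RTP header even under SRTP, so this check gates routing and admission; confidentiality and integrity of the media itself come from SRTP.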
Talkative secures the media stream between the Agent and the Media Broker using SRTP. The WebRTC specification mandates that this media stream is secure.