Phase 2 Sprint 2.1 - Message Queue Isolation
Threat Model
- Asset: accepted telemetry events in transit between gateway and downstream processing.
- Adversary: malformed event sender, queue poisoner, replay/burst actor.
- Trust boundary: telemetry gateway to internal queue transport.
Attack Vectors Considered
- Public exposure of queue endpoint.
- Malformed payloads bypassing controls and entering processing stream.
- Message tampering during handoff to downstream consumers.
Mitigations Implemented
- Introduced internal NATS queue service on private network only.
- Gateway publishes accepted telemetry to dedicated ingest subject.
- Malformed payloads are routed to DLQ subject with error metadata.
- Every queued message includes SHA-256 integrity hash over canonical payload.
- Gateway fails closed when queue publish cannot be completed.
Residual Risk
- Consumer-side integrity verification is not yet enforced in this sprint.
- NATS ACL hardening is pending in later infrastructure hardening phases.
Future Improvements
- Enforce consumer-side hash verification and reject hash mismatches.
- Add per-subject retention and poison message quarantine workflows.
- Add NATS account-level authz and mTLS between gateway and queue.