
Securing your MongoDB Implementation

MongoDB #mongodbdays presentation on 2013-04-09 (in London) on how to secure your MongoDB Implementation.

Mark Hillick

April 09, 2013
Transcript

  1. Mark Hillick - @markofu – [email protected]
    Engineer, 10gen
    #mongodbdays
    Securing your MongoDB
    Implementation

  2. Agenda
    1.  Securing MongoDB 2.2
    2.  Securing MongoDB 2.4
    3.  Outside MongoDB
    4.  Documentation & Notifications
    5.  Conclusion
    6.  Futures
    7.  Questions
    Securing your MongoDB Implementation, Mark Hillick

  3. Securing MongoDB 2.2

  4. Securing MongoDB 2.2
    Authentication
    –  Simple user/password scheme stored in MongoDB
    Authori(s|z)ation
    –  Per database: no access, read, or read-write
    Auditing
    –  Very Little

  5. MongoDB SSL
    Keyfile establishes trust
    http://docs.mongodb.org/manual/administration/ssl/
    Diagram: Application <-- SSL encryption for client connection --> Primary <-- SSL encryption for inter-server traffic --> Secondary (each server with its own Data Files)

  6. Securing MongoDB 2.4

  7. Authentication

  8. Who?

  9. Authentication with password hash
    •  Use one-way function F
    Client -> mongod: I am “[email protected]”, let me in
    mongod -> Client: Prove it, here is a random # N
    Client -> mongod: Here is F(N, hash())
    mongod: Nobody else could know that, welcome back marko!
    mongod knows only my password hash
    Hash never transmitted over the network!

  10. External Authentication
    Use common / standardized authentication
    SASL: Simple Authentication and Security Layer
    –  Framework for building authentication
    Kerberos
    –  GSSAPI, drivers will be updated
    –  Mixed system.users can work during transition

  11. Authentication with Kerberos
    1. Client -> KDC (UDP:88): I am “[email protected]”, help me prove it to mongod
    2. KDC -> Client: Here is a TGT
    3. Client -> mongod (TCP:27017): Here is a Kerberos TGT
    4. Welcome, here is a Service Ticket!
    mongod holds a Keytab; the user is defined in system.users as:
    {
      user: "[email protected]",
      roles: ["readWrite"],
      userSource: "$external"
    }

  12. Starting the Database
    env KRB5_KTNAME=/etc/kserver1b.keytab \
      mongod --auth --setParameter authenticationMechanisms=GSSAPI \
      --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log \
      --replSet realm4 --keyFile /etc/keyfile

  13. Authenticating & Connecting
    # kinit mongouser
    ….
    # klist
    03/11/13 09:30:30 03/12/13 09:30:30
    # mongo mongodb.10gen.com/\$external --authenticationMechanism=GSSAPI -u [email protected]

  14. Authori(s|z)ation

  15. What?

  16. AUTHORI(S|Z)ATION
    •  Issues with 2.2
    –  Only read / readWrite
    –  Edge-case with possible privilege escalation
    •  2.4 introduces roles
    –  Admin level roles
    •  userAdmin
    •  clusterAdmin
    –  DB level roles
    •  userAdmin
    •  dbAdmin
    •  Read
    •  ReadWrite
    Corresponding Admin level roles for “AnyDatabase”

  17. ADMIN DB
    •  clusterAdmin
    •  AnyDatabase
    Source: https://wellsted135.files.wordpress.com/2012/10/special.gif

  18. Super-User
    userAdmin & userAdminAnyDatabase are the super-users
    Only these users can view details about other users
    – system.users collection

  19. DB Admin: userAdmin – I can do anything but I won’t be required to do much
    DB Admin: clusterAdmin – I can add and remove shards
    DB Accounts: userAdmin – I can create new users but I can’t grant them privileges to other DB’s
    DB App: userAdmin – I can grant privileges to the App DB only
    DB App: dbAdmin – I can create indices, set profiling, compact

  20. Admin DB
    •  userAdmin
    •  clusterAdmin
    Accounts DB (holds the password hashes)
    •  userAdmin
    App DB
    •  readWrite
    •  read
    Product DB
    •  userAdmin
    •  dbAdmin
    •  readWrite
    •  read

  21. In App.system.users :
    {
      user: "fred",
      userSource: "Accounts",
      roles: [ "userAdmin" ]
    }
    {
      user: "george",
      userSource: "Accounts",
      roles: [ "dbAdmin" ]
    }
    Each DB’s userAdmin gets to grant privileges separately
    Credentials come from the Accounts DB
    DB App: userAdmin – I can grant privileges to the App DB only
    DB App: dbAdmin – I can create indices, set profiling, compact
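Slides 19 to 21 as an added example (not from the deck and not MongoDB's own code): a small model of per-database roles with userSource, answering who may do what on which DB and where their password hash actually lives. The privilege table, the sample users and the `<hash>` placeholders are assumptions that follow the slides, not the complete 2.4 role definitions.

```javascript
// Added example: model of the MongoDB 2.4 per-database role layout on slides 19-21.
// Each database has its own system.users; an entry with `userSource` carries no
// password and defers to the named database (the "Accounts" pattern).
// PRIVILEGES is an assumption that follows the slides, not the full 2.4 role set.
const PRIVILEGES = {
  read:         ['find'],
  readWrite:    ['find', 'insert', 'update', 'remove'],
  dbAdmin:      ['createIndex', 'setProfilingLevel', 'compact'],
  userAdmin:    ['addUser', 'grantRole'],      // only on the DB the role is held on
  clusterAdmin: ['addShard', 'removeShard'],   // only meaningful on the admin DB
};
// "AnyDatabase" roles live in admin.system.users and apply to every other DB.
const ANY_DB = { userAdminAnyDatabase: 'userAdmin', readWriteAnyDatabase: 'readWrite' };

// Constructed sample of system.users per database ('<hash>' is a placeholder).
const systemUsers = {
  admin:    [{ user: 'root',   pwd: '<hash>', roles: ['userAdminAnyDatabase', 'clusterAdmin'] }],
  Accounts: [{ user: 'fred',   pwd: '<hash>', roles: ['userAdmin'] },
             { user: 'george', pwd: '<hash>', roles: [] }],
  App:      [{ user: 'fred',   userSource: 'Accounts', roles: ['userAdmin'] },
             { user: 'george', userSource: 'Accounts', roles: ['dbAdmin'] }],
  Product:  [{ user: 'george', userSource: 'Accounts', roles: ['readWrite'] }],
};

const rolesOf = (user, db) =>
  (systemUsers[db] || []).filter(u => u.user === user).flatMap(u => u.roles);

// Database whose system.users holds the password hash for `user` on `db`.
function credentialDb(user, db) {
  const entry = (systemUsers[db] || []).find(u => u.user === user);
  return entry ? (entry.userSource || db) : null;
}

// Actions `user` may run on `db`: roles held on db itself plus AnyDatabase roles
// granted on admin. A userAdmin on App gets nothing on Product, as slide 19 says.
function allowedActions(user, db) {
  const local = rolesOf(user, db).map(r => ANY_DB[r] || r);
  const inherited = db === 'admin' ? []
    : rolesOf(user, 'admin').filter(r => r in ANY_DB).map(r => ANY_DB[r]);
  return new Set([...local, ...inherited].flatMap(r => PRIVILEGES[r] || []));
}
const can = (user, db, action) => allowedActions(user, db).has(action);
```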

  22. Auditing

  23. Additional Logging
    Monitor user activity:
    –  userID added to standard output
    –  No separate audit log
    –  Much more coming in 2.6

  24. SSL

  25. Enhancements
    Client Cert Validation
    –  CRL
    –  CA
    –  Expiration
    –  Hostname
    FIPS

  26. Validation

  27. Validation
    Objcheck
    –  Helps prevent DoS
    –  Validates input
    –  SERVER-7769 (default)

  28. JS Engine

  29. JS Engine
    Move to V8
    –  Primarily performance reasons but some security benefits
    –  Restrictions on $where (SERVER-9124) & M/R/F
    –  SERVER-8104 & 2.4 Release Notes

  30. Outside MongoDB

  31. Outside MongoDB
    Firewalls
    –  iptables & netsh
    –  Ports, Addresses, Times, Throttle etc.
    F/S
    –  Encrypt (Gazzang) [HIPAA, PCI, SOX]
    Best Practices
    –  Internal Policies (Password Reuse, Scan etc.)

  32. MongoDB Partners with Gazzang
    •  File System Encryption
    •  5% performance hit with HDD, 10-15% with SSD
    Diagram: OS – Gazzang – File System (all contents encrypted), with keys held by Gazzang Key Mgmt

  33. Documentation & Notifications

  34. Documentation
    Manual
    –  http://docs.mongodb.org/manual/security/
    •  Security Features within MongoDB
    •  Best Practices & Strategies
    •  Tutorials
    •  Vulnerability Notifications

  35. Potential Security Issues
    How do YOU know?
    –  MongoDB Alerts
    How, What, Where?
    –  Vulnerability Notification
    –  Jira (HTTPS) & (Secure) Email

  36. Futures

  37. Disclaimer
    Statements about future releases, availability dates,
    and feature content reflect plans only, and 10gen is
    under no obligation to include, develop or make
    available, commercially or otherwise, specific
    features discussed in a future MongoDB build.
    Information is provided for general understanding
    only, and is subject to change at the sole discretion
    of 10gen in response to changing market
    conditions, delivery schedules, customer
    requirements, and/or other factors.

  38. Futures
    Auditing
    –  Logging to output userID associated with actions (SERVER-1891)
    Passwords
    –  Stronger Hashing (SERVER-2360)
    Authorization
    –  User Defined & More Granularity
    SSL
    –  Client & Security Improvements

  39. Conclusion

  40. Conclusion
    •  2.2 wasn’t great
    •  2.4 is much better & Enterprise-Level
    •  Authentication & Authori(s|z)ation
    •  Within & Outside

  41. Thanks
    •  Thanks to Mike Stimpson for the awesome pics :)
    http://imgur.com/a/0XvKw

  42. Engineer, 10gen – Star Wars Fan
    Mark Hillick - @markofu – [email protected]
    #mongodbdays
    Questions?