
Securing your MongoDB Implementation


MongoDB #mongodbdays presentation on 2013-04-09 (in London) on how to secure your MongoDB Implementation.

Mark Hillick

April 09, 2013


Transcript

  1. Agenda
     1. Securing MongoDB 2.2
     2. Securing MongoDB 2.4
     3. Outside MongoDB
     4. Documentation & Notifications
     5. Conclusion
     6. Futures
     7. Questions
     Securing your MongoDB Implementation, Mark Hillick
  2. Securing MongoDB 2.2
     Authentication – simple user/password scheme, stored in MongoDB itself
     Authori(s|z)ation – per database only: no access, read, or read-write
     Auditing – very little
  3. MongoDB SSL
     http://docs.mongodb.org/manual/administration/ssl/
     • Keyfile establishes trust between the members of the set
     • SSL encryption for the client connection (application ↔ mongod)
     • SSL encryption for inter-server traffic (primary ↔ secondary)
     (Diagram: application, primary and secondary, each member with its own data files; SSL covers the connections, not the data files.)
  4. Authentication with password hash (challenge/response)
     • Use a one-way function F; mongod knows only my password hash
     Client → mongod: I am “[email protected]”, let me in
     mongod → client: Prove it, here is a random number N
     Client → mongod: Here is F(N, hash(<mypwd>))
     mongod: Nobody else could know that, welcome back marko!
     • The hash is never transmitted over the network
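The exchange on this slide, written out as runnable code. This is an added example, not code from the deck or from MongoDB; the digest and key formulas follow the MONGODB-CR mechanism of that era (md5 of `user:mongo:password` stored server-side, then md5 of `nonce + user + digest` sent by the client), the in-memory `users` dict stands in for `system.users`, and the user names, passwords, nonce length and wordlist are constructed for the demonstration. Besides showing that the password hash never crosses the wire, it makes two caveats concrete that the slide leaves implicit: whoever holds the stored digest can log in without the password, and a sniffed (nonce, key) pair can be cracked offline, which is why the Futures slide lists stronger password hashing.

```python
import hashlib
import secrets


def password_digest(username: str, password: str) -> str:
    """What 2.2/2.4 store as `pwd` in system.users: md5(user + ':mongo:' + password)."""
    return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest()


def cr_response(nonce: str, username: str, digest: str) -> str:
    """Client-side F(N, hash(pwd)): md5(nonce + user + digest). Note it needs only the digest."""
    return hashlib.md5(f"{nonce}{username}{digest}".encode()).hexdigest()


class MongodCR:
    """Server side: holds digests only, issues a fresh nonce per attempt, compares in constant time."""

    def __init__(self):
        self.users = {}    # username -> stored digest (constructed stand-in for system.users)
        self.pending = {}  # username -> outstanding nonce, consumed on first use

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = password_digest(username, password)

    def getnonce(self, username: str) -> str:
        nonce = secrets.token_hex(8)          # 64 random bits; assumed size for the example
        self.pending[username] = nonce
        return nonce

    def authenticate(self, username: str, key: str) -> bool:
        nonce = self.pending.pop(username, None)   # single use: replaying a captured key fails
        digest = self.users.get(username)
        if nonce is None or digest is None:
            return False
        return secrets.compare_digest(cr_response(nonce, username, digest), key)


def client_login(server: MongodCR, username: str, password: str = None, stolen_digest: str = None) -> bool:
    """A normal client derives the digest from the password; an attacker with the digest skips that step."""
    digest = stolen_digest if stolen_digest is not None else password_digest(username, password)
    nonce = server.getnonce(username)
    return server.authenticate(username, cr_response(nonce, username, digest))


def offline_crack(nonce: str, username: str, key: str, wordlist) -> str:
    """Anyone who captured (nonce, user, key) can test candidate passwords offline, unthrottled."""
    for guess in wordlist:
        if cr_response(nonce, username, password_digest(username, guess)) == key:
            return guess
    return None
```

Run `client_login(server, "marko", "...")` against a `MongodCR` populated with `add_user`; the same call with `stolen_digest=` shows that the stored hash is password-equivalent, so `system.users` (and any backup of it) must be protected as if it held cleartext passwords.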
  5. External Authentication
     Use common / standardized authentication
     SASL: Simple Authentication and Security Layer – framework for building authentication
     Kerberos – GSSAPI; drivers will be updated
     Mixed system.users can work during the transition
  6. Authentication with Kerberos
     1. Client → KDC (UDP:88): I am “[email protected]”, help me prove it to mongod
     2. KDC → client: Here is a TGT
     3. Client → mongod (TCP:27017): Here is the Kerberos ticket for the mongod service, obtained from the KDC with that TGT
     4. mongod validates the ticket against its keytab: Welcome!
     The authenticated principal is then matched against a user whose credentials live outside MongoDB:
       { user: "[email protected]", roles: ["readWrite"], userSource: "$external" }
  7. Starting the Database
     env KRB5_KTNAME=/etc/kserver1b.keytab mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --replSet realm4 --keyFile /etc/keyfile
  8. Authenticating & Connecting
     # kinit mongouser
     ….
     # klist
     … 03/11/13 09:30:30  03/12/13 09:30:30 …
     # mongo mongodb.10gen.com/\$external --authenticationMechanism=GSSAPI -u [email protected]
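The `--keyFile` on the start command is the secret that members of the replica set use to authenticate to each other, and mongod refuses to start when the file is malformed or readable by others. The following is an added example, not part of the deck or of MongoDB: it generates a keyfile the way the manual recommends (756 random bytes, base64), then checks the three things mongod enforces (no group/other permission bits, 6 to 1024 base64 characters, whitespace ignored), and assembles the slide's command line as an argv list with `KRB5_KTNAME` in the environment. Paths and the replica set name are the slide's; the function names are mine.

```python
import base64
import os
import secrets
import stat

BASE64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def write_keyfile(path: str, nbytes: int = 756) -> None:
    """Create a keyfile with mode 0600 from the start (no window where it is world-readable)."""
    data = base64.b64encode(secrets.token_bytes(nbytes))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data + b"\n")
    os.chmod(path, 0o600)  # the mode on os.open is subject to umask and to a pre-existing file


def check_keyfile(path: str) -> list:
    """Return the reasons mongod would refuse this --keyFile; an empty list means it is acceptable."""
    problems = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("permissions too open: group/other bits set (want 0600, owner = mongod user)")
    with open(path, "rb") as f:
        raw = f.read()
    content = b"".join(raw.split())  # mongod strips whitespace before using the key
    if not 6 <= len(content) <= 1024:
        problems.append(f"key length {len(content)} is outside 6..1024 characters")
    bad = set(content.decode("ascii", "replace")) - BASE64_CHARS
    if bad:
        problems.append(f"non-base64 characters present: {sorted(bad)}")
    return problems


def mongod_command(keyfile: str, keytab: str = "/etc/kserver1b.keytab",
                   dbpath: str = "/data/db", logpath: str = "/var/tmp/mongod_auth.log",
                   replset: str = "realm4"):
    """The slide's start command as (environment, argv); refuses to build it for a bad keyfile."""
    problems = check_keyfile(keyfile)
    if problems:
        raise ValueError("; ".join(problems))
    env = dict(os.environ, KRB5_KTNAME=keytab)
    argv = ["mongod", "--auth",
            "--setParameter", "authenticationMechanisms=GSSAPI",
            "--dbpath", dbpath, "--fork", "--logpath", logpath,
            "--replSet", replset, "--keyFile", keyfile]
    return env, argv
```

Feed the returned pair to `subprocess.Popen(argv, env=env)` on the real host; the keyfile must be identical on every member of `realm4`, and it is as sensitive as the password hashes it protects, so copy it over an authenticated channel rather than through a shared directory.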
  9. Authori(s|z)ation
     • Issues with 2.2
       – Only read / readWrite
       – Edge case with possible privilege escalation
     • 2.4 introduces roles
       – Admin-level roles: userAdmin, clusterAdmin
       – DB-level roles: userAdmin, dbAdmin, read, readWrite
       – Corresponding admin-level “AnyDatabase” roles
 10. Admin DB
     • clusterAdmin
     • AnyDatabase roles
     Source: https://wellsted135.files.wordpress.com/2012/10/special.gif
 11. Super-User
     userAdmin & userAdminAnyDatabase are super-users
     Only these users can view details about other users (the system.users collection)
 12. Admin DB, userAdmin: “I can do anything, but I won’t be required to do much”
     Admin DB, clusterAdmin: “I can add and remove shards”
     Accounts DB, userAdmin: “I can create new users, but I can’t grant them privileges to other DBs”
     App DB, userAdmin: “I can grant privileges to the App DB only”
     App DB, dbAdmin: “I can create indices, set profiling, compact”
 13. Admin DB – userAdmin, clusterAdmin
     Accounts DB – userAdmin (holds the password hashes)
     App DB – readWrite, read
     Product DB – userAdmin, dbAdmin, readWrite, read
 14. In App.system.users:
       { user: "fred", userSource: "Accounts", roles: ["userAdmin"] }
       { user: "george", userSource: "Accounts", roles: ["dbAdmin"] }
     Credentials come from the Accounts DB (userSource); each DB’s userAdmin grants privileges separately
     App DB, userAdmin: “I can grant privileges to the App DB only”
     App DB, dbAdmin: “I can create indices, set profiling, compact”
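Slides 9 to 14 describe the 2.4 model: a user document lives in `<db>.system.users`, its credentials may be delegated to another database through `userSource`, and its roles apply only to the database it was found in unless the document is in `admin` and carries `clusterAdmin` or an `AnyDatabase` role. The simulation below is an added example, not MongoDB code and not from the deck: it models that resolution with the users from these slides (ops, fred, george) and the databases admin, Accounts, App and Product. The action names (`find`, `addUser`, `createIndex`, `addShard`, ...) and the role-to-action table are mine and deliberately coarse; MongoDB's real privilege documents are more detailed, but the boundaries the slides draw are the same.

```python
import hashlib

# Illustrative 2.4-style role -> action table (action names are mine, not MongoDB privilege names)
ROLE_ACTIONS = {
    "read":      {"find"},
    "readWrite": {"find", "insert", "update", "remove"},
    "dbAdmin":   {"createIndex", "dropIndex", "setProfilingLevel", "compact"},
    "userAdmin": {"addUser", "removeUser", "viewUsers"},
}
# Admin-db-only roles that apply to every database
ANY_DB_ROLES = {"readAnyDatabase": "read", "readWriteAnyDatabase": "readWrite",
                "dbAdminAnyDatabase": "dbAdmin", "userAdminAnyDatabase": "userAdmin"}
CLUSTER_ACTIONS = {"addShard", "removeShard", "replSetReconfig"}


def digest(user: str, password: str) -> str:
    """Stored password hash, as in system.users of that era."""
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()


class Deployment:
    def __init__(self):
        self.system_users = {}  # db name -> list of documents in <db>.system.users

    def add_user(self, db: str, doc: dict) -> None:
        # A document holds its own credentials (pwd) or delegates them (userSource), never both
        if ("pwd" in doc) == ("userSource" in doc):
            raise ValueError("user document needs exactly one of pwd / userSource")
        self.system_users.setdefault(db, []).append(doc)

    def find_user(self, db: str, name: str):
        return next((d for d in self.system_users.get(db, []) if d["user"] == name), None)

    def authenticate(self, db: str, name: str, password: str) -> bool:
        """Log in against db; credentials are looked up in userSource when delegated."""
        doc = self.find_user(db, name)
        if doc is None:
            return False
        cred = self.find_user(doc["userSource"], name) if "userSource" in doc else doc
        return cred is not None and cred.get("pwd") == digest(name, password)

    def allowed(self, auth_db: str, name: str, target_db: str, action: str) -> bool:
        """Roles bind to the db the user document lives in; only admin-db roles reach further."""
        doc = self.find_user(auth_db, name)
        if doc is None:
            return False
        for role in doc.get("roles", []):
            if auth_db == "admin" and role == "clusterAdmin" and action in CLUSTER_ACTIONS:
                return True
            if auth_db == "admin" and role in ANY_DB_ROLES and action in ROLE_ACTIONS[ANY_DB_ROLES[role]]:
                return True
            if role in ROLE_ACTIONS and target_db == auth_db and action in ROLE_ACTIONS[role]:
                return True
        return False

    def grant(self, actor_db: str, actor: str, target_db: str, new_doc: dict) -> None:
        """What a userAdmin may do: add users, but only to the database its role is bound to."""
        if not self.allowed(actor_db, actor, target_db, "addUser"):
            raise PermissionError(f"{actor} (authenticated on {actor_db}) may not add users to {target_db}")
        self.add_user(target_db, new_doc)


def build_deployment() -> Deployment:
    """The layout of slides 13 and 14; passwords are constructed for the example."""
    d = Deployment()
    d.add_user("admin",    {"user": "ops",    "pwd": digest("ops", "ops-pw"),      "roles": ["userAdmin", "clusterAdmin"]})
    d.add_user("Accounts", {"user": "fred",   "pwd": digest("fred", "fred-pw"),    "roles": []})
    d.add_user("Accounts", {"user": "george", "pwd": digest("george", "george-pw"), "roles": []})
    d.add_user("App",      {"user": "fred",   "userSource": "Accounts", "roles": ["userAdmin"]})
    d.add_user("App",      {"user": "george", "userSource": "Accounts", "roles": ["dbAdmin"]})
    return d
```

The interesting checks are the negative ones: fred can add users to App but not to Product, george can build indexes on App but cannot insert a document there, and fred's userAdmin role gives him no read access to App data at all. Compare that with 2.2, where the only choice per database was read or readWrite.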
 15. Additional Logging
     Monitor user activity:
     – userID added to the standard output
     – No separate audit log
     – Much more coming in 2.6
  16. SSL

 17. SSL Enhancements
     Client certificate validation:
     – CRL
     – CA
     – Expiration
     – Hostname
     FIPS
 18. Validation
     Objcheck
     – Helps prevent DoS
     – Validates input (BSON received from clients)
     – SERVER-7769: on by default
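Objcheck means mongod verifies that every BSON document a client sends is well formed before acting on it; without that, a length field that points past the end of the message is an easy way to crash or stall a server. The validator below is an added example, not mongod's code: it covers a subset of BSON element types (numbers, booleans, null, strings, binary, embedded documents and arrays), checks every length against the bytes actually present before using it, and caps nesting depth. `bson_doc` is a tiny encoder I wrote only to construct the test inputs; the 16 MB limit and the depth cap of 100 are assumptions chosen to match MongoDB's documented document-size limit and a sensible recursion bound.

```python
import struct

# Element types with a fixed-size value: double, ObjectId, bool, UTC datetime, null, int32, timestamp, int64
FIXED_SIZE = {0x01: 8, 0x07: 12, 0x08: 1, 0x09: 8, 0x0A: 0, 0x10: 4, 0x11: 8, 0x12: 8}
MAX_BSON_SIZE = 16 * 1024 * 1024   # assumed cap, matching the documented 16 MB document limit
MAX_DEPTH = 100                    # assumed nesting cap for the example


def validate_bson(buf: bytes, depth: int = 0) -> bool:
    """True iff buf is exactly one well-formed BSON document (for the supported type subset)."""
    if depth > MAX_DEPTH or len(buf) < 5:
        return False
    (total,) = struct.unpack_from("<i", buf, 0)
    # The declared length must equal what was actually received, and the doc must end with 0x00
    if total != len(buf) or total > MAX_BSON_SIZE or buf[-1] != 0:
        return False
    pos, end = 4, total - 1
    while pos < end:
        etype = buf[pos]
        pos += 1
        nul = buf.find(b"\x00", pos, end)        # element name is a NUL-terminated cstring
        if nul < 0:
            return False
        pos = nul + 1
        if etype in FIXED_SIZE:
            size = FIXED_SIZE[etype]
        elif etype in (0x02, 0x0D, 0x0E):        # string / JavaScript code / symbol
            if pos + 4 > end:
                return False
            (slen,) = struct.unpack_from("<i", buf, pos)
            if slen < 1 or pos + 4 + slen > end or buf[pos + 4 + slen - 1] != 0:
                return False
            size = 4 + slen
        elif etype in (0x03, 0x04):              # embedded document / array: recurse
            if pos + 4 > end:
                return False
            (dlen,) = struct.unpack_from("<i", buf, pos)
            if dlen < 5 or pos + dlen > end:
                return False
            if not validate_bson(buf[pos:pos + dlen], depth + 1):
                return False
            size = dlen
        elif etype == 0x05:                      # binary: int32 length, subtype byte, payload
            if pos + 5 > end:
                return False
            (blen,) = struct.unpack_from("<i", buf, pos)
            if blen < 0 or pos + 5 + blen > end:
                return False
            size = 5 + blen
        else:                                    # unknown type: reject rather than guess a size
            return False
        if pos + size > end:
            return False
        pos += size
    return pos == end


def bson_doc(fields: dict) -> bytes:
    """Minimal encoder for constructing test inputs: bool, int32, str and nested dict values."""
    body = b""
    for key, value in fields.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):
            body += b"\x08" + name + bytes([int(value)])
        elif isinstance(value, int):
            body += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):
            body += b"\x03" + name + bson_doc(value)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"
```

The failing inputs worth trying are a document whose header claims more bytes than arrived, a string whose length field runs past the document, a missing terminator, and deep nesting; each is rejected from the length fields alone, before any allocation proportional to the attacker's number.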
 19. JS Engine
     Move to V8
     – Primarily for performance reasons, but with some security benefits
     – Restrictions on $where (SERVER-9124) & M/R/F
     – SERVER-8104 & the 2.4 Release Notes
 20. Outside MongoDB
     Firewalls – iptables & netsh: ports, addresses, times, throttling etc.
     File system – encryption (Gazzang) [HIPAA, PCI, SOX]
     Best practices – internal policies (password reuse, scanning etc.)
 21. MongoDB Partners with Gazzang
     • File system encryption – all contents encrypted, below the OS, with Gazzang key management
     • 5% performance hit with HDD, 10–15% with SSD
 22. Documentation
     Manual – http://docs.mongodb.org/manual/security/
     • Security features within MongoDB
     • Best practices & strategies
     • Tutorials
     • Vulnerability notifications
 23. Potential Security Issues
     How do YOU know? – MongoDB Alerts
     How, what, where? – vulnerability notification via Jira (HTTPS) & (secure) email
 24. Disclaimer
     Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, any specific feature discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
 25. Futures
     Auditing – logging to output the userID associated with actions (SERVER-1891)
     Passwords – stronger hashing (SERVER-2360)
     Authorization – user-defined roles & more granularity
     SSL – client & security improvements
 26. Conclusion
     • 2.2 wasn’t great
     • 2.4 is much better & enterprise-level
     • Authentication & authori(s|z)ation
     • Within & outside MongoDB
 27. Thanks
     • Thanks to Mike Stimpson for the awesome pics: http://imgur.com/a/0XvKw