Slide 1

Securing your MongoDB Implementation
Mark Hillick - @markofu – mark@10gen.com
Engineer, 10gen
#mongodbdays

Slide 2

Agenda
1. Securing MongoDB 2.2
2. Securing MongoDB 2.4
3. Outside MongoDB
4. Documentation & Notifications
5. Conclusion
6. Futures
7. Questions
Securing your MongoDB Implementation, Mark Hillick

Slide 3

Securing MongoDB 2.2

Slide 4

Securing MongoDB 2.2
Authentication
–  Simple user/password scheme stored in MongoDB
Authori(s|z)ation
–  Per database: no access, read, or read-write
Auditing
–  Very little

Slide 5

MongoDB SSL
[Diagram: Application connects to Primary and Secondary (each with its own Data Files); SSL encryption for the client connection; SSL encryption for inter-server traffic; Keyfile establishes trust]
http://docs.mongodb.org/manual/administration/ssl/

Slide 6

Securing MongoDB 2.4

Slide 7

Authentication

Slide 8

Who?

Slide 9

Authentication with password hash
•  Use one-way function F
[Diagram: exchange between the client and mongod]
1. Client: I am “mark@10gen.com”, let me in
2. mongod: Prove it, here is a random # N
3. Client: Here is F(N, hash())
4. mongod: Nobody else could know that, welcome back marko!
mongod knows only my password hash
Hash never transmitted over the network!
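The four-step exchange on this slide, written out as an added Python example (an illustrative scheme, not MongoDB's actual wire protocol or 10gen code): the server stores only a password hash, issues a random nonce N, and the client answers F(N, hash) with an HMAC standing in for F. The user store, hash construction and nonce handling are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def password_hash(user: str, password: str) -> str:
    # The only secret the server stores. In this scheme it is password-equivalent:
    # whoever holds it can answer the challenge, so the user store needs the same
    # protection as the passwords themselves.
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

def f_one_way(nonce: str, pw_hash: str) -> str:
    # F(N, hash()): keyed one-way function over the nonce. Only this value
    # crosses the wire; the hash itself never does.
    return hmac.new(pw_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self, users: dict):
        self.users = users      # user -> stored password hash (constructed store)
        self.pending = {}       # user -> outstanding nonce, single use

    def challenge(self, user: str) -> str:
        # Step 2: "Prove it, here is a random # N"
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        # Step 4: recompute F(N, hash) from the stored hash and compare.
        # The nonce is consumed whether or not the attempt succeeds, so a
        # captured response is useless against any later challenge.
        nonce = self.pending.pop(user, None)
        stored = self.users.get(user)
        if nonce is None or stored is None:
            return False
        return hmac.compare_digest(f_one_way(nonce, stored), response)

class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self.pw_hash = password_hash(user, password)   # derived locally, never sent

    def respond(self, nonce: str) -> str:
        # Step 3: "Here is F(N, hash())"
        return f_one_way(nonce, self.pw_hash)

def login(server: Server, client: Client) -> bool:
    # Steps 1 to 4 in order: announce, receive N, answer, be verified.
    return server.verify(client.user, client.respond(server.challenge(client.user)))
```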

Slide 10

External Authentication
Use common / standardized authentication
SASL: Simple Authentication and Security Layer
–  Framework for building authentication
Kerberos
–  GSSAPI, drivers will be updated
–  Mixed system.users can work during transition

Slide 11

Authentication with Kerberos
[Diagram: client, KDC, and mongod (holding a keytab)]
1. To the KDC (UDP:88): I am “mark@10gen.com”, help me prove it to mongod
2. Here is a TGT
3. To mongod (TCP:27017): Here is a Kerberos TGT
4. Welcome, here is a Service Ticket!
User document: { user: "mark@10gen.com", roles: ["readWrite"], userSource: "$external" }

Slide 12

Starting the Database

    env KRB5_KTNAME=/etc/kserver1b.keytab mongod --auth \
        --setParameter authenticationMechanisms=GSSAPI \
        --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log \
        --replSet realm4 --keyFile /etc/keyfile

Slide 13

Authenticating & Connecting

    # kinit mongouser
    ….
    # klist
    …
    03/11/13 09:30:30  03/12/13 09:30:30
    …
    # mongo mongodb.10gen.com/$external --authenticationMechanism=GSSAPI -u mongouser@10GEN.COM

Slide 14

Authori(s|z)ation

Slide 15

What?

Slide 16

Authori(s|z)ation
•  Issues with 2.2
–  Only read / readWrite
–  Edge case with possible privilege escalation
•  2.4 introduces roles
–  Admin-level roles
•  userAdmin
•  clusterAdmin
–  DB-level roles
•  userAdmin
•  dbAdmin
•  read
•  readWrite
Corresponding admin-level roles for “AnyDatabase”

Slide 17

Admin DB
•  clusterAdmin
•  AnyDatabase
Source: https://wellsted135.files.wordpress.com/2012/10/special.gif

Slide 18

Super-User
userAdmin & userAdminAnyDatabase are super-users
Only these users can view details about other users – system.users collection

Slide 19

DB Admin: userAdmin
  “I can do anything but I won’t be required to do much”
DB Admin: clusterAdmin
  “I can add and remove shards”
DB Accounts: userAdmin
  “I can create new users but I can’t grant them privileges to other DBs”
DB App: userAdmin
  “I can grant privileges to the App DB only”
DB App: dbAdmin
  “I can create indices, set profiling, compact”

Slide 20

Admin DB
•  userAdmin
•  clusterAdmin
Accounts DB
•  userAdmin
–  Password hashes
App DB
•  readWrite
•  read
Product DB
•  userAdmin
•  dbAdmin
•  readWrite
•  read

Slide 21

In App.system.users:

    { user: "fred", userSource: "Accounts", roles: [ "userAdmin" ] }
    { user: "george", userSource: "Accounts", roles: [ "dbAdmin" ] }

Credentials from Accounts DB
Each DB’s userAdmin gets to grant privileges separately
DB App: userAdmin
  “I can grant privileges to the App DB only”
DB App: dbAdmin
  “I can create indices, set profiling, compact”
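An added Python model (not MongoDB code) of the 2.4 role layout on slides 16, 19, 20 and 21: per-database roles act only on the DB whose system.users holds the document, the AnyDatabase and cluster roles live in admin, and a document with userSource delegates the password check to another DB. The privilege sets and the user store are assumptions constructed for the example; real privilege lists are longer.

```python
# Roles as the deck lists them for 2.4; the action sets are an assumed subset.
DB_ROLES = {
    "read": {"find"},
    "readWrite": {"find", "insert", "update", "remove"},
    "dbAdmin": {"createIndex", "setProfiling", "compact"},
    "userAdmin": {"grantRole", "viewUsers"},
}
ANY_DB = {"readAnyDatabase": "read", "readWriteAnyDatabase": "readWrite",
          "dbAdminAnyDatabase": "dbAdmin", "userAdminAnyDatabase": "userAdmin"}
CLUSTER_ROLES = {"clusterAdmin": {"addShard", "removeShard"}}

# Constructed store modelling slides 20/21: fred and george keep their password
# hashes in Accounts and are delegated into App via userSource.
STORE = {
    "admin": [{"user": "root", "pwd": "<hash>",
               "roles": ["userAdminAnyDatabase", "clusterAdmin"]}],
    "Accounts": [{"user": "fred", "pwd": "<hash>", "roles": []},
                 {"user": "george", "pwd": "<hash>", "roles": []}],
    "App": [{"user": "fred", "userSource": "Accounts", "roles": ["userAdmin"]},
            {"user": "george", "userSource": "Accounts", "roles": ["dbAdmin"]}],
    "Product": [],
}

def _raw_roles(store, db, user):
    return {r for doc in store.get(db, []) if doc["user"] == user for r in doc["roles"]}

def roles_on(store, user, db):
    """Effective roles of `user` on `db`."""
    own = _raw_roles(store, db, user)
    roles = {r for r in own if r in DB_ROLES}
    if db == "admin":
        roles |= {ANY_DB[r] for r in own if r in ANY_DB}    # AnyDatabase covers admin too
        roles |= {r for r in own if r in CLUSTER_ROLES}     # cluster roles live in admin only
    else:
        # Admin-DB-local roles (e.g. userAdmin on admin) do NOT reach other DBs;
        # only the AnyDatabase variants do.
        roles |= {ANY_DB[r] for r in _raw_roles(store, "admin", user) if r in ANY_DB}
    return roles

def allowed(store, user, db, action):
    """Would `user` be authorised to run `action` against `db`?"""
    return any(action in DB_ROLES.get(r, ()) or action in CLUSTER_ROLES.get(r, ())
               for r in roles_on(store, user, db))

def credential_db(store, db, user):
    """DB whose system.users holds the password hash checked when logging in to `db`."""
    for doc in store.get(db, []):
        if doc["user"] == user:
            return doc.get("userSource", db)
    return None
```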

Slide 22

Auditing

Slide 23

Additional Logging
Monitor user activity:
–  userID added to standard output
–  No separate audit log
–  Much more coming in 2.6

Slide 24

SSL

Slide 25

Enhancements
Client cert validation
–  CRL
–  CA
–  Expiration
–  Hostname
FIPS

Slide 26

Validation

Slide 27

Validation
Objcheck
–  Helps prevent DoS
–  Validates input
–  SERVER-7769 (default)
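An added Python illustration (not MongoDB's own objcheck code) of what the kind of input check described here does: walk a BSON document's framing and refuse to trust any length field that points outside the buffer, so a malformed object is rejected before it is parsed or stored. For brevity it accepts only double, string, embedded document/array, bool, datetime, null, int32 and int64 elements (an assumption of the example), and the sample document is constructed.

```python
import struct

class BsonError(ValueError): pass
# Payload sizes of fixed-width types: double, bool, datetime, null, int32, int64.
FIXED = {0x01: 8, 0x08: 1, 0x09: 8, 0x0A: 0, 0x10: 4, 0x12: 8}

def objcheck(buf: bytes, depth: int = 0) -> int:
    # Validate the framing of the BSON document at buf[0:] and return its length.
    if depth > 20:
        raise BsonError("nesting too deep")
    if len(buf) < 5:
        raise BsonError("document shorter than 5 bytes")
    total = struct.unpack_from("<i", buf, 0)[0]
    if total < 5 or total > len(buf):      # never trust a length field blindly
        raise BsonError(f"document length {total} does not fit the buffer")
    if buf[total - 1] != 0:
        raise BsonError("document not terminated by 0x00")
    pos = 4
    while buf[pos] != 0:                   # element list ends at the terminator
        etype, pos = buf[pos], pos + 1
        name_end = buf.find(b"\x00", pos, total - 1)
        if name_end < 0:
            raise BsonError("unterminated element name")
        pos = name_end + 1
        if etype in FIXED:
            pos += FIXED[etype]
        elif etype == 0x02:                # string: int32 length (incl. NUL) + bytes
            if pos + 4 > total - 1:
                raise BsonError("truncated string length")
            slen = struct.unpack_from("<i", buf, pos)[0]
            if slen < 1 or pos + 4 + slen > total - 1 or buf[pos + 3 + slen] != 0:
                raise BsonError("string length inconsistent with document")
            pos += 4 + slen
        elif etype in (0x03, 0x04):        # embedded document / array: recurse
            pos += objcheck(buf[pos:total - 1], depth + 1)
        else:
            raise BsonError(f"unsupported element type 0x{etype:02x}")
        if pos > total - 1:
            raise BsonError("element runs past the end of the document")
    if pos != total - 1:
        raise BsonError("bytes left over before the terminator")
    return total

def is_valid(buf: bytes) -> bool:
    try:
        objcheck(buf)
        return True
    except BsonError:
        return False

# Constructed valid document {"a": 1}: length 12, one int32 element, terminator.
GOOD_INT = b"\x0c\x00\x00\x00\x10a\x00\x01\x00\x00\x00\x00"
```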

Slide 28

JS Engine

Slide 29

JS Engine
Move to V8
–  Primarily performance reasons but some security benefits
–  Restrictions on $where (SERVER-9124) & M/R/F
–  SERVER-8104 & 2.4 Release Notes

Slide 30

Outside MongoDB

Slide 31

Outside MongoDB
Firewalls
–  iptables & netsh
–  Ports, addresses, times, throttle etc.
F/S
–  Encrypt (Gazzang) [HIPAA, PCI, SOX]
Best practices
–  Internal policies (password reuse, scan etc.)

Slide 32

MongoDB Partners with Gazzang
•  File system encryption
•  5% performance hit with HDD, 10-15% with SSD
[Diagram: OS, Gazzang layer, File System (all contents encrypted), Gazzang Key Mgmt]

Slide 33

Documentation & Notifications

Slide 34

Documentation
Manual
–  http://docs.mongodb.org/manual/security/
•  Security features within MongoDB
•  Best practices & strategies
•  Tutorials
•  Vulnerability notifications

Slide 35

Potential Security Issues
How do YOU know?
–  MongoDB Alerts
How, what, where?
–  Vulnerability notification
–  Jira (HTTPS) & (secure) email

Slide 36

Futures

Slide 37

Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed for a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.

Slide 38

Futures
Auditing
–  Logging to output userID associated with actions (SERVER-1891)
Passwords
–  Stronger hashing (SERVER-2360)
Authorization
–  User-defined & more granularity
SSL
–  Client & security improvements

Slide 39

Conclusion

Slide 40

Conclusion
•  2.2 wasn’t great
•  2.4 is much better & enterprise-level
•  Authentication & Authori(s|z)ation
•  Within & outside

Slide 41

Thanks
•  Thanks to Mike Stimpson for the awesome pics :) http://imgur.com/a/0XvKw

Slide 42

Questions?
Mark Hillick - @markofu – mark@10gen.com
Engineer, 10gen – Star Wars fan
#mongodbdays