Securing your MongoDB Implementation
DESCRIPTION
In this session, we'll provide a preview of the security features that we are working on for the next version of MongoDB.
TRANSCRIPT
Mark Hillick - @markofu
Engineer, 10gen
#MongoDBLondon
Securing your MongoDB Implementation
Agenda
1. Securing MongoDB 2.2
2. Securing MongoDB 2.4
3. Outside of MongoDB
4. Vulnerabilities
5. Documentation
6. Futures
7. Q & A
Securing your MongoDB Implementation, Mark Hillick
Securing MongoDB 2.2
Authentication
– Simple user/password scheme stored in MongoDB
Authorization
– Per database: no access, read, or read-write
Auditing
– Authentication requests logged
– Some actions / changes captured in the log
MongoDB SSL
Keyfile establishes trust between the servers
http://docs.mongodb.org/manual/administration/ssl/
[Diagram: the Application connects to the Primary over an SSL-encrypted client connection; Primary and Secondary exchange SSL-encrypted inter-server traffic; each server holds its own Data Files]
Securing MongoDB 2.4
Authentication
External Authentication
– Use common / standardized authentication
SASL: Simple Authentication and Security Layer
– Framework for building authentication
Kerberos
– GSSAPI, drivers will be updated
– Mixed system.users can work during transition
Authentication with only pwd hash
• Use one-way function F
Client -> Mongod: I am "[email protected]", let me in
Mongod -> Client: Prove it, here is a random # N
Client -> Mongod: Here is F(N, hash(<mypwd>))
Mongod: Nobody else could know that, welcome back marko!
Mongod knows only my password hash
Hash never transmitted over the network!
Authentication with Kerberos (2.4)
Client -> KDC (UDP:88): I am "[email protected]", help me prove it to mongod
KDC -> Client: Here is a TGT
Client -> KDC (UDP:88): Here is my Kerberos TGT, I need a ticket for mongod
KDC -> Client: Here is a Service Ticket!
Client -> Mongod (TCP:27017): Here is the Service Ticket (via GSSAPI)
Mongod -> Client: Welcome!
Mongod's user document for this principal lives in $external:
{ user: "[email protected]", roles: ["readWrite"], userSource: "$external" }
Authenticating & Connecting
# kinit mongouser
…
# klist
…
03/11/13 09:30:30  03/12/13 09:30:30
…
# mongo mongodb.10gen.com/\$external --authenticationMechanism=GSSAPI -u [email protected]
Starting the Database
env KRB5_KTNAME=/etc/kserver1b.keytab \
  /usr/local/bin/mongodb/bin/mongod --auth \
  --setParameter authenticationMechanisms=GSSAPI \
  --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log \
  --replSet realm4 --keyFile /etc/keyfile
KRB5_KTNAME points mongod at its service keytab; --keyFile is the shared secret for replica set member authentication and is separate from Kerberos.
Authorization
• Issues with 2.2
  – Only Read / ReadWrite
  – Edge-case with possible privilege escalation
• 2.4 introduces roles
  – Admin level roles
    • UserAdmin
    • ClusterAdmin
  – DB level roles
    • User Admin
    • DB Admin
    • Read
    • ReadWrite
  – Corresponding Admin level roles for AllDatabases
[Diagram: roles by database]
Admin DB: UserAdmin, ClusterAdmin, and the AllDatabases roles
Accnts DB: UserAdmin (holds the password hashes)
App DB: UserAdmin, dbAdmin, ReadWrite, Read
Product DB: UserAdmin, dbAdmin, ReadWrite, Read
Customer DB: UserAdmin, dbAdmin, ReadWrite, Read
BI DB: UserAdmin, dbAdmin, ReadWrite, Read
(Image source: https://wellsted135.files.wordpress.com/2012/10/special.gif)
DB Admin: UserAdmin – I can do anything but I won't be required to do much
DB Admin: ClusterAdmin – I can add and remove shards
DB Accnts: userAdmin – I can create new users but I can't grant them privileges to other DBs
DB App: userAdmin – I can grant privileges to the App DB only
DB App: dbAdmin – I can create indices, set profiling, compact
Super-User
userAdmin & userAdminAnyDatabase are the super-users
Only these users can view details about other users – system.users collection
In App.system.users:
{ user: "fred", userSource: "Accnts", roles: [ "userAdmin" ] }
{ user: "george", userSource: "Accnts", roles: [ "dbAdmin" ] }
Each DB's userAdmin gets to grant privileges separately
DB App: userAdmin – I can grant privileges to the App DB only
DB App: dbAdmin – I can create indices, set profiling, compact
Credentials for both come from the Accnts DB (userSource)
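The per-database boundaries on the preceding authorization slides, checked mechanically in an added Node.js example that is not part of the deck or of MongoDB's own code. The role names are the 2.4 built-ins the slides list; the databases (admin, Accnts, App, Product) and the fred/george documents are the slides' example deployment; the "root" user, the "<hash>" placeholders and the action names "viewUsers" and "grantRole" are assumptions made for the model.

```javascript
// Added example, not from the slides: a toy model of the 2.4 role scheme.
// Role names are the 2.4 built-ins the slides list; the "root" user,
// "<hash>" placeholders and the action names are assumptions for the model.

// Every database has its own system.users. A document may defer its
// credentials to another database via userSource (the slide's "fred" and
// "george" in App.system.users), in which case it carries no pwd.
const systemUsers = {
  admin: [
    { user: 'root', pwd: '<hash>', roles: ['userAdminAnyDatabase', 'clusterAdmin'] },
  ],
  Accnts: [
    { user: 'fred', pwd: '<hash>', roles: ['userAdmin'] },
    { user: 'george', pwd: '<hash>', roles: [] },
  ],
  App: [
    { user: 'fred', userSource: 'Accnts', roles: ['userAdmin'] },
    { user: 'george', userSource: 'Accnts', roles: ['dbAdmin'] },
  ],
  Product: [],
};

// What each database-level role permits, on the database that grants it.
const DB_ROLE_ACTIONS = {
  read: ['find'],
  readWrite: ['find', 'insert', 'update', 'remove'],
  dbAdmin: ['ensureIndex', 'setProfilingLevel', 'compact'],
  userAdmin: ['viewUsers', 'grantRole'],
};

// The *AnyDatabase roles exist only in admin and apply the matching
// database role to every database.
const ANY_DB_ROLES = {
  readAnyDatabase: 'read',
  readWriteAnyDatabase: 'readWrite',
  dbAdminAnyDatabase: 'dbAdmin',
  userAdminAnyDatabase: 'userAdmin',
};

// clusterAdmin also lives in admin and covers cluster-wide actions only.
const CLUSTER_ACTIONS = ['addShard', 'removeShard'];

function findUser(db, user) {
  return (systemUsers[db] || []).find((u) => u.user === user) || null;
}

// Which database checks this user's password: its own, unless userSource
// points elsewhere (the "Credentials from Accnts DB" arrow on the slide).
function credentialSource(db, user) {
  const doc = findUser(db, user);
  if (!doc) return null;
  return doc.userSource || db;
}

// Is `user`, as defined in privDb.system.users, allowed `action` on targetDb?
function isAllowed(privDb, user, action, targetDb) {
  const doc = findUser(privDb, user);
  if (!doc) return false;
  return doc.roles.some((role) => {
    // Database-level roles never reach beyond the database that granted them.
    if (DB_ROLE_ACTIONS[role]) {
      return privDb === targetDb && DB_ROLE_ACTIONS[role].includes(action);
    }
    // The remaining roles are honoured only when defined in admin (model choice).
    if (privDb !== 'admin') return false;
    if (ANY_DB_ROLES[role]) {
      return DB_ROLE_ACTIONS[ANY_DB_ROLES[role]].includes(action);
    }
    return role === 'clusterAdmin' && CLUSTER_ACTIONS.includes(action);
  });
}

// Who can grant roles on a given database? Walks every system.users, which
// is the check to run when auditing "each DB's userAdmin grants separately".
function grantersFor(targetDb) {
  const out = [];
  for (const [privDb, docs] of Object.entries(systemUsers)) {
    for (const doc of docs) {
      if (isAllowed(privDb, doc.user, 'grantRole', targetDb)) out.push(`${doc.user}@${privDb}`);
    }
  }
  return out.sort();
}

console.log('App granters:', grantersFor('App'), 'Product granters:', grantersFor('Product'));
```

Running grantersFor over each database is the audit a practitioner wants from this model: only the database's own userAdmin and the admin-scoped userAdminAnyDatabase can grant on it, and fred's userAdmin in App gives him nothing in Product.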
Auditing
Additional Logging
Monitor user activity:
– userID added to standard output
– Not currently a separate audit log
– Much more coming in 2.6
Validation
objcheck
– Validates BSON input from clients
– Helps prevent DoS
– SERVER-7769 (on by default in 2.4)
JS Engine
Move to V8
– Primarily performance reasons but some security benefits
– Restrictions on $where & map/reduce/finalize (M/R/F)
– SERVER-8104 & Aaron Heckmann's blog
Outside of MongoDB
Firewalls
– iptables & netsh
– Ports, addresses, times, throttle etc
File system
– Encrypt (Gazzang)
Best Practices
– Internal policies (password reuse, scan etc)
MongoDB - Gazzang
• File system encryption
• 5% performance hit with HDD, 10-15% with SSD
[Diagram: File System (all contents encrypted) on top of the OS, with Gazzang providing the encryption layer and Gazzang Key Management holding the keys]
Vulnerabilities
Notify
– Let us know
How, What, Where?
– http://docs.mongodb.org/manual/administration/vulnerability-notification/
– Jira (HTTPS) & (secure) email
How do YOU know?
– MongoDB Alerts
– Vulnerability Notification
Documentation
Manual
– http://docs.mongodb.org/manual/security/
  • Security features within MongoDB
  • Best practices & management
  • Strategies
  • Tutorials
  • Vulnerability notifications
  • References
Futures
Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, any specific feature discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
Auditing
– Logging to output userID associated with actions
Passwords
– Stronger hashing
Authorization
– User defined & more granularity
SSL
– Client cert validation
Thank You