Securing your MongoDB Implementation

Mark Hillick - @markofu, Engineer, 10gen, #MongoDBLondon

Posted on 15-Jan-2015

DESCRIPTION

In this session, we'll provide a preview of the security features that we are working on for the next version of MongoDB.

TRANSCRIPT

Page 1: Securing Your MongoDB Implementation

Mark Hillick - @markofu, Engineer, 10gen

#MongoDBLondon

Securing your MongoDB Implementation

Page 2: Securing Your MongoDB Implementation

Agenda

1. Securing MongoDB 2.2

2. Securing MongoDB 2.4

3. Outside of MongoDB

4. Vulnerabilities

5. Documentation

6. Futures

7. Q & A

Securing your MongoDB Implementation, Mark Hillick

Page 3: Securing Your MongoDB Implementation

Securing MongoDB 2.2

Page 4: Securing Your MongoDB Implementation

Securing MongoDB 2.2

Authentication

– Simple user/password scheme stored in MongoDB

Authorization

– Per database: no access, read, or read-write

Auditing

– Authentication requests logged

– Some actions / changes captured in log


Page 5: Securing Your MongoDB Implementation

MongoDB SSL

– Keyfile establishes trust

– SSL encryption for client connections (Application to Primary)

– SSL encryption for inter-server traffic (Primary to Secondary)

– http://docs.mongodb.org/manual/administration/ssl/

Diagram: Application connects to the Primary; the Primary and Secondary each hold their own Data Files.


Page 6: Securing Your MongoDB Implementation

Securing MongoDB 2.4

Page 7: Securing Your MongoDB Implementation

Authentication

Page 8: Securing Your MongoDB Implementation

External Authentication

Use common / standardized authentication

SASL: Simple Authentication and Security Layer

– Framework for building authentication

Kerberos

– GSSAPI, drivers will be updated

– Mixed system.users can work during transition


Page 9: Securing Your MongoDB Implementation

Authentication with only pwd hash

• Use one-way function F

Client to Mongod: I am "[email protected]", let me in

Mongod to Client: Prove it, here is a random # N

Client to Mongod: Here is F(N, hash(<mypwd>))

Mongod: Nobody else could know that, welcome back marko!

Mongod knows only my password hash. The hash is never transmitted over the network!
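The page 9 exchange as a runnable sketch. This is an added example, not code from the talk or from MongoDB; it assumes F is HMAC-SHA256 and that the stored hash(<mypwd>) is SHA-256 over "user:password", since the slide names only "a one-way function F".

```python
import hashlib
import hmac
import os

# Added example, not from the talk: the nonce challenge-response on page 9.
# Assumptions: F is HMAC-SHA256 and the stored verifier hash(<mypwd>) is
# SHA-256 over "user:password"; the slide names only "a one-way function F".

def password_hash(user, password):
    """hash(<mypwd>): the only secret mongod stores (system.users analogue)."""
    return hashlib.sha256(f"{user}:{password}".encode()).digest()

def client_proof(nonce, pwd_hash):
    """F(N, hash(<mypwd>)): what crosses the wire instead of the hash."""
    return hmac.new(pwd_hash, nonce, hashlib.sha256).digest()

class Mongod:
    """Server side: knows only the password hash, plus one live nonce per user."""

    def __init__(self):
        self.users = {}      # user -> stored hash
        self.pending = {}    # user -> outstanding nonce N

    def add_user(self, user, password):
        self.users[user] = password_hash(user, password)

    def challenge(self, user):
        """'Prove it, here is a random # N': 16 random bytes, single use."""
        if user not in self.users:
            return None
        self.pending[user] = os.urandom(16)
        return self.pending[user]

    def verify(self, user, proof):
        """Recompute F(N, stored hash). The nonce is consumed, so a captured
        proof cannot be replayed; compare_digest avoids a timing side channel."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        return hmac.compare_digest(client_proof(nonce, self.users[user]), proof)

def login(server, user, password):
    """Client side: 'I am <user>, let me in', then answer the challenge."""
    nonce = server.challenge(user)
    if nonce is None:
        return False
    return server.verify(user, client_proof(nonce, password_hash(user, password)))
```

Because the server's copy of hash(<mypwd>) is enough to compute the proof, that stored hash is itself a credential, which is why page 19 limits who may read the system.users collection.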


Page 10: Securing Your MongoDB Implementation

Authentication with Kerberos (2.4)

KDC (UDP:88)

– I am "[email protected]", help me prove it to mongod

– Here is a TGT

Mongod (TCP:27017)

– Here is a Kerberos TGT

– Welcome, here is a Service Ticket!

– { user: "[email protected]", roles: ["readWrite"], userSource: "$external" }

Page 11: Securing Your MongoDB Implementation

Authenticating & Connecting

# kinit mongouser
…
# klist
…
03/11/13 09:30:30  03/12/13 09:30:30
…
# mongo mongodb.10gen.com/$external --authenticationMechanism=GSSAPI -u [email protected]

Page 12: Securing Your MongoDB Implementation

Starting the Database

env KRB5_KTNAME=/etc/kserver1b.keytab \
/usr/local/bin/mongodb/bin/mongod --auth \
  --setParameter authenticationMechanisms=GSSAPI \
  --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log \
  --replSet realm4 --keyFile /etc/keyfile

Page 13: Securing Your MongoDB Implementation

Authorization


Page 15: Securing Your MongoDB Implementation

AUTHORIZATION

• Issues with 2.2

– Only Read / ReadWrite

– Edge-case with possible privilege escalation

• 2.4 introduces roles

– Admin level roles: UserAdmin, ClusterAdmin (with corresponding Admin level roles for AllDatabases)

– DB level roles: User Admin, DB Admin, Read, ReadWrite

Page 16: Securing Your MongoDB Implementation

ADMIN DB

• ClusterAdmin

• AllDatabases


Page 17: Securing Your MongoDB Implementation

Admin DB

• UserAdmin
• ClusterAdmin

Accnts DB (password hashes)

• UserAdmin

App DB

• UserAdmin
• dbAdmin
• ReadWrite
• Read

Product DB

• UserAdmin
• dbAdmin
• ReadWrite
• Read

Customer DB

• UserAdmin
• dbAdmin
• ReadWrite
• Read

BI DB

• UserAdmin
• dbAdmin
• ReadWrite
• Read

Page 18: Securing Your MongoDB Implementation

DB Admin: UserAdmin – "I can do anything but I won't be required to do much"

DB Admin: ClusterAdmin – "I can add and remove shards"

DB Accnts: userAdmin – "I can create new users but I can't grant them privileges to other DB's"

DB App: userAdmin – "I can grant privileges to the App DB only"

DB App: dbAdmin – "I can create indices, set profiling, compact"

Page 19: Securing Your MongoDB Implementation

Super-User

userAdmin & userAdminAnyDatabase are super-users.

Only these users can view details about other users (system.users collection).

Page 20: Securing Your MongoDB Implementation

In App.system.users:

{ user: "fred", userSource: "Accnts", roles: [ "userAdmin" ] }

{ user: "george", userSource: "Accnts", roles: [ "dbAdmin" ] }

Each DB's userAdmin gets to grant privileges separately.

DB App: userAdmin – "I can grant privileges to the App DB only"

DB App: dbAdmin – "I can create indices, set profiling, compact"

Credentials from Accnts DB
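A toy model of the 2.4 role scheme from pages 14 to 20, as an added example that is not code from the talk or from MongoDB. The action names attached to each role are my reading of the slide bubbles, and the userSource field is recorded but not used to verify credentials.

```python
# Added example, not code from the talk: a toy model of the 2.4 role scheme on
# pages 14-20. The action names per role are my reading of the slide bubbles
# (an assumption); real mongod privileges are more detailed than this.

ROLE_ACTIONS = {
    "read":      {"find"},
    "readWrite": {"find", "insert", "update", "remove"},
    "dbAdmin":   {"createIndex", "setProfiling", "compact"},
    "userAdmin": {"viewUsers", "grantRole"},
}
# Cluster-wide actions come only from a role held in the admin DB.
CLUSTER_ACTIONS = {"clusterAdmin": {"addShard", "removeShard"}}

class Deployment:
    """system.users per database; each user document carries a userSource."""

    def __init__(self):
        self.system_users = {}   # db name -> list of user documents

    def add_user(self, db, user, roles, user_source=None):
        # userSource names the DB holding the credentials (e.g. "Accnts");
        # this toy tracks roles only and does not verify passwords.
        self.system_users.setdefault(db, []).append(
            {"user": user, "userSource": user_source or db, "roles": set(roles)})

    def roles_on(self, db, user):
        return set().union(*(d["roles"] for d in self.system_users.get(db, [])
                             if d["user"] == user))

    def allowed(self, user, db, action):
        admin_roles = self.roles_on("admin", user)
        if any(action in acts for acts in CLUSTER_ACTIONS.values()):
            return any(action in CLUSTER_ACTIONS.get(r, ()) for r in admin_roles)
        for role, actions in ROLE_ACTIONS.items():
            if action not in actions:
                continue
            if role in self.roles_on(db, user):        # DB-level role
                return True
            if role + "AnyDatabase" in admin_roles:    # admin-level counterpart
                return True
        return False

    def grant(self, actor, db, user, role, user_source=None):
        """A DB's userAdmin grants on that DB only; userAdminAnyDatabase in the
        admin DB grants anywhere (page 19's super-user)."""
        if not self.allowed(actor, db, "grantRole"):
            raise PermissionError(f"{actor} cannot grant roles on {db}")
        self.add_user(db, user, [role], user_source)
```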

Page 21: Securing Your MongoDB Implementation

Auditing

Page 22: Securing Your MongoDB Implementation

Additional Logging

Monitor user activity:

– userID added to standard output

– Not currently a separate audit log

– Much more coming in 2.6

Page 23: Securing Your MongoDB Implementation

Validation

Page 24: Securing Your MongoDB Implementation

Validation

Objcheck

– Helps prevent DOS

– Validates input

– SERVER-7769 (default)


Page 25: Securing Your MongoDB Implementation

JS Engine

Page 26: Securing Your MongoDB Implementation

JS Engine

Move to V8

– Primarily performance reasons but some security benefits

– Restrictions on $where & M/R/F

– SERVER-8104 & Aaron Heckmann’s Blog


Page 27: Securing Your MongoDB Implementation

Outside of MongoDB

Page 28: Securing Your MongoDB Implementation

Outside of MongoDB

Firewalls

– iptables & netsh

– Ports, Addresses, Times, Throttle etc

F/S (file system)

– Encrypt (Gazzang)

Best Practices

– Internal Policies (Password Reuse, Scan etc)

Page 29: Securing Your MongoDB Implementation

MongoDB - Gazzang

• File System Encryption

• 5% performance hit with HDD, 10-15% with SSD

Diagram: MongoDB runs on the OS with Gazzang beneath it; the file system has all contents encrypted, with keys held by Gazzang Key Mgmt.

Page 30: Securing Your MongoDB Implementation

Vulnerabilities

Page 31: Securing Your MongoDB Implementation

Vulnerabilities (1)

Notify

– Let us know

How, What, Where?

– http://docs.mongodb.org/manual/administration/vulnerability-notification/

– Jira (HTTPS) & (Secure) Email


Page 32: Securing Your MongoDB Implementation

Vulnerabilities (2)

How do YOU know?

– MongoDB Alerts

How, What, Where?

– Vulnerability Notification

– Jira (HTTPS) & (Secure) Email


Page 33: Securing Your MongoDB Implementation

Documentation

Page 34: Securing Your MongoDB Implementation

Documentation

Manual

– http://docs.mongodb.org/manual/security/

• Security Features within MongoDB
• Best Practices & Management
• Strategies
• Tutorials
• Vulnerability Notifications
• References


Page 35: Securing Your MongoDB Implementation

Futures

Page 36: Securing Your MongoDB Implementation

Disclaimer

Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, any specific feature discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.

Page 37: Securing Your MongoDB Implementation

Futures

Auditing

– Logging to output userID associated with actions

Passwords

– Stronger Hashing

Authorization

– User Defined & More Granularity

SSL

– Client Cert Validation

Page 38: Securing Your MongoDB Implementation

Thank You