Webinar: MongoDB 2.4 Feature Overview and Q&A on Security


In version 2.4, MongoDB Enterprise includes Kerberos support for integration into existing enterprise security systems, as well as role-based privileges to provide more granular security for your cluster. This session will introduce you to the new security features available in MongoDB.

Published in: Technology
Speaker notes:
  • system.users collection with hashed password
  • mongod does not even need to know the password hash! You can centralize your authentication service (SPOF & SOS)
  • read: access to read documents; readWrite: access to read and write documents; userAdmin: manage and modify user access to a db; dbAdmin: compact, repair, validate etc.; clusterAdmin: operations on shards
  • With SSD the perf hit is 15%: since SSDs are so much faster, the time spent processing data between the OS and the disk becomes proportionally larger, so encrypting and decrypting take a larger share. You still get a major upgrade in speed.

1. Securing Your MongoDB Implementation
   Matt Kalan, Sr. Solutions Architect, 10gen (@MatthewKalan)
2. Agenda
   1. Securing MongoDB 2.2
   2. Securing MongoDB 2.4
   3. Outside MongoDB
   4. Documentation & Notifications
   5. Conclusion
   6. Futures
   7. Questions
3. Securing MongoDB 2.2
4. Securing MongoDB 2.2
   • Authentication – simple user/password scheme stored in MongoDB
   • Authorization – per database: no access, read, or read-write
   • Auditing – very little
5. MongoDB SSL
   • Keyfile establishes trust between replica-set members
   • SSL encryption for the client connection (application to primary)
   • SSL encryption for inter-server traffic (primary to secondary, each with its own data files)
   • http://docs.mongodb.org/manual/administration/ssl/
6. Securing MongoDB 2.4
7. Authentication
8. Authentication with password hash
   • Use a one-way function F
   • Client: "I am mark@10gen.com, let me in"
   • mongod: "Prove it, here is a random # N"
   • Client: "Here is F(N, hash(<mypwd>))"
   • mongod: "Nobody else could know that, welcome back marko!"
   • mongod knows only my password hash
   • Hash never transmitted over the network!
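The exchange on slide 8, as an added example that is not part of the deck: both sides of the nonce challenge, the wrong-password and replay cases, and the caveat the slide's own design implies. Because F only needs the stored digest, anyone who can read system.users can answer the challenge without ever learning the password (the deck's "stronger hashing" future item is the response to that). The digest construction used here, md5 of username:mongo:password and md5 of nonce + username + digest, is the one MongoDB 2.x's MONGODB-CR mechanism uses; the 8-byte nonce length and the class names are this example's own choices.

```python
import hashlib
import hmac
import os


def password_digest(username: str, password: str) -> str:
    """Stored form of the password (MONGODB-CR): md5 hexdigest of
    "<username>:mongo:<password>". Only this value lives in system.users."""
    return hashlib.md5(f"{username}:mongo:{password}".encode("utf-8")).hexdigest()


def challenge_response(nonce: str, username: str, digest: str) -> str:
    """The one-way function F(N, hash): md5 hexdigest of nonce + username + digest.
    Both sides can compute it; the digest itself is never sent."""
    return hashlib.md5(f"{nonce}{username}{digest}".encode("utf-8")).hexdigest()


class Mongod:
    """Server side: knows only digests, issues a fresh nonce for every attempt."""

    def __init__(self) -> None:
        self.users = {}  # username -> digest, like the pwd field in system.users

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = password_digest(username, password)

    def get_nonce(self) -> str:
        return os.urandom(8).hex()  # the random # N (8 bytes is this example's choice)

    def verify(self, username: str, nonce: str, key: str) -> bool:
        digest = self.users.get(username)
        if digest is None:
            return False
        expected = challenge_response(nonce, username, digest)
        return hmac.compare_digest(expected, key)  # constant-time comparison


class Client:
    """Client side: derives the digest from the typed password, then answers N."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.digest = password_digest(username, password)

    def answer(self, nonce: str) -> str:
        return challenge_response(nonce, self.username, self.digest)


def login(server: Mongod, client: Client) -> bool:
    """One full exchange: nonce out, F(N, hash) back, verdict."""
    nonce = server.get_nonce()
    return server.verify(client.username, nonce, client.answer(nonce))


def replay_is_rejected(server: Mongod, client: Client) -> bool:
    """A captured (nonce, key) pair is useless against a later challenge."""
    captured_nonce = server.get_nonce()
    captured_key = client.answer(captured_nonce)
    fresh_nonce = server.get_nonce()
    return not server.verify(client.username, fresh_nonce, captured_key)


def stolen_digest_suffices(server: Mongod, username: str) -> bool:
    """Caveat: a copy of the stored digest answers the challenge without the password."""
    digest = server.users[username]
    nonce = server.get_nonce()
    return server.verify(username, nonce, challenge_response(nonce, username, digest))


if __name__ == "__main__":
    srv = Mongod()
    srv.add_user("mark", "s3cret")  # constructed credentials
    print("correct password:", login(srv, Client("mark", "s3cret")))
    print("wrong password:  ", login(srv, Client("mark", "nope")))
    print("replay rejected: ", replay_is_rejected(srv, Client("mark", "s3cret")))
    print("digest suffices: ", stolen_digest_suffices(srv, "mark"))
```

The nonce is what makes the scheme resist replay; the digest-suffices case is why the stored hash has to be protected as carefully as the password itself, which is the point of restricting who may read system.users (slide 16).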
9. External Authentication
   • Use common / standardized authentication
   • SASL: Simple Authentication and Security Layer – framework for building authentication
   • Kerberos – GSSAPI, drivers will be updated
   • Mixed system.users can work during the transition
10. Authentication with Kerberos
   1. Client to KDC (UDP:88): "I am mark@10gen.com, help me prove it to mongod"
   2. KDC to client: here is a TGT; the client then uses the TGT to obtain a service ticket for mongod's principal from the KDC
   3. Client to mongod (TCP:27017): here is a Kerberos service ticket
   4. mongod verifies the ticket with its keytab: "Welcome!"
   • mongod's user document: {user: "mark@10gen.com", roles: ["readWrite"], userSource: "$external"}
   • Keytab on the mongod host
11. Starting the Database
   env KRB5_KTNAME=/etc/kserver1b.keytab \
   mongod --auth --setParameter authenticationMechanisms=GSSAPI \
     --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log \
     --replSet realm4 --keyFile /etc/keyfile
12. Authenticating & Connecting
   # kinit mongouser
   …
   # klist
   …
   03/11/13 09:30:30  03/12/13 09:30:30  …
   # mongo mongodb.10gen.com/$external --authenticationMechanism=GSSAPI -u mongouser@10GEN.COM
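A pre-flight check for the start command on slide 11, added here as an example and not a 10gen tool. It parses the command line, confirms authentication is actually switched on and that GSSAPI is among the mechanisms, and inspects the two secrets the command points at: the --keyFile must be 6 to 1024 base64 characters (whitespace ignored) and must carry no group or world permission bits, which mongod itself enforces before it will start; the same permission rule is applied to the keytab named by KRB5_KTNAME as good practice, not as a mongod requirement. The parser handles only the flag shapes on the slide, and demo() stands in temporary files for /etc/kserver1b.keytab and /etc/keyfile.

```python
import os
import re
import shlex
import stat
import tempfile

BASE64_SET = re.compile(r"^[A-Za-z0-9+/=]+$")


def parse_mongod_args(command: str) -> dict:
    """Flatten 'env K=V mongod --flag [value] --setParameter k=v ...' into a map.
    Valueless flags map to ''; --setParameter k=v becomes 'setParameter.k'."""
    opts = {}
    tokens = shlex.split(command)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok and not tok.startswith("--"):  # env assignment such as KRB5_KTNAME=...
            k, v = tok.split("=", 1)
            opts[k] = v
        elif tok.startswith("--"):
            name = tok[2:]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt and not nxt.startswith("--"):
                if name == "setParameter" and "=" in nxt:
                    k, v = nxt.split("=", 1)
                    opts[f"setParameter.{k}"] = v
                else:
                    opts[name] = nxt
                i += 1
            else:
                opts[name] = ""
        i += 1
    return opts


def secret_file_problems(path: str, require_base64: bool = False) -> list:
    """Permission and (for the keyfile) content rules for a secret mongod reads."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: permissions too open ({stat.filemode(st.st_mode)})")
    if require_base64:
        with open(path, "r", encoding="ascii", errors="replace") as f:
            body = "".join(f.read().split())  # mongod strips whitespace from the keyfile
        if not (6 <= len(body) <= 1024) or not BASE64_SET.match(body):
            problems.append(f"{path}: key must be 6-1024 base64 characters")
    return problems


def preflight(command: str) -> list:
    """Return the list of problems; an empty list means the command passes."""
    opts = parse_mongod_args(command)
    problems = []
    if "auth" not in opts and "keyFile" not in opts:
        problems.append("authentication not enabled (--auth or --keyFile)")
    mechanisms = opts.get("setParameter.authenticationMechanisms", "MONGODB-CR")  # 2.4 default
    if "GSSAPI" in mechanisms.split(","):
        if "KRB5_KTNAME" not in opts:
            problems.append("GSSAPI enabled but KRB5_KTNAME is not set")
        else:
            problems += secret_file_problems(opts["KRB5_KTNAME"])
    if "keyFile" in opts:
        problems += secret_file_problems(opts["keyFile"], require_base64=True)
    return problems


def demo() -> dict:
    """Constructed example: the slide's command against temporary stand-in files."""
    d = tempfile.mkdtemp()
    keytab = os.path.join(d, "kserver1b.keytab")
    good_key = os.path.join(d, "keyfile")
    bad_key = os.path.join(d, "keyfile.bad")
    for path, body in ((keytab, "binary-keytab-stand-in"),
                       (good_key, "Zm9vYmFyYmF6cXV4"),
                       (bad_key, "not base64! too open")):
        with open(path, "w") as f:
            f.write(body + "\n")
        os.chmod(path, 0o600)
    os.chmod(bad_key, 0o644)  # group/world readable: mongod refuses such a keyfile
    template = ("env KRB5_KTNAME={keytab} mongod --auth "
                "--setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork "
                "--logpath /var/tmp/mongod_auth.log --replSet realm4 --keyFile {keyfile}")
    return {
        "good": preflight(template.format(keytab=keytab, keyfile=good_key)),
        "bad_keyfile": preflight(template.format(keytab=keytab, keyfile=bad_key)),
        "no_auth": preflight("mongod --dbpath /data/db"),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

Run it before the real start so a too-open keyfile shows up as a readable message rather than as a mongod that exits at boot; extend secret_file_problems with an ownership check if mongod runs under its own account.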
13. Authorization
14. Authorization
   • Issues with 2.2
     – Only read / readWrite
     – Edge case with possible privilege escalation
   • 2.4 introduces roles
     – Admin-level roles: userAdmin, clusterAdmin
     – DB-level roles: userAdmin, dbAdmin, read, readWrite
     – Corresponding admin-level "AnyDatabase" roles: readAnyDatabase, readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase
15. Admin DB
   • clusterAdmin
   • AnyDatabase roles
   (image: https://wellsted135.files.wordpress.com/2012/10/special.gif)
16. Super-user
   • userAdmin & userAdminAnyDatabase
   • Only these users can view details about other users (the system.users collection)
17. Where the roles live
   • Admin DB: userAdmin, clusterAdmin
   • Accounts DB: userAdmin; holds the password hashes
   • App1 DB: userAdmin, dbAdmin, readWrite, read
   • App2 DB: userAdmin, dbAdmin, readWrite, read
18. Who can do what
   • Admin DB userAdmin: "I can do anything, but I won't be required to do much"
   • Admin DB clusterAdmin: "I can add and remove shards"
   • Accounts DB userAdmin: "I can create new users, but I can't grant them privileges to other DBs"
   • App DB userAdmin: "I can grant privileges to the App DB only"
   • App DB dbAdmin: "I can create indices, set profiling, compact"
19. In App.system.users:
   {user: "fred", userSource: "Accounts", roles: ["userAdmin"]}
   {user: "george", userSource: "Accounts", roles: ["dbAdmin"]}
   • Credentials come from the Accounts DB
   • Each DB's userAdmin grants privileges separately
   • App DB userAdmin: "I can grant privileges to the App DB only"
   • App DB dbAdmin: "I can create indices, set profiling, compact"
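The role layout of slides 14 to 19 as a small, runnable authorization model, added here as an example (it is not mongod's authorization code). It keeps three of the 2.4 rules: DB-level roles apply only in the database whose system.users holds them, clusterAdmin and the AnyDatabase roles count only when held in admin, and a user document carries exactly one of pwd or userSource. The action names per role are limited to what the slides mention, the user documents are constructed after slides 17 and 19, and the pwd values are placeholders rather than real digests.

```python
from dataclasses import dataclass
from typing import Optional

# Actions each 2.4 role grants, limited to those the slides mention (not the full privilege list).
ROLE_ACTIONS = {
    "read": {"find"},
    "readWrite": {"find", "insert", "update", "remove"},
    "dbAdmin": {"ensureIndex", "setProfilingLevel", "compact"},
    "userAdmin": {"createUser", "grantRole", "readSystemUsers"},
    "clusterAdmin": {"addShard", "removeShard"},
}
# admin-db counterparts that reach every database
ANY_DATABASE = {
    "readAnyDatabase": "read",
    "readWriteAnyDatabase": "readWrite",
    "dbAdminAnyDatabase": "dbAdmin",
    "userAdminAnyDatabase": "userAdmin",
}
ADMIN_ONLY = set(ANY_DATABASE) | {"clusterAdmin"}


@dataclass
class UserDoc:
    """One entry in <db>.system.users. Exactly one of pwd (local credential) or
    userSource (the database, or $external, holding the credential) is set."""
    db: str
    user: str
    roles: list
    userSource: Optional[str] = None
    pwd: Optional[str] = None


def validate(doc: UserDoc) -> list:
    """Shape rules 2.4 applies to a user document; empty list means valid."""
    problems = []
    if (doc.pwd is None) == (doc.userSource is None):
        problems.append(f"{doc.db}.{doc.user}: needs exactly one of pwd or userSource")
    for role in doc.roles:
        if role not in ROLE_ACTIONS and role not in ANY_DATABASE:
            problems.append(f"{doc.db}.{doc.user}: unknown role {role}")
        elif role in ADMIN_ONLY and doc.db != "admin":
            problems.append(f"{doc.db}.{doc.user}: {role} is only valid in the admin database")
    return problems


def authorized(docs: list, user: str, db: str, action: str) -> bool:
    """May `user` perform `action` against `db`?"""
    for doc in docs:
        if doc.user != user:
            continue
        for role in doc.roles:
            if role == "clusterAdmin":
                if doc.db == "admin" and action in ROLE_ACTIONS[role]:
                    return True
            elif role in ROLE_ACTIONS:  # DB-level: only in the db holding the document
                if doc.db == db and action in ROLE_ACTIONS[role]:
                    return True
            elif role in ANY_DATABASE:  # admin-only, reaches every db
                if doc.db == "admin" and action in ROLE_ACTIONS[ANY_DATABASE[role]]:
                    return True
    return False


def credentials(docs: list, user: str, db: str) -> Optional[str]:
    """Follow userSource to the database that actually stores the password hash."""
    for doc in docs:
        if doc.db == db and doc.user == user:
            if doc.pwd is not None:
                return doc.pwd
            if doc.userSource is not None and doc.userSource != db:
                return credentials(docs, user, doc.userSource)
    return None


# Constructed layout after slides 17 and 19: hashes live in Accounts, App grants
# roles by reference. The pwd values are placeholders, not real digests.
SAMPLE_USERS = [
    UserDoc("admin", "ops", ["userAdminAnyDatabase", "clusterAdmin"], pwd="<hash-ops>"),
    UserDoc("Accounts", "fred", [], pwd="<hash-fred>"),
    UserDoc("Accounts", "george", [], pwd="<hash-george>"),
    UserDoc("Accounts", "alice", [], pwd="<hash-alice>"),
    UserDoc("App", "fred", ["userAdmin"], userSource="Accounts"),
    UserDoc("App", "george", ["dbAdmin"], userSource="Accounts"),
    UserDoc("App2", "alice", ["read"], userSource="Accounts"),
]

if __name__ == "__main__":
    for who, db, action in (("fred", "App", "grantRole"), ("fred", "App2", "grantRole"),
                            ("george", "App", "compact"), ("alice", "App2", "readSystemUsers")):
        print(f"{who} {action} on {db}: {authorized(SAMPLE_USERS, who, db, action)}")
```

The readSystemUsers action is listed only under userAdmin to reflect slide 16: a plain read role on App2 does not let alice see other users' documents even though they sit in the same database.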
20. Auditing
21. Additional Logging
   • Monitor user activity: userID added to standard output
   • No separate audit log
   • Much more coming in 2.6
22. Validation
23. Validation
   • objcheck – helps prevent DoS
   • Validates input
   • On by default (SERVER-7769)
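What objcheck validates is the structure of the BSON a client sends: every declared length has to fit inside the bytes actually received, keys have to be NUL-terminated, nested documents have to be consistent, and the document has to end with its terminator byte. The validator below is an added example, not mongod's code; it covers a subset of element types (double, string, embedded document and array, bool, datetime, null, int32, int64) and the nesting limit and sample documents are this example's own constructions.

```python
import struct

MAX_DEPTH = 32  # assumed limit for this example; mongod has its own nesting limit


def validate_bson(buf: bytes) -> tuple:
    """Structural check of one BSON document. Returns (ok, reason)."""
    try:
        end = _check_document(buf, 0, depth=0)
    except ValueError as e:
        return False, str(e)
    if end != len(buf):
        return False, f"trailing bytes after document ({len(buf) - end})"
    return True, "ok"


def _need(pos: int, n: int, end: int) -> int:
    """Advance over a fixed-size value, refusing to read past the document."""
    if pos + n > end:
        raise ValueError(f"value at {pos} runs past document end")
    return pos + n


def _check_document(buf: bytes, start: int, depth: int) -> int:
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    if len(buf) - start < 5:
        raise ValueError(f"document at {start} shorter than 5 bytes")
    size = struct.unpack_from("<i", buf, start)[0]
    if size < 5 or start + size > len(buf):
        raise ValueError(f"document at {start} declares {size} bytes, {len(buf) - start} available")
    end = start + size
    pos = start + 4
    while True:
        if pos >= end:
            raise ValueError("missing document terminator")
        etype = buf[pos]
        pos += 1
        if etype == 0x00:
            if pos != end:
                raise ValueError(f"terminator at {pos - 1} but document ends at {end}")
            return end
        nul = buf.find(b"\x00", pos, end)  # element key is a NUL-terminated cstring
        if nul < 0:
            raise ValueError(f"unterminated key at {pos}")
        pos = nul + 1
        if etype in (0x01, 0x09, 0x12):      # double, UTC datetime, int64
            pos = _need(pos, 8, end)
        elif etype == 0x10:                  # int32
            pos = _need(pos, 4, end)
        elif etype == 0x08:                  # bool
            pos = _need(pos, 1, end)
        elif etype == 0x0A:                  # null: no payload
            pass
        elif etype == 0x02:                  # string: int32 length (incl. NUL) + bytes
            pos = _need(pos, 4, end)
            slen = struct.unpack_from("<i", buf, pos - 4)[0]
            if slen < 1 or pos + slen > end or buf[pos + slen - 1] != 0:
                raise ValueError(f"bad string length {slen} at {pos - 4}")
            pos += slen
        elif etype in (0x03, 0x04):          # embedded document / array
            pos = _check_document(buf, pos, depth + 1)
        else:
            raise ValueError(f"unsupported element type 0x{etype:02x}")


# Constructed samples: {"a": 1}, {"s": "hi"}, a string whose length field overruns
# the document, a truncated buffer, a nested document, and a too-small size prefix.
SAMPLES = {
    "int32": b"\x0c\x00\x00\x00\x10a\x00\x01\x00\x00\x00\x00",
    "string": b"\x0f\x00\x00\x00\x02s\x00\x03\x00\x00\x00hi\x00\x00",
    "string_overrun": b"\x0f\x00\x00\x00\x02s\x00\x7f\x00\x00\x00hi\x00\x00",
    "truncated": b"\x0c\x00\x00\x00\x10a\x00\x01\x00\x00\x00",
    "nested": b"\x14\x00\x00\x00\x03d\x00" + b"\x0c\x00\x00\x00\x10a\x00\x01\x00\x00\x00\x00" + b"\x00",
    "size_too_small": b"\x0b\x00\x00\x00\x10a\x00\x01\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:15} {validate_bson(doc)}")
```

The overrun and truncated cases are the ones that matter for the DoS point: a length field is attacker-controlled, so a reader that trusts it walks off the end of the buffer or allocates for the declared size, and the check has to happen before anything is decoded.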
24. JS Engine
25. JS Engine
   • Move to V8 – primarily for performance reasons, but with some security benefits
   • Restrictions on $where (SERVER-9124) & M/R/F
   • SERVER-8104 & the 2.4 release notes
26. Outside MongoDB
27. Outside MongoDB
   • Firewalls – iptables & netsh: ports, addresses, times, throttle etc.
   • File system – encrypt (Gazzang) [HIPAA, PCI, SOX]
   • Best practices – internal policies (password reuse, scanning etc.)
28. MongoDB partners with Gazzang
   • File system encryption
   • 5% performance hit with HDD, 10-15% with SSD
   • File system – all contents encrypted; Gazzang sits between the OS and the file system, with Gazzang key management alongside
29. Documentation & Notifications
30. Documentation
   • Manual – http://docs.mongodb.org/manual/security/
     – Security features within MongoDB
     – Best practices & strategies
     – Tutorials
     – Vulnerability notifications
31. Potential Security Issues
   • How do YOU know? – MongoDB alerts
   • How, what, where? – vulnerability notification via Jira (HTTPS) & (secure) email
32. Future features
33. Disclaimer
   Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, any specific feature discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
34. Future features
   • Auditing – logging to output the userID associated with actions (SERVER-1891)
   • Passwords – stronger hashing (SERVER-2380)
   • Authorization – user-defined roles & more granularity
   • SSL – client & security improvements
35. Conclusion
36. Conclusion
   • 2.2 needed improvement for security
   • 2.4 is much better & enterprise-level
   • Authentication & authorization
   • Within & outside MongoDB
37. Thanks
   • Thanks to Mike Stimpson for the awesome pics: http://imgur.com/a/0XvKw
38. Questions?
   Matt Kalan, Sr. Solutions Architect, 10gen (@MatthewKalan)
