
It's a Dangerous World: From OS Through Application, Securing Your MongoDB Infrastructure


Speaker: Steffan Mejia

In this session, we provide a practical and tactical overview of securing your MongoDB infrastructure. We will address the fundamentals of security and security philosophy. Specifically, we'll look at firewalls, managing logins, encryption, and securing backups. Some of the technologies we'll cover include AppArmor / SELinux, SSH/TLS, and LDAP. We will discuss security practices for MongoDB access control, auditing, at-rest encryption, key management, and securing backups. At the application layer, we will discuss how to avoid CSRF and command injection.



  1. #MDBlocal
  2. October 12, 2017 | Bespoke | San Francisco
     IT'S A DANGEROUS WORLD: From OS Through Application, Securing Your MongoDB Infrastructure
  3. Steffan Mejia, Lead Consulting Engineer, MongoDB (@steffan_mejia)
  4. What is security?
  5. Security… is not a sprint
  6. Security… is not a marathon
  7. Security… is a never-ending race
  8. security (si-ˈkyu̇r-ə-tē), Merriam-Webster: the quality or state of being secure, such as
     • freedom from danger: safety
     • freedom from fear or anxiety
     • freedom from the prospect of being laid off (job security)
  9. Being secure: freedom from danger
  10. Being secure: freedom from danger
     • In 2016, a 320% increase in the number of healthcare hacking attacks
     • Kaspersky: corporate hacking attacks increased by a third in 2016
     • WSJ: bank hacking attempts likely to increase
     • NY Times: Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool
  11-12. Being secure: freedom from fear or anxiety
  13. Being secure: freedom from fear or anxiety. More and tougher regulations:
     • EU GDPR: applies from May 2018; legislation for the protection of all EU citizens' data, with major fines
     • FISMA: US government security standards
     • PCI-DSS: retail, cardholder data protection
     • HIPAA: healthcare, patient data
     • SOX: corporate governance, financial data controls
     • Gramm-Leach-Bliley Act: financial services, customer data
  14. Being secure: increased attack surface area
     • 40 billion TB (40 ZB) of data generated by 2020
     • Over 280 types of data stores available
     • Researchers estimate attacks increasing by 50% year on year
     • Nation states, organized crime, opportunists
     • Less brute force, more phishing, malware and ransomware
  15. Staying safe
  16-17. Don't underestimate your adversary
  18. Security through obscurity: keeping vital system details hidden
     • Hiding internal IP addresses
     • Code obfuscation
     • Not talking about your systems
     You can secure systems by keeping things secret…
  19. …but not forever. Obscurity raises the attacker's cost and buys time; it is a layer on top of real controls, not a substitute for them.
  20. OS level
  21. OS level (Linux)
     • AppArmor
     • SELinux
     • iptables / netfilter
     • Generally sensible practices: dedicated users per application; least privilege; setting the uid/gid (owner and group) of directories; don't use chmod 777
  22. AppArmor
     • Mandatory Access Control (MAC) for applications
     • In the mainline Linux kernel since 2.6.36
     • Easier to configure than SELinux
     • Path-based (rules name file paths rather than security labels)
  23. AppArmor: sample profile for /bin/ping

       #include <tunables/global>
       /bin/ping flags=(complain) {
         #include <abstractions/base>
         #include <abstractions/consoles>
         #include <abstractions/nameservice>
         capability net_raw,
         capability setuid,
         network inet raw,
         /bin/ping mixr,
         /etc/modules.conf r,
       }

     Reading the profile: the three abstractions pull in the common rules for libc, terminals and name resolution; the two capability lines are what ping needs to open a raw socket and then drop its setuid root privileges; mixr lets the binary be memory-mapped, executed under this same profile (the i in ix) and read. flags=(complain) puts the profile in complain mode, which only logs what would have been denied; switch to enforce mode (aa-enforce /bin/ping) once the log is clean, otherwise the profile protects nothing.
  26. SELinux
     • Another MAC implementation
     • Default in Red Hat / CentOS
     • Driven by loadable policy rules
     • Operations intercepted in the kernel
  27. SELinux: the default action is deny. If no rule exists to allow an access, such as a process opening a file, the access is denied. The tempting shortcut when something breaks, SELINUX=disabled in /etc/selinux/config, switches that protection off entirely; switch to permissive mode and read the denials in the audit log instead.
  28. SELinux: the default policy in Red Hat and CentOS is targeted
     • Targets and confines specific system processes
     • Processes that are targeted run in a confined domain
     • Processes not targeted run in the unconfined domain
  29. SELinux: /etc/selinux/config

       SELINUX=permissive
       SELINUXTYPE=targeted

     Options for SELINUX (enforcement): disabled, permissive, enforcing
     Options for SELINUXTYPE: targeted, mls
     getenforce shows the current mode. A change to /etc/selinux/config takes effect at the next boot; setenforce 0 / setenforce 1 toggles between permissive and enforcing at runtime.
  30. iptables / netfilter
     • Block unused ports
     • Define rules for hosts allowed to connect
     • Additional layer on top of existing network security
  31. iptables / netfilter

       ~:#> iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
       ~:#> iptables -A INPUT -s 0.0.0.0/0 -j DROP

     Rules are matched in order, so the ACCEPT must be appended before the catch-all DROP. As written, the second rule also drops loopback traffic and the replies to the host's own outbound connections; in practice allow the lo interface and ESTABLISHED,RELATED state ahead of it, and narrow the ACCEPT to the MongoDB port (27017 by default) rather than all traffic from the subnet.
  32. iptables / netfilter

       ~:#> iptables -L
       Chain INPUT (policy ACCEPT)
       target     prot opt source               destination
       ACCEPT     all  --  10.0.0.0/24          anywhere
       DROP       all  --  anywhere             anywhere
  33. MongoDB security
  34. First… always consult MongoDB's Security Checklist: https://docs.mongodb.org/manual/administration/security-checklist
  35. MongoDB security
     • Authentication
     • Authorization
     • Encryption
     • Auditing
     • Log redaction
  36. Authentication: who are you?
     • Challenge-response
     • x.509
     • LDAP
     • Kerberos
  37. Client authentication comparison

       Method                            Clear-text password sent?                                     Identity stored
       Challenge/response (SCRAM-SHA-1)  No (salted digest)                                            Internal (MongoDB)
       x.509 certificate                 No (digital signature)                                        External (CA)
       LDAP                              Yes *                                                         External (directory)
       Kerberos                          No (KDC-generated session key, encrypted with the password)   External (KDC)

     * Must be protected by a transport-level security mechanism: TLS from the client to mongod, and TLS/LDAPS from mongod to the directory.
  38. About SCRAM-SHA-1… Hasn't SHA-1 been broken? Yes. Isn't SHA-1 deprecated? Yes, since 2011. Isn't MongoDB's use of it risky? No.
  39-40. About SCRAM-SHA-1… The known break is a collision attack. If an attacker could create a new user and password, and we stored the password as a simple SHA-1 hash, then the attacker could conceivably generate a second password that hashes to the same value. SCRAM does not store a plain hash: the password is salted and iterated with PBKDF2, and the exchange proves possession with HMAC, so an attacker would need a preimage of a salted, per-user value, which no published SHA-1 attack provides. (MongoDB 4.0 later added SCRAM-SHA-256, the mechanism to prefer where available.)
  41. Authentication options: LDAP (MongoDB Enterprise Server)

       LDAP integration   MongoDB versions   Operating systems   External dependencies
       Proxy              2.6+               Linux               saslauthd (Simple Authentication and Security Layer, SASL)
       Direct             3.4+               Linux and Windows   n/a

     [Diagram: with the proxy option, mongod on the DB host hands credentials to a local saslauthd, which talks to the directory server on the directory host; with the direct option, mongod talks to the directory server itself.]
  42. Authorization: what you can do
     • Database / collection permissions
     • Role-based access control
  43. Role-based access control
     Built-in roles: read, readWrite, dbAdmin, clusterAdmin, root (among others)
     User-defined roles: based on actions that can be defined for a resource (a database, a collection, or the cluster)
  44. Role-based access control: defining a custom role, append-only
     Define the role (db.createRole with only the insert action on the collection), then define the user (db.createUser) with that role.
  45. Role-based access control: defining a custom role, append-only
     Attempt an insert (succeeds) …and a find (refused with an authorization error, since the role grants no find action).
  46. LDAP authorization: MongoDB roles mapped to LDAP groups
     Role membership is fluid and managed dynamically in the LDAP directory (rather than by granting roles to users in MongoDB). LDAP authorization is an optional feature, available when LDAP direct authentication is enabled.
  47. Read-only views + roles for document-level access control
     Insert data and define a view that filters or projects the documents the user may see, then execute a find.
  48. Read-only views + roles for document-level access control
     Lock the user down to only the view: grant find on the view, not on the underlying collection.
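The slides above show the role, user and view commands only as screenshots. As an added example (not code from the original deck), here is an in-memory model of how MongoDB resolves a user's roles into privileges and checks one action against one resource, replaying the append-only role of slides 44-45 and the view-only user of slides 47-48. The role and user documents are in the shape db.createRole() / db.createUser() accept; the checker is a simplified re-implementation of the server's resource-matching rules, and all names and data are constructed for the example.

```javascript
// Roles keyed by "<db>.<role>", the way MongoDB addresses them.
// (Real createRole takes the document without the db field; db is the current database.)
const ROLES = {
  // Slide 44: append-only role, insert on app.events and nothing else.
  "app.appendOnly": {
    role: "appendOnly", db: "app",
    privileges: [{ resource: { db: "app", collection: "events" }, actions: ["insert"] }],
    roles: [],
  },
  // Slides 47-48: may only read the view, not the source collection.
  "app.reportViewer": {
    role: "reportViewer", db: "app",
    privileges: [{ resource: { db: "app", collection: "customers_public" }, actions: ["find"] }],
    roles: [],
  },
  // Approximation of the built-in "read" role: find on every collection in app.
  "app.read": {
    role: "read", db: "app",
    privileges: [{ resource: { db: "app", collection: "" }, actions: ["find"] }],
    roles: [],
  },
  // A role with no privileges of its own that inherits from "read".
  "app.auditor": { role: "auditor", db: "app", privileges: [], roles: [{ role: "read", db: "app" }] },
};

const USERS = {
  logger:  { user: "logger",  db: "app", roles: [{ role: "appendOnly",   db: "app" }] },
  analyst: { user: "analyst", db: "app", roles: [{ role: "reportViewer", db: "app" }] },
  auditor: { user: "auditor", db: "app", roles: [{ role: "auditor",      db: "app" }] },
};

// Resource matching, simplified from the MongoDB privilege documentation:
//   { db: "x", collection: "y" }  exactly x.y
//   { db: "x", collection: "" }   every collection in x
//   { db: "",  collection: "y" }  collection y in every database
//   { db: "",  collection: "" }   every collection in every database
function resourceMatches(granted, requested) {
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === "" || granted.collection === requested.collection;
  return dbOk && collOk;
}

// Walk the user's roles, following inherited roles, and collect privileges.
function effectivePrivileges(user) {
  const seen = new Set();
  const privileges = [];
  const todo = [...user.roles];
  while (todo.length > 0) {
    const ref = todo.pop();
    const key = `${ref.db}.${ref.role}`;
    if (seen.has(key)) continue;     // guards against cycles and duplicates
    seen.add(key);
    const role = ROLES[key];
    if (!role) continue;             // an unknown role grants nothing
    privileges.push(...role.privileges);
    todo.push(...role.roles);
  }
  return privileges;
}

// The check made before a command runs: does any privilege cover this
// resource and include this action?
function isAuthorized(userName, resource, action) {
  const user = USERS[userName];
  if (!user) return false;
  return effectivePrivileges(user).some(
    (p) => resourceMatches(p.resource, resource) && p.actions.includes(action)
  );
}

// Slides 45 and 48 replayed against the model.
function demo() {
  const events = { db: "app", collection: "events" };
  const view = { db: "app", collection: "customers_public" };
  const source = { db: "app", collection: "customers" };
  return {
    loggerInsert: isAuthorized("logger", events, "insert"),     // true
    loggerFind: isAuthorized("logger", events, "find"),         // false
    analystFindView: isAuthorized("analyst", view, "find"),     // true
    analystFindSource: isAuthorized("analyst", source, "find"), // false
    auditorFindSource: isAuthorized("auditor", source, "find"), // true, inherited from read
  };
}
```

The view case is the point of slides 47-48: a user who holds find on the view only never needs find on the source collection, so the documents the view filters out are unreachable through that account. The empty-string wildcard in a resource is what makes the built-in database roles broad; a custom role should name the collection.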
  49. Encryption: rendering data unreadable to others
     • Over the wire
     • At rest
  50. Encryption over the wire (TLS)
     • Transport Layer Security supersedes SSL (MongoDB's option names of this era still say "ssl")
     • Four increasingly strict modes
     • Supported by all drivers and MongoDB tools
     • Client certificate authentication is not mandated: any client and internal authentication method can be combined with TLS
     • TLS can even be used with authentication / authorization completely disabled, which leaves the traffic encrypted and the database open; don't
  51. Encryption over the wire (TLS): mongod.conf

       net:
         ssl:
           mode: allowSSL
           PEMKeyFile: /etc/ssl/mongodb.pem

     TLS (SSL) modes: disabled, allowSSL, preferSSL, requireSSL. (From MongoDB 4.2 the same settings are spelled net.tls.mode with disabled, allowTLS, preferTLS and requireTLS, and certificateKeyFile replaces PEMKeyFile.)
  52-55. Encryption over the wire (TLS): what each mode means for the client's driver and for connections between replica set and cluster members
     • disabled: no TLS anywhere
     • allowSSL: the server accepts both TLS and plain incoming connections; connections between members are unencrypted
     • preferSSL: the server accepts both TLS and plain incoming connections; connections between members use TLS
     • requireSSL: only TLS connections are accepted, from clients and members alike
     allowSSL and preferSSL exist so a live deployment can be rolled up to requireSSL without downtime; a deployment should not stay on them.
  56-57. TLS and FIPS 140-2 (MongoDB Enterprise Server)
     • OpenSSL "FIPS Object Module": a certified component optionally used via OpenSSL
     • The module verifies its own integrity when it is loaded (a digest of the module is checked against the value computed for the certified build), so a tampered copy refuses to run
     • MongoDB configurable option: net.ssl.FIPSMode: true
  58. Encryption at rest (MongoDB Enterprise Server)
     • Encrypts data at the database level
     • Files on disk are encrypted
     • Helps mitigate a system-level breach: stolen disks or backups, or a host compromise without access to the key
  59. Encryption at rest (MongoDB Enterprise Server)
     Symmetric keys: the same key encrypts and decrypts
     • AES256-CBC (256-bit AES, Cipher Block Chaining)
     • AES256-GCM (256-bit AES, Galois/Counter Mode, authenticated)
     Encryption alternatives
     • Partner solution for file and OS-level encryption (e.g. Vormetric)
     • Application code performs field-level encryption (but then how to index? a field the application encrypts cannot be indexed or range-queried by the server)
  60. Encryption at rest (MongoDB Enterprise Server)
     • Native encryption inside the database
     • Single-digit % overhead
     • Based on WiredTiger
     • Two key types for easy key rotation: a master key per replica set member (per mongod) and an internal key per database
     • Options for sourcing the master key: a third-party key management appliance using KMIP (Key Management Interoperability Protocol), or a keyfile on the local filesystem. A keyfile stored beside the data it protects only defends against lost media, not a compromised host; MongoDB documents the keyfile for testing and recommends KMIP for production.
  61. Encryption at rest (MongoDB Enterprise Server)
     [Diagram: each replica's mongod has its own master key, held on the third-party key management appliance. The master key encrypts an internal keystore holding one internal key per database (DB-a key, DB-b key, DB-c key, DB-d key), and each database's files are encrypted with its own internal key.]
  62. Auditing (MongoDB Enterprise Server)
     Audit log of actions taken against the database, with a configurable destination (file, syslog or console) and a configurable format (JSON or BSON)
  63. Auditing (MongoDB Enterprise Server): event types
     System events, captured by default once auditing is enabled (enabled with the auditLog.destination config parameter):
     • DDL
     • Authentication failures
     • Users and roles configuration
     • Replication and sharding configuration
     • Server lifecycle actions
     CRUD events, not captured by default (enabled with setParameter auditAuthorizationSuccess: true, at a noticeable performance cost):
     • Inserts
     • Updates
     • Removes
     • Finds
     • Aggregations
  64-65. Auditing (MongoDB Enterprise Server): audit filters
     • Filter on attributes of captured audit documents
     • In the config, set auditLog.filter (the --auditFilter command-line option) to a query expression
     • Filter on: action, user, role, command, database, collection, etc.
     • Examples:

         filter: '{ atype: { $in: ["createCollection", "dropCollection"] } }'
         filter: '{ roles: { role: "readWrite", db: "test" } }'
         filter: '{ atype: "authCheck", "param.command": { $in: ["find", "insert"] } }'

     The filter is a whitelist of what gets written: events that do not match are dropped, so the third example keeps only the authCheck events for the two commands it names.
  66. Log redaction (MongoDB Enterprise Server): redact sensitive data in log files. With security.redactClientLogData: true the field values of logged queries and updates are replaced with placeholders, so a slow-query entry cannot leak document contents.
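To see which events each of the three filters on slide 64 keeps, here is an added example (not code from the original deck) that evaluates them against constructed audit events with a small re-implementation of the query operators they use: implicit equality, dotted paths, $in, and MongoDB's rule that an array field matches when any element matches. The events are made up and only carry the fields the filters touch.

```javascript
// Constructed audit events in the shape of the JSON audit format (trimmed).
const AUDIT_EVENTS = [
  { id: 1, atype: "createCollection", users: [{ user: "admin", db: "admin" }],
    roles: [{ role: "root", db: "admin" }], param: { ns: "test.orders" }, result: 0 },
  { id: 2, atype: "authCheck", users: [{ user: "app", db: "test" }],
    roles: [{ role: "readWrite", db: "test" }], param: { command: "find", ns: "test.orders" }, result: 0 },
  { id: 3, atype: "authCheck", users: [{ user: "app", db: "test" }],
    roles: [{ role: "readWrite", db: "test" }], param: { command: "update", ns: "test.orders" }, result: 0 },
  { id: 4, atype: "dropCollection", users: [{ user: "ops", db: "admin" }],
    // same role, but the keys are in the opposite order: see FILTER_ROLE below
    roles: [{ db: "test", role: "readWrite" }], param: { ns: "test.orders" }, result: 0 },
  { id: 5, atype: "authenticate", users: [{ user: "app", db: "test" }],
    roles: [], param: { user: "app", db: "test", mechanism: "SCRAM-SHA-1" }, result: 18 },
];

// Resolve a dotted path, descending into arrays the way MongoDB does.
function lookup(doc, path) {
  let current = [doc];
  for (const key of path.split(".")) {
    const next = [];
    for (const value of current) {
      const holders = Array.isArray(value) ? value : [value];
      for (const h of holders) {
        if (h !== null && typeof h === "object" && key in h) next.push(h[key]);
      }
    }
    current = next;
  }
  return current;
}

// Exact document equality as MongoDB applies it: key order matters.
function deepEqual(a, b) {
  if (a === b) return true;
  if (a === null || b === null || typeof a !== "object" || typeof b !== "object") return false;
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  const ka = Object.keys(a), kb = Object.keys(b);
  return ka.length === kb.length && ka.every((k, i) => k === kb[i] && deepEqual(a[k], b[k]));
}

// An array field matches a non-array value if any element equals it.
function valueMatches(actual, expected) {
  if (Array.isArray(actual) && !Array.isArray(expected)) {
    return actual.some((el) => deepEqual(el, expected));
  }
  return deepEqual(actual, expected);
}

// Supports what the slide's filters use: implicit equality and $in.
function matches(doc, filter) {
  return Object.entries(filter).every(([path, cond]) => {
    const values = lookup(doc, path);
    if (cond !== null && typeof cond === "object" && !Array.isArray(cond) && "$in" in cond) {
      return values.some((v) => cond.$in.some((option) => valueMatches(v, option)));
    }
    return values.some((v) => valueMatches(v, cond));
  });
}

// What the server does with auditLog.filter: write matching events, drop the rest.
function applyFilter(events, filter) {
  return events.filter((e) => matches(e, filter)).map((e) => e.id);
}

// The filters from slide 64, as the documents the quoted strings parse to.
const FILTER_DDL = { atype: { $in: ["createCollection", "dropCollection"] } };
const FILTER_ROLE = { roles: { role: "readWrite", db: "test" } };
const FILTER_CRUD = { atype: "authCheck", "param.command": { $in: ["find", "insert"] } };
// Order-independent form of FILTER_ROLE using dotted paths.
const FILTER_ROLE_DOTTED = { "roles.role": "readWrite", "roles.db": "test" };

function demo() {
  return {
    ddl: applyFilter(AUDIT_EVENTS, FILTER_DDL),                // [1, 4]
    role: applyFilter(AUDIT_EVENTS, FILTER_ROLE),              // [2, 3]; event 4 is missed, key order differs
    roleDotted: applyFilter(AUDIT_EVENTS, FILTER_ROLE_DOTTED), // [2, 3, 4]
    crud: applyFilter(AUDIT_EVENTS, FILTER_CRUD),              // [2]
  };
}
```

The second filter is the trap: matching an array of subdocuments against a whole document is an exact, order-sensitive comparison, so an event whose role subdocument was written {db, role} slips past {role, db}. Dotted paths avoid that; where two dotted conditions must hold for the same array element, $elemMatch is the strict form.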
  67. MongoDB Atlas security
     • SCRAM authentication enforced
     • TLS enforced
     • Pre-defined roles against each database
     • IP whitelisting enforced
     • VPC peering option with the application tier
     • 2FA for the admin console
     • Encrypted data volumes
  68. Application security
  69. Securing the application
     • CSRF
     • Command injection
  70 & 72. Cross-site request forgery: forcing the end user to execute an action
     • A reproducible link (or hidden form) that executes a specific action on the target site, sent by the victim's browser with the victim's own cookies
  71. Cross-site request forgery: use proper verbs
     • Use PATCH, POST, PUT and/or DELETE for anything that changes state
     • Use POST instead of GET for sensitive information
     Switching verbs removes the link-and-image vector shown below, but a page on another site can still auto-submit a form with POST. The verb rule has to be combined with an anti-CSRF token tied to the session, or a SameSite cookie attribute, before the request is trusted.
  73. Cross-site request forgery: the legitimate request

       GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1

     and the one the attacker wants the victim's browser to send:

       http://bank.com/transfer.do?acct=STEFFAN&amount=100000

  74. Cross-site request forgery: two ways to deliver it

       <a href="http://bank.com/transfer.do?acct=STEFFAN&amount=100000">
         Cute kittens!!! Adorable!!1!
       </a>

       <img src="http://bank.com/transfer.do?acct=STEFFAN&amount=100000"
            width="0" height="0" border="0">

     The link needs the victim to click; the zero-size image fires as soon as the page renders, with no interaction at all.
  75. Command injection

       > user = "Bob"
       > query = 'this.Username == "' + user + '" && this.active == false'
       > db.password.find({$where: query})

     The username is spliced into JavaScript that the server will execute. An attacker who controls user can close the quote and rewrite the predicate, so what actually runs is effectively:

       this.Username == "Bob" || 1==1 && this.active == true

  76. Command injection

       > db.password.find({$where: query})
       { "_id" : ObjectId("594975c76c97f709bfdf128c"), "Username" : "Steffan", "Secure" : "Secret stuff", "active" : true }
       { "_id" : ObjectId("594976176c97f709bfdf128d"), "Username" : "Bob", "Secure" : "Secret stuff", "active" : false }

     Every document comes back, including the active user the query was never meant to return. The fix is to stop turning input into code: use an operator query ({Username: user, active: false}), check that user is a string, and disable server-side JavaScript (security.javascriptEnabled: false) if nothing legitimately needs $where.
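To make the two outcomes reproducible offline, here is an added example (not code from the original deck) that runs the $where query of slides 75-76 the vulnerable way and the hardened way against an in-memory copy of the password collection. $where is modelled by compiling the string with new Function and calling it with this bound to each document, which is how the server's JavaScript engine evaluates it; the documents and the attacker's input are constructed for the example.

```javascript
// Constructed stand-in for the password collection on the slide.
const PASSWORD_DOCS = [
  { _id: 1, Username: "Steffan", Secure: "Secret stuff", active: true },
  { _id: 2, Username: "Bob", Secure: "Secret stuff", active: false },
];

// Model of db.coll.find({ $where: whereStr }): the string becomes code.
function whereFind(docs, whereStr) {
  const predicate = new Function("return (" + whereStr + ");");
  return docs.filter((doc) => Boolean(predicate.call(doc)));
}

// Vulnerable (slide 75): the username is concatenated into the predicate.
function findInactiveUserVulnerable(user) {
  const query = 'this.Username == "' + user + '" && this.active == false';
  return whereFind(PASSWORD_DOCS, query);
}

// Model of an operator query { field: value, ... }: input is compared, never evaluated.
function operatorFind(docs, query) {
  return docs.filter((doc) => Object.entries(query).every(([field, value]) => doc[field] === value));
}

// Hardened: operator query plus a type check. The type check also blocks the
// other MongoDB injection, a parsed JSON body such as {"user": {"$ne": ""}}
// that would turn an equality match into an operator.
function findInactiveUserSafe(user) {
  if (typeof user !== "string") throw new TypeError("username must be a string");
  return operatorFind(PASSWORD_DOCS, { Username: user, active: false });
}

// Input that closes the quote and rewrites the predicate into the one shown on
// slide 76; the trailing || "" swallows the original "&& this.active == false".
const ATTACKER_INPUT = 'Bob" || 1==1 && this.active == true || "';

function demo() {
  const names = (docs) => docs.map((d) => d.Username);
  return {
    vulnerableHonest: names(findInactiveUserVulnerable("Bob")),         // ["Bob"]
    vulnerableAttack: names(findInactiveUserVulnerable(ATTACKER_INPUT)), // ["Steffan", "Bob"]
    safeHonest: names(findInactiveUserSafe("Bob")),                     // ["Bob"]
    safeAttack: names(findInactiveUserSafe(ATTACKER_INPUT)),            // []
  };
}
```

In the safe version the attacker's string is simply a username nobody has, so the result is empty; escaping the quotes in the vulnerable version would only move the problem, since the attacker still controls text inside a program the database executes.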
  77. Remember…
  78. Remember…
     • Secure your OS: restrict access, lock down ports
     • Secure your database: restrict access, lock down roles
     • Secure your application: structure your APIs, sanitize inputs
     • Security is a never-ending race
  79. Attacks will happen
     Prevention: physical security, access control, monitoring, auditing
     Mitigation: encryption, response plan, follow-up
  80. Stay safe! It's a dangerous world
  81. Q&A
  82. We can help: MongoDB Global Consulting Services. This is what we do: save time, get to production faster, build and transform your teams
  83. YOU can help. Ready to be incredible? New York, Austin, San Francisco, Portland / Seattle, anywhere* (*near a major airport)
