Security is more critical than ever with new computing environments in the cloud and expanding access to the internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. Dave Erickson will walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments. Rob Moore will then go into depth on the specific topic of setting up and running MongoDB with TLS/SSL and x.509 authentication covering how it works and common errors he's encountered in the field.
1. Securing your MongoDB
Deployment
Rob Moore
President, Allanbank Consulting
Dave Erickson
Senior Solutions Architect, MongoDB
MongoDB Days: Washington DC, October 14th, 2014
2. This Talk
• Database security myths
• MongoDB security features vs. threats
• Developing for least privilege
• Explaining TLS (a.k.a. SSL)
• Configuring TLS in MongoDB
• Common Pitfalls
5. Timeline
Team plans and design security as early as possible.
Design Implement Test Deploy
YES! NO!
6. Security Myth 2)
My RDBMS didn’t require
<security feature> so
neither should MongoDB
7. Security Myth 3)
• My database is on a trusted network
– Reality: there is no such thing in 2014
• My database is in a building owned by my company
– Reality: if it’s not already in the “cloud” it may be soon
• My database is only accessed by a small number of
trusted users
– Reality: this may be true ..
But what about information reuse, sharing, open data,
public access, etc. ?
9. Authentication
Who are you in MongoDB?
• Username / Password
• x.509 certs (PKI)
• Kerberos and LDAP
• All approaches still require db.createUser()
• Most apps log into database using an application level identity.
Authenticating a business user into the database is rare.
10. Authorization
What you allowed to do in MongoDB?
• Basic Role Based Access Control (DB level)
– Built in roles: read, readWrite, dbAdmin, root
• Create Custom Roles (Collection level)
– Lock down a user to specific actions on specific resources.
– Roles can inherit other roles
• Field Level Access Control (Document, Sub-Document)
– a.k.a Compartment Security, Cell Level Security
– $redact command in aggregation pipeline
– Document level and field level access control
11. Auditing
• Most audit trails can be made by the application
– No stored procedures
• DB Auditable Events
– Schema (DDL)
• DB, Collection, Indexes
– Authentication and Authorization
• Including user changes
– General Operations
• Replica Set Config Changes
• Sharding Changes
• Server Shutdowns, Etc
– Data Changes?
• OpLog
12. Encryption
• Over the Network
– Between DB and Clients – SSL, x.509 certs
– Intra-cluster – SSL, with keyfiles / certs
• At Rest
– File System Level
– Process Level
• Field-by-field
– Typically done by application
– Restricts in database analytics, search, etc.
• 3:10 PM … Understanding Database Encryption & Protecting Against the
Insider Threat with MongoDB
13. Develop for “Least Privilege”
• Create read and
read/write roles for all
collections
• Maintain a matrix of
which threads in your
app need access to
which of collection
– Your auditors will love
you.
• Group threads into users
and assign roles.
20. MongoDB Trust
• Cluster membership
– Single CA
– At least one of: O, OU, DC, and DN
– O, OU, and DC components match.
– Recommendation:
• Add an OU for you cluster member certificates.
• Client (x.509) Authorization
– Must explicitly request via the driver
22. MongoDB Client Authentication
• Read your Drivers Documentation!
– Java:
• http://www.allanbank.com/mongodb-async-driver/userguide/tls.html
• http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#java
– C#:
• http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#net
– Python:
• http://api.mongodb.org/python/current/examples/authentication.html#mongodb-x509
• Leverage the built-in TLS library.
– Remember this will most likely not do hostname
verification
23. Wrong DN
• Symptom
– Reported to the client.
• Error: 18 Username "C=US, ST=DC, L=Washington,
O=Allanbank Consulting, Inc., CN=client1" does not match
the provided client certificate user "CN=client1,O=Allanbank
Consulting, Inc.,L=Washington,ST=DC,C=US"
• Problem / Fix
– Use the right DN string
– Order and spacing matter and must match the
addUser() name.
24. Client Validation Error
• Symptom
– Server Log
• ERROR: SSL peer certificate validation failed:self signed
certificate
– Client
• Connection error: exception: connect failed
• Problem / Fix
– Add the issuer for the client's certificate to the CAFile.
• You can simply concatenate the certificate entries (-----BEGIN
CERTIFICATE----- to -----END CERTIFICATE-----).
25. No TLS Client Certificate
• Symptom
– On server startup via <stdout> - not log.
• warning: No SSL certificate validation can be performed since no
CA file has been provided; please specify an sslCAFile parameter
– Client sees
• Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
– Server Log:
• Failed to authenticate <DN>@$external with mechanism
MONGODB-X509: AuthenticationFailed There is no x.509 client
certificate matching the user.
• Problem / Fix
– Make sure you supply a CAFile parameter
26. Client Key Missing
• Symptom
– Server Log
• warning: no SSL certificate provided by peer
• Problem / Fix
– Make sure the client’s TLS configuration is correct.
– Make sure weakCertificateValidation is set to
false.
• Setting “weakCertificateValidation: true” provides
“want” vs. “must” semantics.
27. Authenticate as Cluster Member
• Symptom
– You can do things you should not be able to.
– Authentication log record look just like a user’s.
• Problem / Fix
– Add or change the OU to the cluster member
certificates.
– User a different CA for the cluster member
certificates.
Call to action is about thinking where there is opportunity and what are you anchoring your data hub around?
Reality:
Some of your old policies make no sense in this new environment
Engineer for security based upon the real needs of your system
Engineering for Accreditation and Compliance is changing quickly, so old assumptions may no longer work