Securing your MongoDB Deployment
Rob Moore, President, Allanbank Consulting
Dave Erickson, Senior Solutions Architect, MongoDB
MongoDB Days: Washington DC, October 14th, 2014

Securing Your MongoDB Deployment

Nov 27, 2014


Security is more critical than ever with new computing environments in the cloud and expanding access to the internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. Dave Erickson will walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments. Rob Moore will then go into depth on the specific topic of setting up and running MongoDB with TLS/SSL and x.509 authentication covering how it works and common errors he's encountered in the field.
Transcript
Page 1: Securing Your MongoDB Deployment

Securing your MongoDB Deployment

Rob Moore, President, Allanbank Consulting

Dave Erickson, Senior Solutions Architect, MongoDB

MongoDB Days: Washington DC, October 14th, 2014

Page 2: Securing Your MongoDB Deployment

This Talk

• Database security myths
• MongoDB security features vs. threats
• Developing for least privilege

• Explaining TLS (a.k.a. SSL)
• Configuring TLS in MongoDB
• Common pitfalls

Page 3: Securing Your MongoDB Deployment

Useful Links

The Manual: http://docs.mongodb.org/manual/security/

Security Checklist: http://docs.mongodb.org/manual/administration/security-checklist/

Security Technical Implementation Guide (STIG): http://www.mongodb.com/lp/contact/stig-requests

Page 4: Securing Your MongoDB Deployment

Security Myth 1)

I can defer thinking about security until later

Page 5: Securing Your MongoDB Deployment

Timeline (diagram): Design -> Implement -> Test -> Deploy

The team plans and designs security as early as possible: at the Design stage (YES!), not at Deploy (NO!).

Page 6: Securing Your MongoDB Deployment

Security Myth 2)

My RDBMS didn't require <security feature>, so neither should MongoDB

Page 7: Securing Your MongoDB Deployment

Security Myth 3)

• My database is on a trusted network
  – Reality: there is no such thing in 2014

• My database is in a building owned by my company
  – Reality: if it's not already in the "cloud", it may be soon

• My database is only accessed by a small number of trusted users
  – Reality: this may be true ... but what about information reuse, sharing, open data, public access, etc.?

Page 8: Securing Your MongoDB Deployment

Security Features

• Authentication
• Authorization
• Auditing
• Encryption

Page 9: Securing Your MongoDB Deployment

Authentication: Who are you in MongoDB?

• Username / password
• x.509 certificates (PKI)
• Kerberos and LDAP

• All approaches still require db.createUser()
• Most apps log into the database using an application-level identity.

Authenticating a business user into the database is rare.

Page 10: Securing Your MongoDB Deployment

Authorization: What are you allowed to do in MongoDB?

• Basic role-based access control (database level)
  – Built-in roles: read, readWrite, dbAdmin, root

• Custom roles (collection level)
  – Lock a user down to specific actions on specific resources.
  – Roles can inherit other roles.

• Field-level access control (document, sub-document)
  – a.k.a. compartment security, cell-level security
  – $redact stage in the aggregation pipeline
  – Document-level and field-level access control

Page 11: Securing Your MongoDB Deployment

Auditing

• Most audit trails can be produced by the application (there are no stored procedures)

• Database-auditable events
  – Schema (DDL): database, collection and index changes
  – Authentication and authorization, including user changes
  – General operations: replica set configuration changes, sharding changes, server shutdowns, etc.
  – Data changes? The oplog records them, but it is a capped replication log that rolls over, not a tamper-resistant audit trail.

Page 12: Securing Your MongoDB Deployment

Encryption

• Over the network
  – Between DB and clients: SSL, x.509 certificates
  – Intra-cluster: SSL, with keyfiles / certificates

• At rest
  – File system level
  – Process level

• Field-by-field
  – Typically done by the application
  – Restricts in-database analytics, search, etc.

• 3:10 PM … Understanding Database Encryption & Protecting Against the Insider Threat with MongoDB

Page 13: Securing Your MongoDB Deployment

Develop for “Least Privilege”

• Create read and read/write roles for all collections.

• Maintain a matrix of which threads in your app need access to which collections.
  – Your auditors will love you.

• Group threads into users and assign roles.
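As an added example (not code from the talk or from MongoDB), the following JavaScript turns the access matrix the slide recommends into the createRole and createUser command documents you would run against the application database. The database name "app", the component and collection names, the action sets behind "read" and "read/write", and the password placeholders are assumptions for illustration.

```javascript
// Added example for the "Develop for Least Privilege" slide; not code from the
// talk or from MongoDB. It builds MongoDB createRole/createUser command
// documents from an access matrix (component -> collection -> level).
// Assumed for illustration: database "app", the component and collection
// names, and the "<secret for ...>" password placeholders.

const APP_DB = "app";

// Actions behind the two per-collection roles the slide recommends.
const LEVEL_ACTIONS = {
  read: ["find"],
  readWrite: ["find", "insert", "update", "remove"],
};

// Constructed access matrix: each component becomes one database user.
const accessMatrix = {
  "web-frontend": { products: "read", orders: "readWrite", sessions: "readWrite" },
  "report-worker": { products: "read", orders: "read" },
  "inventory-sync": { products: "readWrite" },
};

function roleName(collection, level) {
  return `${collection}_${level}`;
}

// createRole documents: a read and a readWrite role for every collection in the
// matrix, each scoped to exactly one collection in APP_DB.
function buildCollectionRoles(matrix, db = APP_DB) {
  const collections = new Set(
    Object.values(matrix).flatMap((perms) => Object.keys(perms))
  );
  const commands = [];
  for (const collection of [...collections].sort()) {
    for (const [level, actions] of Object.entries(LEVEL_ACTIONS)) {
      commands.push({
        createRole: roleName(collection, level),
        privileges: [{ resource: { db, collection }, actions: [...actions] }],
        roles: [], // no inheritance: one collection at one level per role
      });
    }
  }
  return commands;
}

// createUser documents: one user per component, granted only the roles its
// row of the matrix calls for. pwdFor supplies the real secret at deploy time.
function buildComponentUsers(matrix, db = APP_DB, pwdFor = (c) => `<secret for ${c}>`) {
  return Object.entries(matrix).map(([component, perms]) => {
    for (const level of Object.values(perms)) {
      if (!(level in LEVEL_ACTIONS)) {
        throw new Error(`unknown access level "${level}" for ${component}`);
      }
    }
    return {
      createUser: component,
      pwd: pwdFor(component),
      roles: Object.entries(perms).map(([collection, level]) => ({
        role: roleName(collection, level),
        db,
      })),
    };
  });
}

// The matrix auditors want: collection -> actions actually granted to a user,
// derived from the command documents rather than from the input, so it shows
// what will really be created.
function effectiveActions(roleCommands, userCommand) {
  const byRole = new Map(roleCommands.map((r) => [r.createRole, r]));
  const result = {};
  for (const { role } of userCommand.roles) {
    for (const priv of byRole.get(role).privileges) {
      const coll = priv.resource.collection;
      result[coll] = [...new Set([...(result[coll] || []), ...priv.actions])].sort();
    }
  }
  return result;
}

const roleCommands = buildCollectionRoles(accessMatrix);
const userCommands = buildComponentUsers(accessMatrix);
```

Run the role documents first and then the user documents with db.getSiblingDB("app").runCommand(cmd) from the mongo shell; custom roles live in the database that owns the collections they cover. effectiveActions() is the table to hand to auditors, since it is computed from the documents actually sent to the server rather than from the spreadsheet.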

Page 14: Securing Your MongoDB Deployment

TLS (a.k.a. SSL)

Page 15: Securing Your MongoDB Deployment

https:// ≠ mongodbs://

Page 16: Securing Your MongoDB Deployment

TLS Handshake - https:// (diagram)

Client -> Server: Client Hello
Server -> Client: Server Hello
Server -> Client: Server Certificate
Server -> Client: Server Hello Done
Client -> Server: Client Key Exchange
Client -> Server: Client Change Cipher Spec
Client -> Server: K (Client Finish)
Server -> Client: Server Change Cipher Spec
Server -> Client: K (Server Finish)

Page 17: Securing Your MongoDB Deployment

TLS Handshake - Client Authentication (diagram)

Client -> Server: Client Hello
Server -> Client: Server Hello
Server -> Client: Server Certificate
Server -> Client: Server Certificate Request
Server -> Client: Server Hello Done
Client -> Server: Client Certificate
Client -> Server: Client Key Exchange
Client -> Server: Client Certificate Verify
Client -> Server: Client Change Cipher Spec
Client -> Server: K (Client Finish)
Server -> Client: Server Change Cipher Spec
Server -> Client: K (Server Finish)

Page 18: Securing Your MongoDB Deployment

Trust (diagram)

• Direct knowledge: Alice and Bob know each other.
• Certificate Authority: Alice and Bob each trust the CA, and the CA vouches for both of them.
• Web of Trust: Alice, Bob, Cody and David vouch for one another.
• No Trust.

Page 19: Securing Your MongoDB Deployment

Cryptographic Identity (diagram)

• Eve holds her own certificate from the same CA; Alice ends up talking to Eve while believing she is talking to Bob.
• Browsers avoid this via hostname verification.

Page 20: Securing Your MongoDB Deployment

MongoDB Trust

• Cluster membership
  – Single CA
  – The member certificate's subject (DN) must contain at least one of O, OU, DC
  – The O, OU and DC components must match across members
  – Recommendation: add an OU for your cluster member certificates

• Client x.509 authentication (MONGODB-X509)
  – Must be explicitly requested via the driver

Page 21: Securing Your MongoDB Deployment

MongoDB Server Configuration

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: ./ca/server.pem
    PEMKeyPassword: supersecret
    clusterFile: ./ca/server.pem
    clusterPassword: supersecret
    CAFile: ./ca/trust.crt
    # CRLFile:
    weakCertificateValidation: false
    allowInvalidCertificates: false
    # Enterprise Only
    # FIPSMode: true
security:
  authorization: enabled
  clusterAuthMode: x509
storage:
  dbPath: ./data
systemLog:
  destination: file
  path: ./mongodb.log
  logAppend: true

Note that PEMKeyPassword and clusterPassword sit in the configuration file in clear text, so restrict the file's permissions to the mongod user; if the password options are omitted, mongod prompts for them at startup instead.

Page 22: Securing Your MongoDB Deployment

MongoDB Client Authentication

• Read your driver's documentation!
  – Java:
    • http://www.allanbank.com/mongodb-async-driver/userguide/tls.html
    • http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#java
  – C#:
    • http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#net
  – Python:
    • http://api.mongodb.org/python/current/examples/authentication.html#mongodb-x509

• Leverage the built-in TLS library.
  – Remember that it will most likely not do hostname verification of the server certificate for you, so configure or implement that check explicitly.

Page 23: Securing Your MongoDB Deployment

Wrong DN

• Symptom (reported to the client)
  – Error: 18 Username "C=US, ST=DC, L=Washington, O=Allanbank Consulting, Inc., CN=client1" does not match the provided client certificate user "CN=client1,O=Allanbank Consulting\, Inc.,L=Washington,ST=DC,C=US"

• Problem / Fix
  – Use the right DN string: the RFC 2253 form shown in the error (most specific RDN first, comma-separated with no spaces, commas inside values escaped).
  – Order and spacing matter and must exactly match the name given to createUser() (addUser() in older releases).

Page 24: Securing Your MongoDB Deployment

Client Validation Error

• Symptom
  – Server log: ERROR: SSL peer certificate validation failed: self signed certificate
  – Client: Connection error: exception: connect failed

• Problem / Fix
  – Add the issuer of the client's certificate to the CAFile.
  – You can simply concatenate the certificate entries (-----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) into one file.

Page 25: Securing Your MongoDB Deployment

No TLS Client Certificate

• Symptom
  – On server startup, via <stdout>, not the log:
    warning: No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter
  – Client sees: Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
  – Server log: Failed to authenticate <DN>@$external with mechanism MONGODB-X509: AuthenticationFailed There is no x.509 client certificate matching the user.

• Problem / Fix
  – Make sure you supply a CAFile parameter; without it the server cannot validate, and so never accepts, the client certificate.

Page 26: Securing Your MongoDB Deployment

Client Key Missing

• Symptom
  – Server log: warning: no SSL certificate provided by peer

• Problem / Fix
  – Make sure the client's TLS configuration is correct (the client must present its certificate and private key).
  – Make sure weakCertificateValidation is set to false. Setting "weakCertificateValidation: true" gives "want" rather than "must" semantics: the server asks for a client certificate but still accepts connections that present none.

Page 27: Securing Your MongoDB Deployment

Authenticate as Cluster Member

• Symptom
  – You can do things you should not be able to.
  – The authentication log record looks just like a user's.
  – Cause: the client certificate carries the same O, OU and DC as the cluster member certificates, so mongod treats the client as a cluster member.

• Problem / Fix
  – Add or change the OU on the cluster member certificates.
  – Use a different CA for the cluster member certificates.
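As an added example covering the "Wrong DN", "MongoDB Trust" and "Authenticate as Cluster Member" slides (not code from the talk or from MongoDB), the JavaScript below derives the user name mongod expects from the subject line OpenSSL prints, builds the matching createUser document for the $external database, and then applies the O/OU/DC membership rule to flag client certificates that mongod would accept as cluster members. The sample subjects, the OU value "mongod-cluster" and the file name client.pem are assumptions; the one subject taken from the "Wrong DN" slide is used as-is. The quickest real-world check is `openssl x509 -in client.pem -noout -subject -nameopt RFC2253`, which prints the subject in the same form mongod uses.

```javascript
// Added example for the "Wrong DN", "MongoDB Trust" and "Authenticate as
// Cluster Member" slides; not code from the talk or from MongoDB.
//
// mongod names an x.509 client by the certificate subject in RFC 2253 form:
// most specific RDN (CN) first, RDNs joined by "," with no spaces, special
// characters inside values escaped with a backslash. OpenSSL's default
// one-line subject is the reverse order, ", "-separated and unescaped, which
// is exactly the mismatch in the "Wrong DN" error.

// Split an OpenSSL subject on ", " or "/" only where the next token is "type=",
// so a comma inside a value ("Allanbank Consulting, Inc.") is kept intact.
const RDN_SPLIT = /(?:, |\/)(?=[A-Za-z][A-Za-z0-9.]*=)/;

function parseOpenSslSubject(subject) {
  let s = subject.replace(/^subject=\s*/, "").trim();
  if (s.startsWith("/")) s = s.slice(1);
  return s.split(RDN_SPLIT).map((rdn) => {
    const i = rdn.indexOf("=");
    if (i < 0) throw new Error(`malformed RDN: ${rdn}`);
    return [rdn.slice(0, i).trim(), rdn.slice(i + 1)];
  });
}

// RFC 2253 escaping for one attribute value (ASCII only; OpenSSL hex-encodes
// non-ASCII values, which this example does not reproduce).
function escapeRdnValue(value) {
  let out = value.replace(/([,+"\\<>;])/g, "\\$1");
  if (/^[ #]/.test(out)) out = "\\" + out;            // leading space or '#'
  if (/ $/.test(out)) out = out.slice(0, -1) + "\\ "; // trailing space
  return out;
}

// The exact user name to create on the $external database for a certificate.
function mongoX509UserName(opensslSubject) {
  return parseOpenSslSubject(opensslSubject)
    .reverse()
    .map(([type, value]) => `${type}=${escapeRdnValue(value)}`)
    .join(",");
}

// createUser command for db.getSiblingDB("$external").runCommand(...).
function createX509UserCommand(opensslSubject, roles) {
  return { createUser: mongoX509UserName(opensslSubject), roles };
}

// Cluster membership rule from the "MongoDB Trust" slide: O, OU and DC of a
// presented certificate must match the member certificates, and the member
// certificates must carry at least one of them.
const MEMBER_ATTRS = ["O", "OU", "DC"];

function memberIdentity(opensslSubject) {
  const rdns = parseOpenSslSubject(opensslSubject);
  return Object.fromEntries(
    MEMBER_ATTRS.map((attr) => [
      attr,
      rdns.filter(([t]) => t === attr).map(([, v]) => v).join("|"),
    ])
  );
}

// True when mongod would treat the client certificate as a cluster member,
// giving it internal privileges instead of the roles of the $external user.
function wouldAuthenticateAsClusterMember(clientSubject, memberSubject) {
  const client = memberIdentity(clientSubject);
  const member = memberIdentity(memberSubject);
  const memberHasAttr = MEMBER_ATTRS.some((k) => member[k] !== "");
  return memberHasAttr && MEMBER_ATTRS.every((k) => client[k] === member[k]);
}

// Constructed samples: the subject from the "Wrong DN" slide, a member
// certificate carrying the recommended cluster OU, and a client certificate
// mistakenly issued with that same OU.
const clientSubject = "C=US, ST=DC, L=Washington, O=Allanbank Consulting, Inc., CN=client1";
const memberSubject = "C=US, ST=DC, L=Washington, O=Allanbank Consulting, Inc., OU=mongod-cluster, CN=node1";
const badClientSubject = "C=US, ST=DC, L=Washington, O=Allanbank Consulting, Inc., OU=mongod-cluster, CN=client2";
```

Feed wouldAuthenticateAsClusterMember() every client certificate you issue against one of your member certificates before deploying it: a true result means the fix from the slide (a dedicated OU, or a separate CA, for the cluster members) has not been applied to that client.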

Page 28: Securing Your MongoDB Deployment

THANK YOU!!!

Questions?