Securing Redis with Sedona
Will Urbanski
#lascon2013

About Me
• Security Researcher
• Outdoor Enthusiast
• Tweet @willurbanski
• Blog/tools available @shakingrock.com

Today's Talk
• Security in Redis
• What you can do about it

Redis
• Open-source data-structure server
• Key-value store
  – Lists
  – Hashes
  – Sorted sets
• Lightweight, fast & free
• http://redis.io

Redis Security Model
"Redis is not designed for maximum security but rather maximum performance and simplicity"
"Redis is designed to be accessed by trusted clients inside trusted environments"
• http://redis.io/topics/security

Commands
• Command-oriented, not query-oriented
• Not all commands are created equal

Safe Commands
• Read-only
• Single key usage
• Not resource intensive
GET, EXISTS, LLEN, TTL

Commands with Consequences
• Read or write
• Single key
SET, DEL, LPOP, EXPIRE

Dangerous Commands
• Affect multiple keys or the entire service
• Impact availability if misused
EVAL, CLIENT KILL, SAVE, CONFIG SET

Commands That Will Ruin Your Weekend™
• Impact the entire service
• Devastating if misused
FLUSH, FLUSHALL, SHUTDOWN

Problem #1
There is no data control language: all clients can access all commands.

Command Renaming
• Rename dangerous commands!
  – SHUTDOWN can become cc23772aded8
• Reduces usability
• Ideally only authorized users should be able to run SHUTDOWN

Problem #2
Redis doesn't really support authentication*

Redis Authentication
• AUTH command
• No multi-user support
• No ACLs (see Problem #1)

Problem #3
Even if you could authenticate, you wouldn't want to: Redis lacks encryption support.

This is Okay
• Redis' design focuses on performance and simplicity
• The Redis security model is transparent

Compensating Controls
Authorization/Authentication
• Rename dangerous commands?
• AUTH command?
• Local-only w/ SSH?
Confidentiality
• SSL proxy (in transit)?
• Wrap Redis libs (at rest)?

An ideal solution would…
• Encrypt
  – Support SSL/TLS natively
  – Support key-value encryption
• Authorize
  – Not require command renaming (security through obscurity)
  – Implement SQL's DCL in a key-value domain
  – Flexible command access
  – Flexible key access
• Authenticate
  – Support user accounts
  – Support modular authentication
  – Log access
  – Support rate-limiting
• Be practical
  – Not impose unnecessary burdens on performance or administration
  – Be compatible with native clients

Sedona
• PoC application firewall for Redis
• Implements authentication, authorization and encryption enhancements
• Requires no changes to Redis core
• Python 2.7 w/ Twisted

Authentication
• Adds a user parameter to the AUTH command
  – AUTH <user> <password>
• Supports modular authentication
• Preserves native AUTH functionality
  – AUTH <password> still works

Authorization
• Adds per-user access control lists
• Command- and key-based ACLs
• ACCEPT and REJECT actions
• Returns native Redis error/success replies for compatibility

ACLs
    "rules": [
        {"command": "set", "key": "test\\-*", "action": "accept"},
        {"command": "get", "key": "test\\-*", "action": "accept"},
        {"command": "ping", "action": "accept"},
        {"command": "echo", "action": "accept"},
        {"action": "reject"}
    ]

Encryption
• Adds SSL support
• CLI tool for using SSL

Use Cases
• Dev/Ops command segregation
  – Ops may require 'SHUTDOWN', 'SAVE', 'CONFIG SET'
  – Dev may require 'SET', 'GET', 'LPOP', …
• Key enforcement
• Command blacklisting w/o renaming
  – SHUTDOWN, FLUSH, FLUSHALL

Deployment Strategies
Inline
• Intercepts all traffic to the server
• More secure
• More performance impacting
Edge of Trusted Environment
• Only intercepts untrusted traffic
• Less secure (you decide what's trusted)
• Less performance impacting

Performance
Parsing + Authorizing + Tracking State = performance penalty

[Chart: Sedona Request Transit Times. X-axis: Percent of Requests (%), 0–100%. Y-axis: Time (ms), 0–100. Series: SET, GET, LPUSH, LPOP, each with a linear fit.]

Demos
• Configuration files
• Authentication
• Authorization

Wrapping Up
• Sedona is a tool that adds additional security to Redis installations
• If you find the tool useful, please contribute!

Q&A
Fork Sedona @ Github
Follow me on Twitter
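The ACL slide shows the rule format but not how a request is matched against it. The following is an added illustration (not Sedona's own code) of first-match evaluation over that exact rule list; it assumes the "key" field is a regular expression tested against the start of the key name with re.match, which the escaped hyphen on the slide suggests, and that a request matched by no rule is rejected.

```python
import json
import re

# The rule list from the ACLs slide, wrapped in the "rules" object it implies
# (the wrapper and the sample requests below are constructed for this example).
ACL_JSON = r'''{"rules": [
    {"command": "set", "key": "test\\-*", "action": "accept"},
    {"command": "get", "key": "test\\-*", "action": "accept"},
    {"command": "ping", "action": "accept"},
    {"command": "echo", "action": "accept"},
    {"action": "reject"}
]}'''

RULES = json.loads(ACL_JSON)["rules"]


def rule_matches(rule, command, key):
    """A rule applies when every field it specifies matches the request.

    Assumption (not stated on the slides): 'key' is a regex anchored at the
    start of the key name via re.match, so 'test\\-*' also matches 'testing'.
    A rule that names a key cannot match a request that carries none (PING).
    """
    if "command" in rule and rule["command"] != command.lower():
        return False
    if "key" in rule:
        if key is None or re.match(rule["key"], key) is None:
            return False
    return True


def authorize(rules, command, key=None):
    """First-match evaluation: the first applicable rule decides.

    The slide's trailing {"action": "reject"} is the catch-all; if a rule
    file omits it, fall through to deny by default rather than allow.
    """
    for rule in rules:
        if rule_matches(rule, command, key):
            return rule["action"]
    return "reject"


def check_request(rules, raw):
    """Split an inline request such as 'SET test-1 hello' into the command and
    its first argument (treated as the key), then evaluate it against the ACL."""
    parts = raw.split()
    command = parts[0]
    key = parts[1] if len(parts) > 1 else None
    return authorize(rules, command, key)
```

With these rules a developer client can SET and GET keys under the test- prefix and PING, while SHUTDOWN, FLUSHALL or a SET on any other key hits the catch-all reject without the command having been renamed.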