Securing your MongoDB Deployment
Rob Moore, President, Allanbank Consulting
Dave Erickson, Senior Solutions Architect, MongoDB
MongoDB Days: Washington DC, October 14th, 2014

This Talk
• Database security myths
• MongoDB security features vs. threats
• Developing for least privilege
• Explaining TLS (a.k.a. SSL)
• Configuring TLS in MongoDB
• Common pitfalls

Useful Links
• The Manual: http://docs.mongodb.org/manual/security/
• Security Checklist: http://docs.mongodb.org/manual/administration/security-checklist/
• Security Technical Implementation Guide (STIG): http://www.mongodb.com/lp/contact/stig-requests

Security Myth 1) I can defer thinking about security until later
• Timeline: Design → Implement → Test → Deploy
  – The team plans and designs security as early as possible: at Design, YES! Leaving it to Implement, Test or Deploy: NO!

Security Myth 2) My RDBMS didn't require <security feature>, so neither should MongoDB

Security Myth 3)
• My database is on a trusted network
  – Reality: there is no such thing in 2014
• My database is in a building owned by my company
  – Reality: if it's not already in the "cloud" it may be soon
• My database is only accessed by a small number of trusted users
  – Reality: this may be true... but what about information reuse, sharing, open data, public access, etc.?

Security Features
• Authentication
• Authorization
• Auditing
• Encryption

Authentication: Who are you in MongoDB?
• Username / password
• x.509 certs (PKI)
• Kerberos and LDAP
• All approaches still require db.createUser()
• Most apps log into the database using an application-level identity. Authenticating a business user into the database is rare.

Authorization: What are you allowed to do in MongoDB?
• Basic Role-Based Access Control (DB level)
  – Built-in roles: read, readWrite, dbAdmin, root
• Create custom roles (collection level)
  – Lock down a user to specific actions on specific resources.
  – Roles can inherit other roles
• Field Level Access Control (document, sub-document)
  – a.k.a. Compartment Security, Cell Level Security
  – $redact command in the aggregation pipeline
  – Document-level and field-level access control

Auditing
• Most audit trails can be made by the application
  – No stored procedures
• DB auditable events
  – Schema (DDL)
    • DB, collection, indexes
  – Authentication and authorization
    • Including user changes
  – General operations
    • Replica set config changes
    • Sharding changes
    • Server shutdowns, etc.
  – Data changes?
    • OpLog

Encryption
• Over the network
  – Between DB and clients: SSL, x.509 certs
  – Intra-cluster: SSL, with keyfiles / certs
• At rest
  – File system level
  – Process level
• Field-by-field
  – Typically done by the application
  – Restricts in-database analytics, search, etc.
• http://www.mongodb.com/presentations/understanding-databaseencryption-protecting-against-insider-threat-mongodb

Develop for "Least Privilege"
• Create read and read/write roles for all collections
• Maintain a matrix of which threads in your app need access to which collection
  – Your auditors will love you.
• Group threads into users and assign roles.

TLS (a.k.a. SSL)
https:// ≠ mongodbs://

TLS Handshake - https:// (diagram: Client ↔ Server)
TLS Handshake - Client Authentication (diagram: Client ↔ Server)

Trust (diagrams)
• Web of Trust: Cody and David know Alice and Bob
• CA: Alice and Bob each trust the CA
• No Trust: Alice, Bob
• Cryptographic Identity: CA, Alice, Eve, Bob
  – Browsers avoid this via hostname verification

MongoDB Trust
• Cluster membership
  – Single CA
  – At least one of: O, OU, DC, and DN
  – O, OU, and DC components match.
  – Recommendation: add an OU for your cluster member certificates.
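The "Develop for Least Privilege" slide describes a procedure (collection-level read and read/write roles, a thread-to-collection matrix, threads grouped into users). The following is an added example, not code from the deck or from MongoDB: it turns a constructed matrix for a hypothetical "shop" database into the createRole and createUser command documents you would send to the server. The thread names, collection names and the minimal action sets chosen for the two role levels are assumptions for the example.

```python
"""Least-privilege roles and users from a thread/collection access matrix.

Added example. The matrix below is constructed for a hypothetical "shop"
database; nothing here is the deck's or MongoDB's own code.
"""
import json

# Minimal action sets for the two collection-level role flavours. These are
# chosen for the example; MongoDB's built-in read/readWrite roles grant a
# few more actions (e.g. listIndexes) that you would add if threads need them.
READ_ACTIONS = ("find",)
WRITE_ACTIONS = ("find", "insert", "update", "remove")

# Constructed matrix: which thread in the app needs which level of access
# to which collection. This is the matrix the slide says auditors love.
ACCESS_MATRIX = {
    "web-frontend":    {"orders": "read", "customers": "read"},
    "search-api":      {"orders": "read", "customers": "read"},
    "order-processor": {"orders": "readWrite", "customers": "read", "audit": "readWrite"},
    "reporting":       {"orders": "read", "audit": "read"},
}


def collections_in(matrix):
    """Every collection any thread touches."""
    return {coll for access in matrix.values() for coll in access}


def collection_roles(db, collections):
    """One createRole command per collection and access level, scoped to
    exactly that collection (no inheritance, no database-wide privilege)."""
    cmds = []
    for coll in sorted(collections):
        for level, actions in (("read", READ_ACTIONS), ("readWrite", WRITE_ACTIONS)):
            cmds.append({
                "createRole": f"{coll}_{level}",
                "privileges": [{
                    "resource": {"db": db, "collection": coll},
                    "actions": list(actions),
                }],
                "roles": [],
            })
    return cmds


def group_threads(matrix):
    """Threads with an identical access pattern share one database user;
    threads with different needs never share credentials."""
    groups = {}
    for thread, access in matrix.items():
        key = tuple(sorted(access.items()))
        groups.setdefault(key, []).append(thread)
    return groups


def user_commands(db, matrix):
    """One createUser command per thread group, holding only the
    collection-level roles that group needs."""
    cmds = []
    for key, threads in group_threads(matrix).items():
        name = "svc_" + "_".join(sorted(threads))
        cmds.append({
            "createUser": name,
            "pwd": f"<placeholder: set password for {name} out of band>",
            "roles": [{"role": f"{coll}_{level}", "db": db} for coll, level in key],
        })
    return cmds


if __name__ == "__main__":
    db = "shop"
    for cmd in collection_roles(db, collections_in(ACCESS_MATRIX)):
        print(json.dumps(cmd))
    for cmd in user_commands(db, ACCESS_MATRIX):
        print(json.dumps(cmd))
```

Each printed document is the argument to db.runCommand() (or the equivalent createRole/createUser helper in your driver). The matrix itself is the audit artefact: every role name encodes the collection and level it grants, so an auditor can read a user's role list and check it against the matrix line by line.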
• Client (x.509) authorization
  – Must be explicitly requested via the driver

MongoDB Server Configuration

  net:
    ssl:
      mode: requireSSL
      PEMKeyFile: ./ca/server.pem
      PEMKeyPassword: supersecret
      clusterFile: ./ca/server.pem
      clusterPassword: supersecret
      CAFile: ./ca/trust.crt
      # CRLFile:
      weakCertificateValidation: false
      allowInvalidCertificates: false
      # Enterprise Only
      # FIPSMode: true
  security:
    authorization: enabled
    clusterAuthMode: x509
  storage:
    dbPath: ./data
  systemLog:
    destination: file
    path: ./mongodb.log
    logAppend: true

MongoDB Client Authentication
• Read your driver's documentation!
  – Java:
    • http://www.allanbank.com/mongodb-async-driver/userguide/tls.html
    • http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#java
  – C#:
    • http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#net
  – Python:
    • http://api.mongodb.org/python/current/examples/authentication.html#mongodb-x509
• Leverage the built-in TLS library.
  – Remember this will most likely not do hostname verification.

Wrong DN
• Symptom
  – Reported to the client:
    • Error: 18 Username "C=US, ST=DC, L=Washington, O=Allanbank Consulting, Inc., CN=client1" does not match the provided client certificate user "CN=client1,O=Allanbank Consulting\, Inc.,L=Washington,ST=DC,C=US"
• Problem / Fix
  – Use the right DN string.
  – Order and spacing matter and must match the addUser() name.

Client Validation Error
• Symptom
  – Server log:
    • ERROR: SSL peer certificate validation failed: self signed certificate
  – Client:
    • Connection error: exception: connect failed
• Problem / Fix
  – Add the issuer of the client's certificate to the CAFile.
    • You can simply concatenate the certificate entries (-----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----).

No TLS Client Certificate
• Symptom
  – On server startup via <stdout>, not the log:
    • warning: No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter
  – Client sees:
    • Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
  – Server log:
    • Failed to authenticate <DN>@$external with mechanism MONGODB-X509: AuthenticationFailed There is no x.509 client certificate matching the user.
• Problem / Fix
  – Make sure you supply a CAFile parameter.

Client Key Missing
• Symptom
  – Server log:
    • warning: no SSL certificate provided by peer
• Problem / Fix
  – Make sure the client's TLS configuration is correct.
  – Make sure weakCertificateValidation is set to false.
    • Setting "weakCertificateValidation: true" provides "want" vs. "must" semantics.

Authenticate as Cluster Member
• Symptom
  – You can do things you should not be able to.
  – Authentication log records look just like a user's.
• Problem / Fix
  – Add or change the OU on the cluster member certificates.
  – Use a different CA for the cluster member certificates.

THANK YOU!!!
Robert.J.Moore@allanbank.com
Questions?
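The "Wrong DN" pitfall says order and spacing must match the addUser() name exactly. The following added example (not code from the deck or from MongoDB) splits a DN on unescaped commas, as the RFC 2253 form the server reports does, and explains why the two strings in the slide's error message differ. The DN strings are the ones quoted in the slide; the finding codes are an assumption for the example.

```python
"""Diagnose a MONGODB-X509 username that does not match the certificate.

Added example. The two DN strings come from the slide's error message; the
finding codes returned by diagnose_dn() are constructed for this example.
"""

# The name given to addUser()/createUser() and the subject the server reports.
CONFIGURED_NAME = "C=US, ST=DC, L=Washington, O=Allanbank Consulting, Inc., CN=client1"
CERT_SUBJECT = r"CN=client1,O=Allanbank Consulting\, Inc.,L=Washington,ST=DC,C=US"


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped, keeping each
    RDN's text exactly as written (spaces included), because the server
    compares the strings literally."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape and the escaped char together
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    rdns.append("".join(buf))
    return rdns


def attribute_types(rdns):
    """Attribute names (C, ST, CN, ...) of the RDNs that actually contain '='."""
    return [r.split("=", 1)[0].strip().upper() for r in rdns if "=" in r]


def diagnose_dn(configured, cert_subject):
    """Compare the createUser() name with the RFC 2253 subject the server
    reports. Returns [] on an exact match, otherwise (code, explanation)
    findings ending with the name that would match."""
    if configured == cert_subject:
        return []
    findings = []
    cfg, cert = split_rdns(configured), split_rdns(cert_subject)
    for rdn in cfg:
        if "=" not in rdn:
            findings.append(("unescaped-comma",
                             repr(rdn.strip()) + " is not an attribute: a comma inside a value must be escaped as \\,"))
    if any(r != r.strip() for r in cfg):
        findings.append(("spacing", "spaces around ',' are part of the name; the server's form has none"))
    if attribute_types(cfg) == list(reversed(attribute_types(cert))):
        findings.append(("reversed-order", "RDN order is reversed; the server lists the subject with CN first"))
    elif attribute_types(cfg) != attribute_types(cert):
        findings.append(("component-mismatch", "the set or order of attributes differs from the certificate"))
    findings.append(("use-exactly", "the username that matches this certificate is " + repr(cert_subject)))
    return findings


if __name__ == "__main__":
    for code, why in diagnose_dn(CONFIGURED_NAME, CERT_SUBJECT):
        print(f"{code}: {why}")
```

Run against the slide's strings, the report lists all three mistakes at once (the unescaped comma in "Allanbank Consulting, Inc.", the spaces after each comma, and the OpenSSL-style reversed order) and ends with the exact string to pass to createUser(): the one the server printed after "client certificate user".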
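The server configuration slide and the three TLS pitfalls above (no CAFile, weakCertificateValidation, allowInvalidCertificates) come down to a handful of settings that either enforce client certificates or quietly downgrade them. The following added example (not the deck's or MongoDB's own code) lints those settings: a weak configuration is shown beside the hardened one from the slide, both held as nested dicts that mirror the YAML keys (a real deployment would load the file with a YAML parser; the finding codes are an assumption for the example).

```python
"""Lint the net.ssl and security sections of a mongod configuration.

Added example. Both configurations are constructed here: HARDENED_CONFIG
mirrors the deck's example mongod.conf, WEAK_CONFIG shows the settings the
pitfall slides warn about. The finding codes are an assumption.
"""

WEAK_CONFIG = {
    "net": {"ssl": {
        "mode": "preferSSL",                  # plaintext clients are still accepted
        "PEMKeyFile": "./ca/server.pem",
        "weakCertificateValidation": True,    # "want" a client cert instead of "must"
        "allowInvalidCertificates": True,     # certs that fail validation are accepted
        # no CAFile: the server cannot validate any client certificate at all
    }},
    "security": {"clusterAuthMode": "keyFile"},   # authorization never enabled
}

HARDENED_CONFIG = {
    "net": {"ssl": {
        "mode": "requireSSL",
        "PEMKeyFile": "./ca/server.pem",
        "clusterFile": "./ca/server.pem",
        "CAFile": "./ca/trust.crt",
        "weakCertificateValidation": False,
        "allowInvalidCertificates": False,
    }},
    "security": {"authorization": "enabled", "clusterAuthMode": "x509"},
}


def audit_tls_config(cfg):
    """Return (code, explanation) findings for every weak setting; [] means
    the configuration enforces TLS and client certificates as the deck does."""
    ssl = cfg.get("net", {}).get("ssl", {})
    sec = cfg.get("security", {})
    findings = []
    if ssl.get("mode") != "requireSSL":
        findings.append(("ssl-mode",
                         f"net.ssl.mode is {ssl.get('mode')!r}; only requireSSL refuses plaintext connections"))
    if not ssl.get("CAFile"):
        findings.append(("no-cafile",
                         "no net.ssl.CAFile: no certificate validation can be performed, so x.509 auth fails"))
    if ssl.get("weakCertificateValidation"):
        findings.append(("weak-validation",
                         "weakCertificateValidation: true turns 'must present a certificate' into 'want'"))
    if ssl.get("allowInvalidCertificates"):
        findings.append(("invalid-certs",
                         "allowInvalidCertificates: true accepts certificates that fail validation"))
    if sec.get("authorization") != "enabled":
        findings.append(("authz-off",
                         "security.authorization is not 'enabled'; roles are not enforced"))
    if sec.get("clusterAuthMode") == "x509" and not (ssl.get("clusterFile") or ssl.get("PEMKeyFile")):
        findings.append(("no-cluster-cert",
                         "clusterAuthMode x509 needs a clusterFile (or PEMKeyFile) for cluster membership"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for code, why in audit_tls_config(cfg) or [("ok", "no weak settings found")]:
            print(f"  {code}: {why}")
```

Treat a non-empty result as a blocker in the deploy pipeline: every one of these findings maps to a symptom on the pitfall slides, and catching them in the config file is cheaper than reading them out of the server log after the fact.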