Securing your MongoDB Deployment

Securing your MongoDB Deployment
Rob Moore
President, Allanbank Consulting
Dave Erickson
Senior Solutions Architect, MongoDB
MongoDB Days: Washington DC, October 14th, 2014
This Talk
• Database security myths
• MongoDB security features vs. threats
• Developing for least privilege
• Explaining TLS (a.k.a. SSL)
• Configuring TLS in MongoDB
• Common Pitfalls
Useful Links
The Manual
http://docs.mongodb.org/manual/security/
Security Checklist
http://docs.mongodb.org/manual/administration/security-checklist/
Security Technical Implementation Guide (STIG)
http://www.mongodb.com/lp/contact/stig-requests
Security Myth 1)
I can defer thinking about security until later
Timeline
Team plans and designs security as early as possible.
(figure: Design -> Implement -> Test -> Deploy. Starting security work at Design: YES! Leaving it until Deploy: NO!)
Security Myth 2)
My RDBMS didn’t require <security feature> so neither should MongoDB
Security Myth 3)
• My database is on a trusted network
– Reality: there is no such thing in 2014
• My database is in a building owned by my company
– Reality: if it’s not already in the “cloud” it may be soon
• My database is only accessed by a small number of trusted users
– Reality: this may be true ...
But what about information reuse, sharing, open data, public access, etc.?
Security Features
Authentication
Authorization
Auditing
Encryption
Authentication
Who are you in MongoDB?
• Username / Password
• x.509 certs (PKI)
• Kerberos and LDAP
• All approaches still require db.createUser()
• Most apps log into the database using an application-level identity. Authenticating a business user into the database is rare.
Authorization
What are you allowed to do in MongoDB?
• Basic Role Based Access Control (DB level)
– Built in roles: read, readWrite, dbAdmin, root
• Create Custom Roles (Collection level)
– Lock down a user to specific actions on specific resources.
– Roles can inherit other roles
• Field Level Access Control (Document, Sub-Document)
– a.k.a Compartment Security, Cell Level Security
– $redact command in aggregation pipeline
– Document level and field level access control
Auditing
• Most audit trails can be made by the application
– No stored procedures
• DB Auditable Events
– Schema (DDL)
• DB, Collection, Indexes
– Authentication and Authorization
• Including user changes
– General Operations
• Replica Set Config Changes
• Sharding Changes
• Server Shutdowns, Etc
– Data Changes?
• OpLog
Encryption
• Over the Network
– Between DB and Clients – SSL, x.509 certs
– Intra-cluster – SSL, with keyfiles / certs
• At Rest
– File System Level
– Process Level
• Field-by-field
– Typically done by application
– Restricts in-database analytics, search, etc.
• http://www.mongodb.com/presentations/understanding-databaseencryption-protecting-against-insider-threat-mongodb
Develop for “Least Privilege”
• Create read and read/write roles for all collections
• Maintain a matrix of which threads in your app need access to which collections
– Your auditors will love you.
• Group threads into users and assign roles.
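The three steps above can be driven from the matrix itself. The following is an added example (not from the talk, and not MongoDB's own tooling) that turns a constructed thread-to-collection matrix into the createRole and createUser command documents you would pass to db.command(), with the read/write role inheriting the read role, and then expands users back into an effective-access matrix for the auditor. The database name, thread names, collection names and user grouping are assumptions; "find", "insert", "update" and "remove" are real MongoDB privilege actions.

```python
# Added example (not from the talk): generate createRole / createUser command
# documents for a least-privilege setup from an access matrix. DB, the thread
# names, collection names and THREAD_USERS are constructed; the privilege
# actions "find", "insert", "update", "remove" are real MongoDB action names.
from collections import defaultdict

DB = "shop"  # constructed database name

# Constructed matrix: which application thread needs which access to which collection.
ACCESS_MATRIX = {
    "order-intake": {"orders": "readWrite", "customers": "read"},
    "order-fulfilment": {"orders": "readWrite", "shipments": "readWrite"},
    "reporting": {"orders": "read", "customers": "read", "shipments": "read"},
}

# Threads grouped into the application identities that will actually log in.
THREAD_USERS = {
    "svc-orders": ["order-intake", "order-fulfilment"],
    "svc-reporting": ["reporting"],
}


def role_name(collection, level):
    return f"{collection}_{level}"


def build_role_commands(db, matrix):
    """One read role per collection and, where some thread writes, a readWrite
    role that adds only the write actions and inherits the read role."""
    collections = sorted({c for perms in matrix.values() for c in perms})
    writable = {c for perms in matrix.values()
                for c, lvl in perms.items() if lvl == "readWrite"}
    cmds = []
    for c in collections:
        resource = {"db": db, "collection": c}
        cmds.append({"createRole": role_name(c, "read"),
                     "privileges": [{"resource": resource, "actions": ["find"]}],
                     "roles": []})
        if c in writable:
            cmds.append({"createRole": role_name(c, "readWrite"),
                         "privileges": [{"resource": resource,
                                         "actions": ["insert", "update", "remove"]}],
                         "roles": [{"role": role_name(c, "read"), "db": db}]})
    return cmds


def build_user_commands(db, matrix, thread_users):
    """One createUser per application identity, holding the union of its threads' needs."""
    cmds = []
    for user, threads in sorted(thread_users.items()):
        needs = {}
        for t in threads:
            for c, lvl in matrix[t].items():
                if needs.get(c) != "readWrite":  # readWrite wins if threads disagree
                    needs[c] = lvl
        cmds.append({"createUser": user,
                     "pwd": "<set from your secret store>",  # placeholder, never a literal
                     "roles": [{"role": role_name(c, lvl), "db": db}
                               for c, lvl in sorted(needs.items())]})
    return cmds


def effective_access(role_cmds, user_cmds):
    """Resolve users -> roles -> inherited roles -> privileges into
    {user: {collection: set(actions)}}: the matrix you hand to an auditor."""
    roles = {r["createRole"]: r for r in role_cmds}

    def expand(name, acc, seen):
        if name in seen:
            return
        seen.add(name)
        for p in roles[name]["privileges"]:
            acc[p["resource"]["collection"]].update(p["actions"])
        for parent in roles[name]["roles"]:
            expand(parent["role"], acc, seen)

    out = {}
    for u in user_cmds:
        acc, seen = defaultdict(set), set()
        for ref in u["roles"]:
            expand(ref["role"], acc, seen)
        out[u["createUser"]] = {c: set(a) for c, a in acc.items()}
    return out


if __name__ == "__main__":
    roles = build_role_commands(DB, ACCESS_MATRIX)
    users = build_user_commands(DB, ACCESS_MATRIX, THREAD_USERS)
    for cmd in roles + users:
        print(cmd)  # each dict is what db.command(cmd) would run as the admin user
    print(effective_access(roles, users))
```

Each emitted dict is the raw command document; in PyMongo you would run it with db.command(cmd) while authenticated as a user holding userAdmin on that database. Keeping the matrix in version control and regenerating the commands from it is what makes the auditor's question ("who can write to orders?") answerable by effective_access rather than by reading the server's system.users collection.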
TLS (a.k.a. SSL)
https:// ≠ mongodbs://
TLS Handshake - https://
(figure: handshake messages exchanged between Client and Server)
TLS Handshake - Client Authentication
(figure: handshake in which the Client also presents its certificate to the Server)
Trust
Web of Trust
(figure: Alice, Bob, Cody and David; parties that "know" each other directly versus parties that "trust" each other through a CA)
No Trust
(figure: Alice and Bob)
Cryptographic Identity
(figure: CA, Alice, Bob and Eve)
• Browsers avoid this via Hostname Verification
MongoDB Trust
• Cluster membership
– Single CA
– At least one of: O, OU, DC, and DN
– O, OU, and DC components match.
– Recommendation:
• Add an OU for your cluster member certificates.
• Client (x.509) Authorization
– Must explicitly request via the driver
MongoDB Server Configuration
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: ./ca/server.pem
    PEMKeyPassword: supersecret
    clusterFile: ./ca/server.pem
    clusterPassword: supersecret
    CAFile: ./ca/trust.crt
    # CRLFile:
    weakCertificateValidation: false
    allowInvalidCertificates: false
    # Enterprise Only
    # FIPSMode: true
security:
  authorization: enabled
  clusterAuthMode: x509
storage:
  dbPath: ./data
systemLog:
  destination: file
  path: ./mongodb.log
  logAppend: true
MongoDB Client Authentication
• Read your Driver’s Documentation!
– Java:
• http://www.allanbank.com/mongodb-async-driver/userguide/tls.html
• http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#java
– C#:
• http://docs.mongodb.org/manual/tutorial/configure-ssl-clients/#net
– Python:
• http://api.mongodb.org/python/current/examples/authentication.html#mongodb-x509
• Leverage the built-in TLS library.
– Remember this will most likely not do hostname verification
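To see exactly what the missing check is, here is an added example (not from the talk and not from any MongoDB driver) in Python's standard ssl module: a client context that requires a trusted certificate and checks the hostname, plus the RFC 6125 name-matching rule written out so the wildcard edge cases are visible. SAMPLE_CERT is a constructed stand-in for what getpeercert() returns; the CA path is an assumption.

```python
# Added example (not from the talk or any driver): a client-side SSLContext that
# verifies the server certificate chain and hostname, and the RFC 6125 matching
# rule behind "hostname verification". SAMPLE_CERT is constructed.
import ssl


def make_verified_client_context(ca_file=None):
    """create_default_context already sets CERT_REQUIRED and check_hostname=True;
    here we only pin the CA bundle (None = system store) and floor the version."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """True only if the context both validates the chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def hostname_matches(dns_names, hostname):
    """RFC 6125 section 6.4.3: case-insensitive; a wildcard is allowed only as the
    whole left-most label, matches exactly one non-empty label, and never forms a
    bare '*.tld'."""
    host = hostname.rstrip(".").lower()
    for name in dns_names:
        pat = name.rstrip(".").lower()
        if "*" not in pat:
            if pat == host:
                return True
            continue
        pl, hl = pat.split("."), host.split(".")
        if pl[0] != "*" or "*" in pat[2:] or len(pl) < 3 or len(pl) != len(hl):
            continue  # partial-label or multi-level wildcard, or label-count mismatch
        if hl[0] and pl[1:] == hl[1:]:
            return True
    return False


def verify_peer_hostname(cert, hostname):
    """cert has the dict shape ssl.SSLSocket.getpeercert() returns. Only
    subjectAltName DNS entries are consulted; the CN fallback is deliberately
    omitted, as current verifiers do."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return hostname_matches(sans, hostname)


# Constructed stand-in for getpeercert() output of a replica-set member cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "db1.example.test"),),),
    "subjectAltName": (("DNS", "db1.example.test"), ("DNS", "*.rs0.example.test")),
}

if __name__ == "__main__":
    print(context_is_strict(make_verified_client_context()))   # True
    print(verify_peer_hostname(SAMPLE_CERT, "db3.rs0.example.test"))  # True
    print(verify_peer_hostname(SAMPLE_CERT, "db3.example.test"))      # False
```

Without the hostname step, any certificate issued by the trusted CA satisfies the client, which is the Eve-holds-a-valid-certificate case from the Cryptographic Identity slide. Current PyMongo builds its own context from options such as tlsCAFile and tlsCertificateKeyFile; keep tlsAllowInvalidHostnames and tlsAllowInvalidCertificates at their default of false so that the equivalent of context_is_strict holds.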
Wrong DN
• Symptom
– Reported to the client.
• Error: 18 Username "C=US, ST=DC, L=Washington, O=Allanbank Consulting, Inc., CN=client1" does not match the provided client certificate user "CN=client1,O=Allanbank Consulting\, Inc.,L=Washington,ST=DC,C=US"
• Problem / Fix
– Use the right DN string
– Order and spacing matter and must match the addUser() name.
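The server-side string in the error above is the certificate subject in RFC 2253 form: RDNs in reverse certificate order, comma-separated without spaces, with commas inside values escaped. The following added example (not from the talk) derives that string from the subject tuple Python's getpeercert() returns, so the name passed to createUser is copied rather than typed, and classifies a mismatch as a spacing, ordering or genuinely different-subject problem. SUBJECT is constructed to mirror the certificate in the error message.

```python
# Added example (not from the talk): build the MONGODB-X509 username from a client
# certificate subject and diagnose a mismatch. SUBJECT is a constructed stand-in
# for ssl.SSLSocket.getpeercert()["subject"].

_SHORT = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU",
          "localityName": "L", "stateOrProvinceName": "ST", "countryName": "C",
          "domainComponent": "DC"}


def _escape(value):
    """RFC 2253 section 2.4: escape , + \" \\ < > ; anywhere, '#' or a space at
    the start, and a space at the end."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def x509_username(subject):
    """subject: tuple of RDNs, each a tuple of (attribute, value) pairs in the
    order the certificate lists them; RFC 2253 writes them in reverse."""
    rdns = ["+".join(f"{_SHORT.get(k, k)}={_escape(v)}" for k, v in rdn)
            for rdn in reversed(subject)]
    return ",".join(rdns)


def _split_rdns(dn):
    """Split on commas that are not backslash-escaped, trimming surrounding spaces."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def diagnose_dn(name_given_to_create_user, cert_dn):
    """'ok', 'spacing', 'order' or 'different': which pitfall applies."""
    if name_given_to_create_user == cert_dn:
        return "ok"
    given, actual = _split_rdns(name_given_to_create_user), _split_rdns(cert_dn)
    if given == actual:
        return "spacing"
    if sorted(given) == sorted(actual):
        return "order"
    return "different"


# Constructed subject mirroring the certificate in the error message above.
SUBJECT = (
    (("countryName", "US"),),
    (("stateOrProvinceName", "DC"),),
    (("localityName", "Washington"),),
    (("organizationName", "Allanbank Consulting, Inc."),),
    (("commonName", "client1"),),
)

if __name__ == "__main__":
    print(x509_username(SUBJECT))
    print(diagnose_dn("C=US, ST=DC, L=Washington, O=Allanbank Consulting, Inc., CN=client1",
                      x509_username(SUBJECT)))
```

Note that the slide's wrong string is reported as "different", not merely "order": the unescaped comma in "Allanbank Consulting, Inc." splits the organisation into two RDNs, so even reordering it would not have matched. Reading the subject from the certificate (or from openssl x509 -subject -nameopt RFC2253) avoids all three mistakes at once.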
Client Validation Error
• Symptom
– Server Log
• ERROR: SSL peer certificate validation failed: self signed certificate
– Client
• Connection error: exception: connect failed
• Problem / Fix
– Add the issuer for the client's certificate to the CAFile.
• You can simply concatenate the certificate entries (-----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----).
No TLS Client Certificate
• Symptom
– Printed to <stdout> on server startup, not to the log.
• warning: No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter
– Client sees
• Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
– Server Log:
• Failed to authenticate <DN>@$external with mechanism MONGODB-X509: AuthenticationFailed There is no x.509 client certificate matching the user.
• Problem / Fix
– Make sure you supply a CAFile parameter
Client Key Missing
• Symptom
– Server Log
• warning: no SSL certificate provided by peer
• Problem / Fix
– Make sure the client’s TLS configuration is correct.
– Make sure weakCertificateValidation is set to false.
• Setting “weakCertificateValidation: true” provides “want” vs. “must” semantics.
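The last two pitfalls (a missing CAFile, and weakCertificateValidation left at true) are both visible in the config file before mongod ever starts. This added example (not from the talk, and not a MongoDB tool) lints the net.ssl and security keys from the server configuration slide against the hardened values shown there. The two config fragments are constructed, and parse_simple_yaml is a deliberately minimal reader for the nested "key: value" subset mongod.conf uses, not a YAML parser.

```python
# Added example (not from the talk): lint mongod.conf for the TLS / authorization
# pitfalls discussed on the slides. Both config fragments below are constructed.

WEAK_CONFIG = """\
net:
  ssl:
    mode: preferSSL
    PEMKeyFile: ./ca/server.pem
    # CAFile deliberately absent
    weakCertificateValidation: true
    allowInvalidCertificates: true
security:
  authorization: disabled
"""

HARDENED_CONFIG = """\
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: ./ca/server.pem
    CAFile: ./ca/trust.crt
    weakCertificateValidation: false
    allowInvalidCertificates: false
security:
  authorization: enabled
  clusterAuthMode: x509
"""


def parse_simple_yaml(text):
    """Indentation-nested mappings of scalar values, comments stripped.
    Not a YAML parser: no lists, quoting or anchors."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:
            stack.pop()  # dedent: close the nested mappings we have left
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lint(cfg):
    """Return (setting, problem) pairs for every weak or missing value."""
    ssl_ = cfg.get("net", {}).get("ssl", {})
    sec = cfg.get("security", {})
    findings = []
    if ssl_.get("mode") != "requireSSL":
        findings.append(("net.ssl.mode",
                         "not requireSSL, so unencrypted connections are still accepted"))
    if "CAFile" not in ssl_:
        findings.append(("net.ssl.CAFile",
                         "missing, so client certificates cannot be validated (x.509 auth fails with code 18)"))
    if ssl_.get("weakCertificateValidation") == "true":
        findings.append(("net.ssl.weakCertificateValidation",
                         "true turns 'must present a certificate' into 'want'"))
    if ssl_.get("allowInvalidCertificates") == "true":
        findings.append(("net.ssl.allowInvalidCertificates",
                         "true lets peers with invalid certificates connect"))
    if sec.get("authorization") != "enabled":
        findings.append(("security.authorization", "not enabled, so roles are never enforced"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for key, problem in lint(parse_simple_yaml(text)):
            print(f"  {key}: {problem}")
```

Run it against the real mongod.conf in a pre-start check or CI job; the weak fragment yields five findings and the hardened one none. For a production config you would read the file with a real YAML library instead of parse_simple_yaml, but the lint rules stay the same.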
Authenticate as Cluster Member
• Symptom
– You can do things you should not be able to.
– Authentication log records look just like a user’s.
• Problem / Fix
– Add or change the OU on the cluster member certificates.
– Use a different CA for the cluster member certificates.
THANK YOU!!!
Robert.J.Moore@allanbank.com
Questions?