Low Hanging Fruit: Securing Your Basic MongoDB Installation

Transcription

1 Low Hanging Fruit: Securing Your Basic MongoDB Installation

2 About: Tom Spitzer, VP, Engineering, EC Wise EC Wise builds/enables Complex Secure Solutions Software Products / Service Delivery Platforms / Cyber Security Key Practices: Security, Secure Software Development, Intelligent Systems, Data Mature, International Offices and customers: North and South America, Asia ~ 60 employees, senior experienced teams Founded 1998 Prior to EC Wise I developed ecommerce and ERP systems

3 Learning Objectives 1. Describe how attackers are able to compromise other people s data 2. Configure MongoDB instances securely 3. Manage users, roles, and privileges, so that when a user logs in, that user has access to a set of role based privileges 4. Encrypt data in transit 5. Know how to use Read Only Views to improve security 6. Have an intelligent conversations with your organization about locking down your MongoDB instances

4 Top Risks / Common attacks Ransomware ,000 MongoDB servers in January, WannaCry in May Of course, affected MongoDB servers did not have authentication enabled! DDOS, Steganography, SQL/NoSQL Injection, system hijacking Political destabilization / infrastructure compromise Massive data theft via Advanced Persistent Threats : Experian, Yahoo, Target

5 Common Weaknesses / Mitigations - Access Weaknesses Authentication weak or not enabled Overly permissive, inappropriate, and unused privileges Abuse & lax management of privileged and service accounts e.g. do DBAs really require always-on access to application data? Mitigations Least privilege Strong authentication Multiple MongoDB options Access restrictions Role Based Access Control Account monitoring, especially for servers Slide 5

6 Common Weaknesses / Mitigations Surface Area Weaknesses Mitigations Lack of Control of Info Assets Storage media not secured Too much info generally available Inventory what, where, how Reduce surface area Dispose of data that is no longer needed; (archive / delete) Devalue data through encryption, tokenization, masking Pay attention to key management Slide 6

7 Common Weaknesses / Mitigations Practices Weaknesses Failure to apply patches Risky DB features enabled Weak application security Lack of visibility into DB and network activity Mitigations Create patch friendly environment Disable risky DB features -- noscripting Take advantage of OWASP tools, strategies Move controls closer to the data itself Log sensitive operations Enterprise: Consider DLP or SIEM Slide 7

8 I. Secure connectivity to and between servers Secure Connectivity reduces Surface Area MongoDB TLS (SSL successor) hierarchy Walk through enabling TLS Configuration options Code examples

9 PKI is acronym laden! MongoDB TLS Hierarchy

10 Driver MongoDB TLS protected communications DB Server 1 Server Key & Certificate PEM File CA Certificates File Client Machine DB Server 2 Server Key & Certificate PEM File CA Certificates File Server Key & Certificate PEM File CA Certificates File CRUD API calls over TLS Internal Traffic over TLS DB Server 3 CA Certificates File

11 SSL/TLS configuration Create server.pem files # Initialize CA by creating PK for it $ openssl genrsa -out CAKey.key -aes256 # Create CA certificate $ openssl req -x509 -new -extensions v3_ca -key CAKey.key -out CA-cert.crt # create key file and Certificate Signing Request for each server # will prompt for information used to create Distinguished Name or DN # Country, State/Province; Locality; Organization Name; Org Unit; Common Name; $ openssl req -new -nodes -newkey rsa:2048 -keyout serverx.key -out serverx.csr # have CA "sign" each server's CSR and generate server's public Cert $openssl x509 -CA./CA/CA-cert.crt -CAkey./CA./CA/CAkey.key -CAcreateserial -req -in./csr/serverx.csr - out./certs/serverx.crt # create.pem file for each server $ cat serverx.key serverx.crt > serverx.pem # copy.pem and host CERT file to config directory $ cp serverx.pem CA-cert.crt /mongodb/config/ Note:.pem is a container file format Note: example creates self-signed certificate, not recommended for production. For production, have a CA create a cert; to do so run the openssl command to create a CSR, and send it to your CA. This process is more fully explained at OpenSSL Essentials #update MongDB Config file with SSL info net: port:27017 bindip: ssl: mode: requiressl OR preferssl PEMKeyFile: /mongodb/config/serverx.pem CAFile: /mongodb/config/ca-cert.crt

12 SSL/TLS configuration Create Client.pem file # generate client key and CSR, again it will prompt for DN components # note that DN has to be different from server DN, can use different Org Unit $ openssl req -new -nodes -newkey rsa:2048 -keyout rootuser.key -out rootuser.csr # submit client CSR to CA for signing and Cert generation $ openssl x509 - CA./CA/CA-cert.crt -CAKey./CA/CAKey -CAcreateserial -req -in./csr/rootuser.csr -out./certs/rootuser.crt # concatenate client.pem $ cat mongokey/rootuser.key ssl/certs/rootuser.crt > mongokey/rootuser.pem # get client Cert subject details $ openssl x509 -in mongokey/rootuser.pem -inform PEM -subject -nameopt RFC2253 [subject= address=tspitzer@ecwise.com,cn=root,ou=ecwiseclients,o=ecwise,l=sr,st=ca,c=us] Note: be sure that client and server certs have different DNs, i.e. that at least one DN component, or RDN differs Note: consider secure repository for key storage, e.g. keystore service in Java or third party key manager; also Protect.pem file directories

13 SSL/TLS configuration restart with SSL Restart mongod ~]$ mongod -f /etc/mongod.conf Provide CERT to client, and connect with SSL ~]$ mongo --ssl --host server1 sslpemkeyfile./mongokey/rootuser.pem --sslcafile=cacert.crt

14 Mini Clinic Python SSL connection self._role_mapping = {'AUTHORIZE': self.get_authorize_db, 'SCHEDULER': self.get_scheduler_db, 'PRACTITIONER': self.get_practitioner_db, 'PHARMACIST': self.get_pharmacist_db, 'AUDITOR': self.get_auditor_db} def _get_database(self, type): username = config[type]['username'] password = config[type]['password'] cert_path = config['security']['cert_path'] uri = "mongodb://%s:%s@%s:%s" % ( quote_plus(username), quote_plus(password), self._host, self._port) return MongoClient(uri, ssl=true, ssl_ca_cert=cert_path)[self._db_name] def get_database_by_role(self, role): return self._role_mapping.get(role, None)() def get_authorize_db(self): if self._authorize_db is None: self._authorize_db = self._get_database('mongo_authorize') return self._authorize_db

15 II. Authentication: Available Strategies, Details Follow Username / Password Certificate 1. Challenge/Response (SCRAM-SHA-1) based on RFC5802) 2. x.509 Certificate (requires CA) Local CA Certificates File Authentication Strategy Comparisons Authentication Method Clear Text Password Identity Location Challenge/Response (SCRAM-SHA-1) No (Digest) Internal x.509 Certificate No (Digital Signature) External Addresses Weak Authentication vulnerability

16 SCRAM-SHA-1: Enable authentication, create accounts Start MongoDB without access control Connect in instance Create user administrator Restart instance with access control $ mongod -f /etc/mongod.conf Connect and authenticate as user administrator mongo --ssl --host mongod_host --sslcafile=/etc/ssl/mongodb.pem -uuseradmin -ppassword abc123 Create additional users use admin db.createuser( { user: "UserAdmin", pwd: "abc123", roles: [ { role: "useradminanydatabase", db: "admin" } ] } ) in /etc/mongod.conf security.authorization: enabled

17 Authentication using x.509 Certs Note Client vs. Member authentication capabilities Slide 17

18 x.509 authentication: Create,assign, enable Certs Create local certification authority or use third party Generate and sign certificates for client and servers in replica set Server and client certs must differ in organization part of DNs RS member O, OU, and DC components must match Start MongoDB replica set instances without access control Initialize replica set Update config.json Restart replica set in x.509 mode mongod --replset set509 --port $mport --dbpath./db/$host \ --sslmode requiressl --clusterauthmode x509 --sslcafile root-ca.pem \ --sslallowinvalidhostnames --fork --logpath./db/${host}.log \ --sslpemkeyfile ${host}.pem --sslclusterfile ${cluster}.pem

19 Client Authentication Examples SCRAM-SHA-1 $ mongo... > db.getsiblingdb("admin").auth( { mechanism: "SCRAM-SHA-1", user: "dbmaster", pwd: "adminpasswd123", digestpassword: true } ); x.509 Certificate $mongo... > db.getsiblingdb("$external").auth( { mechanism: "MONGODB-X509", user: "CN=client1,OU=MyClients,O=EC Wise, L=Chengdu,ST=GD,C=CN" } ); Client names must > db.test.find() match DN in cert FQDN

20 III. User & Role Management in MongoDB Addresses Overly permissive, inappropriate, and unused privileges vulnerability Enable Access Control for authentication Set up users and roles, applicable to both humans and services Enforce the Least Privilege strategy we discussed earlier Bind users and roles to machines or (sub)networks with Authentication Restriction

21 Use Roles to Manage Privilege Assignments Privilege allows an action on a resource. MongoDB defines a bunch of privileged operations. Roles are defined pairings of resources and actions that you can assign users Sixteen built-in roles, you have probably read about them class Authorization Model User Role Permission Resource Action read, readwrite, dbadmin, clusteradmin, backup, restore, etc.. Create custom roles, assign users to roles per the scripts on following slides

22 User & Role Examples based on Mini-Clinic app* Obviously, a medical clinic needs to be secure Roles Scheduler, Practitioner, Pharmacist, Auditor Objects Patient, Encounter, Observation, Prescription Operations Schedule Encounter, Make Diagnosis, Prescribe Medication Mini-Clinic Website Mini-Clinic Restful Services MongoDB *based on HL7 Fast Healthcare Interoperability Resources

23 Mini Clinic Role Mapping Role \ Data Scheduler Practitioner Patient Encounters Observation Medication Order Medication CUD R CUD R CUD R CUD R CUD R (only name) (no national ID) Pharmacist Auditor CUD = Create/Update/Delete R = Read

24 User and Role Management Examples db = db.getsiblingdb('admin'); //create scheduler db.createrole( { "role": "scheduler", "privileges": [ { "resource": {"db": "mini_clinic", "collection": "scheduler_patient"}, "actions": ["find"] }, { "resource": {"db": "mini_clinic", "collection": "encounter"}, "actions": ["find","insert","update"] } ], "roles": [] authenticationrestrictions : [{ clientsource : [ , ], serveraddress : [ /24, ] }] } ); //create scheduler user db.dropuser("user_scheduler"); db.createuser( { "user": "user_scheduler", "pwd": "ecwise.c1m", "roles": [ { "role": "scheduler", "db": "admin authenticationrestrictions : [{ clientsource : [ , ], serveraddress : [ /24, ] }] } ] } ); Slide 24

25 IV. Network/OS considerations Mongo DB Cluster Internal Network behind firewall DBs on separate subnet, not accessible to internet Internal Authentication between nodes of cluster With Key File (or X.509 certification) Shard + Replication set Amazon VLAN/VPCs Authentication with account & password Application Dedicated OS users for DB and App Services Router Single Public Access Configure Server Replication Set Shard + Replication set Localhost Default (3.6) VPN Authentication Maintenance Admin user Use BindIP to tell MongoDB any other adapter and sockets to listen to VPN Access Shard + Replication set IP Whitelisting (3.6) (enhances authentication) You re mainly addressing Surface Area risks, i.e. limiting areas of exposure

26 V. MongoDB Atlas has Security Baked In TLS/SSL enabled by default with mongodb+srv connection string Authentication, and authorization via SCRAM Network isolation and VPC Peering on AWS IP whitelists using Authentication Restriction Encrypted storage volumes Roles not definable: create users through Atlas UI and assign them to predefined roles

27 VI. Read Only Views Addresses both Surface area reduction and weak authorization risks Enable administrators to define a query that is materialized at runtime db.createview(<name>, <collection>, <pipeline>, <options>) where pipeline is an array that consists of the aggregation pipeline stage Admins can define permissions on who can access the views Use these Views in your applications to provide another level of security

28 Read only views db = db.getsiblingdb('admin'); /* create View */ db.createview( "scheduler_patient", "patient", { $project: { "firstname": 1, "lastname": 1 } } ); db.createview( "practitioner_patient", "patient", { $project: { "nationalid": 0 } } ); set13:primary> db.patient.findone({lastname : Maddin }) { "_id" : ObjectId(" c8e a5172"), "nationalid" : " ", "firstname" : "Joe", "dob" : " ", "lastname" : "Maddin", "phone" : " ", "gender" : "MALE" } set13:primary> db.scheduler_patient.findone({lastname : Maddin }) { "_id" : ObjectId(" c8e a5172"), "firstname" : "Joe", "lastname" : "Maddin" } set13:primary> db.practitioner_patient.findone({lastname : Maddin }) { "_id" : ObjectId(" c8e a5172"), "firstname" : "Joe", "dob" : " ", "lastname" : "Maddin", "phone" : " ", "gender" : "MALE" } // everything BUT national ID

29 VII. Architecting a secure system Consider the whole application from the UI/service initiation down to the DB A layered security strategy will be most effective Break down organizational barriers work across teams Always encrypt network traffic Decide on authentication model: standing alone vs. integrated with corporate Think carefully about Roles

30 Thank You Closing comments/questions? For follow up: Tom Slide 30

31 Appendix Examples and References Some additional code examples and web references are provided

32 MongoDB x.509 authentication settings { } "db" : "mongodb://localhost:27001/db-name?ssl=true", "dbopts": { "user": " address=john.doe@example.com,cn=xyz,ou=xyz-client,o=xyz,l=xyz,st=xyz,c=xyz", "auth": { "authmechanism": "MONGODB-X509" }, "server": { "sslvalidate": false, "sslkey": {"filepath": "/absolute/path/to/db-user.pem"}, "sslcert": {"filepath": "/absolute/path/to/db-user.crt"} } }

33 Cyber-Security References CyberCriminals and their APT and AVT Techniques InfoSec Institute: Anatomy of an APT Attack: Step by Step Approach Forrester Wave: Data Loss Prevention Suites Q4, 2016 Data Guardian s Definitive Guide to Data Loss Prevention How to Avoid Ransomware attacks against MongoDB InfoWorld Guide to MongoDB Security MongoDB Security Checklist (product documentation) Download link for MongoDB Security Reference Architecture