SlideShare a Scribd company logo

Securing Your MongoDB Implementation

Download as PPTX, PDF
MongoDB, profile picture
MongoDB

The document provides an overview of securing MongoDB implementations, highlighting changes in authentication and authorization from versions 2.2 to 2.4, including the introduction of roles for better access control. It discusses SSL encryption for secure data transmission, auditing capabilities, and the importance of logging user activity. Additionally, it touches on vulnerabilities, best practices for security, and outlines future developments in MongoDB security features.

TechnologyEducation
1 of 38
Downloaded 71 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#MongoDBLondon Securing your MongoDB Implementation Mark Hillick - @markofu Engineer, 10gen
Agenda 1. Securing MongoDB 2.2 2. Securing MongoDB 2.4 3. Outside of MongoDB 4. Vulnerabilities 5. Documentation 6. Futures 7. Q & A Securing your MongoDB Implementation, Mark Hillick
Securing MongoDB 2.2
Securing MongoDB 2.2 Authentication – Simple user/password scheme stored in MongoDB Authorization – Per database: no access, read, or read-write Auditing – Authentication requests logged – Some actions / changes captured in log Securing your MongoDB Implementation, Mark Hillick
MongoDB SSL SSL encryption SSL encryption for client for inter-server connection traffic Primary Secondary Application Data Files Data Files Keyfile establishes trust http://docs.mongodb.org/manual/administration/ssl/ Securing your MongoDB Implementation, Mark Hillick
Securing MongoDB 2.4
Authentication
External Authentication Use common / standardized authentication SASL: Simple Authentication and Security Layer – Framework for building authentication Kerberos – GSSAPI, drivers will be updated – Mixed system.users can work during transition Securing your MongoDB Implementation, Mark Hillick
Authentication with only pwd hash • Use one-way function F I am “marko@10gen.com”, let me in Knows Mongod only my Prove it, here is a random # N passwor d hash Here is F(N, hash(<mypwd>)) Nobody else could know Hash never that, welcome back marko! transmitted over the network! Securing your MongoDB Implementation, Mark Hillick
Authentication with Kerberos (2.4) I am “mark@10gen.com”, help me prove it to mongod KDC UDP:88 - Here is a TGT TCP:27017 Welcome, he Here is a re is a Kerberos Service TGT Ticket! UDP:8 8 Mongod { user: ”mark@10gen.com", roles: ["readWrite"], userSource: "$external" } Securing your MongoDB Implementation, Mark Hillick
Authenticating & Connecting # kinit mongouser …. # klist … 03/11/13 09:30:30 03/12/13 09:30:30 … # mongo mongodb.10gen.com/$external - -authenticationMechanism=GSSAPI -u mongouser@10GEN.COM Securing your MongoDB Implementation, Mark Hillick
Starting the Database env KRB5_KTNAME=/etc/kserver1b.keytab /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --replSet realm4 --keyFile /etc/keyfile Securing your MongoDB Implementation, Mark Hillick
Authorization
AUTHORIZATION • Issues with 2.2 • 2.4 introduces roles – Admin level roles • UserAdmin – DB level roles • ClusterAdmin • User Admin • DB Admin • Read • ReadWrite
AUTHORIZATION Corresponding • Issues with 2.2 Admin level roles for AllDatabases – Only Read / ReadWrite  – Edge-case with possible privilege escalation • 2.4 introduces roles – Admin level roles – DB level roles • UserAdmin • User Admin • ClusterAdmin • DB Admin • Read • ReadWrite Securing your MongoDB Implementation, Mark Hillick
ADMIN DB • ClusterAdmin • AllDatabases Source:https://wellsted135.files.wordpress.com/2012/10/special.gif Securing your MongoDB Implementation, Mark Hillick
Password Admin DB Accnts DB hashes • UserAdmin • UserAdmin • ClusterAdmin App DB Product • UserAdmi DB n • UserAdmin • dbAdmin • dbAdmin Customer • ReadWrite BI DB • • Read ReadWrite DB • UserAdmi • Read • UserAdmin n • dbAdmin • dbAdmin • ReadWrite • ReadWrite • Read • Read Securing your MongoDB Implementation, Mark Hillick
I can do anything but I won’t be I can add and required to do much remove shards DB Admin: UserAdmin DB Admin: ClusterAdmin I can I can grant I can create new create privileges to users but I can’t indices, set the App DB grant them profiling, co only privileges to other mpact DB’s DB Accnts: userAdmin DB App: userAdmin DB App: dbAdmin Securing your MongoDB Implementation, Mark Hillick
Super-User userAdmin & userAdminAnyDatabase are Only these users can view details about other users – system.users collection Securing your MongoDB Implementation, Mark Hillick
I can Each DB’s userAdmin gets to I can grant create grant privileges separately privileges to indices, set the App DB profiling, co only mpact DB App: UserAdmin DB App: dbAdmin In App.system.users : { { user: “fred” , user: “george” , usersource: “Accnts” , usersource: “Accnts” , roles: [ “userAdmin” ] roles: [ “dbAdmin“ ] , } Credentials from Accnts DB } Securing your MongoDB Implementation, Mark Hillick
Auditing
Additional Logging Monitor user activity: – userID added to standard output – Not currently a separate audit log – Much more coming in 2.6
Validation
Validation Objcheck – Helps prevent DOS – Validates input – SERVER-7769 (default) Securing your MongoDB Implementation, Mark Hillick
JS Engine
JS Engine Move to V8 – Primarily performance reasons but some security benefits – Restrictions on $where & M/R/F – SERVER-8104 & Aaron Heckmann’s Blog Securing your MongoDB Implementation, Mark Hillick
Outside of MongoDB
Outside of MongoDB Firewalls – iptables & netsh – Ports, Addresses, Times, Throttle etc F/S – Encrypt (Gazzang) Best Practices – Internal Policies (Password Reuse, Scan etc)
MongoDB - Gazzang • File System Encryption • 5% performance hit with HDD, 10-15% with SSD Gazzang Key Mgmt OS Gazzang File System – All contents encrypted Securing your MongoDB Implementation, Mark Hillick
Vulnerabilities
Vulnerabilities (1) Notify – Let us know How, What, Where? – http://docs.mongodb.org/manual/administration/vulnerabili ty-notification/ – Jira (HTTPS) & (Secure) Email Securing your MongoDB Implementation, Mark Hillick
Vulnerabilities (2) How do YOU know? – MongoDB Alerts How, What, Where? – Vulnerability Notification – Jira (HTTPS) & (Secure) Email Securing your MongoDB Implementation, Mark Hillick
Documentation
Documentation Manual – http://docs.mongodb.org/manual/security/ • Security Features within MongoDB • Best Practices & Management • Strategies • Tutorials • Vulnerability Notifications • References Securing your MongoDB Implementation, Mark Hillick
Futures
Disclaimer Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific feature discussed a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors. Securing your MongoDB Implementation, Mark Hillick
Futures Auditing – Logging to output userID associated with actions Passwords – Stronger Hashing Authorization – User Defined & More Granularity SSL – Client Cert Validation Securing your MongoDB Implementation, Mark Hillick
Thank You

More Related Content

PPTX
Securing Your MongoDB Deployment
MongoDB
 
PDF
Mdb dn 2016_11_ops_mgr
Daniel M. Farrell
 
PPTX
MongoDB 2.4 Security Features
MongoDB
 
PPTX
Webinar: MongoDB 2.6 New Security Features
MongoDB
 
PPTX
Security Features in MongoDB 2.4
MongoDB
 
PPTX
Beyond the Basics 4: How to secure your MongoDB database
MongoDB
 
PPTX
Securing Your MongoDB Deployment
MongoDB
 
PPTX
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
MongoDB
 
Securing Your MongoDB Deployment
MongoDB
 
Mdb dn 2016_11_ops_mgr
Daniel M. Farrell
 
MongoDB 2.4 Security Features
MongoDB
 
Webinar: MongoDB 2.6 New Security Features
MongoDB
 
Security Features in MongoDB 2.4
MongoDB
 
Beyond the Basics 4: How to secure your MongoDB database
MongoDB
 
Securing Your MongoDB Deployment
MongoDB
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
MongoDB
 

What's hot (20)

PDF
Engineering an Encrypted Storage Engine
MongoDB
 
PPTX
MongoDB Security Introduction - Presentation
HabileLabs
 
PPTX
Beyond the Basics 4 MongoDB Security and Authentication
MongoDB
 
PDF
MongoDB Launchpad 2016: Moving Cybersecurity to the Cloud
MongoDB
 
PPTX
NoSQL - No Security? - The BSides Edition
Gavin Holt
 
PDF
NoSQL, no security?
wurbanski
 
PPTX
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON
 
PPTX
Introducing Stitch
MongoDB
 
PDF
Distributed Virtual Transaction Directory Server
LDAPCon
 
PDF
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
PDF
A Backend to tie them all?
LDAPCon
 
PDF
Containerizing MongoDB with kubernetes
Brian McNamara
 
PPTX
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
PDF
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
PPTX
MongoDB 3.4: Deep Dive on Views, Zones, and MongoDB Compass
MongoDB
 
PPTX
Exploiting NoSQL Like Never Before
Francis Alexander
 
PDF
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
PPTX
Fluent 2012 v2
Shalendra Chhabra
 
PPTX
MongoDB World 2015 - A Technical Introduction to WiredTiger
WiredTiger
 
PPT
Hadoop Security Preview
Hadoop User Group
 
Engineering an Encrypted Storage Engine
MongoDB
 
MongoDB Security Introduction - Presentation
HabileLabs
 
Beyond the Basics 4 MongoDB Security and Authentication
MongoDB
 
MongoDB Launchpad 2016: Moving Cybersecurity to the Cloud
MongoDB
 
NoSQL - No Security? - The BSides Edition
Gavin Holt
 
NoSQL, no security?
wurbanski
 
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON
 
Introducing Stitch
MongoDB
 
Distributed Virtual Transaction Directory Server
LDAPCon
 
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
A Backend to tie them all?
LDAPCon
 
Containerizing MongoDB with kubernetes
Brian McNamara
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB
 
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
MongoDB 3.4: Deep Dive on Views, Zones, and MongoDB Compass
MongoDB
 
Exploiting NoSQL Like Never Before
Francis Alexander
 
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
Fluent 2012 v2
Shalendra Chhabra
 
MongoDB World 2015 - A Technical Introduction to WiredTiger
WiredTiger
 
Hadoop Security Preview
Hadoop User Group
 
Ad

Viewers also liked (17)

PPTX
Webinar: Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
PDF
Mongo db security guide
Deysi Gmarra
 
PDF
MongoDB Administration 101
MongoDB
 
PPTX
Automating a Secure MongoDB Deployment with Opscode and Gazzang
MongoDB
 
PPTX
Indexing In MongoDB
Kishor Parkhe
 
PPTX
SSecuring Your MongoDB Deployment
MongoDB
 
PPTX
Ops Jumpstart: MongoDB Administration 101
MongoDB
 
PPTX
Replication and Replica Sets
MongoDB
 
PPTX
MongoDB in a Mainframe World
MongoDB
 
PPT
Mongo Performance Optimization Using Indexing
Chinmay Naik
 
PDF
Phplx mongodb
JoaquimSerafim
 
PPTX
Back to Basics, webinar 5: Introduzione ad Aggregation Framework
MongoDB
 
PDF
MongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB
 
PPTX
Webinar: Performance Tuning + Optimization
MongoDB
 
PPTX
Back to Basics Webinar 4: Advanced Indexing, Text and Geospatial Indexes
MongoDB
 
PPTX
Back to Basics Webinar 5: Introduction to the Aggregation Framework
MongoDB
 
PDF
Webinar: 10-Step Guide to Creating a Single View of your Business
MongoDB
 
Webinar: Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
Mongo db security guide
Deysi Gmarra
 
MongoDB Administration 101
MongoDB
 
Automating a Secure MongoDB Deployment with Opscode and Gazzang
MongoDB
 
Indexing In MongoDB
Kishor Parkhe
 
SSecuring Your MongoDB Deployment
MongoDB
 
Ops Jumpstart: MongoDB Administration 101
MongoDB
 
Replication and Replica Sets
MongoDB
 
MongoDB in a Mainframe World
MongoDB
 
Mongo Performance Optimization Using Indexing
Chinmay Naik
 
Phplx mongodb
JoaquimSerafim
 
Back to Basics, webinar 5: Introduzione ad Aggregation Framework
MongoDB
 
MongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB
 
Webinar: Performance Tuning + Optimization
MongoDB
 
Back to Basics Webinar 4: Advanced Indexing, Text and Geospatial Indexes
MongoDB
 
Back to Basics Webinar 5: Introduction to the Aggregation Framework
MongoDB
 
Webinar: 10-Step Guide to Creating a Single View of your Business
MongoDB
 
Ad

Similar to Securing Your MongoDB Implementation (20)

PPTX
Securing Data in MongoDB with Gazzang and Chef
MongoDB
 
PDF
MongoDB World 2019: Tutorial: A Journey to Magical Security Creatures’ Land
MongoDB
 
PPT
Getting Started with MongoDB at Oracle Open World 2012
MongoDB
 
PDF
A Brief Introduction: MongoDB
DATAVERSITY
 
PDF
Mongodb Introduction
Jeremy Taylor
 
PPTX
Securing Your Enterprise Web Apps with MongoDB Enterprise
MongoDB
 
PPTX
Big data security
Joey Echeverria
 
PDF
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB
 
PDF
NoSQL - No Security?
Gavin Holt
 
PDF
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB
 
PPTX
Branf final bringing mongodb into your organization - mongo db-boston2012
MongoDB
 
PDF
No sql but even less security
iammutex
 
PPTX
Webinar: Securing your data - Mitigating the risks with MongoDB
MongoDB
 
PDF
10gen telco white_paper
El Taller Web
 
KEY
Mongo db admin_20110329
radiocats
 
ZIP
Designing a Secure Cocoa App
Graham Lee
 
PDF
Mongo db 2.6_security_architecture
Mat Keep
 
PPTX
An Introduction to Big Data, NoSQL and MongoDB
William LaForest
 
PPTX
OVERVIEW OF MONGODB | CREATING USER IN MONGODB & ASSIGNING ROLES
IQ Online Training
 
PDF
Creating Secure Social Applications
Tyler Browning
 
Securing Data in MongoDB with Gazzang and Chef
MongoDB
 
MongoDB World 2019: Tutorial: A Journey to Magical Security Creatures’ Land
MongoDB
 
Getting Started with MongoDB at Oracle Open World 2012
MongoDB
 
A Brief Introduction: MongoDB
DATAVERSITY
 
Mongodb Introduction
Jeremy Taylor
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
MongoDB
 
Big data security
Joey Echeverria
 
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB
 
NoSQL - No Security?
Gavin Holt
 
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB
 
Branf final bringing mongodb into your organization - mongo db-boston2012
MongoDB
 
No sql but even less security
iammutex
 
Webinar: Securing your data - Mitigating the risks with MongoDB
MongoDB
 
10gen telco white_paper
El Taller Web
 
Mongo db admin_20110329
radiocats
 
Designing a Secure Cocoa App
Graham Lee
 
Mongo db 2.6_security_architecture
Mat Keep
 
An Introduction to Big Data, NoSQL and MongoDB
William LaForest
 
OVERVIEW OF MONGODB | CREATING USER IN MONGODB & ASSIGNING ROLES
IQ Online Training
 
Creating Secure Social Applications
Tyler Browning
 

More from MongoDB (20)

PDF
MongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
MongoDB
 
PDF
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
PDF
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
MongoDB
 
PDF
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
MongoDB
 
PDF
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
MongoDB
 
PDF
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
MongoDB
 
PDF
MongoDB SoCal 2020: MongoDB Atlas Jump Start
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
PDF
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB
 
PDF
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB
 
PDF
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB
 
PDF
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB
 
PDF
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB
 
PDF
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB
 
PDF
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB
 
MongoDB SoCal 2020: Migrate Anything* to MongoDB Atlas
MongoDB
 
MongoDB SoCal 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
MongoDB SoCal 2020: Using MongoDB Services in Kubernetes: Any Platform, Devel...
MongoDB
 
MongoDB SoCal 2020: A Complete Methodology of Data Modeling for MongoDB
MongoDB
 
MongoDB SoCal 2020: From Pharmacist to Analyst: Leveraging MongoDB for Real-T...
MongoDB
 
MongoDB SoCal 2020: Best Practices for Working with IoT and Time-series Data
MongoDB
 
MongoDB SoCal 2020: MongoDB Atlas Jump Start
MongoDB
 
MongoDB .local San Francisco 2020: Powering the new age data demands [Infosys]
MongoDB
 
MongoDB .local San Francisco 2020: Using Client Side Encryption in MongoDB 4.2
MongoDB
 
MongoDB .local San Francisco 2020: Using MongoDB Services in Kubernetes: any ...
MongoDB
 
MongoDB .local San Francisco 2020: Go on a Data Safari with MongoDB Charts!
MongoDB
 
MongoDB .local San Francisco 2020: From SQL to NoSQL -- Changing Your Mindset
MongoDB
 
MongoDB .local San Francisco 2020: MongoDB Atlas Jumpstart
MongoDB
 
MongoDB .local San Francisco 2020: Tips and Tricks++ for Querying and Indexin...
MongoDB
 
MongoDB .local San Francisco 2020: Aggregation Pipeline Power++
MongoDB
 
MongoDB .local San Francisco 2020: A Complete Methodology of Data Modeling fo...
MongoDB
 
MongoDB .local San Francisco 2020: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB
 
MongoDB .local San Francisco 2020: Developing Alexa Skills with MongoDB & Golang
MongoDB
 
MongoDB .local Paris 2020: Realm : l'ingrédient secret pour de meilleures app...
MongoDB
 
MongoDB .local Paris 2020: Upply @MongoDB : Upply : Quand le Machine Learning...
MongoDB
 

Recently uploaded (20)

PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Cloud computing and distributed systems.
kkkkkhan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Encapsulation theory and applications.pdf
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
KodekX | Application Modernization Development
KodekX
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 

Securing Your MongoDB Implementation

  • 1. #MongoDBLondon Securing your MongoDB Implementation Mark Hillick - @markofu Engineer, 10gen
  • 2. Agenda 1. Securing MongoDB 2.2 2. Securing MongoDB 2.4 3. Outside of MongoDB 4. Vulnerabilities 5. Documentation 6. Futures 7. Q & A Securing your MongoDB Implementation, Mark Hillick
  • 4. Securing MongoDB 2.2 Authentication – Simple user/password scheme stored in MongoDB Authorization – Per database: no access, read, or read-write Auditing – Authentication requests logged – Some actions / changes captured in log Securing your MongoDB Implementation, Mark Hillick
  • 5. MongoDB SSL SSL encryption SSL encryption for client for inter-server connection traffic Primary Secondary Application Data Files Data Files Keyfile establishes trust http://docs.mongodb.org/manual/administration/ssl/ Securing your MongoDB Implementation, Mark Hillick
  • 8. External Authentication Use common / standardized authentication SASL: Simple Authentication and Security Layer – Framework for building authentication Kerberos – GSSAPI, drivers will be updated – Mixed system.users can work during transition Securing your MongoDB Implementation, Mark Hillick
  • 9. Authentication with only pwd hash • Use one-way function F I am “marko@10gen.com”, let me in Knows Mongod only my Prove it, here is a random # N passwor d hash Here is F(N, hash(<mypwd>)) Nobody else could know Hash never that, welcome back marko! transmitted over the network! Securing your MongoDB Implementation, Mark Hillick
  • 10. Authentication with Kerberos (2.4) I am “mark@10gen.com”, help me prove it to mongod KDC UDP:88 - Here is a TGT TCP:27017 Welcome, he Here is a re is a Kerberos Service TGT Ticket! UDP:8 8 Mongod { user: ”mark@10gen.com", roles: ["readWrite"], userSource: "$external" } Securing your MongoDB Implementation, Mark Hillick
  • 11. Authenticating & Connecting # kinit mongouser …. # klist … 03/11/13 09:30:30 03/12/13 09:30:30 … # mongo mongodb.10gen.com/$external - -authenticationMechanism=GSSAPI -u mongouser@10GEN.COM Securing your MongoDB Implementation, Mark Hillick
  • 12. Starting the Database env KRB5_KTNAME=/etc/kserver1b.keytab /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --replSet realm4 --keyFile /etc/keyfile Securing your MongoDB Implementation, Mark Hillick
  • 14. AUTHORIZATION • Issues with 2.2 • 2.4 introduces roles – Admin level roles • UserAdmin – DB level roles • ClusterAdmin • User Admin • DB Admin • Read • ReadWrite
  • 15. AUTHORIZATION Corresponding • Issues with 2.2 Admin level roles for AllDatabases – Only Read / ReadWrite  – Edge-case with possible privilege escalation • 2.4 introduces roles – Admin level roles – DB level roles • UserAdmin • User Admin • ClusterAdmin • DB Admin • Read • ReadWrite Securing your MongoDB Implementation, Mark Hillick
  • 16. ADMIN DB • ClusterAdmin • AllDatabases Source:https://wellsted135.files.wordpress.com/2012/10/special.gif Securing your MongoDB Implementation, Mark Hillick
  • 17. Password Admin DB Accnts DB hashes • UserAdmin • UserAdmin • ClusterAdmin App DB Product • UserAdmi DB n • UserAdmin • dbAdmin • dbAdmin Customer • ReadWrite BI DB • • Read ReadWrite DB • UserAdmi • Read • UserAdmin n • dbAdmin • dbAdmin • ReadWrite • ReadWrite • Read • Read Securing your MongoDB Implementation, Mark Hillick
  • 18. I can do anything but I won’t be I can add and required to do much remove shards DB Admin: UserAdmin DB Admin: ClusterAdmin I can I can grant I can create new create privileges to users but I can’t indices, set the App DB grant them profiling, co only privileges to other mpact DB’s DB Accnts: userAdmin DB App: userAdmin DB App: dbAdmin Securing your MongoDB Implementation, Mark Hillick
  • 19. Super-User userAdmin & userAdminAnyDatabase are Only these users can view details about other users – system.users collection Securing your MongoDB Implementation, Mark Hillick
  • 20. I can Each DB’s userAdmin gets to I can grant create grant privileges separately privileges to indices, set the App DB profiling, co only mpact DB App: UserAdmin DB App: dbAdmin In App.system.users : { { user: “fred” , user: “george” , usersource: “Accnts” , usersource: “Accnts” , roles: [ “userAdmin” ] roles: [ “dbAdmin“ ] , } Credentials from Accnts DB } Securing your MongoDB Implementation, Mark Hillick
  • 22. Additional Logging Monitor user activity: – userID added to standard output – Not currently a separate audit log – Much more coming in 2.6
  • 24. Validation Objcheck – Helps prevent DOS – Validates input – SERVER-7769 (default) Securing your MongoDB Implementation, Mark Hillick
  • 26. JS Engine Move to V8 – Primarily performance reasons but some security benefits – Restrictions on $where & M/R/F – SERVER-8104 & Aaron Heckmann’s Blog Securing your MongoDB Implementation, Mark Hillick
  • 28. Outside of MongoDB Firewalls – iptables & netsh – Ports, Addresses, Times, Throttle etc F/S – Encrypt (Gazzang) Best Practices – Internal Policies (Password Reuse, Scan etc)
  • 29. MongoDB - Gazzang • File System Encryption • 5% performance hit with HDD, 10-15% with SSD Gazzang Key Mgmt OS Gazzang File System – All contents encrypted Securing your MongoDB Implementation, Mark Hillick
  • 31. Vulnerabilities (1) Notify – Let us know How, What, Where? – http://docs.mongodb.org/manual/administration/vulnerabili ty-notification/ – Jira (HTTPS) & (Secure) Email Securing your MongoDB Implementation, Mark Hillick
  • 32. Vulnerabilities (2) How do YOU know? – MongoDB Alerts How, What, Where? – Vulnerability Notification – Jira (HTTPS) & (Secure) Email Securing your MongoDB Implementation, Mark Hillick
  • 34. Documentation Manual – http://docs.mongodb.org/manual/security/ • Security Features within MongoDB • Best Practices & Management • Strategies • Tutorials • Vulnerability Notifications • References Securing your MongoDB Implementation, Mark Hillick
  • 36. Disclaimer Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific feature discussed a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors. Securing your MongoDB Implementation, Mark Hillick
  • 37. Futures Auditing – Logging to output userID associated with actions Passwords – Stronger Hashing Authorization – User Defined & More Granularity SSL – Client Cert Validation Securing your MongoDB Implementation, Mark Hillick

Editor's Notes

  • #2: Ok, so here are the presenters notes. Your first job is to add you name and other useful stuff so that your students can contact you afterwards.This is a good time to- introduce yourself- create a seating chart, get each student to say their name, company and what they want to learn... and write it on your seating chart
  • #5: system.users collection with hash password
  • #11: MongoD does not even need to know the password hash!You can centralize your authentication service – SPOF &amp; SOS
  • #16: read: access to read documentsreadWrite: access to read and write documentsuserAdmin: manage, modify user access to a dbdbAdmin: compact, repair, validate etc.clusterAdmin: stuff with shards
  • #17: read: access to read documentsreadWrite: access to read and write documentsuserAdmin: manage, modify user access to a dbdbAdmin: compact, repair, validate etc.clusterAdmin: stuff with shards
  • #30: With SSD, as the time spent processing data between OS and disk gets proportionally larger since SSD&apos;s are so much faster, it means the pert hit is 15%. You still get a major upgrade in speed, but encrypting and decrypting take a larger share.