#MongoDBLondon

Securing your MongoDB Implementation
Mark Hillick - @markofu
Engineer, 10gen
Agenda
1. Securing MongoDB 2.2
2. Securing MongoDB 2.4
3. Outside of MongoDB
4. Vulnerabilities
5. Documentation
6. Futures
7. Q & A


               Securing your MongoDB Implementation, Mark Hillick
Securing MongoDB 2.2

Authentication
   – Simple user/password scheme stored in MongoDB
Authorization
   – Per database: no access, read, or read-write
Auditing
   – Authentication requests logged
   – Some actions / changes captured in log

MongoDB SSL

   Application --[SSL encryption for client connection]--> Primary --[SSL encryption for inter-server traffic]--> Secondary
   Primary and Secondary each keep their own Data Files.
   Keyfile establishes trust between the servers.

http://docs.mongodb.org/manual/administration/ssl/

Securing MongoDB 2.4

Authentication

External Authentication
Use common / standardized authentication

SASL: Simple Authentication and Security Layer
  – Framework for building authentication

Kerberos
  – GSSAPI, drivers will be updated
  – Mixed system.users can work during transition

Authentication with only pwd hash
• Use one-way function F

   Client -> Mongod:  I am “marko@10gen.com”, let me in
   Mongod -> Client:  Prove it, here is a random # N
   Client -> Mongod:  Here is F(N, hash(<mypwd>))
   Mongod:            Nobody else could know that, welcome back marko!

   Mongod knows only my password hash. The hash is never transmitted over the network!

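The exchange above, as an added example that is not from the slides or from MongoDB itself: a Python model in which mongod stores only hash(<mypwd>), issues a random nonce N, and verifies F(N, hash(<mypwd>)). F is assumed to be HMAC-SHA256 and the hash a username-salted SHA-256; this reproduces the idea on the slide, not MongoDB's actual wire format, and also shows why N must be single-use.

```python
import hashlib
import hmac
import secrets


def password_hash(username: str, password: str) -> str:
    """hash(<mypwd>) as stored in system.users; the username acts as a salt.
    Assumed construction for this demo, not MongoDB's own."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def challenge_response(nonce: str, stored_hash: str) -> str:
    """F(N, hash(<mypwd>)): assumed to be HMAC-SHA256 keyed with the stored hash.
    Only a party holding the hash can compute it, and the hash itself never
    leaves either side."""
    return hmac.new(stored_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class Mongod:
    """Server side: knows only the password hash, never the password."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}     # username -> hash(<mypwd>)
        self.pending: dict[str, str] = {}   # username -> outstanding nonce N

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = password_hash(username, password)

    def get_nonce(self, username: str) -> str:
        """'Prove it, here is a random # N' (fresh, unpredictable per attempt)."""
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def authenticate(self, username: str, response: str) -> bool:
        """Check F(N, hash) against the nonce issued for this attempt.
        The nonce is consumed on use, so a captured response cannot be replayed."""
        nonce = self.pending.pop(username, None)
        stored = self.users.get(username)
        if nonce is None or stored is None:
            return False
        expected = challenge_response(nonce, stored)
        return hmac.compare_digest(response, expected)


class Client:
    """Client side: derives hash(<mypwd>) locally and only ever sends F(N, hash)."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.hash = password_hash(username, password)

    def login(self, server: Mongod) -> bool:
        nonce = server.get_nonce(self.username)              # 'I am marko, let me in'
        return server.authenticate(self.username, challenge_response(nonce, self.hash))


def run_demo() -> tuple[bool, bool, bool, bool]:
    """Returns (good login, wrong password, captured response, replayed response)."""
    server = Mongod()
    server.add_user("marko@10gen.com", "correct horse")   # constructed test account
    ok = Client("marko@10gen.com", "correct horse").login(server)
    bad = Client("marko@10gen.com", "wrong password").login(server)
    # Replay check: a response observed on the wire is valid once, for its own N only.
    nonce = server.get_nonce("marko@10gen.com")
    captured = challenge_response(nonce, password_hash("marko@10gen.com", "correct horse"))
    first = server.authenticate("marko@10gen.com", captured)
    server.get_nonce("marko@10gen.com")                     # server issues a new N
    replayed = server.authenticate("marko@10gen.com", captured)
    return ok, bad, first, replayed


if __name__ == "__main__":
    print(run_demo())   # (True, False, True, False)
```

Note that in this scheme the stored hash is password-equivalent: anyone who can read system.users can compute F, which is why only the userAdmin roles may view that collection and why the Futures slide lists stronger hashing.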
Authentication with Kerberos (2.4)

   Client -> KDC (UDP:88):        I am “mark@10gen.com”, help me prove it to mongod
   KDC -> Client:                 Here is a TGT
   Client -> KDC (UDP:88):        Here is a Kerberos TGT
   KDC -> Client:                 Welcome, here is a Service Ticket!
   Client -> Mongod (TCP:27017):  presents the Service Ticket

   Mongod's system.users entry for the externally authenticated user:
   {
       user: "mark@10gen.com",
       roles: ["readWrite"],
       userSource: "$external"
   }
Authenticating & Connecting

   # kinit mongouser
   ….
   # klist
   …
   03/11/13 09:30:30  03/12/13 09:30:30
   …
   # mongo mongodb.10gen.com/$external --authenticationMechanism=GSSAPI -u mongouser@10GEN.COM

Starting the Database

   env KRB5_KTNAME=/etc/kserver1b.keytab \
   /usr/local/bin/mongodb/bin/mongod --auth \
     --setParameter authenticationMechanisms=GSSAPI \
     --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log \
     --replSet realm4 --keyFile /etc/keyfile
Authorization

• Issues with 2.2
   – Only Read / ReadWrite
   – Edge-case with possible privilege escalation

• 2.4 introduces roles
   – Admin level roles: UserAdmin, ClusterAdmin
   – DB level roles: User Admin, DB Admin, Read, ReadWrite
   – Corresponding Admin level roles for AllDatabases

Admin DB
• ClusterAdmin
• AllDatabases

(Image source: https://wellsted135.files.wordpress.com/2012/10/special.gif)

Roles per database

   Admin DB:     UserAdmin, ClusterAdmin
   Accnts DB:    UserAdmin                                  (holds the password hashes)
   App DB:       UserAdmin, dbAdmin, ReadWrite, Read
   BI DB:        UserAdmin, dbAdmin, ReadWrite, Read
   Product DB:   UserAdmin, dbAdmin, ReadWrite, Read
   Customer DB:  UserAdmin, dbAdmin, ReadWrite, Read
What each role can do

   DB Admin: UserAdmin      – “I can do anything but I won’t be required to do much”
   DB Admin: ClusterAdmin   – “I can add and remove shards”
   DB Accnts: userAdmin     – “I can create new users but I can’t grant them privileges to other DB’s”
   DB App: userAdmin        – “I can grant privileges to the App DB only”
   DB App: dbAdmin          – “I can create indices, set profiling, compact”

Super-User
userAdmin & userAdminAnyDatabase are super-users

Only these users can view details about other users – system.users collection

   DB App: UserAdmin  – “I can grant privileges to the App DB only”
   DB App: dbAdmin    – “I can create indices, set profiling, compact”
   Each DB’s userAdmin gets to grant privileges separately

In App.system.users (credentials come from the Accnts DB):

   {
       user: "fred",
       userSource: "Accnts",
       roles: [ "userAdmin" ]
   }

   {
       user: "george",
       userSource: "Accnts",
       roles: [ "dbAdmin" ]
   }

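An added example, not from the slides or from MongoDB's own code, that models the 2.4 role scheme the Authorization and Super-User slides describe: DB-level roles, the admin-only *AnyDatabase roles (2.4 role names), userSource delegation of credentials, and an audit that flags super-user-capable accounts and dangling userSource references. The system.users documents, role-to-operation mapping and user names are constructed for the demo.

```python
# Simplified model of the MongoDB 2.4 role scheme described on the slides.
# Operation names per role follow the slides' own descriptions (constructed).
ROLE_OPS = {
    "read":         {"find"},
    "readWrite":    {"find", "insert", "update", "remove"},
    "dbAdmin":      {"compact", "repair", "validate", "createIndex", "setProfiling"},
    "userAdmin":    {"addUser", "grantRole"},
    "clusterAdmin": {"addShard", "removeShard"},
}

# Admin-DB-only roles that apply the corresponding DB-level role to every database.
ANY_DB = {
    "readAnyDatabase":      "read",
    "readWriteAnyDatabase": "readWrite",
    "dbAdminAnyDatabase":   "dbAdmin",
    "userAdminAnyDatabase": "userAdmin",
}

# Constructed system.users contents keyed by database. As on the slide, fred and
# george are defined in App but keep their credentials (pwd) in Accnts.
# "ghost" is a deliberately dangling delegation with no credential in Accnts.
USERS = {
    "admin":  [{"user": "ops",    "pwd": "<hash>", "roles": ["userAdminAnyDatabase", "clusterAdmin"]}],
    "Accnts": [{"user": "fred",   "pwd": "<hash>", "roles": ["userAdmin"]},
               {"user": "george", "pwd": "<hash>", "roles": []}],
    "App":    [{"user": "fred",   "userSource": "Accnts", "roles": ["userAdmin"]},
               {"user": "george", "userSource": "Accnts", "roles": ["dbAdmin"]},
               {"user": "ghost",  "userSource": "Accnts", "roles": ["readWrite"]}],
}


def effective_roles(users, auth_db, username, target_db):
    """DB-level roles on target_db for a user who authenticated to auth_db.

    A target_db document applies when the user authenticated to that very DB
    (the document holds a pwd) or to the DB named in its userSource. The admin
    *AnyDatabase roles apply to every database, so each DB's userAdmin can only
    grant within its own database while userAdminAnyDatabase reaches all of them.
    """
    roles = set()
    for doc in users.get(target_db, []):
        if doc["user"] != username:
            continue
        if doc.get("userSource", target_db) == auth_db:
            roles.update(r for r in doc["roles"] if r in ROLE_OPS)
    if auth_db == "admin":
        for doc in users.get("admin", []):
            if doc["user"] == username:
                roles.update(ANY_DB[r] for r in doc["roles"] if r in ANY_DB)
    return roles


def can(users, auth_db, username, target_db, op):
    """True if any effective role on target_db permits op."""
    return any(op in ROLE_OPS[r] for r in effective_roles(users, auth_db, username, target_db))


def audit(users):
    """Findings a reviewer of system.users would want: accounts that reach every
    database (super-user-capable per the slides) and delegated accounts whose
    credential source does not exist, which can never authenticate."""
    findings = []
    for db, docs in users.items():
        for doc in docs:
            for r in doc["roles"]:
                if r in ANY_DB or r == "clusterAdmin" or (db == "admin" and r == "userAdmin"):
                    findings.append(f"{db}.{doc['user']}: super-user-capable role {r}")
            src = doc.get("userSource")
            if src and src != "$external":   # $external = Kerberos/GSSAPI identity, no pwd anywhere
                if not any(d["user"] == doc["user"] and "pwd" in d for d in users.get(src, [])):
                    findings.append(f"{db}.{doc['user']}: userSource {src} has no matching credential")
    return findings


if __name__ == "__main__":
    print(can(USERS, "Accnts", "george", "App", "createIndex"))   # True: dbAdmin on App
    print(can(USERS, "Accnts", "fred", "Product", "grantRole"))    # False: userAdmin on App only
    print(can(USERS, "admin", "ops", "Product", "addUser"))        # True: userAdminAnyDatabase
    for line in audit(USERS):
        print(line)
```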
Auditing

Additional Logging
Monitor user activity:
   – userID added to standard output
   – Not currently a separate audit log
   – Much more coming in 2.6

Validation

Objcheck
  – Helps prevent DOS
  – Validates input
  – SERVER-7769 (default)

JS Engine

Move to V8
  – Primarily performance reasons but some security benefits
  – Restrictions on $where & M/R/F
  – SERVER-8104 & Aaron Heckmann’s Blog

Outside of MongoDB

Firewalls
   – iptables & netsh
   – Ports, Addresses, Times, Throttle etc
F/S
   – Encrypt (Gazzang)
Best Practices
   – Internal Policies (Password Reuse, Scan etc)

MongoDB - Gazzang
• File System Encryption
• 5% performance hit with HDD, 10-15% with SSD

   OS <-> Gazzang <-> Gazzang Key Mgmt
   File System – All contents encrypted

Vulnerabilities

Vulnerabilities (1)
Notify
   – Let us know
How, What, Where?
   – http://docs.mongodb.org/manual/administration/vulnerability-notification/
   – Jira (HTTPS) & (Secure) Email

Vulnerabilities (2)
How do YOU know?
  – MongoDB Alerts
How, What, Where?
  – Vulnerability Notification
  – Jira (HTTPS) & (Secure) Email

Documentation

Manual
  – http://docs.mongodb.org/manual/security/
     •   Security Features within MongoDB
     •   Best Practices & Management
     •   Strategies
     •   Tutorials
     •   Vulnerability Notifications
     •   References

Futures

Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, any specific feature discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.

Futures
Auditing
   – Logging to output userID associated with actions
Passwords
   – Stronger Hashing
Authorization
   – User Defined & More Granularity
SSL
   – Client Cert Validation

Thank You

Editor's Notes

  • #5: system.users collection with hash password
  • #11: MongoD does not even need to know the password hash! You can centralize your authentication service – SPOF & SOS
  • #16: read: access to read documents; readWrite: access to read and write documents; userAdmin: manage, modify user access to a db; dbAdmin: compact, repair, validate etc.; clusterAdmin: stuff with shards
  • #30: With SSD, as the time spent processing data between OS and disk gets proportionally larger since SSD's are so much faster, it means the perf hit is 15%. You still get a major upgrade in speed, but encrypting and decrypting take a larger share.