Enhancing the default MongoDB Security

May-30-2019
Enhancing the Default MongoDB Security

{"name": "Igor Donchovski",
"live_in": "Skopje",
"email": "donchovski@pythian.com",
"current_role": "Lead database consultant",
"education": [{"type": "College", "name": "FEIT", "graduated": "2008", "university": "UKIM"},
{"type": "Master", "name": "FINKI", "graduated": "2013", "university": "UKIM"}],
"work": [{"role": "Web developer", "start": "2007", "end": "2012", "company": "Gord Systems"},
{"role": "DBA", "start": "2012", "end": "2014", "company": "NOVP"},
{"role": "Database consultant", "start": "2014", "end": "2016", "company": "Pythian"},
{"role": "Lead database consultant", "start": "2016", "company": "Pythian"}],
"certificates": [{"name": "C100DBA", "year": "2016", "description": "MongoDB certified DBA"}],
"social": [{"network": "LinkedIn", "url": "https://mk.linkedin.com/in/igorle"},
{"network": "Twitter", "url": "https://twitter.com/igorle"}],
"interests": ["Hiking", "Biking", "Traveling"],
"hobbies": ["Painting", "Photography", "Cooking"],
"proud_of": ["Volunteering", "Helping the Community"]}
About Me
© 2019 Pythian. Confidential

Overview
• Default security
• Access control
• Authentication and Authorization
• Network hardening
• Encryption in Transit
• Encryption at REST
• Auditing
• QA

Security Incidents
● Data breach is a security incident in which sensitive, protected or confidential data is
copied, transmitted, viewed, stolen or used by an individual unauthorized to do so
● Industry analysts predict cybercrime will cost the global economy $6 trillion annually
by 2021

Defaults

• sudo yum install -y mongodb-org
• sudo apt-get install -y mongodb-org
• sudo zypper -n install mongodb-org
sudo service mongod start
• sudo tar -zxvf mongodb-linux-*-4.0.9.tgz
sudo mongod --dbpath /data/db --logpath /log/mongod.log
• mongo (shell to interact with the database)
> use test
> db.foo.find()
Default Security

• before MongoDB 3.6
net.bindIP: 0.0.0.0 (if MongoDB installed from binaries)
net.bindIP: 127.0.0.1 (if MongoDB installed from package after 2.6)
Default Security
1. db.foo.findOne()
2. { "_id" : ... }

• after MongoDB 3.6
net.bindIP: 127.0.0.1
Default security
1. db.foo.findOne()
2. Error: couldn't
connect to server

• Users allowed to ssh to DB server
net.bindIP: 127.0.0.1
Default Security
1. db.foo.findOne()
2. { "_id" : ... }
1. db.foo.findOne()
2. Error: couldn't
connect to server

• Application and Database don’t usually run on same host
• DBA need to change bindIP
net.bindIP: 0.0.0.0
Default Security
1. db.foo.findOne()
2. { "_id" : ... }

Access Control

• security:authorization: enabled
use admin
db.createUser(
{
user: "UserAdmin",
pwd: "123456",
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
Access Control
2. Who are you?
1. db.foo.findOne()

mongo --port 27017 -u "UserAdmin" --authenticationDatabase "admin" -p
db.createUser(
{
user: "tester",
pwd: "qwerty",
roles: [ { role: "readWrite", db: "test" },
{ role: "read", db: "reporting" } ]
}
)
Access Control
2. true
1. db.auth()

• SCRAM (default)
• x.509 Certificate Authentication
• LDAP
• Kerberos
Authentication
2. true
1. db.auth()

• Keyfile
--keyFile
• x.509
--clusterAuthMode
--sslClusterFile
• Enabling internal authentication
also enables client authorization.
Internal Authentication

createUser
Drop
Drop
Drop
findAndModify
dropUser
isMaster
createUser
Insert
Find
Authorization
Update
Delete
Drop

Drop
createUser
createUser
isMaster
Insert
Find
createUser
Find
Authorization
Delete
Drop
DropUpdate
Reporting
Application
DBA

Authorization
● Role Based Access Control
○ Role - grants privileges to perform the specified actions on resource
○ Resource - database, collection, set of collections, or the cluster
○ Privilege - consists of a specified resource and the actions permitted
on the resource
○ Action specifies the operation allowed on the resource
● Built-In roles and User-Defined roles
● Limit data access with custom views

• Database servers exposed to the internet
• No Firewall, VPN or VPC
Network Hardening

• No need for DB server to be exposed to the internet
• Add Firewall rules, VPN or VPC
Network Hardening
VPC

Access Control Summary
VPC
VPNApplication
2. true
1. db.auth()

Encryption

● Attacker can access data by monitoring traffic between the application
and the database or by reading files directly
Why Encryption?
Attacker
2. true
1. db.auth()
Attacker

● Protect Personally Identifiable Information (PII)
○ PCI DSS for managing cardholder information
○ HIPAA standards for managing healthcare information
○ GDPR for the protection of EU citizen data privacy (May 2018)
○ FISMA to ensure the security of data in the federal government
○ FERPA to protect the privacy of student education records
○ The Asia Pacific Cross-border Privacy Enforcement Arrangement (CPEA)
○ Others
Why Encryption?

Encryption with MongoDB
● Transport encryption
○ MongoDB network traffic is only readable by the intended client
● Encryption at REST
○ Application Level Encryption and Storage Encryption
○ Native encryption option for the WiredTiger storage engine*
* Available in MongoDB Enterprise only

Transport Encryption

● TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of
MongoDB’s network traffic
● Certificate Authorities - valid certificates generated and signed by a single
certificate authority
○ PEMKeyfile with the name of the .pem file that contains the signed
TLS/SSL certificate and key
○ CAFile with the name of the .pem file that contains the root certificate
chain from the Certificate Authority

Configuration notes: Deploying a 3 node replica set
MongoDB config file
# /etc/mongod.conf
systemLog:
..................
path: /mongodb/logs/mongod.log
storage:
dbPath: /mongodb/data
..................
net:
port: 27017
ssl:
mode: <disabled|allowSSL|preferSSL|requireSSL>
PEMKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/ca.pem
..................
replication:
replSetName: production

net.ssl.mode
Value Description
disabled The server does not use TLS/SSL
allowSSL
Connections between servers do not use TLS/SSL
For incoming connections, the server accepts both TLS/SSL and
non-TLS/non-SSL
preferSSL
Connections between servers use TLS/SSL
For incoming connections, the server accepts both TLS/SSL and
non-TLS/non-SSL
requireSSL The server uses and accepts only TLS/SSL encrypted connections

1. Install MongoDB on each node*
2. Start each server with config file options for
net.ssl.mode <allowSSL|preferSSL|requireSSL>
3. Initiate the replica set on the Primary node
4. Add the rest of the nodes by using FQDN
* confirm your MongoDB legacy supports TLS/SSL
Heartbeat

Upgrade running Replica to Use TLS/SSL
• Restart the processes with ssl.Mode allowSSL
net:
ssl:
mode: allowSSL
• Switch the clients to use TLS/SSL

net:
ssl:
mode: allowSSL
• Upgrade to preferSSL by issuing the command on each node
db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } )

net:
ssl:
mode: allowSSL
• Upgrade to preferSSL by issuing the command on each node
db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } )
• Upgrade to requireSSL by issuing the command on each node
db.adminCommand( { setParameter: 1, sslMode: "requireSSL" } )
• Update the config file to persist the settings
net:
ssl:
mode: requireSSL

Encryption at REST

Application Level Encryption
● Encryption on a per-field or per-document basis within the application
layer
● Custom encryption and decryption routines to encrypt
○ Document
○ Field level data

Storage Engine Encryption
• Native encryption option for the WiredTiger storage engine only
• AES256-CBC (or 256-bit Advanced Encryption Standard in Cipher Block
Chaining mode) via OpenSSL
• AES-256 uses a symmetric key; i.e. the same key to encrypt and decrypt
text

Encryption at REST
● Use of local key management via a keyfile
○ Create the base64 encoded keyfile with the 16 or 32 character string
openssl rand -base64 32 > mongodb-keyfile
○ Assign permissions 600
chmod 600 mongodb-keyfile
○ Start mongod with the encryption options
/usr/bin/mongod --enableEncryption --encryptionKeyFile mongodb-keyfile
# /etc/mongod.conf
security:
enableEncryption: true
encryptionKeyFile: /etc/mongodb_keyfile

Encryption at REST
● Integration with a third party key management appliance via the Key
Management Interoperability Protocol (KMIP)
○ Key manager must support the KMIP communication protocol
○ Must have a valid certificate issued by the key management
appliance
/usr/bin/mongod --enableEncryption --kmipServerName <KMIP Server HostName> --kmipPort <KMIP
server port> --kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem

Encryption with KMIP
• Generating a master key
• Generating keys for each database
• Encrypting data with the database
keys
• Encrypting the database keys with
the master key
• Master key and database keys are
not replicated

Disk Level Encryption
• Amazon EBS encryption
• Azure disk encryption
• Google Compute Engine encrypts all data at rest (by default)
• Linux hard disk encryption with LUKS
• BitLocker encryption for Windows server

Auditing
Track System Activity
● schema (DDL)
● replica set and sharded cluster
● authentication and authorization
● CRUD operations
auditLog:
destination: <syslog>, <console>, <file>
format: <JSON>, <BSON>
path: data/db/auditLog.<json>,<bson>
filter: '{ atype: { $in: ["dropCollection"]}}'
* Available in MongoDB Enterprise only
> bsondump auditLog.bson
{"atype":"authenticate","ts":{"$date":"2019-02-14T14:11:29.97
5+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"i
p":"127.0.0.1","port":42634},"users":[],"roles":[],"param":{"
user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result"
:18}
{"atype":"authCheck","ts":{"$date":"2019-02-14T14:15:49.161+0
100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":
"127.0.0.1","port":42636},"users":[{"user":"test","db":"admin
"}],"roles":[{"role":"read","db":"admin"}],"param":{"command"
:"insert","ns":"test.orders","args":{"insert":"orders","docum
ents":[{"_id":{"$oid":"58a3030507bd5e3486b1220d"},"id":1.0,"i
tem":"paper clips"}],"ordered":true}},"result":13}

Security Features Comparison
MongoDB
Community
MongoDB
Enterprise
Percona server for
MongoDB
LDAP Authentication
LDAP Authorization
Kerberos
Storage engine encryption
Auditing
Log redaction

Summary
• Security incidents and data breaches grow exponentially over the last 5
years
• Enable access control by turning on authentication
• Limit resources access by authorization and roles
• Harden your database by limiting network exposure
• Protect data in transit by using encryption with TLS/SSL
• Protect data at rest by using encrypted storage engine
• Track System activity with Auditing
• Keep your database version up to date

Questions?

We’re Hiring!
https://www.pythian.com/careers/

Enhancing the default MongoDB Security

Recommended

More Related Content

What's hot (20)

Similar to Enhancing the default MongoDB Security (20)

Recently uploaded (20)

Enhancing the default MongoDB Security