Speaker: Jay Runkel, Principal Solution Architect, MongoDB
Level: 200 (Intermediate)
Track: Operations
When architecting a MongoDB application, one of the most difficult questions to answer is how much hardware (number of shards, number of replicas, and server specifications) am I going to need for an application. Similarly, when deploying in the cloud, how do you estimate your monthly AWS, Azure, or GCP costs given a description of a new application? While there isn’t a precise formula for mapping application features (e.g., document structure, schema, query volumes) into servers, there are various strategies you can use to estimate the MongoDB cluster sizing. This presentation will cover the questions you need to ask and describe how to use this information to estimate the required cluster size or cloud deployment cost.
What You Will Learn:
- How to architect a sharded cluster that provides the required computing resources while minimizing hardware or cloud computing costs
- How to use this information to estimate the overall cluster requirements for IOPS, RAM, cores, disk space, etc.
- What you need to know about the application to estimate a cluster size
2. About: Tom Spitzer,
VP, Engineering, EC Wise
EC Wise builds/enables Complex Secure Solutions
Software Products / Service Delivery Platforms / Cyber Security
Key Practices: Security, Secure Software Development, Intelligent Systems, Data
Mature, International
Offices and customers: North and South America, Asia
~ 100 employees, senior experienced teams
Founded 1998
Prior to EC Wise I developed eCommerce and ERP systems
3. Challenges We Are Trying to Address
We need ways to identify when attacks may be occurring
When compromised, precise and efficient data restoration is essential
MongoDB stores data in a form that could be compromised
Within the Enterprise space, single sign on has been shown to be a better
solution for identity management than doling out user accounts on multiple
systems; it also enables centralized permission management
We need tools for forensics and regulatory compliance
We want to develop solutions for U.S. government agencies
4. Learning Objectives; you will learn how to
1. How to use MongoDB Enterprise Ops Manager to make your MongoDB
databases more secure
2. How to use the Encrypted Storage engine
3. The differences between Kerberos and LDAP authentication and how to set
them up
4. How to enable and manage auditing to support your security efforts
5. How to create a secure cluster configuration
6. What’s involved in setting up MongoDB in compliance with FIPS
5. OpsManager: Management and monitoring features
Interactively set deployment-wide authentication model
Monitor/set thresholds for resource usage
Unusual resource usage may indicate unusual activities
Continuous Backup and Backup encryption (v 3.4)
Automate version upgrades (and downgrades, if necessary)
Important since upgrades often include security enhancements
Log consolidation and management
11. Ops Manager Backup Features
Continuous back-up vs. interval based backup provided by MongoDump and
file system copies; Minimizes downtime, conserves resources
Enables fast recovery in event of compromise
Works with replica sets and sharded clusters
can convert standalone mongod to single member replica set
Enables restore to specified point between snapshots
Supports encrypted backup storage
12. Performs initial sync
to back up current
data.
•Includes each
shard and the
config servers.
Takes snapshots of
the data directory
based on specified
snapshot schedule
•then transfers the
snapshots to a
storage system
Monitors the oplog
constantly and adds
new database
operations to the
latest backup
•Ops Manager
maintains up to
date copy of
database.
The backup process:
Sharded Clusters also can
enable “checkpoints” to
permit restores at moments
between snapshots.
Maintains one
“head database”
per replica set
13.
14. Set KMIP Server Configuration (req for encryption)
Navigate to the Backup
configuration tab.
1.Click Admin.
2.Click General.
3.Click Ops Manager Config.
4.Click Backup tab.
17. MongoDB Storage Engine Encryption
Native encryption in Wired Tiger storage engine; single digit % overhead
Uses AES256 with choice of “mode of operation”
CBC: Cipher Block Chaining – tried and true (and MongoDB default)
G/CM: Galois Counter Mode – widely used for data packets
Key management – only master key is external to the server
two strategies for key rotation
Master Key per replica
Internal Key per database
18. Master key management
Only master key is external to the server
Two strategies for key rotation
Master Key per replica
Internal Key per database
Use third party key management appliance via the Key Management Interoperability
Protocol (KMIP). Recommended & typically required to meet regulatory reqs
e.g. Alliance Key Manager for MongoDB, Vormetric, Gemalto,
Open Source Python KMIP server
Local key management via a keyfile (generate with SSL)
openssl rand -base64 32 > mongodb-keyfile
19. Data at Rest Encryption with KMIP
3rd Party Key
Management
Appliance
Replica1 Host OS
DB 1 DB 2 DB 3
Replica1’s Master Key
Replica2’s Master Key
Replica3’s Master Key
CA Certificates File
DB 4
Internal Key Manager Keystore
(encrypted by Master Key)
DB 1 Key
DB 2 Key
DB 3 Key
DB 4 Key
Encrypts & Decrypts
Replica1 mongodReplica1 Key &
Certificate PEM
File
20. Enable encryption with new KMIP key
mongod --enableEncryption --kmipServerName <KMIP Server HostName>
--kmipPort <KMIP server port> --kmipServerCAFile <path to ca.pem>
--kmipClientCertificateFile <path to client.pem>
Enable encryption with keyfile
mongod --enableEncryption --kmipServerName <KMIP Server HostName>
--kmipPort <KMIP server port> --kmipServerCAFile <path to ca.pem>
--kmipClientCertificateFile <path to client.pem> --kmipKeyIdentifier <UID>
Enable encryption with existing key
// create key file, e.g. using OpenSSL
mongod –enableEncryption --encryptionKeyFile mongodb-keyfile
21. Key rotation (annual recommended)
KMIP – rotate master key
With the new master key, the internal keystore will be re-encrypted but the database keys will be
otherwise left unchanged. This obviates the need to re-encrypt the entire data set.
Rotate the master key for the secondary members of the replica set one at a time.
mongod --enableEncryption --kmipRotateMasterKey
--kmipServerName <KMIP Server HostName>
--kmipServerCAFile ca.pem --kmipClientCertificateFile client.pem
Step down master to replica and rotate master key on it last
If using key file, recommendation is to replace and retire encypted replicas
22. Log Redaction (3.4 Enterprise)
Redacts Client Data Shown in System Log Files
• All potentially sensitive user data omitted from logs
Trade-off:
• Harder to diagnose system & performance issues
• If you don’t use, manage logs “carefully”
Vs
24. Client Authentication Comparisons
Authentication Method Clear Text Password Identity Location
LDAP Yes * External
Kerberos
No (KDC generated session
key encrypted with
password)
External
* Can be protected via a transport-level security
mechanism
25. Using Kerberos with MongoDB
“Kerberos” a “tried and true” industry standard authentication protocol for large
client/server systems.
For organizations with in-place Kerberos infrastructure - Enterprise MongoDB and
applications use existing Kerberos authentication infrastructure and processes
Mutual authentication model mediated by Key Distribution Center
Must add Kerberos user and service principals to MongoDB $external database
User principals can represent actual users or applications
Service principals represent your MongoDB servers (use FQDNs)
26. Setting up LDAP between MongoDB and AD
• Set up Users and Groups in Active Directory
• Map AD Users to Mongo DB Groups
• Ensure AD Server has TLS/SSL enabled
• Work with your IT Dept
• Generate Certs and install on MongoDB Server
• Create LDAP configuration file on MongoDB Server
• See next slide
• Use LDAP query during login to determine user’s AD group
• Map to local role based on group membership
Usually
Domain
ControllerCommon
Scenario, and its
Fairly Complex,
so we posted
documentation
29. Enabling and using Auditing
Track schema operations
Track replica set reconfiguration events
Track authentication and authorization activities
How to filter
How to specify destinations
31. Filter on attributes of captured audit documents
In config, set ‘auditFilter’ to a query expression
Filter on: Action, User, Role, Command, Database, Collection, etc
Examples:
filter: '{atype: {$in: ["createCollection", "dropCollection"]}}‘
filter: ‘{roles: {role: "readWrite", db: "test“}}‘
filter: '{atype: "authCheck", "param.command": {$in: ["find", "insert"]}}‘
Auditing - Filters Are Key
32. FIPS and MongoDB Overview
Requirements and standards for cryptographic modules used by departments and
agencies of the U.S. government
Addresses both hardware and software components
Four Levels, addressing security in eleven areas
MongoDB’s FIPS support covers the way that MongoDB uses OpenSSL for
network encryption, SCRAM-SHA-1 authentication, and x.509 authentication
If you use Kerberos or LDAP authentication, its on you to ensure that you are
using FIPS-compliant libraries
33. MongoDB FIPS Support
OpenSSL “FIPS Object Module”
Certified component optionally used via OpenSSL (must have certified version)
Ensures source code not tampered with
(checks signature against original certified version)
MongoDB configurable option
FIPSMode: true
Also applies to Encryption-at-Rest
34. Securing a Cluster
Router
Single Public Access
Shard + Replication set
Shard + Replication set
Shard + Replication set
Configure Server
Replication Set
Application
Mongo DB Cluster
Internal Network behind firewall
Authentication with account & password
Internal Authentication between nodes of cluster
With Key File (or X.509 certification)
VPN Access
Maintenance
Admin user
VPN Authentication
35. Cluster: Access via router; databases behind firewall
Cluster should be invisible to public users, router the only access point.
For System Admin user, setup a specific maintenance entrance or VPN access
for entry into the cluster network.
Each mongo instance in cluster should use the key file as the Internal
Authentication (or X.509 certification)
key file configuration easier than x.509, sufficient for many scenarios, but x.509 worth
exploring when managing sensitive data in production
36. Security configuration for Shard
Similar to simple configuration, start with mongod running without AUTH
bin/mongo --port 10000 (10001,10002,10003) – shard ports
db.createUser(
{
user: "<super user name>",
pwd: "<super user password>",
roles:[
"clusterAdmin",
"userAdminAnyDatabase",
"dbAdminAnyDatabase",
"readWriteAnyDatabase" ]
37. With the super user account,
Configure server root account
We can use this account to manage the accounts of users who would visit
this Mongo DB cluster to read | write data.
With the Server Root Account,
Create users and roles assign users to roles
Shard Server root account
This is the Shard Local Administrative User, who would do database
maintenance or other admin tasks.
We can’t use this account for the regular visit from router
40. Generate
key file
• openssl rand -base64 500 > mongodb.key
• copy this into all servers of cluster
• chmod 600 mongodb.key
Add the security
settings into
each property file
• Configure server
• Shard replications
• Router
Update property
files in all servers
and restart each
instance
Internal Authentication among instances of cluster
41. Securing Your Enterprise
Stay current with MongoDB, and get the Enterprise version!
Encrypt data at rest as well as in transit
Integrate with Enterprise identity/authentication/authorization systems
Consider how to secure log files
Use auditing wisely, and in conjunction with OS and device auditing
You should be able to secure clusters
Notes de l'éditeur
The learning objectives are the guiding points to everything you include in your session, so it makes sense to use them as your starting point. LOs should be focused, discrete and oriented toward the attendee. They should also be active, stating what attendees should be able to do with the information in the talk. (Learning objectives that state an attendee should "understand" something are NOT active. :-) ). As an example of a good learning objective, for a session on MongoDB, Kubernetes and Docker containers a learning objective could be “Following this talk attendees should be able to define a highly available MongoDB deployment using Kubernetes services, replica sets and config maps”. The learning objectives should be presented to the audience as the first slide following the title and should be one of the few slides with text. We recommend three to five LOs.
One of the best way to describe solving a problem is describe how you solved it, and you have probably tried 2-3 ways of solving it before you figured out the right answer. Describe that process here. It often helps to illustrate with code and/or architectural diagrams
It often helps to illustrate with code and/or architectural diagrams
For Kerberos, when running kinit to get the initial ticket from the KDCs Ticket Granting Service, the password is never sent over the wire - instead, the TGS uses it's knowledge of the client's password to encrypt the TGS's new sesion key. On the client side, it's prompted password it used to decrypt the TGS session key. As a result, the password is not sent over the wire.
In 3.4, for x.509 Certificate authentication passing the ‘user’ field to auth() is not necessary as it is implied by the subject name in the client certificate file.