Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Best Practices Securing a Couchbase Server Deployment Don Pinto | Product Manager, Couchbase @NoSQLDon

description

As more and more sensitive information is stored in NoSQL databases, security has become a growing concern. In fact, many organizations are looking at locking down the cluster, encrypting sensitive data using applications, and other third-party technologies to build a defense-in-depth security solution across their application stack. Join this session to learn about new security features in 3.0 and other ways in which you can protect your Couchbase apps.

Transcript of Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Page 1: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Best Practices Securing a Couchbase Server Deployment

Don Pinto | Product Manager, Couchbase

@NoSQLDon

Page 2: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

©2014 Couchbase, Inc. 2

Agenda

Why NoSQL security?

Breaches, costs and reputation

Security questions from the field

Securing the stack

Security features in Couchbase

Security outside Couchbase

On the cloud

What’s next?

Q&A

Page 3: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Why NoSQL security?

Because your information is valuable

Big data not only means Volume, Velocity and Variety, but also Value

NoSQL is a popular solution for big data apps.

Chart: STRUCTURED (10%) vs. UNSTRUCTURED (90%)

Structured information is only 10% of the story

90% of big data is unstructured and is made up of information like emails, videos, tweets, Facebook posts, web clicks, and so on.

Page 4: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Where do breaches come from?

40% related to server incidents

* Verizon 2014 Data Breach Investigations Report

95 Countries, 50+ Organizations, 1300+ breaches

Page 5: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014


Data breaches – costs and reputation

Average total data breach cost per organization ~ $5.85M

* 2014 cost of data breach study in United States

Average lost business ~ $3.32M

Page 6: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Key business drivers

Regulatory Compliance: PCI, HIPAA, EU Directive, ISO 27002 and more

Organizational Security Requirements: network access protection, identity management, intrusion detection, patch management and others

Data consolidation and global outsourcing

Page 7: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Common security questions

Diagram labels: Prod; Dev, QA, Test; Storage; Backup Server; Sensitive; hAck3rs; XDCR to remote Cluster

Which ports are open through the firewall?

What if an operator steals a disk?

Is sensitive data encrypted?

Is there admin access and data access separation?

Is your data encrypted in the cloud?

Are backups encrypted?

Is XDCR secure?

What vulnerabilities?

Need data to be protected in depth

Page 8: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Defense in depth – Best Practice

Layered security approach

Layers: Network, Storage, Servers, VMs, OS, Couchbase, App

Diagram labels: Database and app protection; Protect the infrastructure

Review best practices to secure your Couchbase infrastructure

Learn about security features in Couchbase

Page 9: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Security Best Practices

Outside Couchbase Server

Page 10: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Securing the perimeter – Best Practice

Diagram zones: Outside Network; Perimeter Network; Internal Network

Diagram components: End users & hack3rs; External Firewall; Web Server; Load Balancer; Web and mobile apps; Internal Firewall; Couchbase cluster; IT Admins & App Developers; IT Admin & DBA

Packet filtering, blocking malicious IPs

Allow web server ingress and egress ports

Allow Couchbase ingress and egress ports

Allow Couchbase node-to-node ports on local internal network

Page 11: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Securing the network – Best Practice

Configuring Linux iptables: /etc/sysconfig/iptables

Important Couchbase ports: 8091, 8092, 11207, 11210, 11211, 11214, 11215, 18091, 18092

Use IPSec for added security

Page 12: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Securing the host machine – Best Practice

Couchbase runs as the “couchbase” user on Linux

Protect important files

Encrypt on-disk data and index file paths: /opt/couchbase/var/lib/couchbase/data (default data path on Linux)

Encrypt on-disk password files: /opt/couchbase/var/lib/couchbase/isasl.pw, /opt/couchbase/var/lib/config/

ACL tools path: /opt/couchbase/bin/

Restrict admin access: disable web console access to Couchbase on ports 8091, 18091; only allow access from specific machines

Page 13: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Restricting and logging admin access – Best Practice

Restrict access to Couchbase only through certain machines

Turn on OS auditing on these machines

Diagram labels: Seattle – Datacenter; Couchbase Server – Seattle; File system Storage; DBA; User Directory; Jump box with OS Logging

Page 14: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014


Data-at-rest encryption – Best Practice

Transparent encryption for data-at-rest using Vormetric

Transparent deployment

Scales and grows with your needs

Policy based key management

Tested with Couchbase

More info in Derek’s session on Vormetric and Couchbase

Page 15: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Security Best Practices and Features

Inside Couchbase Server

Page 16: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Passwords in Couchbase – Best Practice

Passwords should have sufficient length (~ 8 chars) – Letters (upper and lower case), digits, and special characters

Enforce password rotation based on your organizational requirements

Forgot your admin password? Oops! Use the cbreset_password tool

Page 17: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Couchbase bucket authentication – Added in 1.x

Couchbase buckets – logical container for your documents

Buckets are protected with SASL AuthN

AuthN takes place over CRAM-MD5

Delete the following buckets in production:

Default bucket (no password support)

Sample buckets – beer-sample, gamesim-sample (empty passwords by default)

Page 18: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Read-only admin – Added in 2.2

Read-only access in the web console and over REST

Privileges to view without edit capabilities:

Cluster and bucket summary

Design documents and view definitions

XDCR replications

Events and settings

Page 19: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Couchbase access log – New in 3.0!

Access log monitors when administrators access the Couchbase cluster

Tracks REST or admin console accesses

“http_access.log” can be found at /opt/couchbase/var/lib/couchbase/logs

ASCII text-based - Common Log Format

What can you get from this log?

Search client IP patterns

Search error codes - “401”

Suspicious GET URLs

Complement with OS jumpbox audit
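The two searches named on this slide (client IP patterns and “401” errors), as an added example that is not part of the original deck or Couchbase's own tooling. It assumes standard Common Log Format fields; the sample lines, the jump-box allowlist and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident authuser [timestamp] "request" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines using documentation IP ranges; not real log output.
SAMPLE_LOG = """\
192.0.2.10 - Administrator [04/Oct/2014:10:01:12 +0000] "GET /pools/default HTTP/1.1" 200 5120
198.51.100.7 - - [04/Oct/2014:10:02:01 +0000] "GET /pools/default HTTP/1.1" 401 0
198.51.100.7 - - [04/Oct/2014:10:02:02 +0000] "GET /pools/default/buckets HTTP/1.1" 401 0
198.51.100.7 - - [04/Oct/2014:10:02:03 +0000] "GET /pools/default HTTP/1.1" 401 0
192.0.2.10 - Administrator [04/Oct/2014:10:05:40 +0000] "GET /pools/default/buckets HTTP/1.1" 200 2048
this line is truncated or corrupt
203.0.113.5 - readonly [04/Oct/2014:10:06:00 +0000] "GET /pools/default HTTP/1.1" 401 0
"""


def summarize(log_text, jump_boxes, threshold=3):
    """Return clients with repeated 401s, clients outside the allowlist,
    and the number of lines that did not parse (counted, never dropped)."""
    entries, unparsed = [], 0
    for line in log_text.splitlines():
        match = CLF.match(line)
        if match:
            entries.append(match.groupdict())
        elif line.strip():
            unparsed += 1
    failures = Counter(e["ip"] for e in entries if e["status"] == "401")
    return {
        "repeated_401": sorted(ip for ip, n in failures.items() if n >= threshold),
        "unexpected_clients": sorted({e["ip"] for e in entries} - set(jump_boxes)),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, jump_boxes={"192.0.2.10"}))
```

Clients reported as unexpected are the ones to cross-check against the OS audit trail on the jump box.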

Page 20: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Encrypted admin access – New in 3.0!

Encrypts admin access to Couchbase using SSL

Remote admins connecting to Couchbase Admin Console over the internet

Accessing view data over the internet

https://couchbase_server:18091/…

https://couchbase_server:18092/…

Want to force SSL only client connections? Lock down non-SSL ports using a firewall

Page 21: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Security Best Practices

Inside the application

Page 22: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Secure client configuration cache path – Best Practice

Cluster config, including passwords, is stored in the client configuration cache

Many ‘short lived’ libcouchbase client processes + infrequent cluster topology changes: configuration should be client cached

The cache is stored on the local client disk as a named file

For PHP, configured in .ini file variable - couchbase.config_cache = “<path>”

Don’t make the configuration cache path world readable / writable

Page 23: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Validate user input – Best Practice

Attacker can craft arbitrary input that

Injection of arbitrary key-value pairs

Changing user specified document type

Overriding important document fields

Crafted document with a duplicate "password" key:

{ "user":"don", "password":"0asd21$1%", "created":"2014-10-04", "password":"password" }

Document after the later key overrides the earlier one:

{ "user":"don", "password":"password", "created":"2014-10-04" }

Strongly type your document model using Java POJOs, C#.Net POCOs

Explicitly override the field
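The two mitigations on this slide (a typed document model and explicitly set fields), as an added Python example that is not from the original deck, where a dataclass stands in for the POJO/POCO. The names strict_loads, UserDoc, CLIENT_FIELDS and build_user_doc are hypothetical.

```python
import json
from dataclasses import asdict, dataclass

# The crafted document from the slide: "password" appears twice.
CRAFTED = ('{"user":"don","password":"0asd21$1%",'
           '"created":"2014-10-04","password":"password"}')


class DuplicateKeyError(ValueError):
    pass


def strict_loads(text):
    """json.loads keeps the last duplicate key silently; refuse duplicates instead."""
    def no_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise DuplicateKeyError(f"duplicate key {key!r}")
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=no_duplicates)


@dataclass(frozen=True)
class UserDoc:
    """Typed document model (Python stand-in for the POJO/POCO on the slide)."""
    user: str
    password: str          # field name taken from the slide's sample document
    created: str           # set by the application
    type: str = "user"     # set by the application, never taken from input


CLIENT_FIELDS = {"user", "password"}  # assumed: the only fields a client may send


def build_user_doc(raw_request, created):
    """Parse untrusted JSON and return the document the application will store."""
    data = strict_loads(raw_request)
    if not isinstance(data, dict) or set(data) != CLIENT_FIELDS:
        raise ValueError("request must contain exactly: user, password")
    if not all(isinstance(data[name], str) for name in CLIENT_FIELDS):
        raise ValueError("user and password must be strings")
    # Server-controlled fields are set explicitly, never copied from the input.
    return asdict(UserDoc(user=data["user"], password=data["password"],
                          created=created))


if __name__ == "__main__":
    print(json.loads(CRAFTED)["password"])  # default parser: last duplicate wins
    print(build_user_doc('{"user":"don","password":"0asd21$1%"}', "2014-10-04"))
```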

Page 24: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Schema Injection

DEMO

Page 25: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Encrypted client-server communication (New feature in 3.0)

SSL support in Couchbase Server 2.0 clients (Java, .NET, libCouchbase)

SSL can be enabled per bucket

Diagram labels: Couchbase Server (SERVER 1, SERVER 2, SERVER 3); SSL

Page 26: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Client-side field encryption – Application capability

Use third-party crypto libraries to encrypt and decrypt data

Only the application has the crypto keys

Only encrypt sensitive JSON fields

Things to watch for –

Don’t store the crypto key un-encrypted in the document: integrate the app with a key management solution or local keyring

Don’t index encrypted data unless it is absolutely necessary: only encrypt necessary data fields

Don’t apply start-end key ranges to encrypted data: keep hashes of your data in the document for equality searches

Page 27: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Client-side data encryption

DEMO

Page 28: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Security Best Practices

On the cloud

Page 29: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Amazon EC2 security

Host operating system: individual SSH keyed logins via bastion hosts for AWS admins; all accesses logged and audited

Guest operating system: customer controlled at root level; AWS admins cannot log in; customer-generated key-pairs

Firewall: mandatory inbound instance firewall, default deny mode; outbound instance firewall available in VPC; VPC subnet ACLs

Signed Amazon API calls: require X.509 certificate or customer’s secret AWS key

Based on content from http://aws.amazon.com/security

Page 30: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Secure cross datacenter replication – Added in 2.5

Encrypts XDCR traffic between datacenters using SSL

All traffic between the source and destination datacenter is encrypted

Periodically rotate the XDCR certificates

Slight CPU load increase on the source and destination clusters

Page 31: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014


Secure cross datacenter replication – Encrypted traffic

Page 32: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

What’s Next?

Page 33: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

Security features in Couchbase

Columns: Previous… | In 2.2 | In 2.5 | In 3.0

SASL AuthN with Bucket Passwords

Admin User

Read-Only User

Easy Admin Password Reset

Non-root User Deployments

Secure Communication for XDCR

Encrypted client server communication

Encrypted admin access

Access Log*

Data-at-rest Encryption*

* Access Log: this is not an audit log

* Data-at-rest Encryption: through third-party tool

Page 34: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014

What’s next?

Added preventive, detective, and administrative security controls in Couchbase

Auditing

External authentication

User, roles and permissions

Fine grained authorization

Enhanced crypto and more …

Page 35: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014


Download Couchbase Server 3.0

Download @ http://www.couchbase.com/download

Page 36: Best Practices: Securing a Couchbase Server Deployment: Couchbase Connect 2014


@NoSQLDon