Securing Redis with Sedona
Will Urbanski
#lascon2013
About Me
• Security Researcher
• Outdoor Enthusiast
• Tweet @willurbanski
• Blog/tools available @shakingrock.com
Today’s Talk
• Security in Redis
• What you can do about it
Redis
• Open-source data-structure server
• Key-value store
– Lists
– Hashes
– Sorted sets
• Lightweight, fast & free
• http://redis.io
Redis Security Model
“Redis is not designed for maximum security but rather maximum performance and simplicity”
“Redis is designed to be accessed by trusted clients inside trusted environments”
• http://redis.io/topics/security
Commands
• Command-oriented, not query-oriented
• Not all commands are created equal
Safe Commands
• Read-only
• Single key usage
• Not resource intensive
GET, EXISTS, LLEN, TTL
Commands with Consequences
• Read or write
• Single key
SET, DEL, LPOP, EXPIRE
Dangerous Commands
• Affect multiple keys or the entire service
• Impact availability if misused
EVAL, CLIENT KILL, SAVE, CONFIG SET
Commands That Will Ruin Your Weekend™
• Impact the entire service
• Devastating if misused
FLUSHDB, FLUSHALL, SHUTDOWN
Problem #1
There is no data control language
All clients can access all commands: Redis has no GRANT/REVOKE equivalent, so a client that only needs GET can also run SHUTDOWN
Command Renaming
• Rename dangerous commands! (the rename-command directive in redis.conf)
– SHUTDOWN can become cc23772aded8
• Reduces usability: every client and operator has to know the new name
• Security through obscurity: ideally only authorized users should be able to run SHUTDOWN
Problem #2
Redis doesn’t really support authentication*
Redis Authentication
• AUTH command: a single shared password (requirepass)
• No multiuser support
• No ACLs (see problem #1)
Problem #3
Even if you could authenticate, you wouldn’t want to.
Redis lacks encryption support, so the AUTH password and all data cross the network in plaintext
This is Okay
• Redis’ design focuses on performance and simplicity
• The Redis security model is transparent
Compensating Controls
Authorization/Authentication
• Rename dangerous commands?
• AUTH command?
• Local-only w/ SSH?
Confidentiality
• SSL proxy (in transit)?
• Wrap Redis libs (at rest)?
An ideal solution would…
• Encrypt
– Support SSL/TLS natively
– Support key-value encryption
• Authenticate
– Support user accounts
– Support modular authentication
– Log access
– Support rate-limiting
• Authorize
– Not require command renaming (security-through-obscurity)
– Implement SQL’s DCL in a key-value domain
  • Flexible command access
  • Flexible key access
• Be Practical
– Not impose unnecessary burdens
  • Performance
  • Administration
– Be compatible with native clients
Sedona
• PoC application firewall for Redis
• Implements authentication, authorization and encryption enhancements
• Requires no changes to Redis core
• Python 2.7 w/ Twisted
Authentication
• Adds user parameter to AUTH command– AUTH <user> <password>
• Supports modular authentication
• Preserves native AUTH functionality– AUTH <password> still works
Authorization
• Adds per-user access control lists
• Command- and key-based ACLs
• Actions: ACCEPT and REJECT
• Returns native Redis err/success replies for compatibility
ACLs
"rules": [
  {"command": "set", "key": "test\\-*", "action": "accept"},
  {"command": "get", "key": "test\\-*", "action": "accept"},
  {"command": "ping", "action": "accept"},
  {"command": "echo", "action": "accept"},
  {"action": "reject"}
]
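The rule list above, together with the AUTH <user> <password> extension from the Authentication slide, as an added example that is not Sedona's code: a small Python 3 model of what an inline proxy has to do per connection. It parses the RESP request a client sends, tracks who authenticated, checks every key the command touches against that user's rules, and answers with a native-looking Redis error when a rule rejects. The user table, the regular-expression matching of key patterns (against the whole key), the "legacy" account that native AUTH <password> maps onto, the KEY_ARGS table and the reply strings are all assumptions made for this example, not Sedona's behaviour.

```python
# Added example (not Sedona's own code): AUTH <user> <password> plus per-user
# command/key ACLs, as on the slides, applied to commands parsed from the Redis
# wire protocol (RESP). Rule semantics, user table, the "legacy" account used for
# native AUTH, and the reply strings are all assumptions made for this example.
import hmac
import re

# Constructed user table. First matching rule wins; a rule without "command" or
# "key" matches everything. Key patterns are regexes matched against the WHOLE key
# (re.fullmatch, an assumption): a prefix match of the slide's test\-* would also
# pass a key named "testing", so the patterns here require the hyphen.
USERS = {
    "dev": {"password": "dev-secret", "rules": [
        {"command": "set", "key": r"test-.*", "action": "accept"},
        {"command": "get", "key": r"test-.*", "action": "accept"},
        {"command": "del", "key": r"test-.*", "action": "accept"},
        {"command": "ping", "action": "accept"},
        {"action": "reject"}]},
    "ops": {"password": "ops-secret", "rules": [{"action": "accept"}]},
    # Native "AUTH <password>" is mapped onto this account so old clients keep working.
    "legacy": {"password": "legacy-pass", "rules": [{"command": "get", "action": "accept"},
                                                    {"action": "reject"}]},
}
# Argument positions holding keys; multi-key commands must pass for EVERY key.
# EVAL is deliberately absent: a script can touch any key, so only a command-level
# rule can constrain it. Unlisted commands are treated as keyless.
KEY_ARGS = {"get": [1], "set": [1], "lpush": [1], "lpop": [1], "expire": [1],
            "ttl": [1], "del": "all", "exists": "all"}

def parse_resp(data: bytes) -> list:
    """Parse one RESP array of bulk strings (the form clients send) into argv."""
    if not data.startswith(b"*"):
        raise ValueError("expected RESP array")
    lines, argv, i = data.split(b"\r\n"), [], 1
    for _ in range(int(lines[0][1:])):
        if not lines[i].startswith(b"$") or len(lines[i + 1]) != int(lines[i][1:]):
            raise ValueError("malformed bulk string")
        argv.append(lines[i + 1].decode())
        i += 2
    return argv

def encode_resp(*args: str) -> bytes:
    """Build the RESP array a client would send for argv."""
    body = b"".join(b"$%d\r\n%s\r\n" % (len(a.encode()), a.encode()) for a in args)
    return b"*%d\r\n" % len(args) + body

def keys_of(argv: list) -> list:
    spec = KEY_ARGS.get(argv[0].lower())
    if spec is None:
        return []
    return argv[1:] if spec == "all" else [argv[i] for i in spec if i < len(argv)]

def rule_matches(rule: dict, command: str, key) -> bool:
    if rule.get("command", command) != command:
        return False
    return "key" not in rule or (key is not None and bool(re.fullmatch(rule["key"], key)))

def authorize(rules: list, argv: list) -> bool:
    """True only if every key the command touches reaches an accept rule first."""
    command = argv[0].lower()
    for key in keys_of(argv) or [None]:
        verdict = next((r["action"] for r in rules if rule_matches(r, command, key)), "reject")
        if verdict != "accept":
            return False
    return True

class Session:
    """Per-connection state the proxy must track: which user (if any) is logged in."""
    user = None

    def handle(self, data: bytes) -> bytes:
        argv = parse_resp(data)
        if not argv:
            return b"-ERR empty command\r\n"
        if argv[0].lower() == "auth":
            return self._auth(argv[1:])
        if self.user is None:
            return b"-NOAUTH Authentication required.\r\n"
        if not authorize(USERS[self.user]["rules"], argv):
            return b"-ERR operation not permitted\r\n"
        return b"+FORWARD\r\n"  # stand-in for relaying the command to Redis

    def _auth(self, args: list) -> bytes:
        if len(args) == 2:        # Sedona form: AUTH <user> <password>
            user, password = args
        elif len(args) == 1:      # native form: AUTH <password>
            user, password = "legacy", args[0]
        else:
            return b"-ERR wrong number of arguments for 'auth' command\r\n"
        self.user = None          # a failed AUTH drops any earlier login
        account = USERS.get(user)
        if account is None or not hmac.compare_digest(
                account["password"].encode(), password.encode()):
            return b"-ERR invalid password\r\n"
        self.user = user
        return b"+OK\r\n"

if __name__ == "__main__":  # quick stand-alone run
    s = Session()
    for cmd in (("AUTH", "dev", "dev-secret"), ("SET", "test-1", "x"), ("GET", "prod-1"), ("SHUTDOWN",)):
        print(" ".join(cmd), "->", s.handle(encode_resp(*cmd)).decode().strip())
```

Two things the rule list alone does not show: a multi-key command such as DEL test-1 prod-1 is rejected as a whole because one of its keys fails, and EVAL is kept out of KEY_ARGS on purpose, since a Lua script can reach any key and only a command-level reject (here the catch-all rule for dev) can contain it. Key patterns should be anchored: read as a regular expression, the slide's test\-* means "test" followed by zero or more hyphens, so an unanchored prefix match would also accept a key named testing.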
Encryption
• Adds SSL support
• CLI tool for using SSL
Use Cases
• Dev/Ops command segregation
– Ops may require SHUTDOWN, SAVE, CONFIG SET
– Dev may require SET, GET, LPOP, …
• Key enforcement
• Command blacklisting w/o renaming
– SHUTDOWN, FLUSHDB, FLUSHALL
Deployment Strategies
Inline
• Intercepts all traffic to the server
• More secure
• More performance impact
Edge of Trusted Environment
• Only intercepts untrusted traffic
• Less secure (you decide what’s trusted)
• Less performance impact
Performance
Parsing + Authorizing + Tracking state = performance penalty
[Chart: Sedona Request Transit Times; time (ms) against percent of requests (%) for SET, GET, LPUSH and LPOP, each with a linear fit]
Demos
• Configuration Files
• Authentication
• Authorization
Wrapping Up
• Sedona is a tool that adds additional security to Redis installations
• If you find the tool useful, please contribute!
Q&A
• Fork Sedona @ GitHub
• Follow me on Twitter