Securing Redis with Sedona Will Urbanski #lascon2013.

Presentation on theme: "Securing Redis with Sedona Will Urbanski #lascon2013."— Presentation transcript:

1 Securing Redis with Sedona Will Urbanski #lascon2013

2 About Me Security Researcher Outdoor Enthusiast Tweet @willurbanski Blog/tools available @shakingrock.com #lascon2013

3 Today’s Talk Security in What you can do about it #lascon2013

4 Open-source data-structure server Key-value store – Lists – Hashes – Sorted sets Lightweight, fast & free http://redis.io #lascon2013

5 Redis Security Model “Redis is not designed for maximum security but rather maximum performance and simplicity” “Redis is designed to be accessed by trusted clients inside trusted environments” http://redis.io/topics/security #lascon2013

6 Commands Command-oriented, not query-oriented Not all commands are created equal #lascon2013

7 Safe Commands Read-only Single key usage Not resource intensive GET EXISTS LLEN TTL #lascon2013

8 Commands with Consequences Read or Write Single Key SET DEL LPOP EXPIRE #lascon2013

9 Dangerous Commands Affect multiple keys or entire service Impact availability if misused EVAL CLIENT KILL SAVE CONFIG SET #lascon2013

10 Commands That Will Ruin Your Weekend™ Impacts entire service Devastating if misused FLUSH FLUSHALL SHUTDOWN #lascon2013

11 #1 #lascon2013

12 Problem #1 There is no data control language All clients can access all commands #lascon2013

13 Command Renaming Rename dangerous commands! – SHUTDOWN can become cc23772aded8 Reduces Usability Ideally only authorized users should be able to run SHUTDOWN #lascon2013
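The renaming the slide describes is done with the `rename-command` directive in redis.conf. The fragment below is an added illustration, not configuration from the talk; the replacement name `cc23772aded8` is the slide's example and the `FLUSHALL` line shows the other form the directive supports, renaming to an empty string, which disables the command outright.

```conf
# redis.conf: rename SHUTDOWN to an unguessable name (only clients that know
# the new name can call it; the name lives in this file, so protect the file)
rename-command SHUTDOWN cc23772aded8

# Renaming to the empty string removes the command entirely; use this for
# commands no client on this instance should ever need
rename-command FLUSHALL ""
```

Both directives are read only at startup, and they have to be repeated on every replica, which is the administration burden the next slides count against this approach. Any client library or script that needs SHUTDOWN must be updated to send the new name, so the gain is secrecy of the name, not authorization.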

14 #2 #lascon2013

15 Problem #2 Redis doesn’t really support authentication* #lascon2013

16 Redis Authentication AUTH command No multiuser support No ACLs (see problem #1) #lascon2013

17 #3 #lascon2013

18 Problem #3 Even if you could authenticate, you wouldn’t want to. Redis lacks encryption support #lascon2013

19 This is Okay Redis’ design focuses on performance and simplicity The Redis security model is transparent #lascon2013

20 Compensating Controls Authorization/Authentication Rename dangerous commands? AUTH command? Local-only w/ SSH? Confidentiality SSL Proxy (In Transit)? Wrap Redis libs (At Rest)? #lascon2013

21 An ideal solution would… Encrypt – Support SSL/TLS natively – Support key-value encryption Authenticate – Support user accounts – Support modular authentication – Log access – Support rate-limiting Authorize – Not require command renaming (security-through-obscurity) – Implement SQL’s DCL in a key-value domain Flexible command access Flexible key access Be Practical – Not impose unnecessary burdens Performance Administration – Be compatible with native clients #lascon2013

22 Sedona PoC application firewall for Redis Implements authentication, authorization and encryption enhancements Requires no changes to Redis core Python 2.7 w/ Twisted #lascon2013

23 Authentication Adds user parameter to AUTH command – AUTH Supports modular authentication Preserves native AUTH functionality – AUTH still works #lascon2013

24 Authorization Adds per-user access control lists Command- and key-based ACLs ACCEPT and REJECT Returns native Redis err/success for compatibility #lascon2013

25 ACLs "rules": [ {"command": "set", "key": "test\\-*", "action": "accept"}, {"command": "get", "key": "test\\-*", "action": "accept"}, {"command": "ping", "action": "accept"}, {"command": "echo", "action": "accept"}, {"action": "reject"} ] #lascon2013
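To make slides 23 to 25 concrete, here is an added model of what a proxy like Sedona has to do per connection: parse the RESP command a client sends, track who authenticated on that connection, and evaluate the user's rule list before forwarding. This is example code written for this page, not Sedona's source. Assumptions it makes that the slides do not state: the `key` pattern is a regular expression matched against the start of the key (`re.match`), rules are evaluated top to bottom with first match winning, a rule with no `command` or no `key` matches any command or key, the `KEY_ARG` table and the `dev`/`ops` users with their passwords are constructed for the example, and `AUTH <user> <password>` is the two-argument form the proxy adds while one-argument `AUTH` is passed through to Redis unchanged.

```python
import hmac
import re

# Which argument position carries the key for the commands used below
# (constructed for this example; a real table covers every command).
KEY_ARG = {"set": 1, "get": 1, "del": 1, "lpop": 1, "llen": 1, "exists": 1, "ttl": 1}

# Constructed user database: user -> password and ACL rules in slide 25's format.
USERS = {
    "dev": {"password": "dev-secret", "rules": [
        {"command": "set", "key": r"test\-*", "action": "accept"},
        {"command": "get", "key": r"test\-*", "action": "accept"},
        {"command": "ping", "action": "accept"},
        {"command": "echo", "action": "accept"},
        {"action": "reject"},
    ]},
    "ops": {"password": "ops-secret", "rules": [
        {"command": "shutdown", "action": "accept"},
        {"command": "save", "action": "accept"},
        {"command": "config", "action": "accept"},
        {"action": "reject"},
    ]},
}


def parse_resp(data):
    """Parse one RESP array of bulk strings, the wire form of a client command."""
    if not data.startswith(b"*"):
        raise ValueError("expected RESP array")
    lines = data.split(b"\r\n")
    count = int(lines[0][1:])
    args, i = [], 1
    for _ in range(count):
        if not lines[i].startswith(b"$"):
            raise ValueError("expected bulk string")
        length = int(lines[i][1:])
        arg = lines[i + 1]
        if len(arg) != length:
            raise ValueError("bulk string length mismatch")
        # surrogateescape keeps arbitrary binary keys representable
        args.append(arg.decode("utf-8", "surrogateescape"))
        i += 2
    return args


def authorize(rules, command, key):
    """First matching rule decides; no match means reject (assumed default)."""
    for rule in rules:
        if "command" in rule and rule["command"] != command:
            continue
        if "key" in rule and (key is None or not re.match(rule["key"], key)):
            continue
        return rule["action"] == "accept"
    return False


class Connection:
    """Per-connection state the proxy tracks: who, if anyone, is logged in."""

    def __init__(self):
        self.user = None

    def handle(self, data):
        """Return the reply the proxy sends itself, or 'FORWARD' to pass to Redis."""
        args = parse_resp(data)
        command = args[0].lower()
        if command == "auth":
            if len(args) == 3:  # AUTH <user> <password>: the added proxy login
                user = USERS.get(args[1])
                # constant-time comparison so timing does not leak the password
                if user and hmac.compare_digest(user["password"], args[2]):
                    self.user = args[1]
                    return "+OK\r\n"
                return "-ERR invalid username or password\r\n"
            return "FORWARD"  # native one-argument AUTH is left to Redis
        if self.user is None:
            return "-NOAUTH Authentication required.\r\n"
        key_pos = KEY_ARG.get(command)
        key = args[key_pos] if key_pos is not None and len(args) > key_pos else None
        if authorize(USERS[self.user]["rules"], command, key):
            return "FORWARD"
        # native-looking error so unmodified clients handle the denial normally
        return "-ERR operation not permitted\r\n"


if __name__ == "__main__":
    conn = Connection()
    print(conn.handle(b"*3\r\n$4\r\nAUTH\r\n$3\r\ndev\r\n$10\r\ndev-secret\r\n"))
    print(conn.handle(b"*3\r\n$3\r\nSET\r\n$8\r\ntest-abc\r\n$5\r\nhello\r\n"))
    print(conn.handle(b"*1\r\n$8\r\nSHUTDOWN\r\n"))
```

Note the cost structure this exposes, which is the point of the later performance slide: every command is parsed and every rule list is walked before a byte reaches Redis, and the authenticated user has to be remembered per connection rather than per command. The key-argument table is also where a real deployment needs care; a command whose key position is unknown to the proxy gets `key=None` here and can only match rules without a `key`, which is the safe direction to fail.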

26 Encryption Adds SSL support CLI tool for using SSL #lascon2013

27 Use Cases Dev/Ops command segregation – Ops may require ‘SHUTDOWN’, ‘SAVE’, ‘CONFIG SET’ – Dev may require ‘SET’, ‘GET’, ‘LPOP’, … Key Enforcement Command blacklisting w/o renaming – SHUTDOWN, FLUSH, FLUSHALL #lascon2013

28 Deployment Strategies Inline Intercepts all traffic to server More secure More performance impacting Edge of Trusted Environment Only intercept untrusted traffic Less secure (you decide what’s trusted) Less performance impacting #lascon2013

29 Performance + Parsing + Authorizing + Tracking State = performance penalty #lascon2013

30

31 Demos Configuration Files Authentication Authorization #lascon2013

32 Wrapping Up Sedona is a tool that adds additional security to Redis installations If you find the tool useful, please contribute! #lascon2013

33 Q&A Fork Sedona @ Github. Follow me on Twitter #lascon2013

