#lascon2013
Securing Redis with Sedona
Will Urbanski
About Me
• Security Researcher
• Outdoor Enthusiast
• Tweet @willurbanski
• Blog/tools available @shakingrock.com
Today’s Talk
• Security in Redis
• What you can do about it
• Open-source data-structure server
• Key-value store
  – Lists
  – Hashes
  – Sorted sets
• Lightweight, fast & free
• http://redis.io
Redis Security Model
“Redis is not designed for maximum security but rather maximum performance and simplicity”
“Redis is designed to be accessed by trusted clients inside trusted environments”
• http://redis.io/topics/security
Commands
• Command-oriented, not query-oriented
• Not all commands are created equal
Safe Commands
• Read-only
• Single key usage
• Not resource intensive
GET, EXISTS, LLEN, TTL
Commands with Consequences
• Read or Write
• Single Key
SET, DEL, LPOP, EXPIRE
Dangerous Commands
• Affect multiple keys or entire service
• Impact availability if misused
EVAL, CLIENT KILL, SAVE, CONFIG SET
Commands That Will Ruin Your Weekend™
• Impacts entire service
• Devastating if misused
FLUSH, FLUSHALL, SHUTDOWN
#1
Problem #1
There is no data control language
All clients can access all commands
Command Renaming
• Rename dangerous commands!
  – SHUTDOWN can become cc23772aded8
• Reduces Usability
• Ideally only authorized users should be able to run SHUTDOWN
#2
Problem #2
Redis doesn’t really support authentication*
Redis Authentication
• AUTH command
• No multiuser support
• No ACLs (see problem #1)
#3
Problem #3
Even if you could authenticate, you wouldn’t want to.
Redis lacks encryption support
This is Okay
• Redis’ design focuses on performance and simplicity
• The Redis security model is transparent
Compensating Controls
Authorization/Authentication
• Rename dangerous commands?
• AUTH command?
• Local-only w/ SSH?
Confidentiality
• SSL Proxy (In Transit)?
• Wrap Redis libs (At Rest)?
An ideal solution would…
• Encrypt
  – Support SSL/TLS natively
  – Support key-value encryption
• Authenticate
  – Support user accounts
  – Support modular authentication
  – Log access
  – Support rate-limiting
• Authorize
  – Not require command renaming (security-through-obscurity)
  – Implement SQL’s DCL in a key-value domain
    • Flexible command access
    • Flexible key access
• Be Practical
  – Not impose unnecessary burdens
    • Performance
    • Administration
  – Be compatible with native clients
Sedona
• PoC application firewall for Redis
• Implements authentication, authorization and encryption enhancements
• Requires no changes to Redis core
• Python 2.7 w/ Twisted
Authentication
• Adds user parameter to AUTH command
  – AUTH <user> <password>
• Supports modular authentication
• Preserves native AUTH functionality
  – AUTH <password> still works
Authorization
• Adds per-user access control lists
• Command- and key-based ACLs
• ACCEPT and REJECT actions
• Returns native Redis err/success for compatibility
ACLs

```json
{
  "rules": [
    {"command": "set", "key": "test\\-*", "action": "accept"},
    {"command": "get", "key": "test\\-*", "action": "accept"},
    {"command": "ping", "action": "accept"},
    {"command": "echo", "action": "accept"},
    {"action": "reject"}
  ]
}
```
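Added example (not Sedona's own code): a first-match evaluator for the rule list above, applied to RESP requests the way an inline proxy sees them. It assumes key patterns are regular expressions matched at the start of the key and that a denied request is answered with a Redis-style error line; the exact error text is an assumption, since the slide only says a native-style error is returned.

```python
import re

# Constructed rule list mirroring the slide: evaluated top to bottom,
# first match wins, final catch-all rejects everything else.
RULES = [
    {"command": "set", "key": r"test\-*", "action": "accept"},
    {"command": "get", "key": r"test\-*", "action": "accept"},
    {"command": "ping", "action": "accept"},
    {"command": "echo", "action": "accept"},
    {"action": "reject"},
]

def parse_resp(data: bytes) -> list:
    """Parse one RESP multi-bulk request (client -> server) into argv."""
    if not data.startswith(b"*"):
        raise ValueError("expected RESP array")
    lines = data.split(b"\r\n")
    argc = int(lines[0][1:])
    argv, i = [], 1
    for _ in range(argc):
        if not lines[i].startswith(b"$"):
            raise ValueError("expected bulk string")
        length = int(lines[i][1:])
        arg = lines[i + 1]
        if len(arg) != length:
            raise ValueError("bulk length mismatch")
        argv.append(arg.decode())
        i += 2
    return argv

def authorize(argv: list, rules: list = RULES) -> bool:
    """True if the first rule matching command (and key, if given) accepts."""
    if not argv:
        return False
    cmd = argv[0].lower()
    key = argv[1] if len(argv) > 1 else None  # first argument is the key
    for rule in rules:
        if "command" in rule and rule["command"] != cmd:
            continue
        if "key" in rule and (key is None or not re.match(rule["key"], key)):
            continue
        return rule["action"] == "accept"
    return False  # constructed default: deny when no rule matches

def filter_request(data: bytes) -> bytes:
    """Proxy decision: forward the request unchanged or answer with an error."""
    if authorize(parse_resp(data)):
        return data
    return b"-ERR operation not permitted\r\n"  # assumed error text
```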
Encryption
• Adds SSL support
• CLI tool for using SSL
Use Cases
• Dev/Ops command segregation
  – Ops may require ‘SHUTDOWN’, ‘SAVE’, ‘CONFIG SET’
  – Dev may require ‘SET’, ‘GET’, ‘LPOP’, …
• Key Enforcement
• Command blacklisting w/o renaming
  – SHUTDOWN, FLUSH, FLUSHALL
Deployment Strategies
Inline
• Intercepts all traffic to server
• More secure
• More performance impacting
Edge of Trusted Environment
• Only intercept untrusted traffic
• Less secure (you decide what’s trusted)
• Less performance impacting
Performance
Parsing + Authorizing + Tracking State = performance penalty
[Chart: Sedona Request Transit Times; x-axis Percent of Requests (%), y-axis Time (ms); series SET, GET, LPUSH, LPOP, each with a linear trend line]
Demos
• Configuration Files
• Authentication
• Authorization
Wrapping Up
• Sedona is a tool that adds additional security to Redis installations
• If you find the tool useful, please contribute!
Q&A
Fork Sedona @ Github
Follow me on Twitter