
Enterprise Database Security

Date post: 02-Nov-2021
Page 1: Enterprise Database Security

Enterprise Database Security

Micah Carrick, Consulting Director, Aerospike

Pages 2-8: Enterprise Database Security

[Overview diagram, built up one element per slide: SSD storage; the people involved (DBAs, developers, admins, InfoSec); the workloads (jobs, apps); and the three security concerns the talk is organised around (actions, visibility, events).]
Page 9: Enterprise Database Security

Network Security

Pages 10-13: Enterprise Database Security

[Network diagram: application subnet 10.0.1.0/25 (hosts 10.0.1.1, 10.0.1.2), Aerospike subnet 192.168.128.0/25 (nodes 192.168.128.1, 192.168.128.2), and an XDR destination cluster in 172.16.0.0/25. One firewall rule is added per slide:]

1. Allow TCP on service port 3000 (application hosts to Aerospike nodes)
2. Allow TCP on heartbeat port 3001 (node to node within the cluster)
3. Allow TCP on fabric port 3002 (node to node within the cluster)
4. Allow TCP on service port 3000 (XDR source cluster to XDR destination cluster)
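The four rules above encoded as a default-deny policy and checked against sample flows. This is an added example, not from the slides: the subnets and ports are the ones on the diagram, the flows are constructed test cases, and the assumption that heartbeat and fabric traffic is only node to node is mine.

```python
"""Check sample TCP flows against the firewall rules from slides 10-13.

Added example (not from the talk). Subnets, hosts and ports are the ones on
the diagram; the flows evaluated in main() are constructed test cases.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

APP_NET = ip_network("10.0.1.0/25")           # application hosts
CLUSTER_NET = ip_network("192.168.128.0/25")  # Aerospike nodes (also the XDR source)
XDR_DEST_NET = ip_network("172.16.0.0/25")    # XDR destination cluster


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    port: int


# Rules as listed on the slides. Assumption: heartbeat (2) and fabric (3) are
# only ever opened between cluster nodes, never from the application subnet.
RULES = [
    Rule("1 service port", APP_NET, CLUSTER_NET, 3000),
    Rule("2 heartbeat port", CLUSTER_NET, CLUSTER_NET, 3001),
    Rule("3 fabric port", CLUSTER_NET, CLUSTER_NET, 3002),
    Rule("4 XDR service port", CLUSTER_NET, XDR_DEST_NET, 3000),
]


def matching_rule(src: str, dst: str, port: int):
    """Return the first rule that allows TCP src -> dst:port, or None (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if s in rule.src and d in rule.dst and port == rule.port:
            return rule
    return None


def is_allowed(src: str, dst: str, port: int) -> bool:
    return matching_rule(src, dst, port) is not None


def audit(flows):
    """Map each (src, dst, port) flow to the name of the rule that allows it, or 'DENY'."""
    result = {}
    for src, dst, port in flows:
        rule = matching_rule(src, dst, port)
        result[(src, dst, port)] = rule.name if rule else "DENY"
    return result


if __name__ == "__main__":
    # Constructed flows: the intended paths plus a few that must stay closed.
    sample = [
        ("10.0.1.1", "192.168.128.1", 3000),       # app -> node service: allowed
        ("10.0.1.2", "192.168.128.2", 3001),       # app -> node heartbeat: denied
        ("192.168.128.1", "192.168.128.2", 3002),  # node -> node fabric: allowed
        ("192.168.128.2", "172.16.0.5", 3000),     # XDR source -> destination: allowed
        ("172.16.0.5", "192.168.128.2", 3000),     # reverse direction: denied
        ("10.0.1.200", "192.168.128.1", 3000),     # host outside the /25: denied
    ]
    for (src, dst, port), verdict in audit(sample).items():
        print(f"{src:>15} -> {dst:>15}:{port}  {verdict}")
```

The useful property of writing the rules down this way is that the reverse XDR direction and any port not on the list fall through to DENY, which is what the diagram implies but a hand-maintained ACL does not always deliver.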

Pages 14-16: Enterprise Database Security

[TLS diagram ("Client hello. Server hello."): handshakes between the application and Aerospike, between Aerospike nodes, and between the XDR source and XDR destination; each endpoint holds its own key and certificate.]

Service
● Configure server cert
● Configure cipher suites
● Validate client cert (optional)

Heartbeat and fabric
● Configure server cert
● Configure cipher suites

XDR
● Configure server cert
● Configure cipher suites
● Validate client cert (optional)

Page 17: Enterprise Database Security

Ciphering succotash

ECDHE-ECDSA-AES128-GCM-SHA256 (OpenSSL notation)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (IANA notation)

Key exchange: ECDHE
Auth algorithm: ECDSA
Encryption algorithm: AES_128_GCM
Message authentication: SHA256

AES128/256 with GCM
✔ performance
✔ security

Different standards at different organizations (RSA vs ECDSA)
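A small parser for the two notations above, added here as an example (not from the talk). It splits an OpenSSL-style name into the four parts the slide labels, produces the IANA name, and reports where a suite falls short of the slide's "AES with GCM" recommendation. It covers AES-GCM, AES-CBC and ChaCha20-Poly1305 suites with ECDHE, DHE or static RSA key exchange; the forward-secrecy and SHA-1 checks are additions of mine, not points the slide makes.

```python
"""Translate OpenSSL cipher-suite names to IANA names and review them.

Added example, not from the talk. OpenSSL omits "TLS_", "WITH_" and "CBC",
and for static-RSA suites omits the key-exchange and auth tokens entirely;
IANA spells all of them out.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CipherSuite:
    key_exchange: str   # ECDHE, DHE, or RSA (static RSA key transport)
    auth: str           # ECDSA or RSA
    encryption: str     # e.g. AES_128_GCM, AES_256_CBC, CHACHA20_POLY1305
    mac: str            # SHA256 / SHA384 / SHA (HMAC for CBC; PRF hash for AEAD)
    aead: bool


OPENSSL_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-(?P<auth>ECDSA|RSA)-)?"   # absent => static RSA
    r"(?P<cipher>AES128|AES256|CHACHA20)"
    r"(?:-(?P<mode>GCM|POLY1305))?"                    # absent => CBC
    r"(?:-(?P<mac>SHA256|SHA384|SHA))?$"
)


def parse_openssl(name: str) -> CipherSuite:
    """Split an OpenSSL-notation suite into key exchange / auth / encryption / MAC."""
    m = OPENSSL_RE.match(name)
    if not m:
        raise ValueError(f"unsupported OpenSSL cipher name: {name}")
    kx, auth = m["kx"] or "RSA", m["auth"] or "RSA"
    cipher, mode, mac = m["cipher"], m["mode"], m["mac"]
    if cipher == "CHACHA20":
        if mode != "POLY1305":
            raise ValueError(f"CHACHA20 without POLY1305: {name}")
        return CipherSuite(kx, auth, "CHACHA20_POLY1305", "SHA256", True)
    bits = cipher[3:]  # "AES128" -> "128"
    if mode == "GCM":
        if mac is None:
            raise ValueError(f"GCM suite without PRF hash: {name}")
        return CipherSuite(kx, auth, f"AES_{bits}_GCM", mac, True)
    if mode is not None or mac is None:
        raise ValueError(f"cannot classify: {name}")
    return CipherSuite(kx, auth, f"AES_{bits}_CBC", mac, False)


def to_iana(s: CipherSuite) -> str:
    """Build the IANA name, e.g. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256."""
    kx_auth = "RSA" if s.key_exchange == "RSA" else f"{s.key_exchange}_{s.auth}"
    return f"TLS_{kx_auth}_WITH_{s.encryption}_{s.mac}"


def review(name: str):
    """Return (iana_name, findings). An empty findings list means AEAD with ephemeral keys."""
    s = parse_openssl(name)
    findings = []
    if not s.aead:
        findings.append("CBC mode is not AEAD; the slide recommends AES with GCM")
    if s.key_exchange == "RSA":
        findings.append("static RSA key exchange gives no forward secrecy")
    if s.mac == "SHA":
        findings.append("HMAC-SHA1 integrity")
    return to_iana(s), findings


if __name__ == "__main__":
    for n in ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
              "ECDHE-RSA-AES128-SHA256", "AES128-SHA", "ECDHE-ECDSA-CHACHA20-POLY1305"]:
        iana, findings = review(n)
        print(f"{n:32} {iana:48} {findings or 'ok'}")
```

The parser is deliberately strict: a name it cannot classify raises rather than being silently accepted, which is the behaviour you want when the input is a cipher list destined for a server configuration.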

Page 18: Enterprise Database Security

Authentication & Access Control

Pages 19-21: Enterprise Database Security

Internal Authentication
[Diagram: APPS and HUMAN users each present credentials directly to the database.]

External Authentication
[Diagram: APPS and HUMAN users present credentials; the database checks them against an LDAP DIRECTORY.]

Mixed Authentication
[Diagram: APPS present credentials held in a SECRETS store (internal authentication); HUMAN users are checked against the LDAP DIRECTORY (external authentication).]

Page 22: Enterprise Database Security

Slice ‘em and dice ‘em

Role               Permission      Scope                    Whitelist
Acme IAM           user-admin      Global                   10.0.0.61/31
Acme SRE           sys-admin       Global                   10.0.0.0/24
Acme DBA           data-admin      Global                   10.0.0.0/24
Acme App1          read-write-udf  Namespace=ns1, Set=app1  -
Acme App2          read            Namespace=ns1, Set=app2  -
Acme Daily Loader  write           Namespace=ns1, Set=app2  -

(Permission + Scope = Privilege)

Create custom roles for users, administrators, applications, etc.
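The role table above as an executable policy, added here as an example (not the product's own authorisation code). It answers "may this role do this operation on this namespace/set from this address?" and makes the scope and whitelist columns testable. The mapping from the slide's permission names to concrete operations is an assumption of mine, as is the use of a few constructed source addresses.

```python
"""Evaluate requests against the role/privilege/whitelist table on slide 22.

Added example, not the product's own implementation. The PERMISSION_OPS table
(which operations each permission name grants) is an assumption for this
example; the roles, scopes and whitelists are the ones on the slide.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PERMISSION_OPS = {                       # assumption: how the slide's codes read
    "read": {"read"},
    "write": {"write"},
    "read-write-udf": {"read", "write", "udf"},
    "user-admin": {"user-admin"},
    "sys-admin": {"sys-admin"},
    "data-admin": {"data-admin"},
}


@dataclass(frozen=True)
class Privilege:
    permission: str
    namespace: Optional[str] = None      # None means Global
    set_name: Optional[str] = None


@dataclass(frozen=True)
class Role:
    name: str
    privileges: Tuple[Privilege, ...]
    whitelist: tuple = ()                # networks; empty means "-" (no restriction)


def cidr(text: str):
    # strict=False accepts a CIDR written with host bits set, as 10.0.0.61/31 is;
    # note that it then denotes the aligned block 10.0.0.60/31, i.e. .60 and .61.
    return ip_network(text, strict=False)


ROLES = {r.name: r for r in [
    Role("Acme IAM", (Privilege("user-admin"),), (cidr("10.0.0.61/31"),)),
    Role("Acme SRE", (Privilege("sys-admin"),), (cidr("10.0.0.0/24"),)),
    Role("Acme DBA", (Privilege("data-admin"),), (cidr("10.0.0.0/24"),)),
    Role("Acme App1", (Privilege("read-write-udf", "ns1", "app1"),)),
    Role("Acme App2", (Privilege("read", "ns1", "app2"),)),
    Role("Acme Daily Loader", (Privilege("write", "ns1", "app2"),)),
]}


def scope_covers(p: Privilege, namespace, set_name) -> bool:
    if p.namespace is None:
        return True                      # Global
    if p.namespace != namespace:
        return False
    return p.set_name is None or p.set_name == set_name


def authorize(role_name, op, source_ip, namespace=None, set_name=None):
    """Return (allowed, reason). Whitelist is checked first, then each privilege."""
    role = ROLES[role_name]
    if role.whitelist and not any(ip_address(source_ip) in net for net in role.whitelist):
        return False, f"{source_ip} is not in the whitelist for {role_name}"
    for p in role.privileges:
        if op in PERMISSION_OPS[p.permission] and scope_covers(p, namespace, set_name):
            return True, f"{p.permission} on {p.namespace or 'Global'}/{p.set_name or '*'}"
    return False, "no privilege grants this operation in this scope"


if __name__ == "__main__":
    # Constructed requests; source addresses are made up for the example.
    for req in [("Acme App2", "read", "10.0.1.7", "ns1", "app2"),
                ("Acme App2", "write", "10.0.1.7", "ns1", "app2"),
                ("Acme App1", "read", "10.0.1.7", "ns1", "app2"),
                ("Acme IAM", "user-admin", "10.0.0.60"),
                ("Acme IAM", "user-admin", "10.0.0.62"),
                ("Acme SRE", "sys-admin", "10.0.1.5")]:
        print(req, "->", authorize(*req))
```

Running it shows one thing worth checking in any whitelist: 10.0.0.61/31 admits 10.0.0.60 as well as .61, so a single-host intent should be written as /32.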

Page 23: Enterprise Database Security

Data Protection

Pages 24-25: Enterprise Database Security

Isolation and encryption

Physical devices
SSD 1: /dev/nvme1n1
SSD 2: /dev/nvme2n1

Logical devices
Partition 1: /dev/nvme1n1p1
Partition 2: /dev/nvme1n1p2
Partition 3: /dev/nvme2n1p1
Partition 4: /dev/nvme2n1p2

Namespace #1
● Encryption: AES-256
● Key file: namespace-1.key
● Devices: nvme1n1p1, nvme2n1p1

Namespace #2
● Encryption: AES-256
● Key file: namespace-2.key
● Devices: nvme1n1p2, nvme2n1p2

Logical separation of data

Page 26: Enterprise Database Security

sudo make me a sandwich

● The Aerospike daemon (asd) is a privileged process

● Apply your existing OS hardening best practices

● Do not use Aerospike nodes for auxiliary functionality

● Not all asinfo and asadm operations need to be run locally

● Protect secrets...

Page 27: Enterprise Database Security

It’s a secret to everybody.

Protect Secrets

● TLS private keys

● Encryption-at-rest keys

● Credentials to external authentication (LDAP)

● Credentials to other Aerospike clusters (XDR)

● System MetaData (SMD) (managed by Aerospike)

[Diagram: two ways a SECRET reaches the node. Config Management pushes the secret onto the FILESYSTEM; with Direct Integration the node requests the secret from the SECRETS store itself.]

Page 28: Enterprise Database Security

Security Events and Audit Logs

Page 29: Enterprise Database Security

Micah showed this slide from 127.0.0.1

[Diagram: LOGS -> ACTIONS -> ANALYZE. The Aerospike Audit Trail is shipped via syslog (syslog-ng, rsyslog, ...), through queues (Kafka, MQ, ...), into a SIEM (Splunk, ArcSight, QRadar, ...) alongside OTHER SOURCES.]

127.0.0.1 | asmith | failed login
32.56.98.2 | jdoe | dropped index
127.0.0.1 | asmith | failed login
67.11.1.10 | pmills | successful login
10.0.0.23 | apete | user created
10.0.0.21 | apete | set log level
127.0.0.1 | asmith | failed login
...
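The kind of ANALYZE step the diagram points at, run over the audit lines on the slide. This is an added example, not the product's or any SIEM's own rule: it parses the "ip | user | event" format shown, counts repeated failed logins, and flags administrative events that did not come from the expected management network. The threshold, the event list and the 10.0.0.0/24 management network (chosen to match the admin whitelist on slide 22) are assumptions for the example.

```python
"""Simple detections over the audit-trail format shown on slide 29.

Added example, not the product's own tooling. SAMPLE_LOG is the slide's
sample; ADMIN_NET, ADMIN_EVENTS and FAILED_LOGIN_THRESHOLD are assumptions
chosen for this example.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\|\s*(?P<user>\S+)\s*\|\s*(?P<event>.+?)\s*$")

SAMPLE_LOG = """\
127.0.0.1 | asmith | failed login
32.56.98.2 | jdoe | dropped index
127.0.0.1 | asmith | failed login
67.11.1.10 | pmills | successful login
10.0.0.23 | apete | user created
10.0.0.21 | apete | set log level
127.0.0.1 | asmith | failed login
...
"""

ADMIN_NET = ip_network("10.0.0.0/24")     # assumption: where admin actions are expected from
ADMIN_EVENTS = {"user created", "set log level", "dropped index"}
FAILED_LOGIN_THRESHOLD = 3                # assumption: alert at the third failure


def parse(text: str):
    """Return (ip, user, event) tuples; lines that do not fit the format (e.g. '...') are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], m["user"], m["event"]))
    return events


def analyze(events):
    """Return a list of alert strings: repeated failed logins, then out-of-network admin actions."""
    alerts = []
    failed = Counter((ip, user) for ip, user, ev in events if ev == "failed login")
    for (ip, user), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"{n} failed logins for {user} from {ip}")
    for ip, user, ev in events:
        if ev in ADMIN_EVENTS and ip_address(ip) not in ADMIN_NET:
            alerts.append(f"admin action '{ev}' by {user} from outside {ADMIN_NET} ({ip})")
    return alerts


def summary(events):
    """Events per user, useful as the baseline view next to the alerts."""
    return dict(Counter(user for _, user, _ in events))


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("events per user:", summary(evs))
    for a in analyze(evs):
        print("ALERT:", a)
```

On the slide's sample this raises two alerts: asmith's three failed logins from 127.0.0.1, and jdoe's "dropped index" from 32.56.98.2, which is outside the assumed management network. The failed-login counter is keyed on (ip, user) on purpose; keying on user alone would also catch a distributed attempt but hides the source.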

