Security/Reviews/esFrontline

From MozillaWiki

Item Reviewed

esFrontLine
Target
ID Summary Priority Status
939081 Security Review: esFrontLine -- RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Drawing: https://bug879822.bugzilla.mozilla.org/attachment.cgi?id=8337813

Simple proxy to prevent changes to the public ES cluster.

Overall architecture: https://bugzilla.mozilla.org/attachment.cgi?id=8337813
Code: https://github.com/klahnakoski/esFrontLine/blob/master/esFrontLine/app.py

  • Python, Flask, HTTP POST/GET
    • filters what is allowed, forwards the request to the ES cluster, and returns the response to the user
    • only allows mapping or search requests (mapping is needed for the schema)

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=879833
Security Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=939081

  • ElasticSearch was never meant to be exposed to the public; it was meant to be a cache for a larger application. esFrontLine is meant to prevent changes to the cluster and to the data in the cluster.

What solutions/approaches were considered other than the proposed solution?

No other solutions were considered

Why was this solution chosen?

It is simple. The current dashboards are client-side JavaScript that query ES directly.

Any security threats already considered in the design and why?

Loss of the esFrontLine machine or the public cluster to unsavory individuals would be disappointing and take work to recover from, but would result in no loss of data and no compromise of private data.

Threat Brainstorming

  • Physical separation of machines for frontline, database and backend?
    • esFrontLine, the public ES cluster and the public ETL machines are all separate boxes
  • Is this going to use the network items we have today to protect this (i.e. Zeus)?
    • Yes; whatever IT needs to do is being left up to them
  • 'Interesting' ES queries
  • Is MVEL enabled? Yes. Does esFrontLine allow MVEL expressions through?
  • Can any damage be done with just GETs?
    • Maybe; ES does not fail gracefully.
  • Data exfiltration avenue?
  • Is this fronted by existing load balancers (i.e. does it inherit their blacklists, etc.)? Yes, it will be.
  • The ES cluster is dangerous if rooted: IT puts IPMI on managed machines
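
The filtering step described under "Introduce the Feature" (only mapping and search requests pass) and the brainstorm questions about MVEL expressions and damage through plain GETs suggest what an allowlist check in front of the cluster has to cover. The following is an added Python example, not esFrontLine's own app.py; the permitted endpoint set, the rejected body keys, and the treatment of the `source` query parameter as a second request body are assumptions about what such a filter should handle.

```python
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Read-only endpoints the proxy forwards; everything else is denied (assumption:
# the "mapping or search only" rule from the feature description).
ALLOWED_ENDPOINTS = {"_search", "_mapping"}
ALLOWED_METHODS = {"GET", "POST"}
# Body keys through which scripted (MVEL-era) expressions reach Elasticsearch.
SCRIPT_KEYS = {"script", "script_fields", "script_score"}


def _contains_script(node):
    """Recursively check a parsed JSON document for any scripting key."""
    if isinstance(node, dict):
        if SCRIPT_KEYS.intersection(node):
            return True
        return any(_contains_script(v) for v in node.values())
    if isinstance(node, list):
        return any(_contains_script(v) for v in node)
    return False


def is_allowed(method, url, body=None):
    """Decide whether one request may be forwarded. Returns (allowed, reason)."""
    if method.upper() not in ALLOWED_METHODS:
        return False, "method not allowed"
    parts = urlsplit(url)
    path = unquote(parts.path)              # decode %2e%2e and friends first
    if not path.startswith("/"):
        return False, "malformed path"
    segments = path.split("/")[1:]          # keep empty segments to catch '//'
    if any(s in ("", ".", "..") for s in segments):
        return False, "malformed path"
    # Accept /<index>/_search, /<index>/<type>/_search and the _mapping forms.
    if len(segments) not in (2, 3) or segments[-1] not in ALLOWED_ENDPOINTS:
        return False, "endpoint not allowed"
    if segments[0].startswith("_"):
        return False, "index must be named"  # no _all or cluster-level paths
    # A GET can carry the request body in the `source` query parameter, so
    # inspect it exactly like a POST body.
    for raw in [body] + parse_qs(parts.query).get("source", []):
        if not raw:
            continue
        try:
            parsed = json.loads(raw)
        except ValueError:
            return False, "body is not JSON"
        if _contains_script(parsed):
            return False, "script in body"
    return True, "ok"
```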

Action Items

Action Item Status: In Progress
Release Target:
Action Items:
  • Stefan :: test the search filtering (http://klahnakoski-es.corp.tor1.mozilla.com:9292/) :: ??