Security: Difference between revisions

From MidasWiki
Revision as of 14:45, 13 August 2015



Access Control to a MIDAS experiment

Historically, by default there has been no restriction for any user to connect locally or remotely to a given experiment. This has now changed (August 2015). The Web Server itself mhttpd has recently (May 2015) been updated to use OpenSSL to provide secure HTTPS connections via the Mongoose web server. This limits access by requiring a username and password. Access can be restricted to the web server by using the Access Control List (ACL).

Other network security issues have also been addressed (see Note 1088). Changes to mserver (August 2015) make rejecting all external network connections the default behaviour (see Note 1090).

MIDAS programs running on localhost

Out-of-the-box MIDAS is now secure (August 2015). By default, connections from the outside are not possible. MIDAS RPC TCP ports are bound to the localhost interface. This configuration is suitable for testing MIDAS on a laptop and for running a simple experiment where all programs run on one machine. MIDAS ports (except for the mhttpd web ports) do not show up on network port scans.

The change in binding UDP ports is generally incompatible with previous versions of MIDAS, so all MIDAS programs should be rebuilt and restarted. If rebuilding all MIDAS programs is impossible, see Note 1090.

mserver will still work in this localhost-restricted configuration - one should use "odbedit -h localhost" to connect. Multiple mserver instances on the same machine - using different TCP ports via "-p" and ODB /Experiment/midas server port - are still supported.

MIDAS programs on remote machines

To run MIDAS programs on remote machines the following is now required:

  1. change the ODB setting /Experiment/Security/Enable non-localhost RPC to "yes" and restart mserver
  2. add the hostnames of all remote machines that will run MIDAS programs to the MIDAS RPC access control list in ODB key /Experiment/Security/RPC hosts/Allowed hosts.

To avoid "guessing" the host names expected by MIDAS, use the following procedure:

  • On the local machine ("daq06") set ODB key "enable non-localhost rpc" to "yes" and restart the mserver (step 1 above).
  • Go to the remote machine ("ladd21") and try to start the MIDAS program, e.g. "odbedit -h daq06". This will bomb and there will be a message in the Midas log file rejecting the connection from unallowed host 'ladd21.triumf.ca'.
  • Add this host to /Experiment/Security/RPC hosts/Allowed hosts.
  • After you add this hostname to RPC hosts, you should see messages in the Midas log file about reloading the access control list.
  • Try connecting again; it should now work.
NOTE

If MIDAS clients have to connect from random hosts (i.e. dynamically assigned random DHCP addresses), one can disable the host name checks by setting ODB key /experiment/security/Disable RPC hosts check to "yes". This configuration is insecure and should only be done on a private network behind a firewall.
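The following model of the RPC host policy described above is an added example, not MIDAS code: it reproduces the decision order of the three /Experiment/Security keys (Enable non-localhost RPC, Disable RPC hosts check, RPC hosts/Allowed hosts) so the effect of a setting can be checked before it is applied to a live experiment. The exact wording of the log messages and the audit findings are assumptions of this example.

```python
from dataclasses import dataclass, field

LOCALHOST = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Security:
    """The three /Experiment/Security keys this page describes, with ODB defaults."""
    enable_non_localhost_rpc: bool = False           # "Enable non-localhost RPC"
    disable_rpc_hosts_check: bool = False            # "Disable RPC hosts check"
    allowed_hosts: set = field(default_factory=set)  # "RPC hosts/Allowed hosts"


def rpc_decision(sec, peer):
    """Return (accepted, log text) for a MIDAS client connecting from `peer`.

    The decision order follows the page; the log wording is an assumption."""
    host = peer.lower()
    if host in LOCALHOST:
        return True, f"accepted connection from {peer}"
    if not sec.enable_non_localhost_rpc:
        # out-of-the-box behaviour: RPC ports are bound to localhost only
        return False, f"rejected connection from {peer}: non-localhost RPC disabled"
    if sec.disable_rpc_hosts_check:
        # the insecure setting: every host that can reach the port is accepted
        return True, f"accepted connection from {peer} (RPC hosts check disabled)"
    if host in {h.lower() for h in sec.allowed_hosts}:
        return True, f"accepted connection from allowed host {peer}"
    # this is the message the operator copies the host name from
    return False, f"rejected connection from unallowed host '{peer}'"


def audit(sec):
    """Findings a reviewer would raise about a /Experiment/Security subtree."""
    findings = []
    if sec.enable_non_localhost_rpc and sec.disable_rpc_hosts_check:
        findings.append("host name checks disabled: only acceptable on a "
                        "private network behind a firewall")
    if sec.enable_non_localhost_rpc and not sec.allowed_hosts:
        findings.append("non-localhost RPC enabled but Allowed hosts is empty: "
                        "no remote client can connect")
    if sec.allowed_hosts and not sec.enable_non_localhost_rpc:
        findings.append("Allowed hosts listed but non-localhost RPC is off: "
                        "the list has no effect")
    return findings
```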


Security on Older versions of MIDAS

Network security can be obtained by implementing a firewall and/or restrictions on off-site access. This kind of security can be provided by setting up Proxy Access to mhttpd.


Protect from accidental/unauthorized access

The MIDAS system provides a means to setup access restrictions using the ODB in order to protect the experiment from accidental or unauthorized access. This will not stop malicious or determined hackers (see #Access Control to a MIDAS experiment) but may prevent mistakes by authorized users.

There are two levels of access restriction available each of which can be enabled independently:

  • To restrict write access via the web by requiring a password before any parameter can be changed.
  • To require a password before MIDAS clients can start running on the host.

The user can select either or both of these security features.

Note that other forms of ODB access control, independent of these security features, are also available:

  • Write access can be restricted while a run is in progress (see Lock when running).
  • Individual keys or subtrees in the experiment's ODB can be set "read only" with the odbedit command chmod.
  • Custom web pages can provide experimenters with access to a subset of ODB keys necessary for the experiment. By hiding the ODB Page access button, the ODB can be protected from non-expert access via the web server.

How to Setup Web Access Restrictions

NOTE: these are not proof against malicious access. See #Access Control to a MIDAS experiment.

The ODB /Experiment/Security subtree can also be used to restrict access to the experiment via the Web. This subtree is automatically created (if not already present) when the odbedit command webpasswd is issued as follows:

 C:\online>odbedit
 [local:Default:S]/>cd Experiment/
 [local]/>webpasswd
 Password:<xxxx>
 Retype password:<xxxx>

After running the odbedit command webpasswd, a new ODB key, /Experiment/Security/Web Password, will be present containing the encrypted web password.

If web access restriction is set up, the user will be requested to provide the "Web Password" when accessing the requested experiment in "Write Access" mode. The "Read Only Access" mode is still available to all users.

 [local:bnqr:S]/Experiment>ls Security/
 Web Password                    pon4@#@%SSDF2

How to Setup Client Access Restrictions

In order to restrict access to the experiment, a password mechanism needs to be defined. This is provided by the /Experiment/Security subtree in the ODB. This subtree is automatically created (if not already present) when the odbedit command passwd is issued as follows:

 C:\online>odbedit
 [local:Default:S]/>cd Experiment/
 [local]/>passwd
 Password:<xxxx>
 Retype password:<xxxx>

After running the odbedit command passwd, the /Experiment/Security subtree will be present.

Allowing specific hosts/clients access without password

While restricting access makes sense to deny outsiders access to a given experiment, it can be annoying for the people working directly at the back-end computer or for an automatic frontend reloading mechanism. To address this problem, specific hosts and clients can be exempted from having to supply a password before being granted full access.

Allowed hosts

Hostnames to be allowed full access to the ODB are listed in the /Experiment/Security/Allowed hosts subtree, e.g.

 [local]/>cd "/Experiment/Security/Allowed hosts"
 [local]rhosts>create int myhost.domain
 [local]rhosts>

where myhost.domain is to be replaced by the full name of the host requesting full clearance, e.g. "pierre.triumf.ca".


Allowed programs

Programs (i.e. clients) to be allowed full access to the ODB (regardless of the node on which they are running) can be listed in the /Experiment/Security/Allowed programs subtree, e.g.

 [local]/>cd "/Experiment/Security/Allowed programs"
 [local]:S>create int mstat
 [local]:S>