Published on November 19th, 2013

Securing Redis with Sedona – Will Urbanski





10:00AM - 10:45AM

21CT Room (Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757)
Rugged DevOps Track

Redis is an open-source network-based key-value store. Similar to memcached, Redis allows developers to store and retrieve strings, lists, sets, and hashes rapidly and at scale. Redis helps power a number of popular open-source applications and websites including Twitter, Craigslist, Instagram and Flickr.
The Redis security model states that Redis should only be run in a trusted environment and accessed by trusted clients. As a result, Redis does not include many of the native security features that developers have come to expect from network-based storage solutions. Traditional security features found in similar storage solutions, like relational databases, include the ability to authenticate and authorize clients, or provide encryption for network communications. These features are non-existent or partially implemented in Redis, making it impossible to enforce security policy or isolate access for unique applications that utilize the same datastore.





To address these issues, I developed Sedona, an application firewall for Redis. Sedona functions as a context-aware firewall for Redis that gives administrators granular control over commands and provides key-level access restrictions for Redis objects. Sedona also improves upon the existing authentication support in Redis by adding support for modular authentication and per-user access control lists.
In this talk we’ll examine the Redis security model as well as security features that are available natively in Redis. Next we will introduce Sedona, an open-source application firewall that I have developed for Redis. We’ll cover use cases for Sedona, administration, configuration, and the performance implications it has on access to Redis.

Will Urbanski is a security researcher who tracks vulnerability and malware trends. He has experience in both research and security operations in enterprise and higher education environments. Will is the co-author of a patent for an IPv6 moving target defense. He has more than eight years of experience in Information Security and has written articles for numerous journals, including IEEE Security & Privacy. Will holds a Bachelor of Science in Computer Science from the University of Georgia. He is certified as a GIAC Penetration Tester, a GIAC Web Application Penetration Tester, and a GIAC Exploit Researcher and Developer.
