Protecting a cluster from malicious membership

Protecting a cluster from malicious membership

Christopher Schultz-2

All,

I'm looking at the security of Tomcat's Clustering components, and I
think that the following are true. Please let me know if anything in
here is inaccurate:

1. a. Default membership uses multicast
   b. Multicast (UDP) can't be authenticated
   c. Therefore multicast membership cannot be secured on its own
   d.  ... unless you use the "domain" attribute as a kind of
"password" to get into a segment of the cluster

2. a. Static membership enumerates all members of the cluster on all nodes
   b. Therefore, joining a malicious node to the cluster is unlikely

3. a. Adding EncryptInterceptor encrypts
     i. TcpFailureDetector traffic
    ii. All actual content traffic
   b. Therefore, adding EncryptInterceptor effectively secures the
cluster, even if the membership cannot be completely locked-down

Thanks,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Protecting a cluster from malicious membership

Mark Thomas-2
On 10/02/2019 14:37, Christopher Schultz wrote:

> All,
>
> I'm looking at the security of Tomcat's Clustering components, and I
> think that the following are true. Please let me know if anything in
> here is inaccurate:
>
> 1. a. Default membership uses multicast
>    b. Multicast (UDP) can't be authenticated
>    c. Therefore multicast membership cannot be secured on its own
>    d.  ... unless you use the "domain" attribute as a kind of
> "password" to get into a segment of the cluster
>
> 2. a. Static membership enumerates all members of the cluster on all nodes
>    b. Therefore, joining a malicious node to the cluster is unlikely
>
> 3. a. Adding EncryptInterceptor encrypts
>      i. TcpFailureDetector traffic
>     ii. All actual content traffic
>    b. Therefore, adding EncryptInterceptor effectively secures the
> cluster, even if the membership cannot be completely locked-down

Nothing jumps out at me as wrong.

Also, I'd expect to see a bunch of errors at the valid nodes when they
failed to decrypt messages from the invalid nodes. That should provide a
clear indication that something unexpected was going on.

Mark


Re: Protecting a cluster from malicious membership

Christopher Schultz-2

Mark,

On 2/11/19 03:49, Mark Thomas wrote:

> On 10/02/2019 14:37, Christopher Schultz wrote:
>> All,
>>
>> I'm looking at the security of Tomcat's Clustering components,
>> and I think that the following are true. Please let me know if
>> anything in here is inaccurate:
>>
>> 1. a. Default membership uses multicast
>>    b. Multicast (UDP) can't be authenticated
>>    c. Therefore multicast membership cannot be secured on its own
>>    d.  ... unless you use the "domain" attribute as a kind of
>> "password" to get into a segment of the cluster
>>
>> 2. a. Static membership enumerates all members of the cluster on all nodes
>>    b. Therefore, joining a malicious node to the cluster is unlikely
>>
>> 3. a. Adding EncryptInterceptor encrypts
>>      i. TcpFailureDetector traffic
>>     ii. All actual content traffic
>>    b. Therefore, adding EncryptInterceptor effectively secures the
>> cluster, even if the membership cannot be completely locked-down
>
> Nothing jumps out at me as wrong.
>
> Also, I'd expect to see a bunch of errors at the valid nodes when
> they failed to decrypt messages from the invalid nodes. That should
> provide a clear indication that something unexpected was going on.

Yep, that's detection, though... not prevention.

Thanks for the review.

A follow-up to 1d above... if I try to (maliciously) join a cluster
which has been separated into domains whose identities I do not know,
I just end up in a (potentially unnamed) domain all by myself, right?
So I'm a "member" of the cluster, but I can't meaningfully interact
with any of the other legitimate members?

-chris


Re: Protecting a cluster from malicious membership

kfujino
On Tue, Feb 12, 2019 at 1:44, Christopher Schultz <[hidden email]> wrote:

> Mark,
>
> On 2/11/19 03:49, Mark Thomas wrote:
> > On 10/02/2019 14:37, Christopher Schultz wrote:
> >> All,
> >>
> >> I'm looking at the security of Tomcat's Clustering components,
> >> and I think that the following are true. Please let me know if
> >> anything in here is inaccurate:
> >>
> >> 1. a. Default membership uses multicast
> >>    b. Multicast (UDP) can't be authenticated
> >>    c. Therefore multicast membership cannot be secured on its own
> >>    d.  ... unless you use the "domain" attribute as a kind of
> >> "password" to get into a segment of the cluster
> >>
> >> 2. a. Static membership enumerates all members of the cluster on all nodes
> >>    b. Therefore, joining a malicious node to the cluster is unlikely
> >>
> >> 3. a. Adding EncryptInterceptor encrypts
> >>      i. TcpFailureDetector traffic
> >>     ii. All actual content traffic
> >>    b. Therefore, adding EncryptInterceptor effectively secures the
> >> cluster, even if the membership cannot be completely locked-down
> >
> > Nothing jumps out at me as wrong.
> >
> > Also, I'd expect to see a bunch of errors at the valid nodes when
> > they failed to decrypt messages from the invalid nodes. That should
> > provide a clear indication that something unexpected was going on.
>
> Yep, that's detection, though... not prevention.
>
> Thanks for the review.
>
> A follow-up to 1d above... if I try to (maliciously) join a cluster
> which has been separated into domains whose identities I do not know,
> I just end up in a (potentially unnamed) domain all by myself, right?
> So I'm a "member" of the cluster, but I can't meaningfully interact
> with any of the other legitimate members?
>
>
If DomainFilterInterceptor has been enabled in the cluster,
you can't interact with any of the other legitimate members.




> -chris

--
Keiichi.Fujino
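
The settings discussed across this thread, combined into one `server.xml` fragment. This is an added example, not configuration posted by any of the participants; the domain name and key are placeholders, and the position of DomainFilterInterceptor in the chain is this example's assumption.

```xml
<!-- Added example: fragment of conf/server.xml, placed inside <Engine> or <Host>.
     Only the elements discussed in the thread are shown; the Receiver, Sender
     and any other interceptors a deployment needs are omitted.
     CLUSTER_DOMAIN_PLACEHOLDER and HEX_KEY_PLACEHOLDER are placeholders. -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">

    <!-- Point 1: default multicast membership. The heartbeat itself is not
         authenticated; "domain" assigns this node to a logical segment. -->
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                domain="CLUSTER_DOMAIN_PLACEHOLDER"/>

    <!-- Point 3: encrypts channel messages with a key shared by all
         legitimate nodes (hex-encoded). Tomcat's documentation requires this
         interceptor to be listed before TcpFailureDetector when both are used.
         A node without the key causes decryption errors in the logs of the
         valid nodes, which is the detection signal mentioned in the thread. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="HEX_KEY_PLACEHOLDER"/>

    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>

    <!-- Follow-up to 1d: per the last reply, a node announcing a different
         domain cannot interact with legitimate members once this interceptor
         is enabled. Its domain must match the Membership domain above. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor"
                 domain="CLUSTER_DOMAIN_PLACEHOLDER"/>

  </Channel>
</Cluster>
```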