Closed Bug 844840 Opened 11 years ago Closed 10 years ago

Security Review: Monolith

Categories

(mozilla.org :: Security Assurance: Review Request, task)

Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tarek, Assigned: michalpurzynski1)

References

Details

(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web])

Initial Questions:

Project/Feature Name: Monolith
Tracking ID: 838912
Description:
Monolith pulls data from marketplace + google analytics and in the future from solitude, the Marketplace payment system to build a unified database

The database is then indexed in Elastic Search.

Elastic Search is then used to display charts in the Marketplace website, that has its own security/permissions filtering.
Additional Information:
https://monolith-aggregator.readthedocs.org
Urgency: 2-4 weeks
Key Initiative: Marketplace / Apps
Release Date: 2013-03-15
Project Status: development
Mozilla Data: Yes
New or Change: Existing
Mozilla Project: Marketplace
Mozilla Related: Solitude, Marketplace, WebPay
Separate Party: Yes
Type of Relationship: Vendor/Services
Data Access: Yes
Privacy Policy: https://www.google.com/analytics/terms/us.html
Vendor Cost: N/A

Security Review Questions:

Affects Products: No
Review Due Date: 2013-03-15
Review Invitees: :tarek, :hanno, :alexis, :clouserw
Extra Information:
The Monolith system is composed of :

- a cron that grabs data from various sources to build a DB. The DB is then accessed by Marketplace.
- a server that proxies queries to an elastic search server
- a client library for Marketplace to query the server

The Monolith server itself has no protection - it will be accessed through the Marketplace app, which itself has a full security/permission system.

see the high-level overview of the system here : https://raw.github.com/mozilla/monolith-aggregator/master/docs/monolith-big-picture.png
1) Who is/are the point of contact(s) for this review?
2) Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
3) Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
4) Does this request block another bug? If so, please indicate the bug number
5) This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
6) To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list?  If so, which goal?
7) Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
7a) Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?
7b) Are there any portions of the project that interact with 3rd party services?
7c) Will your application/service collect user data? If so, please describe
8) If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
9) Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Flags: needinfo?(tarek)
Whiteboard: [triage needed]
Group: mozilla-corporation-confidential
I've filled in all this info in the form already...
Flags: needinfo?(tarek)
So you have, sorry about that, force of habit
Summary: Security Review: Monolith → Vendor Security Review: Monolith
Assignee: nobody → curtisk
Whiteboard: [triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Sorry for the delay here, been pulled by other high profile items and just getting back to this. I tried to read https://monolith-aggregator.readthedocs.org but it no longer appears accessible. 

I am also unclear as to whether this system is inside our corporate network or resides in another location.

(In reply to Tarek Ziadé (:tarek) from comment #1)
> The Monolith system is composed of :
>...
> The Monolith server itself has no protection - will be accessed through the
> Marketplace app, which itself
> has a full security/permission system.
> ...
This line in comment 1 also makes me a bit nervous; does this mean I could access the machine through other than approved methods if I were on the same network as the Monolith server?

Also is this something we are building or is this software a vendor product we are acquiring?
Flags: needinfo?(tarek)
The doc was moved here: https://mozilla-monolith.readthedocs.org

> I am also unclear as to weather this system is inside our corporate network on resides in another location

It will be on AWS.

> This line in comment 1 also makes me a bit nervous, does this mean I could access the machine from other than approved methods if I were on the same network as the Monolith server?

We are planning to set up a firewall to restrict by IP - adding Jeremy for more feedback if needed since he deploys it

> Also is this something we are building or is this software a vendor product we are acquiring?

Building
Flags: needinfo?(tarek)
Summary: Vendor Security Review: Monolith → Security Review: Monolith
asking rforbes to weigh in as he did a bunch of work on marketplace already
Flags: needinfo?(rforbes)
Note by "AWS" we mean "within the Services VPC in AWS". Also note ops has not made a final call on whether it's going to make sense to run it in our production AWS VPC or on the new Marketplace servers in PHX. A big factor will be weighing realities/complexities of accessing the datasources :tarek mentions. We'd be looking to OpSec for input on that.
:joes - who from your team should be looking at this from the OpSec side?
Flags: needinfo?(jstevensen)
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web]
Assignee: curtisk → mpurzynski
Flags: needinfo?(jstevensen)
What kind of data is going to be stored there? It's going to determine our preferences as for the on site or in AWS hosting. Also, what's the project status now?
Flags: needinfo?(tarek)
Flags: needinfo?(mmayo)
We recently moved this from AWS to PHX1, and will leave it there for the foreseeable future.

Lately, Rob Hudson has been doing the most work on this, so tagging him for a response to the first question in Comment 11.
Flags: needinfo?(mmayo) → needinfo?(robhudson.mozbugs)
(In reply to Michal Purzynski [:michal`] (use NEEDINFO) from comment #11)
> What kind of data is going to be stored there? It's going to determine our
> preferences as for the on site or in AWS hosting. Also, what's the project
> status now?

Type of data is mostly aggregate counts of things, with some attributes hanging off of it.

For example:
* Count of all public apps in the Marketplace
* Count of the number of developers
* Count of the number of visits (which we pull from Google Analytics)

We also track app installs with attributes of which region and which app. No user identifying information except for region=<country code>.

There's also aggregate gross revenue flowing in. We pull this data from Solitude, the payment backend via a log file. We need to keep that data protected and only available to the owners of the app or Marketplace admins. We do this by limiting the query on zamboni and keeping Monolith inaccessible from outside networks.

Does that help answer the question? If I missed anything or you need more info please let me know.
Flags: needinfo?(robhudson.mozbugs)
OK, so not much to be done from the OpSec side now. Thanks for a very detailed answer, that's helpful!

oremj, what's the network architecture of this project like? Which VLANs and subnets does it use? I'd like to make sure that other systems in the same VLAN cannot connect to it - as it's unprotected. A host-based firewall will do fine here. If that's implemented, then we're good.
It's in the mktweb VLAN. We currently do not have a local firewall on those servers.
Flags: needinfo?(tarek)
I'll setup a meeting to further discuss this setup.
Status: NEW → ASSIGNED
Please send me a meeting invite if the project is still relevant. Include :ulfr.
This project exists, is still relevant and has been running and collecting stats for many months now. In comment 16 you said you'd set up a meeting to discuss. If we still need to do a security review, probably better to do it sooner rather than later.
Sorry for pushing it into the background. After re-reading the bug and thinking about it, the only OpSec recommendation besides following the System Policy and Standards is to implement a host-based firewall ASAP to prevent other hosts in the same VLAN from having access to it.

The firewall should allow standard access for admins and maintenance (your admin hosts, VPN, monitoring, etc.) and queries from the "trusted" systems with a valid need to know. No other access should be allowed. If you put the rules in the bug, I'll review it.

That leaves us with L2 attacks and possible MITM scenarios - someone might redirect traffic and sniff/modify it, as there is no application layer security. This applies for both data inbound and outbound.
Flags: needinfo?(rforbes)
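A host-based ruleset of the shape recommended in the comment above, as an added example that is not part of the bug or of the Monolith project's own deployment. It is a POSIX sh script that emits an iptables-restore filter table: admin SSH from the admin hosts and VPN range, ICMP and an agent port from the monitoring subnet, the Monolith query port only from the trusted Marketplace nodes, and a default DROP for everything else, so Elasticsearch and the query port are unreachable from other members of the VLAN. Every subnet, host and port (the 10.0.x.0/24 ranges, port 8000 for Monolith, port 5666 for monitoring) is an assumed placeholder to be replaced with the real values the bug asks to have posted for review.

```shell
#!/bin/sh
# Added example, not from the bug or the Monolith project: a host-based
# firewall for a Monolith node, written out in iptables-restore format.
# All networks, hosts and ports below are assumed placeholders.

ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"                  # assumed: admin/bastion hosts
VPN_NET="${VPN_NET:-10.0.1.0/24}"                      # assumed: VPN client range
MONITOR_NET="${MONITOR_NET:-10.0.2.0/24}"              # assumed: monitoring hosts
TRUSTED_HOSTS="${TRUSTED_HOSTS:-10.0.3.10 10.0.3.11}"  # assumed: Marketplace (zamboni) web nodes
QUERY_PORT="${QUERY_PORT:-8000}"                       # assumed: Monolith HTTP query port
MONITOR_PORT="${MONITOR_PORT:-5666}"                   # assumed: monitoring agent port

# Print the complete filter table for iptables-restore.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Admin SSH only from the admin hosts and the VPN range.
    for net in "$ADMIN_NET" "$VPN_NET"; do
        printf '%s\n' "-A INPUT -p tcp -s $net --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Monitoring: ICMP echo and the agent port from the monitoring subnet.
    printf '%s\n' "-A INPUT -p icmp --icmp-type echo-request -s $MONITOR_NET -j ACCEPT" \
        "-A INPUT -p tcp -s $MONITOR_NET --dport $MONITOR_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # Monolith queries only from the trusted systems with a need to know.
    for h in $TRUSTED_HOSTS; do
        printf '%s\n' "-A INPUT -p tcp -s $h --dport $QUERY_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else, including Elasticsearch (9200) and the query port from
    # other VLAN members, falls through to the DROP policy; log a rate-limited
    # sample first so unexpected peers show up in the host logs.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "' \
        '-A INPUT -j DROP' \
        'COMMIT'
}

# Number of ACCEPT rules that admit traffic from a given source; useful when
# reviewing the generated set (a host that is not trusted must return 0).
allowed_from() {
    gen_rules | grep -c -e "-s $1 .*-j ACCEPT" || true
}

case "${1:-}" in
    --show)  gen_rules ;;                       # print the ruleset for review
    --apply) gen_rules | iptables-restore ;;    # as root: loads the table atomically
esac
```

Run `sh monolith-fw.sh --show` and paste the output into the bug for review, then `sudo sh monolith-fw.sh --apply` on the node. iptables-restore replaces the whole filter table in one step, so a half-applied state is not possible; persist the result with the distribution's iptables service so it survives a reboot, and either load an equivalent table with ip6tables or disable IPv6 on the host, otherwise the VLAN neighbours this is meant to shut out can still reach the services over v6.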
When do you think we could get the host-based firewalls implemented?
https://bugzilla.mozilla.org/show_bug.cgi?id=1012846

Based on the above bug, I'm closing the review here. What is the timeline of this system going away?
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
The http server is already gone.