Closed
Bug 844840
Opened 11 years ago
Closed 10 years ago
Security Review: Monolith
Categories
(mozilla.org :: Security Assurance: Review Request, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: tarek, Assigned: michalpurzynski1)
References
Details
(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web])
Initial Questions:
Project/Feature Name: Monolith
Tracking ID: 838912
Description: Monolith pulls data from marketplace + google analytics and in the future from solitude, the Marketplace payment system to build a unified database. The database is then indexed in Elastic Search. Elastic Search is then used to display charts in the Marketplace website, that has its own security/permissions filtering.
Additional Information: https://monolith-aggregator.readthedocs.org
Urgency: 2-4 weeks
Key Initiative: Marketplace / Apps
Release Date: 2013-03-15
Project Status: development
Mozilla Data: Yes
New or Change: Existing
Mozilla Project: Marketplace
Mozilla Related: Solitude, Marketplace, WebPay
Separate Party: Yes
Type of Relationship: Vendor/Services
Data Access: Yes
Privacy Policy: https://www.google.com/analytics/terms/us.html
Vendor Cost: N/A
Security Review Questions:
Affects Products: No
Review Due Date: 2013-03-15
Review Invitees: :tarek, :hanno, :alexis, :clouserw
Extra Information:
Reporter
Comment 1•11 years ago
The Monolith system is composed of :
- a cron that grabs data from various sources to build a DB. The DB is then accessed by Marketplace.
- a server that proxies queries to an elastic search server
- a client library for Marketplace to query the server
The Monolith server itself has no protection - will be accessed through the Marketplace app, which itself has a full security/permission system.
See the high-level overview of the system here : https://raw.github.com/mozilla/monolith-aggregator/master/docs/monolith-big-picture.png
1) Who is/are the point of contact(s) for this review?
2) Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
3) Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
4) Does this request block another bug? If so, please indicate the bug number
5) This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
6) To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
7) Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
7a) Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
7b) Are there any portions of the project that interact with 3rd party services?
7c) Will your application/service collect user data? If so, please describe
8) If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
9) Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Updated•11 years ago
Group: mozilla-corporation-confidential
Reporter
Comment 3•11 years ago
I've filled in all this info in the form already...
Flags: needinfo?(tarek)
Reporter
Comment 4•11 years ago
see https://bugzilla.mozilla.org/show_bug.cgi?id=844840#c0 for all your answers
So you have, sorry about that, force of habit
Summary: Security Review: Monolith → Vendor Security Review: Monolith
Updated•11 years ago
Assignee: nobody → curtisk
Updated•11 years ago
Whiteboard: [triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Sorry for the delay here, been pulled by other high profile items and just getting back to this. I tried to read https://monolith-aggregator.readthedocs.org but it no longer appears accessible. I am also unclear as to whether this system is inside our corporate network or resides in another location.
(In reply to Tarek Ziadé (:tarek) from comment #1)
> The Monolith system is composed of :
> ...
> The Monolith server itself has no protection - will be accessed through the
> Marketplace app, which itself
> has a full security/permission system.
> ...
This line in comment 1 also makes me a bit nervous, does this mean I could access the machine from other than approved methods if I were on the same network as the Monolith server?
Also is this something we are building or is this software a vendor product we are acquiring?
Flags: needinfo?(tarek)
Reporter
Comment 7•11 years ago
The doc was moved here: https://mozilla-monolith.readthedocs.org
> I am also unclear as to whether this system is inside our corporate network or resides in another location
It will be on AWS.
> This line in comment 1 also makes me a bit nervous, does this mean I could access the machine from other than approved methods if I were on the same network as the Monolith server?
We are planning to set up a firewall to restrict by ip - adding Jeremy for more feedback if needed since he deploys it
> Also is this something we are building or is this software a vendor product we are acquiring?
Building
Flags: needinfo?(tarek)
Updated•11 years ago
Summary: Vendor Security Review: Monolith → Security Review: Monolith
asking rforbes to weigh in as he did a bunch of work on marketplace already
Flags: needinfo?(rforbes)
Comment 9•11 years ago
Note by "AWS" we mean "within the Services VPC in AWS". Also note ops has not made a final call on whether it's going to make sense to run it in our production AWS VPC or on the new Marketplace servers in PHX. A big factor will be weighing realities/complexities of accessing the datasources :tarek mentions. We'd be looking to OpSec for input on that.
:joes - who from your team should be looking at this from the OpSec side?
Flags: needinfo?(jstevensen)
Updated•11 years ago
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web]
Updated•11 years ago
Assignee: curtisk → mpurzynski
Updated•11 years ago
Flags: needinfo?(jstevensen)
Assignee
Comment 11•11 years ago
What kind of data is going to be stored there? It's going to determine our preferences as for the on site or in AWS hosting. Also, what's the project status now?
Flags: needinfo?(tarek)
Flags: needinfo?(mmayo)
Comment 12•11 years ago
We recently moved this from AWS to PHX1, and will leave it there for the foreseen future. Lately, Rob Hudson has been doing the most work on this, so tagging him for a response to the first question in Comment 11.
Flags: needinfo?(mmayo) → needinfo?(robhudson.mozbugs)
Comment 13•11 years ago
(In reply to Michal Purzynski [:michal`] (use NEEDINFO) from comment #11)
> What kind of data is going to be stored there? It's going to determine our
> preferences as for the on site or in AWS hosting. Also, what's the project
> status now?
Type of data is mostly aggregate counts of things, with some attributes hanging off of it. For example:
* Count of all public apps in the Marketplace
* Count of the number of developers
* Count of the number of visits (which we pull from Google Analytics)
We also track app installs with attributes of which region and which app. No user identifying information except for region=<country code>.
There's also aggregate gross revenue flowing in. We pull this data from Solitude, the payment backend via a log file. We need to keep that data protected and only available to the owners of the app or Marketplace admins. We do this by limiting the query on zamboni and keeping Monolith inaccessible from outside networks.
Does that help answer the question? If I missed anything or you need more info please let me know.
Flags: needinfo?(robhudson.mozbugs)
Assignee
Comment 14•11 years ago
OK, so not much to be done from the OpSec side now. Thanks for a very detailed answer, that's helpful! oremj, what's the network architecture of this project like? Which vlans and subnets does it use? I'd like to make sure that other systems in the same vlan cannot connect to it - as it's unprotected. A host based firewall will do fine here. If that's implemented, then we're good.
Comment 15•11 years ago
It's in the mktweb VLAN. We currently do not have a local firewall on those servers.
Reporter
Updated•11 years ago
Flags: needinfo?(tarek)
Assignee
Comment 16•11 years ago
I'll set up a meeting to further discuss this setup.
Status: NEW → ASSIGNED
Assignee
Comment 17•10 years ago
Please send me a meeting invite if the project is still relevant. Include :ulfr.
Comment 18•10 years ago
This project exists, is still relevant and has been running and collecting stats for many months now. In comment 16 you said you'd set up a meeting to discuss. If we still need to do a security review, probably better to do it sooner rather than later.
Assignee
Comment 19•10 years ago
Sorry for pushing it in the background. After re-reading the bug and thinking about it, the only OpSec recommendation besides following the System Policy and Standards is to implement a host based firewall ASAP to prevent other hosts in the same Vlan from having access to it. The firewall should allow a standard access for admins and maintenance (your admin hosts, VPN, monitoring, etc) and queries from the "trusted" systems with a valid need to know. No other access should be allowed. If you put the rules in the bug, I'll review it. That leaves us with L2 attacks and possible MITM scenarios - someone might redirect traffic and sniff/modify it, as there is no application layer security. This applies for both data inbound and outbound.
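The host-based firewall policy recommended in comment 19, as an added example that is not part of the bug thread and not the rules of the Monolith deployment: a default-deny ruleset in iptables-restore format, plus a check a reviewer could run over posted rules. The addresses are constructed (RFC 5737 documentation ranges), the two ports are placeholders, and the function names `emit_rules` and `open_accepts` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug: default-deny INPUT policy for a service
# that has no application-layer protection. Addresses are constructed
# (RFC 5737 documentation ranges); ports are placeholders.
SERVICE_PORT=8080                             # placeholder service port
ADMIN_PORT=22                                 # assumed SSH for admin access
ADMIN_SOURCES="192.0.2.10 192.0.2.11"         # admin hosts, VPN (constructed)
MONITOR_SOURCES="192.0.2.20"                  # monitoring (constructed)
TRUSTED_CLIENTS="198.51.100.5 198.51.100.6"   # need-to-know clients (constructed)

# Print the ruleset in iptables-restore format.
emit_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for src in $ADMIN_SOURCES; do
        printf '%s\n' "-A INPUT -s $src/32 -p tcp --dport $ADMIN_PORT -j ACCEPT"
    done
    for src in $MONITOR_SOURCES; do
        printf '%s\n' "-A INPUT -s $src/32 -p icmp --icmp-type echo-request -j ACCEPT"
    done
    for src in $TRUSTED_CLIENTS; do
        printf '%s\n' "-A INPUT -s $src/32 -p tcp --dport $SERVICE_PORT -j ACCEPT"
    done
    # Everything else, same-VLAN neighbours included, hits the DROP policy;
    # log a rate-limited sample so denied attempts are visible.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "' \
        'COMMIT'
}

# Review check: count ACCEPT rules on stdin that name no source address,
# ignoring the loopback and established-connection rules. Expected: 0.
open_accepts() {
    awk '/-j ACCEPT/ && !/ -s / && !/-i lo/ && !/--ctstate/ { n++ }
         END { print n + 0 }'
}

# Syntax-check without applying: emit_rules | iptables-restore --test
emit_rules
```

Source filtering of this kind does nothing for the L2 redirection and MITM exposure noted in the same comment, since the traffic itself stays unauthenticated and unencrypted.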
Updated•10 years ago
Flags: needinfo?(rforbes)
Assignee
Comment 20•10 years ago
When do you think we could get the host based firewalls implemented?
Assignee
Comment 21•10 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=1012846 Based on the above bug, I'm closing the review here. What is the timeline of this system going away?
Assignee
Updated•10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 22•10 years ago
The http server is already gone.