Introduction - An Important Story
Thanks for reading my grandson's blog. But Redis, like swimming, cannot be learnt by just reading about it
Since I have the backing of his spirit, here is a disclaimer. I very much hope these posts would give some practical pointers and save you time when considering Redis in Production, but by no means this will guarantee you have fault-free Production environment. The reason is very simple: there is no "Standard" set of configurations and your project requirement is different from mine.
Security
Endpoint Protection
So set up a firewall rule to allow port 6379 - or to make it more difficult for attackers, 9736 - access only from your SDL Web Presentation Server and / or Deployer Server
Command Protection
For instance,
rename-command FLUSHALL "" (disable FLUSHALL command)
rename-command CONFIG IAMDIFFICULTTOCONFIGFORATTACKERS (rename CONFIG command)You will need to restart Redis instance once making the changes, and, if you want to call your renamed commands from any client-side libraries, make sure they provide necessary support (for instance, StackExchange.Redis has CommandMap supporting renamed commands).
Authentication
Code Security
The other consideration is that, although Redis is super fast by design, it is mostly single-threaded. This means when one command is in execution, other commands are being blocked. This in general should not be a concern due to its speed. However, there are commands (such as KEYS or HGETALL) whose computational complexity is O(N). If your code uses these commands, be extra careful with the Denial of Service attack.
For instance, imagine your code logic is the following
- Take a component id from a query string (can be cookie value, form submission, and so on.)
- If the Redis key (suppose it is the component id from the query string) exists, get its value as related components
- If the key does not exist, get related components based on this query string id, may be from an external service or data store, and store these related components in Redis
- And, in some other page, you made a mistake by using KEYS command (maybe for reporting or debugging purposes, but somehow made public)
Be Secure from Day 1
Do not expect your Redis is secure if you apply these principles only when you are ready to go live. At your design stage these factors need to be considered, set up your development environment following the security best practice, and application can then be coded accordingly. Apply your penetration testing strategy as you would do normally, and now include Redis as an additional point of vulnerability.A secure Redis, is impossible to be learnt by just reading about it.