nifi-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andy LoPresto <alopresto.apa...@gmail.com>
Subject Re: Nifi site-to-site security concerns
Date Sun, 15 Oct 2017 03:22:58 GMT
Ali,

Anyone with access to the keystore on the “compromised” NIFi instance (and the corresponding
password) will be able to authenticate to the other NiFi instance. Your hardening options
here are mostly around locking down access to the source system — OS permissions and ACLs,
2FA if you can, etc. You could always provision another secret value and use a shared secret
HMAC scheme as an internal wrapper inside the TLS MA of the S2S, but that shared secret is
also available on the compromised system. You gain negligible trust from an additional secret
value on the same hardware instance. 

If you are worried about them passing malicious data, sanitize that input and mark it as tainted
on the destination system. If you are worried about direct attacks on the confidentiality
and integrity of the destination system, don’t expose it directly, and put a proxy/relay
in a DMZ and perform some DPI there before relaying the traffic to the sensitive system (and
only allow incoming traffic there with HPKP and a very small, whitelisted truststore tied
to the relay system). 

There is no silver bullet for security. At best, you can add enough layers to make attacking
the system infeasible at a certain cost/effort point. This will depend greatly on your threat
model and attack matrix. 

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Oct 14, 2017, at 02:19, Ali Nazemian <alinazemian@gmail.com> wrote:
> 
> Hi all,
> 
> I was wondering if we use Nifi site-to-site to transfer logs from a vulnerable network
to our secure network what security concerns we need to consider to make sure we are not compromising
our Nifi cluster at the destination network. Let's suppose an attacker got access to the source
Nifi cluster at the OS level; we want to make sure that person is not able to attack destination
Nifi cluster. Is S2S safe in this scenario? Basically, as soon as an attacker has got access
Truststore and Keystore of the source Nifi, he/she is able to pass the SSL handshake of Nifi
for S2S and start transferring malicious data or for example, apply a deserialization attack
on the destination Nifi. I was wondering what additional layer is recommended to block unauthorised
access in this scenario? 
> 
> Regards,
> Ali

Mime
View raw message