Chapter 8. Security in RabbitMQ

Across the computing world, computer security or information security, also known as cyber security, has gained more importance than ever. Gartner reported that worldwide security spending increased by about 9% from 2012 to 2013.

As it is crucial to secure every software system we run, we should secure our message brokers too. Because a broker carries information about many of the components that depend on it, securing RabbitMQ is almost a must.

In this chapter, we will talk about the general vulnerabilities of RabbitMQ servers and how we can address these kinds of problems. After that, we will talk about the security mechanisms in RabbitMQ, such as access control, SASL authentication, and SSL support, as the following list shows:

  • An introduction to security in RabbitMQ
  • Access control
  • SASL authentication
  • SSL support in RabbitMQ

A brief introduction to security in RabbitMQ

Every server software system is accessed by different types of software clients, and many of those clients reach the server over network connections. Therefore, we should ensure the security of the information that sits behind the server software system.

RabbitMQ has settings that make security easy to configure. Yet every server application has some vulnerabilities. Therefore, we should combine RabbitMQ's own security features with the common hardening practices that apply to any server software system.

Through this chapter, we'll dive deep into the vulnerabilities and their solutions for RabbitMQ server instances.

Vulnerabilities

The vulnerabilities of RabbitMQ server instances are similar to those of any standard server system. So, it is beneficial to list the current vulnerabilities of server systems that are relevant to RabbitMQ. A comprehensive vulnerability report is published by Cenzic in its Vulnerability Report 2014: http://www.cenzic.com/downloads/Cenzic_Vulnerability_Report_2014.pdf

Information leakage

Information leakage is, simply put, a situation in which an application inappropriately discloses sensitive data, such as the messages held by a message broker, in our case RabbitMQ. So, we have to ensure both the confidentiality of the message details and their integrity.

Session management

A session management vulnerability is simply defined as an application that inappropriately allows attackers to interject themselves as a logged-in user of the software system. Therefore, we have to control our session management so that invalid users are blocked.

Authentication and authorization

As you probably already know, logging on to a computer with a set of credentials is authentication. Authorization is the process of verifying that you are permitted to access something.

An authentication and authorization vulnerability is simply defined as an application that does not properly ensure unbreachable and unreplayable authentication and authorized access to data. Hence, authentication and authorization have to be properly enforced on the server side of the application. This includes enforcing encrypted transmission of credentials, password standards, feature and data access restrictions, ACLs, and so on.

Message brokers have authentication and authorization mechanisms built into their structure. Therefore, they have to ensure the security of their own authentication and authorization systems.

Solutions to the vulnerabilities

After going over the problems that apply to RabbitMQ, we are now ready to solve them using security technologies. As we know, without solutions for these vulnerabilities, our messages are not secure and can be read by anyone who can reach our servers. Therefore, our main concern is to find solutions for the given security problems.

Fixing information leakage

The solution to information leakage is protecting data from unauthorized people. As message brokers are highly data-oriented software systems, we have to be careful about information leakage. The following list describes the general principles for preventing it:

  • Setting passwords to protect against unauthorized people
  • Erasing or encrypting information so that it cannot leak out
  • Encrypting the messages within the message broker, where encryption is the process of encoding messages so that only authorized parties can read them
  • Limiting who can manage the software system

These measures have to be in place to prevent information leakage from the message broker.

Session management

Session management is important both for administering the message broker and for accessing it as a client. We authenticate through the message broker's session management in order to send and receive messages. Therefore, we should ensure that sessions cannot be hijacked. The most powerful protection against session hijacking is transmitting the session over an encrypted protocol. One of the well-known encrypted protocols is Secure Sockets Layer (SSL). As a result, we have to use SSL to prevent session hijacking.

Authentication and authorization

Authentication and authorization security is closely related to the security of session management. We should protect these systems using a secure protocol. As we discussed under Session management, we have to use the SSL protocol to encrypt all data communication.
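As an added example that is not part of the book, the following classic Erlang-term rabbitmq.config shows what the two SSL recommendations above (encrypted client sessions and encrypted administration) look like in practice: the plaintext AMQP listener is disabled, a TLS listener replaces it, clients must present a certificate issued by the configured CA, and the management interface is served only over HTTPS. The certificate paths are placeholders.

```erlang
%% Added example, not from the book: a rabbitmq.config that forces every
%% client session and every management session onto TLS.
%% All file paths are placeholders; substitute your own PEM files.
[
  {rabbit, [
    %% Weak default: a plaintext AMQP listener on 5672 lets credentials and
    %% sessions be sniffed or hijacked. An empty list disables it entirely.
    {tcp_listeners, []},

    %% Hardened: accept AMQP only over TLS on the standard TLS port.
    {ssl_listeners, [5671]},

    {ssl_options, [
      {cacertfile, "/path/to/ca_certificate.pem"},
      {certfile,   "/path/to/server_certificate.pem"},
      {keyfile,    "/path/to/server_key.pem"},
      %% verify_peer plus fail_if_no_peer_cert: the client must present a
      %% certificate chained to the CA above, so an attacker who learns a
      %% username and password alone cannot open a session.
      {verify,               verify_peer},
      {fail_if_no_peer_cert, true}
    ]}
  ]},

  {rabbitmq_management, [
    %% Administration over HTTPS only, so management sessions are also
    %% protected from hijacking.
    {listener, [
      {port, 15671},
      {ssl,  true},
      {ssl_opts, [
        {cacertfile, "/path/to/ca_certificate.pem"},
        {certfile,   "/path/to/server_certificate.pem"},
        {keyfile,    "/path/to/server_key.pem"}
      ]}
    ]}
  ]}
].
```

After restarting the broker, confirm that only the TLS ports (5671 and 15671) are listening and that a plaintext connection to 5672 is refused.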
