In this blog post, I will introduce three new features in Couchbase Server 7.0.2 (“Server”) to help administrators deploy Couchbase Server in a secure manner: Enforce TLS, HSTS, and Enforce IP Address Family.
When deploying a Couchbase Server cluster, a best practice is to avoid having a Server node directly connected to the Internet. We advise that customers deploy a firewall on their cluster’s network perimeter as well as a firewall on each Server node. These firewalls should be configured to block all insecure ports, ports for services that are not in use, and entire IP address families that are not in use.
This is where these three new features come into play. Administrators should deploy firewalls and only allow specific ports as needed. The new settings provide additional protections that achieve the same goal, in what some might refer to as a compensating control.
The first new feature is Enforcement of TLS network encryption. In Couchbase Server 6.5.0, we introduced Node To Node Encryption. With Node To Node Encryption enabled, we allowed for the configuration of how data is handled between Couchbase Server nodes.
Either only the control data or all data between nodes can be configured to be encrypted. This secures the inter-node cluster network traffic, and if administrators deploy applications so that they connect to the cluster only over encrypted network connections, all the database data crossing the network is encrypted. At this point the administrator would deploy a firewall to block the network ports that handle unencrypted (plaintext) network traffic.
With the new Enforce TLS feature we’ve added a third option to the cluster encryption setting: strict. When this is enabled, the only network traffic allowed across the cluster is secure and encrypted. This applies to everything from the Web UI, the command line tools and application access to the network traffic between nodes in the cluster, but it doesn’t apply to the local loopback interfaces.
Enforce TLS can easily be implemented using the CLI command:
couchbase-cli setting-security --cluster-encryption-level strict
HTTP Strict Transport Security (HSTS)
Along with the Enforce TLS setting, there is a new setting to optionally enable the HTTP Strict Transport Security (HSTS) header. This header informs a user’s web browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. This is useful if you want all UI access to happen only over HTTPS.
When a browser knows that a domain has enabled HSTS, it does two things:
- It always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
- It removes the ability for users to click through warnings about invalid certificates.
One thing to remember about Couchbase Server: by default the UI’s non-TLS port is 8091 while the TLS port is 18091. With HSTS enabled, any requests to http://cluster:8091 will automatically attempt to access https://cluster:8091, not the correct 18091 port.
HSTS can be enabled with the CLI command:
couchbase-cli setting-security --hsts-max-age <seconds>
Configure the max-age setting to the amount of time, in seconds, that the browser should remember to access the Couchbase UI only using HTTPS.
You can also optionally enable or disable the HSTS preload and includeSubDomains directives.
Enforce IP Address Family
We also advise customers to use a firewall and block all network traffic for ports and protocols that are not needed, including entire IP Address families. For example, if your organization uses IPv4 addresses only, you should block at the firewall level all access to IPv6 addresses on your Couchbase Server nodes. To add some compensating controls, we’ve added options to the IP Address Family settings.
In the previous example, if an organization only ever uses IPv4 addresses and used the CLI command:
couchbase-cli ip-family --set --ipv4
…the cluster would use IPv4 for communication between the nodes, but it would still be possible for traffic to go over IPv6 from clients unless a firewall was in place to prevent it. If the IPv4 address couldn’t bind, then the node would be automatically failed over. The new --ipv4only option will instruct the cluster to only ever attempt to bind to IPv4 interfaces, and never allow IPv6 network communications.
Alternatively, there are also --ipv6 and --ipv6only options, which achieve the same result but for the IPv6 address family instead of the IPv4 address family. If --ipv4 and --ipv6 are both set, both interfaces should be bound, and if either is available, the system should use it and start.
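After applying strict encryption and an enforced address family, the node's listening sockets can be audited against both settings. The following is an added example, not part of the original post or of Couchbase's tooling; it assumes Linux `ss -ltnH` output, that strict mode leaves plaintext ports reachable only on loopback (per the loopback exception described earlier), and a port table in which only 8091/18091 comes from this article.

```python
import ipaddress

# Plaintext port -> TLS port. 8091/18091 is from the article; the other pairs
# are standard Couchbase service ports, included here as assumptions.
PLAINTEXT_TO_TLS = {8091: 18091, 8092: 18092, 8093: 18093, 11210: 11207}
CLUSTER_PORTS = set(PLAINTEXT_TO_TLS) | set(PLAINTEXT_TO_TLS.values())

def parse_listener(row):
    """Return (ip_address, port) for the local socket of one `ss -ltnH` row."""
    local = row.split()[3]                      # State Recv-Q Send-Q Local Peer
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]       # drop brackets and any %zone
    if host == "*":                             # dual-stack wildcard socket
        host = "::"
    return ipaddress.ip_address(host), int(port)

def audit(ss_output, allowed_family=4):
    """List listeners that contradict strict encryption or the enforced family."""
    findings = []
    for row in ss_output.strip().splitlines():
        addr, port = parse_listener(row)
        if port not in CLUSTER_PORTS:
            continue                            # not a Couchbase port: out of scope
        if addr.version != allowed_family:
            findings.append((str(addr), port, "wrong address family"))
        elif port in PLAINTEXT_TO_TLS and not addr.is_loopback:
            findings.append((str(addr), port, "plaintext port off loopback"))
    return findings

# Constructed sample of `ss -ltnH` output, not captured from a real node.
SAMPLE = """\
LISTEN 0 128 127.0.0.1:8091  0.0.0.0:*
LISTEN 0 128 0.0.0.0:18091   0.0.0.0:*
LISTEN 0 128 0.0.0.0:11210   0.0.0.0:*
LISTEN 0 128 0.0.0.0:11207   0.0.0.0:*
LISTEN 0 128 [::]:18091      [::]:*
LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means the listeners match the configured settings; any finding is a port the perimeter and host firewalls should also be blocking.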
In this article, I’ve shown you Enforce TLS, HSTS and Enforce IP Address Family. All of these security features are about building a robust barrier against attackers who try to compromise your systems. If security is important to you, I recommend reading a few additional blog posts about our security features that help keep your Couchbase data protected.