Nifi site-to-site security concerns

[Ali Nazemian <al...@gmail.com>]

Hi all,

I was wondering if we use Nifi site-to-site to transfer logs from a
vulnerable network to our secure network what security concerns we need to
consider to make sure we are not compromising our Nifi cluster at the
destination network. Let's suppose an attacker got access to the source
Nifi cluster at the OS level; we want to make sure that person is not able
to attack destination Nifi cluster. Is S2S safe in this scenario?
Basically, as soon as an attacker has got access Truststore and Keystore of
the source Nifi, he/she is able to pass the SSL handshake of Nifi for S2S
and start transferring malicious data or for example, apply a
deserialization attack on the destination Nifi. I was wondering what
additional layer is recommended to block unauthorised access in this
scenario?

Regards,
Ali

Re: Nifi site-to-site security concerns

[Andy LoPresto <al...@gmail.com>]

Ali,

Anyone with access to the keystore on the “compromised” NIFi instance (and the corresponding password) will be able to authenticate to the other NiFi instance. Your hardening options here are mostly around locking down access to the source system — OS permissions and ACLs, 2FA if you can, etc. You could always provision another secret value and use a shared secret HMAC scheme as an internal wrapper inside the TLS MA of the S2S, but that shared secret is also available on the compromised system. You gain negligible trust from an additional secret value on the same hardware instance. 

If you are worried about them passing malicious data, sanitize that input and mark it as tainted on the destination system. If you are worried about direct attacks on the confidentiality and integrity of the destination system, don’t expose it directly, and put a proxy/relay in a DMZ and perform some DPI there before relaying the traffic to the sensitive system (and only allow incoming traffic there with HPKP and a very small, whitelisted truststore tied to the relay system). 

There is no silver bullet for security. At best, you can add enough layers to make attacking the system infeasible at a certain cost/effort point. This will depend greatly on your threat model and attack matrix. 

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Oct 14, 2017, at 02:19, Ali Nazemian <al...@gmail.com> wrote:
> 
> Hi all,
> 
> I was wondering if we use Nifi site-to-site to transfer logs from a vulnerable network to our secure network what security concerns we need to consider to make sure we are not compromising our Nifi cluster at the destination network. Let's suppose an attacker got access to the source Nifi cluster at the OS level; we want to make sure that person is not able to attack destination Nifi cluster. Is S2S safe in this scenario? Basically, as soon as an attacker has got access Truststore and Keystore of the source Nifi, he/she is able to pass the SSL handshake of Nifi for S2S and start transferring malicious data or for example, apply a deserialization attack on the destination Nifi. I was wondering what additional layer is recommended to block unauthorised access in this scenario? 
> 
> Regards,
> Ali