How to prevent anonymous node joining the cluster


Lin Dwell

Dec 15, 2016, 10:26:40 AM
to Search Guard

What is the use of enforce_hostname_verification? What are the consequences if it is not set?
What can be done to prevent an anonymous node from joining the cluster? Is there something similar to IP filtering in Shield?

Jochen Kressin

Dec 17, 2016, 2:55:21 PM
to Search Guard
A node can only join a cluster if

- the node has a TLS certificate installed
- this certificate is trusted by the other nodes (via their truststore)

Which basically means that all certificates must be signed by a common root and intermediate CA.

A server (non-client) node also needs a special OID value set as a SAN in the certificate:


Additional security:

- enforce_hostname_verification: If this is set to true, a node receiving a request will validate that the hostname in the certificate matches the hostname of the caller.
- resolve_hostname: If you set this to true (enforce_hostname_verification must also be true), the hostname is additionally validated against your DNS.
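The admission logic described above, as an added example that is not part of this thread and not Search Guard's own code: a Go program that mints a cluster CA, a node certificate signed by it, and a self-signed "anonymous" certificate that claims the same hostname, then runs each through the three layers in the order the post lists them: chain validation against the truststore, hostname verification against the SAN (enforce_hostname_verification), and a DNS check of the caller's address (resolve_hostname). The hostname the receiving node attributes to the caller, the caller's IP, the zone data and all certificate names are constructed for the example, and the in-process resolver stands in for real DNS; the special OID SAN mentioned above is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64

// issue mints a certificate. With parent == nil it is self-signed, which covers
// both the cluster CA and the home-made certificate of a node nobody trusts.
func issue(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              sans, // hostname(s) verified by enforce_hostname_verification
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Policy mirrors the two switches discussed in the thread.
type Policy struct {
	EnforceHostnameVerification bool
	ResolveHostname             bool
}

// Resolver stands in for DNS so the example runs offline.
type Resolver func(host string) []net.IP

// admit decides whether a node presenting cert may join. roots is the truststore;
// callerHost is the name the receiving node knows the caller by and callerIP the
// address the connection came from (both are modelling assumptions).
func admit(cert *x509.Certificate, roots *x509.CertPool, callerHost string, callerIP net.IP, p Policy, dns Resolver) error {
	opts := x509.VerifyOptions{Roots: roots} // layer 1: chain to the common CA
	if p.EnforceHostnameVerification {
		opts.DNSName = callerHost // layer 2: a SAN must match the caller's hostname
	}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if p.EnforceHostnameVerification && p.ResolveHostname { // layer 3: DNS agrees with the source address
		for _, ip := range dns(callerHost) {
			if ip.Equal(callerIP) {
				return nil
			}
		}
		return fmt.Errorf("%s does not resolve to %s", callerHost, callerIP)
	}
	return nil
}

// Scenarios runs the cases from the thread and reports which ones admit the node.
func Scenarios() (map[string]bool, error) {
	ca, caKey, err := issue("cluster-ca", nil, true, nil, nil)
	if err != nil {
		return nil, err
	}
	node1, _, err := issue("node1", []string{"node1.example.internal"}, false, ca, caKey)
	if err != nil {
		return nil, err
	}
	// The "anonymous" node: a certificate the cluster's truststore does not cover,
	// even though it claims node1's hostname.
	rogue, _, err := issue("node1", []string{"node1.example.internal"}, false, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	dns := func(host string) []net.IP { // constructed zone data
		if host == "node1.example.internal" {
			return []net.IP{net.ParseIP("10.0.0.11")}
		}
		return nil
	}
	off := Policy{}
	hostOnly := Policy{EnforceHostnameVerification: true}
	full := Policy{EnforceHostnameVerification: true, ResolveHostname: true}
	home, elsewhere := net.ParseIP("10.0.0.11"), net.ParseIP("10.0.0.99")
	return map[string]bool{
		"rogue cert, verification off":               admit(rogue, roots, "node1.example.internal", home, off, dns) == nil,
		"node1 cert from node1, full":                admit(node1, roots, "node1.example.internal", home, full, dns) == nil,
		"node1 cert presented as node2, off":         admit(node1, roots, "node2.example.internal", elsewhere, off, dns) == nil,
		"node1 cert presented as node2, hostname":    admit(node1, roots, "node2.example.internal", elsewhere, hostOnly, dns) == nil,
		"node1 cert, right name, wrong IP, hostname": admit(node1, roots, "node1.example.internal", elsewhere, hostOnly, dns) == nil,
		"node1 cert, right name, wrong IP, resolve":  admit(node1, roots, "node1.example.internal", elsewhere, full, dns) == nil,
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for k, v := range res {
		fmt.Printf("%-45s admitted=%v\n", k, v)
	}
}
```

Running it shows what each switch buys: the untrusted certificate is rejected no matter how the switches are set, which is the answer to the anonymous-node question; a trusted certificate presented from the wrong host is rejected only once enforce_hostname_verification is on; and a trusted certificate presented under the right name but from an address that name does not resolve to is rejected only with resolve_hostname as well.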

Sudheer Lucky

Dec 19, 2016, 9:18:32 AM
to search...@googlegroups.com
Hi Jochen, thanks for the reply.

Any idea whether there is anything similar to the IP filtering that is available in Shield? If not, what can we do to blacklist/whitelist certain IP addresses using Search Guard?

--
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/surZWa04Cc0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f16055b7-0b8a-4dcc-816e-34724c5e4751%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jochen Kressin

Dec 20, 2016, 10:18:47 AM
to Search Guard
Hi,

Search Guard does not support IP filtering, because we think that a solution based on TLS certificates offers more flexibility in production. If you want to add nodes to your cluster, you just need to generate a valid certificate for the node by using your PKI, no need to reconfigure or restart your cluster. If you enable hostname verification (and resolve the hostname against the DNS for additional security), you basically get a similar functionality as IP filtering at a greater level of flexibility.

Is there a hard reason why you want to exclude IP addresses via filtering? That is, can you explain your specific use case?

Thanks,

Jochen 

