We are looking to integrate Memcached into our infrastructure, but have a security concern before we do. We run several platforms including ASP.NET and ColdFusion and have many app developers working many little applications across the different platforms. The concern is this:

App A places item "dog" into cache.

App B reads item "dog" (or worse: App B updates item "dog")

After this happens, App A either retrieves bad information, or has already had its information viewed, aka "stolen". What we would like to do is make it so that each app can only interact with its own sandbox, and may not interfere with or read other applications' data.

Is this possible? Thanks.

+1  A: 

Create multiple memcached instances on your infrastructure and give each instance a different port. In this way you isolate yourself -- however this is not the way you want to do things, you will have to split your available memory resources.


You should be able to use "convention" to your advantage -- i.e., use Anon's suggestion.

My advice is: anything that needs to be protected should not be in a memcached instance. Use this with anon's advice and you're doing what is considered best practise.

Hassan Syed
I had this idea as well, and thought that our server admins may hate us for it. It's good to hear similar ideas though. Thanks.
jocull
A: 

memcached is very explicitly leaving out security from its deployment (no access control lists, no cache content tampering protection, no traffic privacy etc), all in the name of performance. Access control (SASL) can optionally be compiled into memcached, but most times is left out.

If you need tampering proof of content, or privacy of items in cache you have to implement it in the app (i.e. sign or encrypt the cached content before uploading it), but you'll pay the cost of signing/verifying the signature and/or encrypting/decrypting with each cache access, and you also have a fairly complicated problem of provisioning the keys needed to do these operations.

Remus Rusanu
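
The signing approach from the answer above, as an added example that is not part of the original answer: each app tags its values with HMAC-SHA256 under its own secret and treats anything that fails verification as a cache miss. The function names, the dict standing in for memcached, and the keys are assumptions made for illustration; this detects tampering only, and privacy would still need encryption.

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def _tag(app_key: bytes, cache_key: str, value: bytes) -> bytes:
    # Bind the tag to the cache key as well as the value, so a validly signed
    # value cannot be copied to a different key. Length-prefix the key so the
    # key/value boundary is unambiguous.
    k = cache_key.encode("utf-8")
    msg = len(k).to_bytes(4, "big") + k + value
    return hmac.new(app_key, msg, hashlib.sha256).digest()


def seal(app_key: bytes, cache_key: str, value: bytes) -> bytes:
    """Return tag || value, ready to store in the cache."""
    return _tag(app_key, cache_key, value) + value


def unseal(app_key: bytes, cache_key: str, blob):
    """Return the value if its tag verifies, else None (treat as a cache miss)."""
    if blob is None or len(blob) < TAG_LEN:
        return None
    tag, value = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(app_key, cache_key, value)):
        return None
    return value


def demo():
    cache = {}  # stand-in for a shared memcached instance (constructed)
    key_a = b"A" * 32  # constructed per-app secrets; provision real ones securely
    key_b = b"B" * 32

    cache["dog"] = seal(key_a, "dog", b"rex")
    first_read = unseal(key_a, "dog", cache["dog"])       # App A reads its own item

    cache["dog"] = seal(key_b, "dog", b"fido")            # App B overwrites "dog"
    after_overwrite = unseal(key_a, "dog", cache["dog"])  # App A rejects it

    cache["cat"] = seal(key_a, "dog", b"rex")             # signed value moved to another key
    moved = unseal(key_a, "cat", cache["cat"])
    return first_read, after_overwrite, moved


if __name__ == "__main__":
    print(demo())
```

An older value that App A itself signed for the same key would still verify, so this check does not stop replay of stale entries.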
A: 

The last few versions we've shipped with SASL auth to prevent unauthorized access in untrusted environments.

In development trees, we have pluggable storage engine support allowing you to do fun things like isolate caches between apps. e.g., I have a deployed instance with many users who can't see each other's data. User1 can cache dog and User2 can cache dog and they do not interfere.

Dustin