Wednesday, April 8, 2015

Splunk, SSO, Enterprise Security

Splunk is a powerful tool, therefore it is natural that the need to secure it in an enterprise is strong. With the push from upper management to secure access to privileged systems, 2-factor authentication (2FA) is the next defensive weapon to be deployed against attacks from both the outside and inside.

Looking into authentication and authorization mechanisms, especially SSO (single sign-on) in Splunk, it is amazing how much things have stayed the same since I first installed Splunk 4 back in 2011. This time, I am investigating the feasibility of using SAML 2 for Splunk to achieve both single sign-on and role-based access control (RBAC).

What I have found so far are not very encouraging and I seriously hope that someone prove me wrong.

Splunk has a number of ways for user authentication:
  • Splunk internal: User information is stored in Splunk itself. A user would have to sign on each and every time visiting a different Splunk web host.
  • LDAP: Splunk uses an LDAP server as user ID store.
  • Proxy SSO: Splunk web must run behind a proxy server, such as Apache or IIS, which actually implements the sign-on part of SSO.
  • Scripted authentication: Splunk calls a custom script to perform user ID acquisition and authentication.
 For user access authorization:
  • LDAP: Using LDAP for authentication allows Splunk to map LDAP groups to Splunk roles for access control.
  • Script: The script for authentication is also used to assign roles to the user.
Splunk does not seem to allow both SSO and RBAC simultaneously: The only mechanism for SSO is running Splunk web behind a proxy server. But in that case, it still relies on internally stored user information or LDAP group mappings to assign roles to an authenticated user, if this post in the Splunk Answers still holds true. Even if that changes, fronting every Splunk web service with a proxy creates an administrative challenge when you have many Splunk search heads running on both Linux and Windows, for example. Unless, of course, one uses something like Novel NetIQ or Citrix NetScaler. But those mechanisms introduce complexities of their own.

Scripted authentication would offer a way to implement both SSO and RBAC simultaneously if Splunk passes along HTTP request headers to the script. But that does not seem to be the case from reading their documentation.
Posted by at No comments:
Labels: , , , , , , , ,
Subscribe to: Posts (Atom)