
How Insecure is Elastic Search and how to improve its security?


Elasticsearch by default is not secure, which means anybody who knows your IP can access it. But there are a lot of ways to secure it.

In the configuration you can set the value of network.bind_host to localhost or your intranet IP so that it is accessible only from there. For more details check out the doc.

You can simply restrict access to the port (default is 9200) using iptables.

You can use nginx as a proxy so that you can have all the goodness and configurability of nginx. Read about it at playing http tricks with nginx.

Elastic also has a commercial security product called Shield.

There are a few other security plugins available on the net also. Though Elasticsearch by default is not secured, it is easy to set up security around it.

Of all of these, I personally prefer the nginx proxy as it is very easy to set up and gives me the added advantage of logging all requests to Elasticsearch via nginx access logs.

Lastly, the security additions will have no/negligible performance impact.
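
A check for the bind-address advice in the answer above, as an added example that is not part of the original answer: it reads the text of an elasticsearch.yml and reports how exposed the configured listening addresses are. It assumes flat `key: value` settings; `network.host`, `http.host`, `http.bind_host` and the `_local_`/`_site_`/`_global_` values are Elasticsearch settings not named on this page, and both sample configs are constructed.

```python
import ipaddress

# Elasticsearch settings that choose the listening address of the HTTP API.
BIND_KEYS = ("network.host", "network.bind_host", "http.host", "http.bind_host")
# Special values Elasticsearch accepts in place of a literal address.
SPECIAL = {"_local_": "loopback", "localhost": "loopback",
           "_site_": "private", "_global_": "public"}
RANK = {"loopback": 0, "private": 1, "unknown": 2, "public": 3}


def classify(addr):
    """Return loopback / private / public / unknown for one bind value."""
    addr = addr.strip().strip("\"'").lower()
    if addr in SPECIAL:
        return SPECIAL[addr]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"      # hostname or _interface_ name: review by hand
    if ip.is_unspecified:     # 0.0.0.0 or :: means every interface
        return "public"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def audit(yml_text):
    """Return (worst_exposure, findings) for flat `key: value` settings."""
    findings = []
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key not in BIND_KEYS:
            continue
        for addr in value.strip("[]").split(","):  # single value or [a, b]
            addr = addr.strip().strip("\"'")
            if addr:
                findings.append((key, addr, classify(addr)))
    if not findings:
        return "default", findings   # no explicit bind: version default applies
    return max(findings, key=lambda f: RANK[f[2]])[2], findings


# Constructed sample configs (not taken from the page).
EXPOSED = "cluster.name: demo\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED = "cluster.name: demo\nnetwork.bind_host: localhost  # local only\n"
```

A result of `public` or `unknown` means the node still needs the iptables rule or the proxy in front of it; `default` means the file sets no bind address and the behaviour depends on the installed version.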


Elasticsearch is insecure by default; however, I'd really hesitate to say that's any different than any other service. You shouldn't have your database connection public facing, right? You should really consider treating it like any other service that you wouldn't want publicly accessible. Elasticsearch does provide HTTPS and basic auth. So it has the capability to be secure as long as you make it so, but the same can be said about many services you deploy.