WebSphere MQ Security

Aug 7, 2012

14 March 2013

Issue 1.0

Enterprise-Level WebSphere MQ Security


Candle Profile


Over 25 years in the business


One of the largest privately owned
software and services providers in the
world


Over 1200 professionals


Offices worldwide in 50+ countries


Renowned WebSphere MQ consultants


Profitable, significant R&D
investments


The Program


Understanding the need for security


Best practices for protecting your
critical business information


Real life experiences


The Speakers


Peter Rhys Jenkins, Candle Sr. Architect


25 years consulting to Fortune 500 planet-wide


IBM Certified WebSphere MQ everything


Published author with articles in EAI Journal and WebSphere Advisor magazines


The Speakers


Lydia Heitzman, AVP Workgroup
Computing, GE Commercial Distribution
Finance


Manages a team implementing complex
messaging architectures


WebSphere MQ Agenda.


Typical vulnerabilities


Infrastructure


Risks


Recommendations


Strategic and Tactical


WiFi, Web Services


SSL, CipherSpecs, symmetric and asymmetric key cryptography, PKI; WMQ, WMQI and WAS


Certificates



Security is a PROCESS


Prevention.


Detection.


Proactive Solutions.



Cryptographic software products alone will not,
and can not, ensure 100 % security for an IT
infrastructure.



For more information, read:


“Secrets and Lies” by Bruce Schneier.


“Crypto” by Steven Levy.



Infrastructure


Typical 3-Tier Architecture


Tier 1: Parallel Sysplex.


Tier 2: WMQ Message Concentrators


Tier 3: MQ Servers and Clients

Router to Tier 2

Gateway to Tier 2


Risks.


Millions of messages a day make WebSphere MQ mission critical.


Risk 1: see and collect significant data (eavesdropping on queues or channels)


Risk 2: build your own message and insert it into a queue


Risk 3: delete messages


Risk 4: change message content


Risk 5: denial of service


Security Issues


Physical Security


LAN Security


WAN, PAN, LAN, WiFi


Well-known ports


25 (SMTP)


1414 (the default WebSphere MQ listener port)


Default parameters


Lack of knowledge surrounding certificates


Lack of money


Difficult ROI


‘It won’t happen to me’


False Sense of Confidence


So, Where Are the Weak Points ?


WMQ Recommendations.


WMQ 5.3 SSL

WMQ SSL supports TCP/IP channels

WMQ reuses the negotiated secret key for the life of the channel

WMQ SSL is LINK LEVEL SECURITY: data on transmission queues and local queues is in plaintext


good for WMQ clients


Strategic Recommendations.


Distrust The Network


Build End-to-End Security (MQSecure)


Identification, Non-Repudiation, Integrity, Privacy;


Digital Certificates.


PKI. (LDAP).


Authorization


a different problem


RACF, OAM, TAMBI, ACLs.


Offload Crypto Processing


Build and Deploy an Enterprise Wide Security Model


Investigate security tokens to offset the load on certificate services


Expand Automation to embrace WMQ on distributed platforms


Improve the Granularity of Systems Management


Explore new technologies


WiFi sniffers, biometrics


Deploy a Message Firewall…


Test the tools yourself: know your enemy.




Tactical Recommendations.



Protect the administrative and default objects:


SYSTEM.ADMIN.COMMAND.QUEUE


SYSTEM.COMMAND.INPUT


SYSTEM.DEF.xxxxxx


Limit PQEdit and similar queue-editing tools to developers


Standards and documentation


Use security exits to validate DNS names


Turn on WEP (the minimum for WiFi; WEP itself is weak, which is what 802.11i and TKIP set out to fix)


Automate DLQ management


Turn on OAM MQ security (distributed platforms)


Turn on SAF MQ security (z/OS)
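The tactical points above (lock down the SYSTEM.* defaults, turn on SSL, do not rely on default parameters) can be checked mechanically. The following is an added example, not code from the presentation, from Candle or from IBM: it parses the NAME(value) attribute text that runmqsc prints for DISPLAY CHANNEL(*) ALL and flags channels with no CipherSpec, with a CipherSpec built on the weaker algorithms the deck lists, with SSLCAUTH not set to REQUIRED or a blank SSLPEER, and default (SYSTEM.DEF.*/SYSTEM.AUTO.*) or blank-MCAUSER SVRCONN channels. The sample output is constructed, and which CipherSpec name fragments count as weak is our assumption.

```python
"""Audit WebSphere MQ channel definitions for the weak spots this deck lists.

Added example; not code from the presentation or from IBM. It reads the
attribute text that runmqsc prints for DISPLAY CHANNEL(*) ALL and flags
channels that leave the tactical recommendations unmet. What counts as a
weak CipherSpec below is our assumption, based on the algorithms the deck lists.
"""
import re
from typing import Dict, List

# One attribute, e.g. SSLCIPH(RC4_MD5_EXPORT); one nested pair of parentheses
# is allowed so that CONNAME(host(1414)) parses as a single value.
ATTR_RE = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")

# CipherSpec name fragments treated as weak (assumption): no encryption,
# RC2/RC4, single or triple DES (legacy), MD5 MACs, export-grade key sizes.
WEAK_CIPHER_MARKERS = ("NULL", "RC2", "RC4", "DES", "MD5", "EXPORT")

# Channel types that accept an inbound connection and therefore decide,
# via SSLCAUTH, whether the partner must present a certificate.
INBOUND_TYPES = {"RCVR", "RQSTR", "SVR", "SVRCONN", "CLUSRCVR"}

# Constructed sample in the layout runmqsc uses; not captured from a real queue manager.
SAMPLE_DISPLAY = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(REQUIRED)
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   CONNAME(qm2.example.com(1414))          XMITQ(QM2)
   SSLCAUTH(REQUIRED)                      SSLCIPH(RC4_MD5_EXPORT)
   SSLPEER(CN=QM2,O=Example)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appuser)                        SSLCAUTH(OPTIONAL)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)   SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqadmin)                        SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA)   SSLPEER(CN=admin,O=Example)
"""


def parse_channels(display_output: str) -> List[Dict[str, str]]:
    """Group the NAME(value) attributes into one dict per CHANNEL record."""
    channels: List[Dict[str, str]] = []
    for line in display_output.splitlines():
        for name, value in ATTR_RE.findall(line):
            if name == "CHANNEL":          # a CHANNEL attribute starts a new record
                channels.append({})
            if channels:
                channels[-1][name] = value.strip()
    return channels


def audit_channel(ch: Dict[str, str]) -> List[str]:
    """Return the findings for one channel; an empty list means nothing was flagged."""
    name = ch.get("CHANNEL", "?")
    chltype = ch.get("CHLTYPE", "")
    findings: List[str] = []
    ciph = ch.get("SSLCIPH", "")
    if not ciph:
        findings.append("no SSLCIPH: channel traffic crosses the network in plaintext")
    else:
        if any(marker in ciph.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak CipherSpec {ciph}")
        if chltype in INBOUND_TYPES and ch.get("SSLCAUTH", "") != "REQUIRED":
            findings.append("SSLCAUTH not REQUIRED: the partner need not present a certificate")
        if not ch.get("SSLPEER", ""):
            findings.append("SSLPEER blank: any certificate from a trusted CA is accepted")
    if chltype == "SVRCONN":
        if name.startswith(("SYSTEM.DEF.", "SYSTEM.AUTO.")):
            findings.append("default SVRCONN channel usable as-is: set its MCAUSER to a non-privileged, disabled ID")
        if not ch.get("MCAUSER", ""):
            findings.append("blank MCAUSER: clients run under whatever user ID they assert")
    return [f"{name}: {finding}" for finding in findings]


def audit(display_output: str) -> Dict[str, List[str]]:
    """Map each channel name to its list of findings."""
    return {ch["CHANNEL"]: audit_channel(ch) for ch in parse_channels(display_output)}


if __name__ == "__main__":
    for channel, findings in audit(SAMPLE_DISPLAY).items():
        print(channel, "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

Feed it the saved output of `echo "DISPLAY CHANNEL(*) ALL" | runmqsc QMGR`; the SSLCAUTH check is applied only to channel types that receive connections, since the outbound side of a sender channel always verifies the partner certificate.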




Security Miscellaneous


Cryptographic Co-Processor


“Free” co-processor


Needs ICSF etc. on z/OS


Standard PCI card


Low cost.


“The National Strategy To Secure Cyberspace”


Released by US Administration mid September 2002.
www.securecyberspace.gov



Key Recommendations:


CEO’s should consider forming security councils to integrate
cyber security, privacy, physical security and operational
considerations.


Boards should consider forming committees on IT security and
should ensure that the CEO regularly reviews
recommendations of the chief information security official.


IT continuity plans should be regularly reviewed and
exercised, and should consider site and staff alternatives.
Consideration should be given to diversity in IT service
providers.


Corporations should consider active involvement in industry
wide programs to develop IT security best practices.


Companies should review mainframe security software and
procedures, and consider developing a partnership to review
and update best practices.


What should be in a Security Model

Services: Identification, Authentication, Authorization / Access Control, Administration, Audit

Technology: Smart Cards, X.509 Certificates, RACF/Unix/Windows Security, Security Domains, Audit Tools, Card Readers, PKI, Firewalls, Access Control Administration, Monitor-Filter, BioMetrics, Cryptography, Certificate Authority, Network Integrity, Tokens, Sign-On, Intrusion Detection, User IDs, RACF, Virus Protection, Remote Access

Source: State of AZ, OH, NC


Wireless LAN Security


802.1X

IEEE standard for port-based network access control (authentication); it belongs to the 802.1 family and is used by, but is not part of, 802.11.


802.11i

IEEE standards group “fixing” 802.1X and WEP.


LEAP

Lightweight Extensible Authentication Protocol: Cisco proprietary extensions to 802.1X (Aironet & Secure Access Control Server).


PEAP

Protected Extensible Authentication Protocol: Microsoft, Cisco and RSA Security; IETF draft.


TKIP

Temporal Key Integrity Protocol, developed by IEEE 802.11i as a WEP improvement.


TTLS

Tunneled Transport Layer Security: Funk Software and Certicom; IETF draft; alternative to PEAP.


WEP

Wired Equivalent Privacy: part of the 802.11 standard.


Web Services Security Framework.


SAML

Security Assertion Markup Language.


XACML

Extensible Access Control Markup Language


SPML

Service Provisioning Markup Language


WS-Security

SOAP extensions.


XrML

eXtensible rights Markup Language


XCBF

XML Common Biometric Format


XML Digital Signature


XML Encryption


XKMS

XML Key Management Specification


Transport Layer Security/Secure Sockets Layer


SASL

Simple Authentication and Security Layer


Kerberos


BEEP

Blocks Extensible Exchange Protocol.


These are all OASIS, IETF and W3C specifications.



Certificates


Windows


Makecert


only if you have W2K SDK.


OpenSSL


Need to download and compile


no GUI


iKeyMan


Only end user certificates


free download.


Mainframe


RACF


End user AND CA Certificates


Issues


PKCS#12


Keys only as strong as the password.


MQ5.3 Bug importing through GUI


use amqscert


CRL’s


LDAP


OCSP


CipherSpec


MD5 or SHA-1, RC2, RC4, DES, T-DES, RC5, RC6, AES. (Of these, MD5, RC2, RC4 and single DES are now considered weak; prefer the AES-based CipherSpecs.)



Application Level Security


If the message does not itself carry a certificate-based signature and is merely encrypted, you can NEVER be sure of its integrity or origin.
One “mistake” is all it takes to undo link level security.



Application Level Security provides this capability.


Managed at the API level


BEFORE MQPUT and AFTER MQGET, or through API Crossing Exits (MQ 5.3)



Crossing Exits have performance ‘baggage’.


API level means that you do NOT need WMQ…


E.g. “Mangle This”, “Unmangle This”


Means that it works with OTHER artifacts


e.g.


Tibco, SeeBeyond, WAS, WMQI, WebLogic, etc etc


Can use before “READ” and “WRITE” for files…


PathWAI Secure complements both SSL and TAMBI
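The “Mangle This / Unmangle This” pattern above, and the queue-level risks listed earlier (insert, delete, alter), are shown in working form below. This is an added example, not code from the presentation, from MQSecure, PathWAI Secure or from IBM. It assumes a pre-shared key with HMAC-SHA256 as a stand-in for the certificate-based digital signature the deck describes (the Python standard library has no RSA), adds a per-sender sequence number of our own to catch deleted and replayed messages, and uses a plain list in place of a WMQ transmission queue. The payloads are constructed.

```python
"""End-to-end ("application level") message protection around MQPUT/MQGET.

Added example; not code from the presentation or from any vendor product.
Link-level SSL protects the wire only: a message on a transmission queue or
local queue is plaintext and can be read, inserted, deleted or altered there.
Protecting the message before MQPUT and checking it after MQGET closes that gap.

Assumptions: a pre-shared 32-byte key and HMAC-SHA256 stand in for the
certificate-based signature the deck describes; the per-sender sequence
number is our own addition; a Python list stands in for the WMQ queue.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def _canonical(sender: str, seq: int, payload_b64: str) -> bytes:
    """Fixed serialization of the fields covered by the MAC."""
    body = {"sender": sender, "seq": seq, "payload": payload_b64}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect(key: bytes, sender: str, seq: int, payload: bytes) -> bytes:
    """Build the envelope the application puts on the queue ('Mangle This')."""
    payload_b64 = base64.b64encode(payload).decode("ascii")
    mac = hmac.new(key, _canonical(sender, seq, payload_b64), hashlib.sha256).hexdigest()
    env = {"sender": sender, "seq": seq, "payload": payload_b64, "mac": mac}
    return json.dumps(env, sort_keys=True, separators=(",", ":")).encode()


class Receiver:
    """Checks envelopes after MQGET ('Unmangle This'): origin, integrity, order."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                      # sender id -> shared key
        self.next_seq: Dict[str, int] = {}    # sender id -> next expected sequence number

    def accept(self, raw: bytes) -> Tuple[bool, str, bytes]:
        """Return (accepted, reason, payload); payload is empty when rejected."""
        try:
            env = json.loads(raw)
            sender, seq, mac = env["sender"], int(env["seq"]), env["mac"]
            payload = base64.b64decode(env["payload"], validate=True)
        except (ValueError, KeyError, TypeError):
            return False, "malformed envelope", b""
        key = self.keys.get(sender)
        if key is None:
            return False, f"unknown sender {sender!r}", b""
        expected = hmac.new(key, _canonical(sender, seq, env["payload"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):     # constant-time comparison
            return False, "MAC mismatch: forged or altered", b""
        want = self.next_seq.get(sender, 0)
        if seq < want:
            return False, f"replay: seq {seq} already seen", b""
        self.next_seq[sender] = seq + 1
        if seq > want:
            return True, f"accepted, but {seq - want} message(s) missing before seq {seq}", payload
        return True, "accepted", payload


def run_demo() -> List[str]:
    """Put four messages, attack the transmission queue, then get everything."""
    key = bytes(range(32))        # constructed demo key; use a random key in practice
    texts = [b"PAY 100 to ACCT-1", b"PAY 250 to ACCT-2", b"PAY 75 to ACCT-3", b"PAY 10 to ACCT-4"]
    xmit_queue: List[bytes] = [protect(key, "billing", seq, t) for seq, t in enumerate(texts)]  # MQPUT side
    # What someone with access to the queue can do (SSL on the channel does not help here):
    del xmit_queue[1]                                               # Risk 3: delete a message
    altered = json.loads(xmit_queue[2])                             # Risk 4: change message content ...
    altered["payload"] = base64.b64encode(b"PAY 75000 to ACCT-X").decode("ascii")
    xmit_queue[2] = json.dumps(altered).encode()                    # ... keeping the original MAC
    xmit_queue.append(protect(b"\x00" * 32, "billing", 4, b"PAY 1 to ACCT-EVIL"))  # Risk 2: forged, wrong key
    xmit_queue.append(xmit_queue[0])                                # replay of a delivered message
    receiver = Receiver({"billing": key})
    return [receiver.accept(raw)[1] for raw in xmit_queue]          # MQGET side


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Because the check runs in the application, the same wrapper works for any transport (the deck names Tibco, SeeBeyond, WAS, WMQI, WebLogic) and for files; what it does not give you is confidentiality, which needs encryption of the payload on top of the signature.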


Questions ?


Questions & Answers


For more information, go to:
www.candle.com/websphere


For a free whitepaper, go to :
www.candle.com/websphereoffer


Candle offers security for WebSphere MQ, the award-winning MQSecure®