Configuration backups: the forgotten WMQ security control

Update: IBM has reconsidered and has announced that dmpmqcfg will be fixed as a defect! Subscribe if you would like a notification when the fix is announced. But please do read the post, especially if you are using amqoamd for anything.

Most of the time when someone says “security” they are actually thinking of intrusion prevention – the parts that keep unauthorized people out of the system.  But security is so much more than that.  We need to know if our security fails.  That part is intrusion detection.  After an incident we want to be able to determine how it happened and what to fix so it doesn’t happen again.  The logging and accountability functions are what support that forensic analysis.  Of course we also need to recover from an incident.  That’s the business continuity aspect.  All of these fall under the broad security umbrella and any security assessment that I perform includes aspects of all of these.

But there is an implicit assumption that the tools to perform these functions are available.  In particular, the ability to back up a configuration for later recovery is something so fundamental that many people consider it part of the baseline functionality of any Enterprise-class product.  But what if it’s not?  Or worse, what if you think it is but the provided tools do not actually do what you are expecting?  Would you know?

If your shop is concerned about the security of the WebSphere MQ network, then chances are you consciously and deliberately configure your queue managers to prevent administration by adjacent queue managers in the network.  If you do not routinely do this, then by default compromise of any one queue manager on the network compromises the entire network.  Such a compromise would include any FTE, Broker, Advanced Message Security or other components or applications that can be administered by sending messages to their command queues.

The only problem is, IBM does not currently provide a tool in the product that backs these security settings up accurately.  There are two tools documented in the WebSphere MQ Infocenter and a Technote which are described as providing configuration backup functionality.  Assuming you want that backup to be complete, both are broken.  IBM has officially responded in both cases that they are working as designed.


Webinar: Security Defenses that Withstand the Test of Time


Please join AJ Aronoff and me for a Prolifics webinar: IIB: Security Defenses that Withstand the Test of Time

For the last 7 years my security focus has mainly been intrusion prevention.  That’s all the controls you use to keep unauthorized people out of the messaging network.  I’m happy to report that things have improved on that front.  IBM has greatly improved the software and customers are enabling the security controls in record numbers.  (Not that the secured systems are yet in the majority, but it’s MUCH better than before.)

Unfortunately, intrusion prevention is only one part of the story.  A comprehensive security design also includes intrusion detection, forensic capability and incident recovery.  One reason that these are needed is that the state of the art is a moving target.  Attack technology always gets better, defensive technology moves to keep up or stay ahead.  Over time the configuration you implement today gets weaker as the state of the art continues to advance.

This webinar will focus less on the specific controls and more on how to maintain security effectiveness over time.  We will be addressing IBM Information Broker (the software formerly known as WebSphere Message Broker) but since it is built on top of WebSphere MQ the content will also be useful for WMQ admins who do not have IIB.  I hope to “see” you there!

Much thanks to my friends at Prolifics for sponsoring the webinar.


We’re gonna need a bigger crowd

What not to crowdsource: Specialty training


Crowdsourcing: Collaboration based on the idea that given a sufficiently large pool of talent, it is possible to create a specific deliverable of high quality and in a timely fashion, using donated excess capacity of the crowd.

Some things just don’t crowdsource easily.

At its core, crowdsourcing is a slight twist on that old saw about “You can have it fast, cheap or right.  Pick any two and let me know.”  The twist is that “cheap” has been stipulated as a given and replaced with “crowdsourced.”

You can have it crowdsourced.
You can have it fast.
You can have it right.
Pick any two and get back to me.

But crowdsourcing works great, right?  There’s Wikipedia, Linux, FreeDB and many other examples one can point to of high quality products built by crowds.  But what I’d invite you to do is to consider the one thing where crowdsourcing tends to fall down.


Back to consulting

Got WMQ security work?  I’m happy to report I’ll soon be available for consulting engagements!  After a couple of years in WebSphere MQ Product Management, and 6 before that in IBM Software Services, I’ve given notice to IBM and will be available for engagements as of May 13th.

My IMPACT sessions are in the process of being reassigned so I’ve adjusted the schedule on the previous blog post.  I left “Meet The Experts” on the schedule; I’ll just be in the audience this time around.  I’ll also be there for the book signing and there are 100 copies printed (including the updated typos) so come by the table Tuesday at Noon.  I believe that Neil Casey will also be in attendance and at the book signing.

The new business is IoPT Consulting.  If you’ve heard of Internet of Things, the name of the business refers to Internet of People & Things.  My biggest gripe with the first wave of IoT devices is that they neglected to consider the people who would use them.  The cool factor of a light switch, door lock, web cam or other device controlled from your phone wears off pretty quickly when you have to have 50 apps to control 50 categories of device and they don’t talk to one another.  Of course IoT has no appeal at all when your Internet connection goes dark and the house blue-screens.  I’d like to build an Internet of Things that values the people who own those things and, by the way, WebSphere messaging and MQTT are among the best ways to do that.

I’ll be available as of May 13 as an independent or, for customers with preferred vendor rosters, through one of several established firms.  I can provide short- or long-term engagements for architecture design, performance tuning, outage resolution, migration, staff augmentation, and of course security.  Lots of security.  Call me for details at 704-443-TROB or see me at IMPACT.

Coming to an event near you!

Travel has been working out well lately.  I’ve just sort of been making my own events.  Case in point, I wanted to attend the PDCNYC meeting so I put the word out I’d be available in NYC and immediately got several requests.  And that was just working with a few of the IBM account folks.  I didn’t exactly broadcast my availability.

Well, now I am.

IBM will send me pretty much anywhere in North America so long as I can meet with two or more customers (but not at the same time).  If I line up 4 or more customers I can visit other continents.  So if you want to meet in person to talk security…or clustering, architecture, high availability, migration, AMS, FTE, MQTT, identity, privacy, Internet of Things, whatever, let me know.  Maybe I can find a few others in your area and we can work something out.

Upcoming trips include:

  • Monday evening, April 8: PDCNYC
  • April 9 – 10: Customer visits, Jersey City/NYC area.
  • April 28 – May 3: IMPACT, Las Vegas (Book signing, Tuesday at Noon.)
  • May 6 – 9: Internet Identity Workshop #16, Mountain View, CA.

IMPACT Schedule

It’s that time of year again!  I’ve finally received funding approval to attend IMPACT – which is good considering how many sessions I’m participating in.  Good news – ITSO has printed 100 copies of Secure Messaging Scenarios with WebSphere MQ and arranged some time to sign them.  I will have a gel pen to sign your Kindle if you downloaded the digital version.

TSM-2018: Meet the Experts: IBM Messaging
Session Type:  Meet the Experts
Date/Time:  Mon, 29/Apr, 04:00 PM – 05:00 PM
Room:  Venetian – San Polo 3401 (Zone D)
——————————————

Secure Messaging Scenarios with WebSphere MQ
Session Type: Book Signing
Date/Time:  Tue, 1/May, 12:00 PM – 1:00 PM
Room: Conference Book Store
——————————————

BPB-3218: Better Access Control and Security Using a Single Portal
Session Type:  Birds of a Feather
Date/Time:  Wed, 1/May, 12:00 PM – 12:45 PM
Room:  Venetian – Lando 4301B
Co-presenter(s):  Peter D’Agosta, Avada Software
——————————————

TSM-2018: Meet the Experts: IBM Messaging
Session Type:  Meet the Experts
Date/Time:  Thu, 2/May, 08:45 AM – 09:45 AM
Room:  Venetian – San Polo 3401 (Zone D)
——————————————


It’s time for sensible password security standards in the PCI-DSS

Passwords are the keys to the Internet kingdom.  Sure, there are certificates that identify sites and provide the basis for TLS encryption, but it is the user ID and password that authenticate you almost everywhere you log on to something.  The implication is that the service you log on to must have a way to validate that the password you provide today matches the one you provided when you signed up or at your last password change.  But many network sites and services fail to protect those passwords properly and that significantly compounds the damage in the event of a breach.  To mitigate the potential damage, the PCI Data Security Standard (PCI-DSS) requires passwords to be encrypted.  Although this sounds good on its face, the standard fails to account for the bi-lateral nature of passwords.  As a result, assessments are more complex and expensive and the systems assessed are often less secure because of it, not more.  The changes I propose would decrease the cost of compliance while improving the level of security.