The Deep Queue – Episode #9: Going postal about WMQ security

This episode of The Deep Queue takes its inspiration from the thousandth time I was asked how to “turn on MQ security”.  Yes, that’s right, the thousandth time.  At least since I’ve been counting.  There were perhaps half a thousand instances before I started keeping track.  Unlike being the millionth customer at the local hair salon, you don’t want to be the thousandth person to ask me how to “turn on MQ security”.

“What do you mean ‘turn on’ security?” I asked.  “What is it exactly you want security to do for you?”

“Well, you know…SECURE THE QUEUE MANAGER!” came the annoyed reply.

“What I mean is, are you trying to protect from eavesdropping, denial of service, message injection or what?  And do you want prevention, detection or forensic capabilities?”

Since nobody there had thought about it in these terms, the answer back was “I don’t know, we will get back to you.”  My dilemma is that if I have a ready-made answer for “how to turn on MQ security” it is likely not to address the real requirements…but at least I get work.  If I try to drive out the real requirements, I put myself on the bench.


Links for this episode:
WMQ Security webinar for QSAs, internal auditors, security professionals and anyone interested in knowing how to tell if your WebSphere MQ network leaks administrative access: PCIKnowledgebase.com http://is.gd/qqOX

The Black Swan by Nassim Nicholas Taleb:  http://is.gd/qqXX

Posted in DeepQueue, IBMMQ, Podcast, WMQ Security

The Deep Queue – Episode #8: The good news and the bad news

This episode of The Deep Queue contains news about the new MSoT stand-alone WMQ Explorer SupportPac, yet another payment processor data breach, updates to some items we’ve covered in the past and breaking news about a WebSphere MQ interim fix that many people will want to take a close look at.


Posted in DeepQueue, Errata, IBMMQ, MQMFT, Podcast, Publications, WMQ Security

MSoT: Stand-alone MQ Explorer download

More good news for WMQ users!  WMQ Explorer is now available as a Category 3 SupportPac, which means it is free, can be downloaded separate from the install media and is supported for customers with a valid WebSphere MQ license.

Here’s an excerpt from the internal email announcing this:

I’m pleased to announce that SupportPac MS0T: WebSphere MQ Explorer is now available for Windows:
http://www.ibm.com/support/docview.wss?rs=171&uid=swg24021041

For the first time, MQ Explorer is now available separately, and can be installed on a machine either with or without an existing MQ install. The SupportPac is available free of charge, and is supported for customers with an MQ license.

This makes MQ Explorer readily available to more of our customers, particularly z/OS and VSE customers, and improves consumability for distributed customers as for example they can now deploy MQ Explorer without having to deploy the whole MQ Server install image. It also improves consumability by enabling new installation options for Message Broker Explorer and MQ File Transfer Edition which both extend MQ Explorer.

A note on the SupportPac page says the Linux version is due out in the first half of 2009.

Posted in IBMMQ, MQMFT, News

Update to MQ Security Heats Up comment thread

There’s a comment thread going on over at the “WebSphere MQ Security Heats Up” post regarding the script settings as originally published versus the updates I have posted on this site.

RKPowers writes “I am still confused about the +set option on the QMgr. I think what you are saying is that we need to use different security settings for different versions of WMQ. Thus, we should include +set for versions of WMQ prior to V7, and omit it for V7.”

The only way to explain this is with links back to the WMQ v6.0 docs and that requires a new post instead of comments.  Here goes…


Posted in Errata, IBMMQ, WMQ Security

The Deep Queue – Episode #7: Reducing your attack surface

This installment of The Deep Queue is about improving security by reducing the number of attack vectors that are exposed.  Given two systems with equivalent functionality, the one with more exposed attack vectors is said to have a “larger attack surface”.  As I explain in the podcast, having a smaller attack surface doesn’t automatically result in a more secure system, but it sure helps.  There’s a possibility that having a smaller attack surface makes you more likely to be the victim of a hit-and-run driver, but you’ll have to listen to the podcast to understand why.

This episode also contains an installment of Random MQ Stuff.  Links are below.


Posted in DeepQueue, IBMMQ, Podcast, WMQ Security

Choosing a PCI DSS Auditor? Does WMQ awareness count?

James DeLuccia’s post about choosing a PCI DSS QSA auditor has some good advice.  I would add one criterion of my own to his list: the auditor should at least know how to spell WMQ.  Or JMS.  Or “message oriented middleware”.  While I haven’t been involved in any PCI audits, many of my customers are subject to PCI DSS.  Until recently, it was hard to find a shop that had enabled SSL on their WMQ channels.  Even now that we are starting to see SSL enabled, many MQ installations still have misconfigurations that may leave them exposed.

This is unfortunate because, as was seen first with Hannaford Brothers and now with Heartland, the “trusted internal network” is the new frontier of data theft.  Enabling SSL is great for protecting messages on the wire but if administrative access is left exposed, the attackers can disable SSL or skip sniffing traffic entirely and instead just browse the messages passing through the queue.  The answer to this is not redoubling security at the perimeter.  The answer is to apply meaningful controls at the messaging layer.  An auditor familiar with your messaging technology would seem to be a valuable asset if the goal is to actually assess security and not merely to pass the audit.

Hannaford was reportedly the first breach of data in transit.  Heartland was the biggest card data breach ever.  If the bad guys are only up to the H’s, what’s in store for firms in the I – Z range?  I prefer to think it’s strict auditing of the messaging layer and not massive name changes to monikers starting with A – G.  One of these two alternatives actually could make a difference.  The other is about as effective as what we have now.

To learn more about how to assess or secure WebSphere MQ, have a look at the presentations on the Links page.

Posted in General, News, WMQ Security

Must-read article – Secure Software: 'See No Evil' is Not a Strategy

Given that software currently enables or imperils most aspects of our buying, selling, and communicating, it is time that responsible people acknowledge that this is a massive problem, and stop looking in the opposite direction. “See No Evil” is not a strategy. [Read the full article on Network World.]

Nice to see this sentiment showing up in more mainstream venues, and very well said.

Posted in News

developerWorks live chat on WMQ

developerWorks is hosting a live text chat at Noon Eastern US time on January 22nd on the topic of WMQ Best Practices.  The panel will include some folks from the WebSphere MQ online community that you may know: Chris Frank, Peter Potkay and myself.  If you have any questions about WebSphere MQ that you haven’t been able to get decent answers to, bring them to this chat and try to stump the panel.  (Sorry, no prizes awarded for stumping the panel!)  For logistics to attend the chat, click here.

Posted in Events, IBMMQ

Whoops! Podcast audio restored.

Hmmm…maybe I need to take Andy Piper’s advice and switch my WordPress plugins.  Sure, I’ll blame it on PodPress – as if!

Well, some of you may have noticed that Episode #6 of The Deep Queue was a PDF, depending on where you subscribed.  I recently added a transcript of the show at the request of a European listener and I didn’t realize that RSS2 or PodPress won’t allow two attachments to the same post.  When I attached the transcript, the audio disappeared.  Of course this happened right before I took some time off for a minor surgery, and when I finally got back online I found a bunch of messages asking what’s up.  Sorry ’bout that!  Should be fixed now.

Posted in Change Log, Errata

Signed C&C messages? What a novel idea!

I’ve been saying for a while now that Command and Control messages need to be signed.  It’s a question of authentication.  When you pass a message to perform an administrative action, what assurance do you have that the message got to the destination unchanged?  For example, if the message contains credentials such as a user ID, an LTPA token or a shared secret, how does the command processor know that the message has arrived intact and that those fields are reliable?  Remember that this is administrative functionality we are talking about, so if there is no message integrity then authentication is not reliable.  Without reliable authentication, there is no accountability.
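To make the integrity-before-authentication argument concrete, here is an added example (my own illustration, not code from this blog, from IBM or from any WMQ component) of a command processor that refuses to trust the user ID field of an administrative message until the message has passed an integrity check. The message layout, the field names, the key and the list of administrators are all constructed for the demo. An HMAC is used because it is in the Python standard library; a digital signature would serve the same purpose and additionally give non-repudiation, since only the sender would hold the signing key.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment provisions it out of band and it
# never travels inside the message; the receiver uses it only to verify.
SHARED_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

# Constructed authorization list: which user IDs may issue admin commands.
ADMIN_USERS = {"mqadmin"}


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so sender and receiver authenticate identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_command(fields: dict, key: bytes) -> dict:
    """Return a copy of the command carrying an HMAC-SHA256 tag over every field."""
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": tag}


def verify_command(message: dict, key: bytes) -> bool:
    """True only if the tag matches the fields exactly as they arrived."""
    if "mac" not in message:
        return False
    body = {k: v for k, v in message.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected, message["mac"])


def process_command(message: dict, key: bytes) -> str:
    """Command processor: integrity first, only then trust the user ID, then authorize."""
    if not verify_command(message, key):
        # The user ID (or any other field) may have been altered in transit,
        # so nothing in the message is reliable enough to act on.
        return "rejected: integrity check failed"
    if message.get("userid") not in ADMIN_USERS:
        return "rejected: not authorized"
    return f"executed {message['action']} on {message['object']} as {message['userid']}"


# Constructed messages exercising each path of the command processor.
LEGIT = sign_command(
    {"action": "stop_channel", "object": "EXAMPLE.CHANNEL", "userid": "mqadmin"},
    SHARED_KEY,
)
# Same message, but the target object was changed after signing: tag no longer matches.
RETARGETED = {**LEGIT, "object": "PAYMENTS.CHANNEL"}
# A message that simply asserts an administrative user ID with no tag at all.
UNSIGNED = {"action": "stop_channel", "object": "EXAMPLE.CHANNEL", "userid": "mqadmin"}
# A properly signed message from a user who is not an administrator.
NON_ADMIN = sign_command(
    {"action": "stop_channel", "object": "EXAMPLE.CHANNEL", "userid": "appuser"},
    SHARED_KEY,
)

if __name__ == "__main__":
    for name, msg in [("LEGIT", LEGIT), ("RETARGETED", RETARGETED),
                      ("UNSIGNED", UNSIGNED), ("NON_ADMIN", NON_ADMIN)]:
        print(f"{name:10} -> {process_command(msg, SHARED_KEY)}")
```

The order of checks is the point: authorization is decided on the user ID field, and that field is only meaningful after the integrity check has shown the message is the one the sender built. Swapping the two checks would let anyone who can write to the command queue claim an administrative identity.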


Posted in IBMMQ, News, WMQ Security