The Deep Queue – Episode #6: The Myth of the Trusted Internal Network

Posted on January 1, 2009 by T.Rob

In this episode of The Deep Queue I explain why I believe the “trusted internal network” is a myth.  Many of the problems that I see on consulting assignments would have been prevented by the same security measures I recommend to protect against malicious attacks.  Except the incidents in question are not usually malicious, they are just human error.  In most of these cases the fact that there are no secondary firewalls around Production assets, no defense in depth and no checks and balances allows a simple mistake to blossom into a full-scale incident with serious financial, and often reputational, damage.

But if companies don’t want to implement security to protect against honest mistakes, perhaps they will if there is a credible outsider threat.  In this episode I argue that such a threat is real and to back that up I cite six US DOJ press releases from just the last two months describing malicious corporate network intrusions.  The press releases also give us some insight into the state of tools available for cybercriminals and the degree to which the tools have been weaponized.

Continue reading

Posted in DeepQueue, IBMMQ, Podcast, WMQ Security | Tagged , , , , , , , | 1 Comment

WMQ File Transfer Edition launched

Posted on December 7, 2008 by T.Rob

I’ve been haunting the Vienna MQ list server for long enough to have seen the topic of moving files over MQSeries, and later WebSphere MQ, raise it’s ugly head on many occasions.  I say “ugly” because creating a general-purpose program to transport files over a message-oriented protoocol is not trivial.  There are a great many issues to be resolved:

  • Does each file become a message?  If so that limits the file size to 100mb.
  • If the file can be comprised of multiple messages, they may arrive out of order, have chunks missing, etc.
  • Will code page conversion be supported?  How about line ends?
  • Assuming for the moment that the endpoints are on compatible filesystems, it is necessary to specify and manage all of the file metadata such as paths, directories, file name collisions, renaming, file creation and deletion, etc.
  • Then there are even greater issues moving files across unlike systems where file metadata needs to be converted somehow.
  • What provisions will be made for instrumentation such as flow control and scheduling?
  • How will the movement of files be tracked?

Continue reading

Posted in IBMMQ, MQMFT, News | Tagged , , , , | 1 Comment

Mission:Messaging: Migration, failover, and scaling in a WebSphere MQ cluster

Posted on December 2, 2008 by T.Rob

Certain aspects of service orientation are best served using an IBM® WebSphere® MQ cluster. The cluster provides the location independence, run time resolution of names, and concurrency required by SOA applications. For these reasons, adoption of SOA is driving migrations from point-to-point messaging networks to clustered environments. This article looks at how migration, failover, and the scaling of queue managers are affected in an SOA context.

Full text on developerWorks.

Posted in General, IBMMQ, Publications | Tagged , , , , | 5 Comments

The Deep Queue – Episode #5: WMQ Security news and Random WMQ Stuff

Posted on December 2, 2008 by T.Rob

The Deep Queue Episode #5 is now online.  In this episode we cover some WMQ security news and introduce a new segment called Random WMQ Stuff which is pretty much what it sounds like.  We also now have an iTunes feed.  Please let me know if you have any problems with it.  The link to the iTunes feed and all the other links are posted below.

Continue reading

Posted in DeepQueue, IBMMQ, Podcast, WMQ Security | Leave a comment

Having fun in Barcelona!

Posted on November 11, 2008 by T.Rob

Well, I made it to Barcelona on Sunday after 20 hours on various planes and in various terminals.  My luggage arrived on Tuesday having seen MUCH more of Europe than I was able to.  Unfortunately, I had the camera and the luggage was therefore unable to take any interesting photos of all the places to which it traveled.  In the interim I had to buy some clothes and discovered there’s a fortune to be made buying jeans in the US and selling them over here.  If the WMQ security thing doesn’t work out, I’m going into exports.

I’ve presented the two sessions from last year – WMQ Basic Security and WMQ High Availability – as well as the new WMQ Advanced Security.  All of them seemed to be well received although I’m told that the slides are not yet available on the conference web site.  I will follow up with the conference staff on that but in the meantime, I’ve uploaded the slides here:

As I mentioned in the sessions, the “Basic” presentation is about locking down administrative rights to the queue manager.  The premise is that if this is not done, none of the “Advanced” configurations are meaningful.  The Advanced slide deck is not so much about specific configurations as it is about patterns – architecture patterns, trust models, deployment patterns and so forth.  These patterns both constrain and inform the process of securing the messaging network in a meaningful way.

Once we understand the patterns, it is possible to devise an appropriate security model.  The presentation also points out that sometimes the appropriate model is largely implemented in the message layer rather than in the connectivity layer which is where base WMQ security functions.  As the network perimeter disappears, we are increasingly forced to protect the data itself and that means signing and possibly also encrypting messages.  I often encounter strong resistance when I suggest that channels should always be authenticated, for example with SSL or an exit.  When I present the slides on network topologies it becomes apparent that authenticating channels is just the first step and that message-level, end-to-end security is looming large on the horizon.  This is especially so with the SOA logical hub-and-spoke topologies, increased B2B connectivity and the requirement to securely move messages across transport providers.  I fully expect message-level encryption to become the standard in a few years but not without a lot of struggle and pain.  Not, perhaps, without one or more additional high-profile internal network breaches to raise the standard of due diligence.

Wednesday I present the High Availability pitch once more and the WMQ Basic Security is repeated Friday morning.  If you are at the conference in Barcelona, I invite you to attend one of my sessions or just flag me down in the halls and say hello.  I’d love to meet you and we don’t even need to talk about security or MQ.  OK, maybe just a little.

Posted in Events, IBMMQ, WMQ Security | Tagged , , , , , , | 4 Comments

The Deep Queue – Episode #4: Listener email and why you should care about message types

Posted on November 3, 2008 by T.Rob

In this installment we answer an email from a listener asking about channel authentication.  The requirement is for a channel exit pair that exchanges credentials securely then falls back to a plaintext channel.  In the second segment we talk about message types and how ignoring them opens up a vulnerability in your application.

Andy Piper suggested I get an iTunes feed and I’m planning on doing that but have not gotten around to it just yet.  Then again, I’m not sure how many folks are impacted by the lack of an iTunes presence.  Well, other than Andy, anyway.  I’ll try to have this option ready for the next episode.

Links for this episode:

Your feedback is welcome! To contact the show, post a comment or leave a voice mail at +1 704-719-2107.

Posted in DeepQueue, IBMMQ, Podcast, WMQ Security | Tagged , , , | 3 Comments

Some new info about amqiclen

Posted on October 25, 2008 by T.Rob

Long-time MQ listserver participant and colleague Peter Potkay recently posted the following info about amqiclen which he received from a PMR.  My most recent developerWorks article talked about how the culture within the WMQ community tends to perpetuate established best practices even when they become out of date.  This may be an example of that phenomenom at work.  It remains to be seen whether the advice offered is valid for most people and then if the community will embrace a change to our long-held best practices regarding IPC cleanup and WebSphere MQ.  Here then is the portion of Peter’s post that came from the PMR:

amqiclen runs as part of MQ install (the ‘i’ in the 4th character of thename). This process attempts to check that no process is currently accessing mqm owned ipc resurces, and if that is determined to be the case then it deletes those resources. The reason for amqiclen is that the layout of the control blocks in shared memory may changed from release to release and rather than each release have to understand the layout of all provious releases we explicitly delete these resources during install.

Queue manager restart takes similar action, if it detects that no active processes are accessing queue manager related IPC resources thenit deletes those resources. When queue manager restart finds that thereARE processes still accessing the IPC resources then it prints the process id of one such process in the AMQ8041 message (amqiclen is unable to do this as it can’t depend upon the layout of the control blocks in shared memory).

In rare circumstances (typically a severe user error, or an APARable condition) then MQ L3 might advise the customer to run amqiclen at a time other than install, but customers should not be choosing (or needing) to run this program themselves.

There’s a bit of historical hearsay related to manual removal of mqm owned resources. In early releases of MQ (prior to MQ 5.2) then the queue manager wasn’t 100% reliable in identifying whether IPC resources related to a previous queue manager instance were still being accessed (problems due to PID reuse) and some customers implemented ipcrm scripts to try to overcome these problems. The queue manager has now been able to reliably detect whether mqm owned IPC resources are still being accessed by an active process for a number of releases and manually removing mqm owned IPC resources is the cause of a number of instances of queue manager corruption (for no good purpose).

Posted in IBMMQ, News | Tagged , , , , , , , , , , | Leave a comment

Updated script templates

Posted on October 22, 2008 by T.Rob

The script templates for locking down admin access have been updated for WMQ v7 to include topics. I’ve also added additional comment lines, a change log and fixed a couple of typos. The new versions are an update to the original post MQ Security Heats Up.

Posted in Errata, IBMMQ, Publications, WMQ Security | Tagged , , | 4 Comments

Puzzled by WMQ vulnerability advisory

Posted on October 2, 2008 by T.Rob

Well, I knew this one was out there but never looked at the CVE for it – there is a memory corruption vulnerability in the WebSphere MQ ( CVE-2007-6044) that is network exploitable.  What I can’t figure out is why the Impact and Exploitability scores are both 10.  The CVE entry says:

NOTE: as of 20071116, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

In other words, “we don’t know what this does but it scares the bejeesus out of us”?  And then there’s this:

Access Complexity: Low
**NOTE: Access Complexity scored Low due to insufficient information

Continue reading

Posted in General, IBMMQ, WMQ Security | Tagged , , , , , , | Leave a comment

The Deep Queue – Episode #3: Ethical Administration

Posted on September 29, 2008 by T.Rob

In this episode of The Deep Queue I propose something I’m calling “ethical administration”.  Most people have heard of ethical hacking – doing what the bad guys do on behalf of and in cooperation with the good guys.  Ethical administration as I have imagined it is acting like the good guys on behalf of the good guys in spite of their failure to act or commit resources.

Continue reading

Posted in DeepQueue, Podcast, WMQ Security | Tagged , , , | 2 Comments