1 / 29

Enterprise-Level WebSphere MQ Security

Enterprise-Level WebSphere MQ Security. Candle Profile. Over 25 years in the business One of the largest privately owned software and services providers in the world Over 1200 professionals Offices worldwide in 50+ countries Renowned WebSphere MQ consultants

jane
Download Presentation

Enterprise-Level WebSphere MQ Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Enterprise-Level WebSphere MQ Security

  2. Candle Profile • Over 25 years in the business • One of the largest privately owned software and services providers in the world • Over 1200 professionals • Offices worldwide in 50+ countries • Renowned WebSphere MQ consultants • Profitable, significant R&D investments

  3. The Program • Understanding the need for security • Best practices for protecting your critical business information • Real life experiences

  4. The Speakers • Peter Rhys Jenkins, Candle Sr. Architect • 25 years consulting to Fortune 500 planet-wide • IBM Certified WebSphere MQ everything • Published author with articles in EAI Journal and WebSphere Advisor magazines

  5. The Speakers • Lydia Heitzman, AVP Workgroup Computing, GE Commercial Distribution Finance • Manages a team implementing complex messaging architectures

  6. WebSphere MQ Agenda. • Typical vulnerabilities • Infrastructure • Risks • Recommendations – Strategic and Tactical • WiFi, Web Services • SSL, CIPHERspec's, symmetric and asymmetric key cryptography, PKI. WMQ, WMQI and WAS • Certificates

  7. Security is a PROCESS • Prevention. • Detection. • Proactive Solutions. • Cryptographic software products alone will not, and can not, ensure 100 % security for an IT infrastructure. • For more information, read: • “Secrets and Lies” by Bruce Schneier. • “Crypto” by Stephen Levy.

  8. Infrastructure – Typical 3 Tier Architecture

  9. Tier 1: Parallel Sysplex.

  10. Tier 2: WMQ Message Concentrators

  11. Tier 3: MQ Servers and Clients Router to Tier 2 Gateway to Tier 2

  12. Risks.

  13. Risks. • Millions of Messages a day make WebSphere MQ mission critical • Risk 1 – See and collect significant data • Risk 2 – Build your own and insert into a Queue • Risk 3 – Delete messages • Risk 4 – Change message content • Risk 5 – Denial of service

  14. Security Issues • Physical Security • LAN Security • Wan, Pan, Lan, WiFi • Well known ports • 25 • 1414 • Default parameters • Lack of knowledge surrounding certificates • Lack of money • Difficult ROI • ‘It won’t happen to me’ • False Sense of Confidence

  15. So, Where Are the Weak Points ?

  16. WMQ Recommendations.

  17. WMQ 5.3 SSL SSL SSL WMQ SSL supports TCP/IP WMQ Reuses Secret Key for life of channel WMQ is link level security Data on Xmit Queue and local queues is in plaintext WMQ SSL is LINK LEVEL SECURITY – good for WMQ clients

  18. Strategic Recommendations. • Distrust The Network • Build End-to-End Security (MQSecure) • Identification, Non-Repudiation, Integrity, Privacy; • Digital Certificates. • PKI. (LDAP). • Authorization – different problem – RACF, OAM, TAMBI, ACL’s. • Offload Crypto Processing • Build and Deploy an Enterprise Wide Security Model • Investigate security tokens to offset load on cert services • Expand Automation to embrace WMQ on distributed platforms • Improve the Granularity of Systems Management • Explore new technologies – WiFi Sniffers, biometrics • Deploy a Message Firewall… • Test the tools yourself – know your enemy.

  19. Tactical Recommendations. • SYSTEM.ADMIN.COMMAND.QUEUE • SYSTEM.COMMAND.INPUT • SYSTEM.DEF.xxxxxx • Limit PQEdit and similar tools to Developers • Standards and Documentation • Use Security exits to validate DNS Names • Turn on WEP • Automate DLQ Management • Turn on OAM MQ Security • Turn on SAF MQ Security

  20. Security Miscellaneous

  21. Cryptographic Co-Processor • “Free” Co-Processor • Needs ICSF etc on z/OS • Standard PCI Card – low cost.

  22. “The National Strategy To Secure Cyberspace” • Released by US Administration mid September 2002. www.securecyberspace.gov • Key Recommendations: • CEO’s should consider forming security councils to integrate cyber security, privacy, physical security and operational considerations. • Boards should consider forming committees on IT security and should ensure that the CEO regularly reviews recommendations of the chief information security official. • IT continuity plans should be regularly reviewed and exercised, and should consider site and staff alternatives. Consideration should be given to diversity in IT service providers. • Corporations should consider active involvement in industry wide programs to develop IT security best practices. • Companies should review mainframe security software and procedures, and consider developing a partnership to review and update best practices.

  23. What should be in a Security Model IDENTIFICATION AUTHENTICATION ADMINISTRATION AUTHORIZATION ACCESS CONTROL SERVICES AUDIT X.509 Certificates RACF/Unix/ Windows Security Smart Cards Security Domains Audit Tools Access Control Administration Monitor -Filter Card Readers Firewalls PKI TECHNOLOGY Network Integrity Remote Access Certificate Authority Cryptography BioMetrics Intrusion Detection Sign-On Tokens Virus Protection User ID’s RACF Source: State of AZ, OH, NC

  24. Wireless LAN Security • 802.1X IEEE 802.11 standard for authentication. • 802.11i IEEE Standards group “fixing” 802.1X and WEP. • LEAP Lightweight Extensible Authentication Protocol – Cisco proprietary extensions to 802.1X (Aironet & secure access control server) • PEAP Protected Extensible Authentication Protocol – Microsoft, Cisco and RSA Security.IETF draft. • TKIP Temporal Key Integrity Protocol, developed by IEEE 802.11i as a WEP improvement. • TTLS Tunneled Transport Layer Security – Funk Software and Certicom – IETF draft alternative to PEAP. • WEP Wireless Equivalent Privacy – 802.11 standard.

  25. Web Services Security Framework. • SAML Security Assertion Markup Language. • XACML Extensible Access Control Markup Language • SPML Service Provisioning Markup Language • WS-Security SOAP Extensions. • XrML Extensible Rights Management Language • XCBF XML Common Biometric Format • XML Digital Signature • XML Encryption • XKMS XML Key Management Specification • Transport Layer Security/Secure Sockets Layer • SASL Simple Authentication and Security Layer • Kerberos • BEEP Blocks Extensible Exchange Protocol. • These are all OASIS, IETF and W3C specifications.

  26. Certificates • Windows • Makecert – only if you have W2K SDK. • OpenSSL – Need to download and compile – no GUI • iKeyMan – Only end user certificates – free download. • Mainframe • RACF – End user AND CA Certificates • Issues • PKCS#12 – Keys only as strong as the password. • MQ5.3 Bug importing through GUI – use amqscert • CRL’s • LDAP • OCSP • Cipherspec • MD5 or SHA-1, RC2, RC4, DES, T-DES, RC5, RC6, AES

  27. Application Level Security • If the message does not itself contain a certificate and is encrypted, you can NEVER be sure of it’s integrity or origin. One “Mistake” is all it takes to undo Link level security. • Application Level Security provides this capability. • Managed at the API level – BEFORE MQPut and AFTER MQGet or through API Crossing Exits (MQ5.3) • Crossing Exits have performance ‘baggage’. • API level means that you do NOT need WMQ… • E.g. “Mangle This”, “Unmangle This” • Means that it works with OTHER artifacts – e.g. • Tibco, SeeBeyond, WAS, WMQI, WebLogic, etc etc • Can use before “READ” and “WRITE” for files… • PathWAI Secure compliments both SSL and TAMBI

  28. Questions ?

  29. Questions & Answers • For more information, go to: www.candle.com/websphere • For a free whitepaper, go to : www.candle.com/websphereoffer • Candle offers security for WebSphere MQ, the award-winning MQSecure®

More Related