Areas - PowerPoint PPT Presentation

1 / 39
About This Presentation
Title:

Areas

Description:

APIs can be written in Java, C and Pearl (developed by Morgan Stanley) ... Credit for the approach and the diagram: Bruce Schneier and IBM. WebSphere MQ ... – PowerPoint PPT presentation

Number of Views:58
Avg rating:3.0/5.0
Slides: 40
Provided by: jv25
Category:
Tags: areas

less

Transcript and Presenter's Notes

Title: Areas


1
Areas
WebSphere MQ
  • What is WebSphere MQ
  • Security objectives and architecture
  • Points of access / vulnerabilities
  • Audit considerations
  • Jargon and references
  • Q A

2
What is WebSphere MQ?
WebSphere MQ
3
what is WebSphere MQ?
WebSphere MQ
  • IBM WebSphere MQ is a store and forward network
    communication technology.
  • Launched by IBM in March 1992.
  • Previously known as MQ Series rebranded by IBM in
    2002.
  • Message Oriented Middleware offering.
  • Allows non-concurrent applications to communicate
    with each other.

4
what is WebSphere MQ?
WebSphere MQ
  • MQ is available on a wide range of platforms
    (both IBM and non IBM)
  • IBM System z (mainframe)
  • IBM System i (midrange)
  • UNIX (IBM AIX, HP NonStop, Sun Solaris)
  • Open VMS
  • Linux
  • Microsoft Windows

5
Security objectives and architecture
WebSphere MQ
6
security goals of MQ
WebSphere MQ
  • IBM made security a primary design goal for MQ.
    IBMs security goals for MQ include
  • detect and prevent unauthorised access and
    modification to resources.
  • record unauthorised attempts at access or
    modification or authorised attempts if deemed
    necessary.
  • handle complex security needs of internal and
    external connections.
  • provide isolation of less trusted systems.

7
MQ structure
WebSphere MQ
Queue Manager Channels
QM
QM
Message channel
Application (App security)
MCA
MCA
Link security
Link security
Application (App security)
Channel Exits
Channel Exits
8
application interface (API) level
WebSphere MQ
  • API are the most commonly used client interface
    with MQ Channels and queues. APIs can be written
    in Java, C and Pearl (developed by Morgan
    Stanley).
  • Standard APIs are written by application vendors
    including SWIFT.
  • API can contribute to security if written and
    managed appropriately.

9
application interface (API) level
WebSphere MQ
  • Application interface (API) security is not a
    complete solution.
  • API security services can not secure mutual
    authentication of two Message Channel Agents
    (MCAs).
  • API security services can not protect the
    transmission queue header.
  • API security services cannot protect the
    parameters of MQI calls that are sent over
    channels. i.e. application data in an MQPUT,
    MQPUT1, and MQGET calls.
  • At a message data level, it is possible to
    encrypt data before inserting it into the queue
    with an API. However, there are circumstances
    where this can be impractical. For example, where
    receiving applications do not use encryption and
    are owned by third parties.

10
security outside MQ
WebSphere MQ
  • MQ interfaces with security authorisation
    controls in the surrounding operating system.
    Examples include
  • System z has RACF or Top Secret
  • System i has object authorities which MQ can test
    including QMQMDATA or QMQMPROC.
  • WinTel (NT, XP, Vista) and UNIX (SCO, HP NonStop,
    AIX, Linux and Free BSD) provide ACLs (access
    control lists) by group and Installable Services
    Interfaces

11
Points of access / vulnerabilities
WebSphere MQ
12
points of access
WebSphere MQ
  • MQ can use security mechanisms and services in
    the surrounding environment, placing reliance on
    operating systems, network services and
    transaction managers.
  • Unauthorised access may be attempted from a
    console directly attached to the queue mangers
    server or from across the corporate network.

13
points of access
WebSphere MQ
QM
Default client channels
C l i e n t
MCA
Critical Application
SVRCONN
MQM
No object level security
No security exit

No link level security
No application level security
14
WebSphere MQ
points of access
QM
Default cluster channels
Queue Manager
MCA
Critical Application
SVRCONN
MQM
No object level security
No security exit

No link level security
No application level security
15
points of access
WebSphere MQ
QM
QM
MCA
C l i e n t
MCA
Critical Application
QM
X
MCA
MCA
MQM
Default channel open







16
WebSphere MQ
Client software"
17
WebSphere MQ
Client software"
18
WebSphere MQ
Client software"
19
general threat management
WebSphere MQ
  • Apply service packs to WebSphere MQ software
  • Update the configuration to address
    vulnerabilities were possible
  • Middleware upgrades should not be left off the
    work slate until software becomes end of life
  • Test the upgrades before rolling them out

20
WebSphere MQ



_______
21
cryptographic key storage
WebSphere MQ
  • A key repository for storing certificates must be
    prepared and secured appropriately. It is
    referred to differently on these named platforms,
    for example
  • Keyrings in RACF, ACF or TopSecret on System z
  • Key database on UNIX and System i (aka OS/400)
  • Key store or certificate stores on WinTel.
    Private keys are stored in the Windows registry.
  • Please note that default private keys are
    provided by IBM out of the box. They are widely
    known. However, they can and should be replaced.

22
MQ queue managers
WebSphere MQ
  • Queue managers provide
  • access control mechanisms
  • audit mechanisms
  • message context (information about the origin of
    a message)
  • exits (alerts for security, performance and
    errors, etc.)
  • There is no security by default. All of these
    must be designed and configured before they will
    work.

23
IBM attack tree analysis
WebSphere MQ
  • Example - bottom up attack tree for deleting MQ
    objects

24
remote denial of service
WebSphere MQ
  • If a server connection channel is defined to
    allow remote access for administration and the
    administrator has defined a server connection
    channel to allow remote administration with an
    MCAUSER ID set to an administration ID, then,
    when the client application puts a message on the
    input queue the response will go to the
    ReplyToQ causing a denial of service (DOS) to
    the server (Default installation of MQ on any
    platform).

25
Audit considerations
WebSphere MQ
26
WebSphere MQ
Recap - security
  • Default channels
  • Channel exit security
  • Channel encryption
  • The impact of patching
  • Applications can provide check sums
  • MQ sequencing numbers
  • MQ testing tools should be removed
  • Applications may provide message level encryption
  • MQ Secure edition (MQ and Tivoli) can encrypt
    queues so that mqm is not able to see the
    content

27
some questions to ask
WebSphere MQ
  • Has the IT department performed a thorough
    security assessment considering all attack
    routes?
  • Is the Windows environment configured to prevent
    remote read access to the registry (where the
    private encryption keys for MQ are kept)?
  • Do you have a dead-letter queue (DLQ) handler
    processes
  • Is there a formal change approval process for
    rules in the configuration table of the DLQ
    handler? If the rules and process for the DLQ are
    not agreed transactions (trades, settlement
    payments, etc.) may fall into the DLQ and not be
    addressed timely.
  • What authentication method is being used?
  • Are default IBM encryption keys being used?

28
queries and tools
WebSphere MQ
  • Queries and/or tools will be required to do the
    following
  • Confirming channel security
  • Verify version running

29
documentation
WebSphere MQ
  • Minimum documentation requirements
  • Inventory of all queues, channels, applications
    and application interfaces and links including
    detailed configuration information
  • Process manual should broadly contain, MQ
    installation and maintenance, MQ startup and
    shutdown, naming conventions, MQ security, MQ
    availability, monitoring and tuning.

30
MQ related jargon
WebSphere MQ
  • MQI Message Queue Interface (allows programs
    access to message queuing services)
  • MCA Message Channel Agent (each Message Channel
    comprises of two MCAs and a communications link)
  • Message Context - information about the origin of
    a message
  • Exits controls and alerting for security,
    performance and errors, etc.

31
references
WebSphere MQ
  • IBM's WebSphere MQ Security in an Enterprise
  • Bruce Schneiers Attack Trees article
    http//www.schneier.com/paper-attacktrees-ddj-ft.h
    tml

32
WebSphere MQ
Areas
  • What is WebSphere MQ
  • Security objectives and architecture
  • Points of access / vulnerabilities
  • Audit considerations
  • Jargon and references
  • Q A

33
Questions and answers
WebSphere MQ
  • Q A

34
Question One
  • Is there a WebSphere demo available?

35
Question Two
  • During penetration testing is there anything
    specific to look for?

36
Question Three
  • Is there still a Post Office product for
    WebSphere MQ?

37
Question Four
  • What do you need to look for in monitoring?

38
Question Five
  • Can you use WebSphere MQ for moving files?

39
WebSphere MQ
  • Jason Viola CISA CISSP

ISACA London Chapter Place 250 Bishopsgate Date
June 26, 2008
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Areas" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!