It's been a while since I've looked at MQ but I do recall a glaring hole:
the system does absolutely no authentication of messages submitted to the
system (MQ facilitates message passing between systems).  There are
supposedly 3rd party products that add authentication capability to MQ.
The other concern I had was about the inability to sanity check messages
submitted to the system (e.g. integrity checking via digital signature).

Here's an excerpt from my notes after discussing MQ with IBM reps:

"They tried to argue that MQ shouldn't provide any security (encryption,
message authentication, or MQ to MQ server) but that the applications
should--even though using MQ is supposed to make message passing a
complete abstraction."

This is "by design"--pushing security to the applications.  NIMBY.

-Jason

On Fri, 29 Sep 2000, David Lang wrote:

> Date: Fri, 29 Sep 2000 09:05:35 -0700 (PDT)
> From: David Lang <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: IBM MQ security?
> 
> can anyone give me pointers on IBM MQ security issues? I just had the
> development team come and say they want to start using it and I have not
> dealt with it before.
> 
> the port info I can get from IBM easily enough, what I am really looking
> for is info on how risky the protocol itself is. I will be passing it
> through one or more internal firewalls.
> 
> David Lang
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

-- 

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
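
What "pushing security to the applications" looks like when the queue itself authenticates nothing, as an added example that is not part of the original post and not IBM code: the sender wraps each payload in an envelope carrying a MAC and a sequence number, and the receiver rejects anything forged, altered or replayed. It uses HMAC-SHA256 with a pre-shared per-sender key in place of the digital signature mentioned above; `SENDER_KEYS`, `compute_mac`, `seal`, `Receiver` and the envelope fields are hypothetical names, and the key is a constructed sample.

```python
import hashlib
import hmac
import json

# Constructed sample key (assumption: real keys are provisioned out of band).
SENDER_KEYS = {"billing-app": b"constructed-demo-key-not-for-production"}


def compute_mac(key, sender, seq, body):
    # Length-prefix every field so bytes cannot shift between fields.
    data = b"".join(len(p).to_bytes(4, "big") + p
                    for p in (sender.encode(), str(seq).encode(), body))
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(sender, seq, body):
    """Wrap an application payload before it is put on the queue."""
    tag = compute_mac(SENDER_KEYS[sender], sender, seq, body)
    return json.dumps({"sender": sender, "seq": seq,
                       "body": body.hex(), "mac": tag}).encode()


class Receiver:
    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per sender

    def open(self, wire):
        """Return the payload, or raise ValueError if it cannot be trusted."""
        try:
            env = json.loads(wire)
            sender, seq = env["sender"], int(env["seq"])
            body, tag = bytes.fromhex(env["body"]), str(env["mac"])
        except (ValueError, KeyError, TypeError) as exc:
            raise ValueError("malformed envelope") from exc
        key = self.keys.get(sender) if isinstance(sender, str) else None
        if key is None:
            raise ValueError("unknown sender")
        expected = compute_mac(key, sender, seq, body)
        # Constant-time comparison of the received and recomputed tags.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            raise ValueError("bad MAC")
        # The queue will deliver a captured message again; the MAC alone won't stop that.
        if seq <= self.last_seq.get(sender, -1):
            raise ValueError("replayed or out-of-order message")
        self.last_seq[sender] = seq
        return body
```
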

