We have implemented an application using MQ. I would be very interested in
anything that you find related to security issues. We have also been
looking into the product, but have not had much success as of yet.
Thank You
Richard Lowery
Senior IS Auditor, CISA
First National Bank of Omaha
> -----Original Message-----
> From: Jason Axley [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, October 04, 2000 10:39 AM
> To: David Lang
> Cc: [EMAIL PROTECTED]
> Subject: Re: IBM MQ security?
>
> It's been a while since I've looked at MQ but I do recall a glaring hole:
> the system does absolutely no authentication of messages submitted to the
> system (MQ facilitates message passing between systems). There are
> supposedly 3rd party products that add authentication capability to MQ.
> The other concern I had was about the inability to sanity check messages
> submitted to the system (e.g. integrity checking via digital signature)
>
> Here's an excerpt from my notes after discussing MQ with IBM reps:
>
> "They tried to argue that MQ shouldn't provide any security (encryption,
> message authentication, or MQ to MQ server) but that the applications
> should--even though using MQ is supposed to make message passing a
> complete abstraction"
>
> This is "by design"--pushing security to the applications. NIMBY.
>
> -Jason
>
> On Fri, 29 Sep 2000, David Lang wrote:
>
> > Date: Fri, 29 Sep 2000 09:05:35 -0700 (PDT)
> > From: David Lang <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: IBM MQ security?
> >
> > can anyone give me pointers on IBM MQ security issues? I just had the
> > development team come and say they want to start using it and I have not
> > dealt with it before.
> >
> > the port info I can get from IBM easily enough, what I am really looking
> > for is info on how risky the protocol itself is. I will be passing it
> > through one or more internal firewalls.
> >
> > David Lang
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>
> --
>
> AT&T Wireless Services
> IT Security
> UNIX Security Operations Specialist
>
-
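The quoted reply says MQ does no authentication or integrity checking of submitted messages and leaves both to the applications. The following is an added example, not part of the original thread and not IBM or MQ code, of what such an application-layer check can look like: an HMAC-SHA256 tag over a shared key (used here in place of the digital signature mentioned in the thread) plus a per-sender sequence number to reject replays. The key table, the key id `billing-app`, the envelope fields and all function names are assumptions.

```python
import base64, hashlib, hmac, json, struct

# Constructed demo key table (assumption): key id -> shared secret.
KEYS = {"billing-app": b"constructed-demo-key-do-not-reuse"}

class Rejected(Exception):
    """Message failed authentication, integrity or replay checks."""

def _mac(key, kid, seq, body):
    # Length-prefix the key id so field boundaries cannot be shifted.
    k = kid.encode()
    data = struct.pack(">H", len(k)) + k + struct.pack(">Q", seq) + body
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(kid, seq, body):
    """Producer: wrap body in an envelope before putting it on the queue."""
    tag = _mac(KEYS[kid], kid, seq, body)
    return json.dumps({"kid": kid, "seq": seq,
                       "body": base64.b64encode(body).decode(),
                       "tag": tag.hex()}).encode()

class Consumer:
    def __init__(self):
        self.last_seq = {}  # highest sequence number accepted per key id

    def open(self, wire):
        """Return the body only if the MAC verifies and seq is fresh."""
        try:
            env = json.loads(wire)
            kid, seq = env["kid"], env["seq"]
            body = base64.b64decode(env["body"], validate=True)
            tag = bytes.fromhex(env["tag"])
            expected = _mac(KEYS[kid], kid, seq, body)
        except (ValueError, KeyError, TypeError, struct.error) as e:
            raise Rejected("malformed envelope or unknown sender") from e
        if not hmac.compare_digest(expected, tag):
            raise Rejected("MAC mismatch: forged or altered message")
        if seq <= self.last_seq.get(kid, -1):
            raise Rejected("replayed or stale sequence number")
        self.last_seq[kid] = seq
        return body
```

The consumer treats anything taken off the queue as untrusted until `open` returns, so a message injected without the key, altered in transit or replayed is dropped before the application acts on it.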