-----Original Message-----
From: Pierson, Doug (ITD) [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 10:30 AM
To: [EMAIL PROTECTED]
Subject: Penetrating an outbound firewall

Hi MQers,
Does anyone have any experience with sending MQ messages outbound through a firewall that restricts outbound traffic? The traffic needs to be delivered to numerous destination servers. Are you using MQ-IPT? If so, are you using multiple ports to define multiple routes and sending the traffic to IPT instances deployed at each of the target servers? Or, is all of your traffic sent to a single IPT instance outside of the firewall using a single route? From there, queue name resolution can be used to direct it to the true destination server with the messages in MQ protocol.
The goal of the firewall administrator is to restrict us to minimal port usage. We see the restriction to a single port using IPT to be too costly in terms of performance. The traffic volume is significant. I'm also aware of MQ 5.3's introduction of the LOCLADDR channel attribute to restrict outbound traffic to a single port or range of ports.
Any comments or feedback would be much appreciated.
Thanks,
Doug Pierson

Subject: Re: Penetrating an outbound firewall

Doug,
We are using direct MQ connections with firewall rules as specified in MA86. This has been working fine for us, except that on servers with dual NICs or virtual IP addresses (our Veritas clusters), the socket would sometimes bind to a different address under MQ pre-5.3 and be blocked by the firewall. Prior to 5.3 we had to set up rules for the physical AND virtual addresses since the binding was unspecified. The LOCLADDR field has really simplified things.

We have tried setting up rules for entire subnets but have since switched to using a set of rules for each point-to-point connection. Although there are more rules, there are fewer surprises when you change one.
Might I also suggest that you run a listener (not inetd) for external traffic that is different from your internal traffic. This way, you can shut down the external connection without impacting your internal network. If you have multiple business partners connecting to the same QMgr, run a different listener for each. Then you can disable one without impacting the others.

If you are really security conscious, run the listeners under a low-privileged ID. For example, if you have connections to XYZ Corp and ABC Corp, you can create UserIDs xyz and abc and put them into groups xyz and abc, respectively. Then start listeners under each ID. This will allow you to set up authorizations on the queues such that traffic from ABC and XYZ cannot end up on each other's queues or, worse yet, on your Command Queue.

Every time I bring this up, people always reply that you can accomplish the same thing with an exit or MCAUSER. My answer to that is that you cannot restrict traffic to a specific channel. For example, if you define XYZ.RCVR with MCAUSER('xyz'), there is nothing to prevent ABC Corp from connecting to it. For that matter, there is nothing to prevent ABC Corp from connecting to SYSTEM.DEF.SVRCONN or any other channel unless you run exits on ALL of them or use SSL on ALL of them. Running the listeners under low-privileged IDs allows you to lock down a specific path from the firewall all the way down to specific queues.
Regards,
--
T.Rob
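The per-partner setup T.Rob describes (low-privileged ID and group, queue authorizations, a dedicated listener) together with the LOCLADDR port pinning Doug mentions, as an added example that is not code from the thread. The queue manager name QM1, the queue, host, port and user/group names are assumptions; the function emits the commands so they can be reviewed before being piped to sh as root on the MQ host.

```shell
#!/bin/sh
# Added example (not from the thread): generate the per-partner least-privilege
# setup. All names (QM1, XYZ.IN, mq.xyz.example, ports, users/groups) are
# constructed assumptions. The commands are EMITTED, not executed, so that an
# administrator can review them and then run:  partner_setup ... | sh

# partner_setup <partner> <qmgr> <listener-port> <inbound-queue> <partner-host> <src-port-range>
partner_setup() {
  p=$1; qm=$2; port=$3; q=$4; host=$5; src=$6
  P=$(printf '%s' "$p" | tr '[:lower:]' '[:upper:]')   # xyz -> XYZ for object names
  cat <<EOF
# --- OS identity: one low-privileged user and group per partner
groupadd $p
useradd -g $p -s /bin/sh $p
# --- Queue manager: connect and inquire only, no administrative authority
setmqaut -m $qm -t qmgr -g $p +connect +inq
# --- The receiving MCA runs under the listener's ID, so the group may put
#     (and setall, to carry message context) only to its own inbound queue
setmqaut -m $qm -t queue -n $q -g $p +put +setall
setmqaut -m $qm -t queue -n SYSTEM.DEAD.LETTER.QUEUE -g $p +put +setall
# --- Explicitly revoke everything on the command queue so the intent is recorded
setmqaut -m $qm -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g $p -all
# --- Channels: the receiver leaves MCAUSER blank and therefore inherits the
#     listener's ID; the sender pins its source ports with LOCLADDR so the
#     outbound firewall rule can be a fixed port range instead of "any"
runmqsc $qm <<MQSC
DEFINE QLOCAL($P.XMITQ) USAGE(XMITQ) REPLACE
DEFINE CHANNEL($P.RCVR) CHLTYPE(RCVR) TRPTYPE(TCP) REPLACE
DEFINE CHANNEL($P.SDR) CHLTYPE(SDR) TRPTYPE(TCP) CONNAME('$host(1414)') XMITQ($P.XMITQ) LOCLADDR('($src)') REPLACE
MQSC
# --- A dedicated listener for this partner, started under the partner's ID;
#     stopping it cuts off this partner only
su - $p -c "runmqlsr -m $qm -t tcp -p $port" &
EOF
}

# Constructed invocation: one partner, inbound listener on 1501, outbound source ports 2500-2509
partner_setup xyz QM1 1501 XYZ.IN mq.xyz.example 2500,2509
```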