Just as a matter of interest. Does anyone know of any actual, real world, deliberate, sophisticated, malicious, penetration of an MQSeries installation, and if so, what was the consequence?
Matt. -----Original Message----- From: Pavel Tolkachev [mailto:[EMAIL PROTECTED] Sent: 10 September 2003 14:28 To: [EMAIL PROTECTED] Subject: Re: Security with Server Connection channels Well, denial of service attack is always there, of course (I did not try it myself with MQ and listener pool, to be completely honest). Of course, I assume your system will use only SSL channels to have a strong authentication and confidentiality on the wire. Do not forget to set SSL_PEER to actually authenticate clients. It is slightly inconvenient though as you can only accept a single distinguished name per a channel instance -- but this is how it's done in MQ. Also, be careful with triggering and DLQ (and DLQ handlers) *inside* the cluster -- of course, the attacker must penetrate the SSL perimeter to try to take advantage of them. The threat here is that a legal, but restricted, user may try to get more privileges in trigger/dlq handler than s/he is supposed to have. That's one reason why I try to never use any of triggering / dlq handling. I am sure there are other threats, just because they are always there (access to system queues?) but I cannot think of anything concrete right away. Will let you know if (when?) I will run into anything. Hope this will help, Pavel [EMAIL PROTECTED] .AU To: [EMAIL PROTECTED] Sent by: MQSeries cc: List Subject: Security with Server Connection channels <[EMAIL PROTECTED] n.AC.AT> 09/10/2003 01:33 AM Please respond to MQSeries List Howdy all, I need some thoughts on possible security vulnabilities. If I have an MQ server being used as a gateway into a cluster, (it holds no queues) and no command server is running and a pool of listners are running for clients to connect with using a server connection channel, can anyone do anything malicious to my cluster. The platform would be Linux (red hat) and MQ v5.3 is installed, no other inetd services are installed. ____________________________________________ Sid Young B I.T. (cs dc) AD (cse) DBA Intranet Developer Analyst / Programmer Information Systems Department [EMAIL PROTECTED] QML Pathology Phone: (07) 3840 4941 Fax: Fax??? This is the 21st Century! www.qml.com.au 60 Ferry Rd West End, QLD 4101 -- This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive ============================================================================== This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you are not the intended recipient, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. CREDIT SUISSE GROUP and each legal entity in the CREDIT SUISSE FIRST BOSTON or CREDIT SUISSE ASSET MANAGEMENT business units of CREDIT SUISSE FIRST BOSTON reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. Unless otherwise stated, any pricing information given in this message is indicative only, is subject to change and does not constitute an offer to deal at any price quoted. Any reference to the terms of executed transactions should be treated as preliminary only and subject to our formal written confirmation. ============================================================================== Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive