| Author |
Message
|
| bruce2359 |
 Posted: Wed Nov 24, 2010 8:33 am Post subject: |
 |
|
Poobah
Joined: 05 Jan 2008
Posts: 9475
Location: US: west coast, almost. Otherwise, enroute.
|
| Quote: |
| May give them the port, but not channel name etc. |
CHAD turned on?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
 |
| zpat |
| Posted: Wed Nov 24, 2010 8:34 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5867
Location: UK
|
As Jeff says, obscurity is not security.
Most insecure queue managers have standard or guessable channel names, and don't even log access attempts.
BlockIP2 is very useful to log as well as provide ways to avoid having many different svrconn channels (it does far more than simply check IPs). |
|
| Back to top |
|
|
| exerk |
| Posted: Wed Nov 24, 2010 8:35 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| bruce2359 wrote: |
| Quote: |
| May give them the port, but not channel name etc. |
CHAD turned on? |
You have got to be kidding! 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Wed Nov 24, 2010 8:56 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9475
Location: US: west coast, almost. Otherwise, enroute.
|
| exerk wrote: |
| bruce2359 wrote: |
| Quote: |
| May give them the port, but not channel name etc. |
CHAD turned on? |
You have got to be kidding! |
Nope. I've seen CHAD(ENABLED) on qmgrs at several client sites.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| shashivarungupta |
| Posted: Wed Nov 24, 2010 1:50 pm Post subject: |
|
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
| exerk wrote: |
| zpat wrote: |
| I don't understand the fuss here, just keep the definitions in source form and use MO72 as a "compiler". |
As I've noticed in the past with shashivarungupta, if there's a difficult way of doing things, he/she will do it  |
Good ! I don't run away from the difficult projects !  
| exerk wrote: |
| ..he/she will do it |
He !! 
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
|
| shashivarungupta |
| Posted: Wed Nov 24, 2010 2:02 pm Post subject: |
|
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
| Quote: |
MQ security starts at the network. Block every machine that is not known to be allowed to connect to the queue manager at the network level.
Then put SSL and MCAUSERS on *every* channel into the qmgr.
Then *tightly* control your certificates, and change and expire them routinely. |
Even check the IPs from where the connection requests are coming in, reject connection if they are trying to breach !
| Quote: |
| I repeat - a CCDT is not a security control. |
Yes. Still in the binary tab file you can see the IP(port) and ChannelName.
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
|
| exerk |
| Posted: Wed Nov 24, 2010 11:54 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| shashivarungupta wrote: |
| ...Good ! I don't run away from the difficult projects ! ... |
There is a world of difference between a difficult project, and making a project difficult...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Nov 25, 2010 1:28 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5867
Location: UK
|
MQ security has to be done inside the QM.
The IP address and port will never be 100% secret and you also can't remove knowledge of them once known.
But you can revoke SSL certiticates. Using SSL with BlockIp2 to gain additional flexibility in setting the MCAUSER dynamically (e.g from a value in the certificate) is the most secure and adaptable approach I know.
Of course there are products out there to do this stuff as well, and you can get by with plain MQ if you don't mind a lot of svrconn channel defs. |
|
| Back to top |
|
|
| shashivarungupta |
| Posted: Thu Nov 25, 2010 6:49 am Post subject: |
|
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
| exerk wrote: |
| shashivarungupta wrote: |
| ...Good ! I don't run away from the difficult projects ! ... |
There is a world of difference between a difficult project, and making a project difficult... |
And there is a world of difference between thinking right way and thinking wrong way about any thing... 
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
|
|
|
