Tracking possible security breaches
jeevan
Posted: Thu Aug 31, 2006 7:52 am    Post subject: Tracking possible security breaches
My client wants to trace all possible security breaches. What are the best strategies for this? Will all these events go to the SYSTEM.ADMIN.QMGR.EVENT queue? Does it require an additional effort to write an application/security exit?
wschutz
Posted: Thu Aug 31, 2006 8:00 am
MQ can only "detect" all security breaches if you have a totally secure system. For example, most people wouldn't consider having mcauser('mqm') a secure system, because it's easily "breached", but MQ would never detect a problem.
_________________
-wayne
jeevan
Posted: Thu Aug 31, 2006 8:02 am
Thanks a lot for the prompt reply.
Does that mean these events will not be reported, and if we want to trace these events we need to write our own application?
Is that a correct understanding?
Vitor
Posted: Thu Aug 31, 2006 11:39 pm
Don't forget that some security breaches are undetectable by MQ. For instance, the contents of a queue can be read by a user with access to the file system. Likewise, an intruder who has successfully spoofed an id (like "mqm") will not raise an alert within MQ.
_________________
Honesty is the best policy.
Insanity is the best defence.
RogerLacroix
Posted: Fri Sep 01, 2006 7:38 am
Vitor wrote:
    Likewise, an intruder who has successfully spoofed an id (like "mqm") will not raise an alert within MQ.

jeevan, read the following posts to get an idea of how spoofing can happen:
Any Java program can exploit this security hole. Here is an explanation of the problem that I wrote for MQ Visual Edit (but it applies to any Java program).
http://www.mqseries.net/phpBB2/viewtopic.php?t=17842
It is a little more difficult to exploit in MQ Explorer, MO71 (MQMon), RFHUtil, etc., but it can be done with a dummy client-side security exit like the one I posted here. When you use any client-side security exit, MQ automatically blanks out the UserId!!! Weird, but true.
http://www.mqseries.net/phpBB2/viewtopic.php?t=21782
There are many things you need to look at:
- Auto channel creation
- Default SVRCONN channels
- Application SVRCONN channels
Then there are the myths like:
- An MQ Admin has stopped the command server, hence it is secured - totally, absolutely NOT true. (Plus, how would you monitor it?)
- You do not need to protect SVRCONN channels if the servers are in the same rack or data center - totally, absolutely NOT true.
My favorite 'blow their mind' test is when the MQ Admin does not allow any client connections and they delete the channels or put 'deny' or 'nobody' in the channels' MCAUSER field. I tell them to put a secret phrase in a message on a queue of the secured queue manager.
Everybody forgets that the point of MQ is to communicate. So, I just find the 'weakest link' queue manager that I can access. Then I just use MQ's built-in routing mechanism to send messages from the 'weakest link' to the 'secured' queue manager. Once I get enough information, I'll send command messages to alter or create a new channel on the secure queue manager. Then it is simply a matter of accessing the secure queue manager and finding the secret message.
This takes me about 5-10 minutes, and boy, are there usually some pissed off people. All of this would not generate any alerts in MQ.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
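A defender-side check that follows from the points raised in this thread (default SVRCONN channels, blank or 'mqm' MCAUSER values). This is an added example, not code from any poster: it parses the output of a runmqsc `DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` command and flags the settings the thread warns about. The sample output below is constructed, and the channel names APP1.SVRCONN and APP2.SVRCONN are made up.

```python
import re

# Constructed sample of runmqsc output for
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
# (illustrative; not captured from a real queue manager).
SAMPLE_RUNMQSC_OUTPUT = """\
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414I: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414I: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(nobody)
"""

PRIVILEGED_IDS = {"mqm"}          # MCAUSER values that mean "administrator"
DEFAULT_CHANNELS = {"SYSTEM.DEF.SVRCONN", "SYSTEM.AUTO.SVRCONN"}  # shipped defaults
ATTR_RE = re.compile(r"(\w+)\(([^)]*)\)")    # ATTRIBUTE(value) tokens

def parse_channels(output):
    """One dict of attributes per channel; each CHANNEL(...) token starts a new one."""
    channels = []
    for name, value in ATTR_RE.findall(output):
        if name == "CHANNEL":
            channels.append({})
        if channels:
            channels[-1][name] = value.strip()
    return channels

def audit_svrconn(output):
    """Map SVRCONN channel name -> list of findings about its MCAUSER setting."""
    findings = {}
    for ch in parse_channels(output):
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        issues = []
        mcauser = ch.get("MCAUSER", "")
        if mcauser == "":
            # Blank MCAUSER: the user id asserted by the client is trusted as-is.
            issues.append("blank MCAUSER")
        elif mcauser in PRIVILEGED_IDS:
            issues.append(f"MCAUSER({mcauser}) grants administrative authority")
        if ch["CHANNEL"] in DEFAULT_CHANNELS:
            issues.append("default channel still defined")
        if issues:
            findings[ch["CHANNEL"]] = issues
    return findings
```

Run it against real output by piping `echo "DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc QMGR` into `audit_svrconn`; a clean result is an empty dict.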