Enterprise-Level WebSphere MQ Security 11 January 2017 Issue 1.0

Enterprise-Level WebSphere MQ
Security
11 January 2017 Issue 1.0
Candle Profile
Over 25 years in the business
One of the largest privately owned
software and services providers in the
world
Over 1200 professionals
Offices worldwide in 50+ countries
Renowned WebSphere MQ consultants
Profitable, significant R&D
investments
11 January 2017 Issue 1.0
The Program
 Understanding the need for security
 Best practices for protecting your
critical business information
 Real life experiences
11 January 2017 Issue 1.0
The Speakers
 Peter Rhys Jenkins, Candle Sr. Architect
 25 years consulting to Fortune 500
planet-wide
 IBM Certified WebSphere MQ
everything
 Published author with articles in EAI
Journal and WebSphere Advisor
magazines
11 January 2017 Issue 1.0
The Speakers
 Lydia Heitzman, AVP Workgroup
Computing, GE Commercial Distribution
Finance
 Manages a team implementing complex
messaging architectures
11 January 2017 Issue 1.0
WebSphere MQ Agenda.
Typical vulnerabilities
Infrastructure
Risks
Recommendations – Strategic and Tactical
WiFi, Web Services
SSL, CIPHERspec's, symmetric and asymmetric
key cryptography, PKI. WMQ, WMQI and
WAS
 Certificates






11 January 2017 Issue 1.0
Security is a PROCESS
 Prevention.
 Detection.
 Proactive Solutions.
 Cryptographic software products alone will not,
and can not, ensure 100 % security for an IT
infrastructure.
 For more information, read:
 “Secrets and Lies” by Bruce Schneier.
 “Crypto” by Stephen Levy.
11 January 2017 Issue 1.0
Infrastructure – Typical 3 Tier
Architecture
11 January 2017 Issue 1.0
Tier 1: Parallel Sysplex.
11 January 2017 Issue 1.0
Tier 2: WMQ Message Concentrators
11 January 2017 Issue 1.0
Tier 3: MQ Servers and Clients
Router
to Tier 2
Gateway
to Tier 2
11 January 2017 Issue 1.0
Risks.
11 January 2017 Issue 1.0
Risks.
 Millions of Messages a day make WebSphere
MQ mission critical





Risk
Risk
Risk
Risk
Risk
1
2
3
4
5
–
–
–
–
–
See and collect significant data
Build your own and insert into a Queue
Delete messages
Change message content
Denial of service
11 January 2017 Issue 1.0
Security Issues
 Physical Security
 LAN Security
 Wan, Pan, Lan, WiFi
 Well known ports
 25
 1414
 Default parameters
 Lack of knowledge surrounding certificates
 Lack of money
 Difficult ROI
 ‘It won’t happen to me’
 False Sense of Confidence
11 January 2017 Issue 1.0
So, Where Are the Weak Points ?
11 January 2017 Issue 1.0
WMQ Recommendations.
11 January 2017 Issue 1.0
WMQ 5.3 SSL
SSL
SSL
WMQ SSL supports TCP/IP
WMQ Reuses Secret Key for life of channel
WMQ is link level security
Data on Xmit Queue and local queues is in plaintext
WMQ SSL is LINK LEVEL SECURITY – good for WMQ clients
11 January 2017 Issue 1.0
Strategic Recommendations.


Distrust The Network
Build End-to-End Security (MQSecure)

Identification, Non-Repudiation, Integrity, Privacy;
 Digital Certificates.
 PKI. (LDAP).









Authorization – different problem – RACF, OAM, TAMBI,
ACL’s.
Offload Crypto Processing
Build and Deploy an Enterprise Wide Security Model
Investigate security tokens to offset load on cert services
Expand Automation to embrace WMQ on distributed platforms
Improve the Granularity of Systems Management
Explore new technologies – WiFi Sniffers, biometrics
Deploy a Message Firewall…
Test the tools yourself – know your enemy.
11 January 2017 Issue 1.0
Tactical Recommendations.










SYSTEM.ADMIN.COMMAND.QUEUE
SYSTEM.COMMAND.INPUT
SYSTEM.DEF.xxxxxx
Limit PQEdit and similar tools to Developers
Standards and Documentation
Use Security exits to validate DNS Names
Turn on WEP
Automate DLQ Management
Turn on OAM MQ Security
Turn on SAF MQ Security
11 January 2017 Issue 1.0
Security Miscellaneous
11 January 2017 Issue 1.0
Cryptographic Co-Processor
 “Free” Co-Processor


Needs ICSF etc on z/OS
Standard PCI Card – low cost.
11 January 2017 Issue 1.0
“The National Strategy To Secure Cyberspace”







Released by US Administration mid September 2002.
www.securecyberspace.gov
Key Recommendations:
CEO’s should consider forming security councils to integrate
cyber security, privacy, physical security and operational
considerations.
Boards should consider forming committees on IT security and
should ensure that the CEO regularly reviews
recommendations of the chief information security official.
IT continuity plans should be regularly reviewed and
exercised, and should consider site and staff alternatives.
Consideration should be given to diversity in IT service
providers.
Corporations should consider active involvement in industry
wide programs to develop IT security best practices.
Companies should review mainframe security software and
procedures, and consider developing a partnership to review
and update best practices.
11 January 2017 Issue 1.0
What should be in a Security Model
TECHNOLOGY
SERVICES
IDENTIFI AUTHENT
CATION ICATION
AUTHORIZATION
ACCESS CONTROL
ADMINIS
TRATION
X.509
Certificates
RACF/Unix/
Windows Security
Security
Domains
Smart
Cards
Card
Readers
PKI
BioMetrics
Cryptography
Tokens
User ID’s
RACF
Source: State of AZ, OH, NC
11 January 2017 Issue 1.0
AUDIT
Audit
Tools
Firewalls
Access Control
Administration
Monitor
-Filter
Remote
Access
Certificate
Authority
Network
Integrity
Sign-On
Intrusion
Detection
Virus
Protection
Wireless LAN Security


802.1X
802.11i

LEAP

PEAP

TKIP

TTLS

WEP
IEEE 802.11 standard for authentication.
IEEE Standards group “fixing” 802.1X and
WEP.
Lightweight Extensible Authentication Protocol
– Cisco proprietary extensions to 802.1X
(Aironet & secure access control server)
Protected Extensible Authentication Protocol –
Microsoft, Cisco and RSA Security.IETF
draft.
Temporal Key Integrity Protocol, developed
by IEEE 802.11i as a WEP improvement.
Tunneled Transport Layer Security – Funk
Software and Certicom – IETF draft
alternative to PEAP.
Wireless Equivalent Privacy – 802.11
standard.
11 January 2017 Issue 1.0
Web Services Security Framework.














SAML
Security Assertion Markup Language.
XACML
Extensible Access Control Markup Language
SPML
Service Provisioning Markup Language
WS-Security SOAP Extensions.
XrML
Extensible Rights Management Language
XCBF
XML Common Biometric Format
XML Digital Signature
XML Encryption
XKMS
XML Key Management Specification
Transport Layer Security/Secure Sockets Layer
SASL
Simple Authentication and Security Layer
Kerberos
BEEP
Blocks Extensible Exchange Protocol.
These are all OASIS, IETF and W3C specifications.
11 January 2017 Issue 1.0
Certificates
 Windows



Makecert – only if you have W2K SDK.
OpenSSL – Need to download and compile – no GUI
iKeyMan – Only end user certificates – free download.
 Mainframe

RACF – End user AND CA Certificates
 Issues


PKCS#12 – Keys only as strong as the password.
MQ5.3 Bug importing through GUI – use amqscert
 CRL’s



LDAP
OCSP
Cipherspec
 MD5 or SHA-1, RC2, RC4, DES, T-DES, RC5, RC6, AES
11 January 2017 Issue 1.0
Application Level Security
 If the message does not itself contain a certificate and is
encrypted, you can NEVER be sure of it’s integrity or origin.
One “Mistake” is all it takes to undo Link level security.
 Application Level Security provides this capability.
 Managed at the API level – BEFORE MQPut and AFTER MQGet
or through API Crossing Exits (MQ5.3)
 Crossing Exits have performance ‘baggage’.
 API level means that you do NOT need WMQ…
 E.g. “Mangle This”, “Unmangle This”
 Means that it works with OTHER artifacts – e.g.
 Tibco, SeeBeyond, WAS, WMQI, WebLogic, etc etc
 Can use before “READ” and “WRITE” for files…
 PathWAI Secure compliments both SSL and TAMBI
11 January 2017 Issue 1.0
Questions ?
11 January 2017 Issue 1.0
Questions & Answers
 For more information, go to:
www.candle.com/websphere
 For a free whitepaper, go to :
www.candle.com/websphereoffer
 Candle offers security for
WebSphere MQ, the award-winning
MQSecure®
11 January 2017 Issue 1.0