Enterprise-Level WebSphere MQ Security 11 January 2017 Issue 1.0 Candle Profile Over 25 years in the business One of the largest privately owned software and services providers in the world Over 1200 professionals Offices worldwide in 50+ countries Renowned WebSphere MQ consultants Profitable, significant R&D investments 11 January 2017 Issue 1.0 The Program  Understanding the need for security  Best practices for protecting your critical business information  Real life experiences 11 January 2017 Issue 1.0 The Speakers  Peter Rhys Jenkins, Candle Sr. Architect  25 years consulting to Fortune 500 planet-wide  IBM Certified WebSphere MQ everything  Published author with articles in EAI Journal and WebSphere Advisor magazines 11 January 2017 Issue 1.0 The Speakers  Lydia Heitzman, AVP Workgroup Computing, GE Commercial Distribution Finance  Manages a team implementing complex messaging architectures 11 January 2017 Issue 1.0 WebSphere MQ Agenda. Typical vulnerabilities Infrastructure Risks Recommendations – Strategic and Tactical WiFi, Web Services SSL, CIPHERspec's, symmetric and asymmetric key cryptography, PKI. WMQ, WMQI and WAS  Certificates       11 January 2017 Issue 1.0 Security is a PROCESS  Prevention.  Detection.  Proactive Solutions.  Cryptographic software products alone will not, and can not, ensure 100 % security for an IT infrastructure.  For more information, read:  “Secrets and Lies” by Bruce Schneier.  “Crypto” by Stephen Levy. 11 January 2017 Issue 1.0 Infrastructure – Typical 3 Tier Architecture 11 January 2017 Issue 1.0 Tier 1: Parallel Sysplex. 11 January 2017 Issue 1.0 Tier 2: WMQ Message Concentrators 11 January 2017 Issue 1.0 Tier 3: MQ Servers and Clients Router to Tier 2 Gateway to Tier 2 11 January 2017 Issue 1.0 Risks. 11 January 2017 Issue 1.0 Risks.  Millions of Messages a day make WebSphere MQ mission critical      Risk Risk Risk Risk Risk 1 2 3 4 5 – – – – – See and collect significant data Build your own and insert into a Queue Delete messages Change message content Denial of service 11 January 2017 Issue 1.0 Security Issues  Physical Security  LAN Security  Wan, Pan, Lan, WiFi  Well known ports  25  1414  Default parameters  Lack of knowledge surrounding certificates  Lack of money  Difficult ROI  ‘It won’t happen to me’  False Sense of Confidence 11 January 2017 Issue 1.0 So, Where Are the Weak Points ? 11 January 2017 Issue 1.0 WMQ Recommendations. 11 January 2017 Issue 1.0 WMQ 5.3 SSL SSL SSL WMQ SSL supports TCP/IP WMQ Reuses Secret Key for life of channel WMQ is link level security Data on Xmit Queue and local queues is in plaintext WMQ SSL is LINK LEVEL SECURITY – good for WMQ clients 11 January 2017 Issue 1.0 Strategic Recommendations.   Distrust The Network Build End-to-End Security (MQSecure)  Identification, Non-Repudiation, Integrity, Privacy;  Digital Certificates.  PKI. (LDAP).          Authorization – different problem – RACF, OAM, TAMBI, ACL’s. Offload Crypto Processing Build and Deploy an Enterprise Wide Security Model Investigate security tokens to offset load on cert services Expand Automation to embrace WMQ on distributed platforms Improve the Granularity of Systems Management Explore new technologies – WiFi Sniffers, biometrics Deploy a Message Firewall… Test the tools yourself – know your enemy. 11 January 2017 Issue 1.0 Tactical Recommendations.           SYSTEM.ADMIN.COMMAND.QUEUE SYSTEM.COMMAND.INPUT SYSTEM.DEF.xxxxxx Limit PQEdit and similar tools to Developers Standards and Documentation Use Security exits to validate DNS Names Turn on WEP Automate DLQ Management Turn on OAM MQ Security Turn on SAF MQ Security 11 January 2017 Issue 1.0 Security Miscellaneous 11 January 2017 Issue 1.0 Cryptographic Co-Processor  “Free” Co-Processor   Needs ICSF etc on z/OS Standard PCI Card – low cost. 11 January 2017 Issue 1.0 “The National Strategy To Secure Cyberspace”        Released by US Administration mid September 2002. www.securecyberspace.gov Key Recommendations: CEO’s should consider forming security councils to integrate cyber security, privacy, physical security and operational considerations. Boards should consider forming committees on IT security and should ensure that the CEO regularly reviews recommendations of the chief information security official. IT continuity plans should be regularly reviewed and exercised, and should consider site and staff alternatives. Consideration should be given to diversity in IT service providers. Corporations should consider active involvement in industry wide programs to develop IT security best practices. Companies should review mainframe security software and procedures, and consider developing a partnership to review and update best practices. 11 January 2017 Issue 1.0 What should be in a Security Model TECHNOLOGY SERVICES IDENTIFI AUTHENT CATION ICATION AUTHORIZATION ACCESS CONTROL ADMINIS TRATION X.509 Certificates RACF/Unix/ Windows Security Security Domains Smart Cards Card Readers PKI BioMetrics Cryptography Tokens User ID’s RACF Source: State of AZ, OH, NC 11 January 2017 Issue 1.0 AUDIT Audit Tools Firewalls Access Control Administration Monitor -Filter Remote Access Certificate Authority Network Integrity Sign-On Intrusion Detection Virus Protection Wireless LAN Security   802.1X 802.11i  LEAP  PEAP  TKIP  TTLS  WEP IEEE 802.11 standard for authentication. IEEE Standards group “fixing” 802.1X and WEP. Lightweight Extensible Authentication Protocol – Cisco proprietary extensions to 802.1X (Aironet & secure access control server) Protected Extensible Authentication Protocol – Microsoft, Cisco and RSA Security.IETF draft. Temporal Key Integrity Protocol, developed by IEEE 802.11i as a WEP improvement. Tunneled Transport Layer Security – Funk Software and Certicom – IETF draft alternative to PEAP. Wireless Equivalent Privacy – 802.11 standard. 11 January 2017 Issue 1.0 Web Services Security Framework.               SAML Security Assertion Markup Language. XACML Extensible Access Control Markup Language SPML Service Provisioning Markup Language WS-Security SOAP Extensions. XrML Extensible Rights Management Language XCBF XML Common Biometric Format XML Digital Signature XML Encryption XKMS XML Key Management Specification Transport Layer Security/Secure Sockets Layer SASL Simple Authentication and Security Layer Kerberos BEEP Blocks Extensible Exchange Protocol. These are all OASIS, IETF and W3C specifications. 11 January 2017 Issue 1.0 Certificates  Windows    Makecert – only if you have W2K SDK. OpenSSL – Need to download and compile – no GUI iKeyMan – Only end user certificates – free download.  Mainframe  RACF – End user AND CA Certificates  Issues   PKCS#12 – Keys only as strong as the password. MQ5.3 Bug importing through GUI – use amqscert  CRL’s    LDAP OCSP Cipherspec  MD5 or SHA-1, RC2, RC4, DES, T-DES, RC5, RC6, AES 11 January 2017 Issue 1.0 Application Level Security  If the message does not itself contain a certificate and is encrypted, you can NEVER be sure of it’s integrity or origin. One “Mistake” is all it takes to undo Link level security.  Application Level Security provides this capability.  Managed at the API level – BEFORE MQPut and AFTER MQGet or through API Crossing Exits (MQ5.3)  Crossing Exits have performance ‘baggage’.  API level means that you do NOT need WMQ…  E.g. “Mangle This”, “Unmangle This”  Means that it works with OTHER artifacts – e.g.  Tibco, SeeBeyond, WAS, WMQI, WebLogic, etc etc  Can use before “READ” and “WRITE” for files…  PathWAI Secure compliments both SSL and TAMBI 11 January 2017 Issue 1.0 Questions ? 11 January 2017 Issue 1.0 Questions & Answers  For more information, go to: www.candle.com/websphere  For a free whitepaper, go to : www.candle.com/websphereoffer  Candle offers security for WebSphere MQ, the award-winning MQSecure® 11 January 2017 Issue 1.0