jbur |
Posted: Thu Jun 07, 2007 3:23 pm Post subject: |
|
|
Novice
Joined: 07 Jun 2007 Posts: 11
|
jefflowrey wrote: |
jbur wrote: |
Whoah! Easy Nigel! Who said I was an MQ System Admin? I'm just using a sandbox for these tests at the moment, but I appreciate your concern.  |
If you're not an MQ Admin, you likely have no business knowing the names of the qmgrs.
Regardless, I do not know of a single enterprise large enough to have "lots of systems admins" that would approve of anyone running what amounts to an enterprise wide portscan.
Have you considered asking your boss what the proper way for you to document this is? |
We already do enterprise wide port scans actually, but I haven't found any network tools that can probe the qmgr service to pull MQ specific information. That's why I posted here.
I thought this would be a technical discussion. I really didn't expect people to get so upset.  |
|
bruce2359 |
Posted: Thu Jun 07, 2007 3:32 pm Post subject: |
|
|
Guest
|
Had you asked in your original post for network tools that can probe the qmgr service to pull MQ specific information, you might have received a warmer response. |
|
Nigelg |
Posted: Thu Jun 07, 2007 9:55 pm Post subject: |
|
|
Grand Master
Joined: 02 Aug 2004 Posts: 1046
|
Quote: |
I just hope it doesn't freeze the qmgr and cause a dump. |
Does not sound like a sandbox to me.
Are you really allowed to play ducks and drakes with the production servers in the enterprise?
I suppose if it did cause a dump there would be a problem raised with IBM demanding an immediate explanation. I should imagine IBM support have better things to do than play nursemaid to irresponsible dilettantes. _________________ MQSeries.net helps those who help themselves.. |
|
jbur |
Posted: Fri Jun 08, 2007 5:24 am Post subject: |
|
|
Novice
Joined: 07 Jun 2007 Posts: 11
|
Nigelg wrote: |
ducks and drakes..nursemaid..irresponsible dilettantes. |
Uh ok, thanks Nigel.
Anyway, thanks to everyone that tried to answer my question, even if I didn't phrase it correctly at first. I'll probably take this topic to the Nmap development mailing list from here.  |
|
jefflowrey |
Posted: Fri Jun 08, 2007 5:40 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
It's really almost entirely backwards to try and document your systems by probing the network. Configurations should be documented as they are made and changed, not independently and externally.
And it's probably indicative of questionable security practices - questionable to the level that might involve Sarbanes-Oxley if you're in the U.S. - that you're able to do this at all and do it FREQUENTLY.
You generally won't find a lot of technical discussion on MQ "over the wire", the kinds of things you'll see if you use a network traffic analyzer. There are a couple of reasons for this - one of which is that it's undocumented, another of which is that at least some parts of it are, if not proprietary, then very close. Also, in part because the network protocol is undocumented, it's subject to change.
More importantly, there are always better (technically, organizationally, and managerially better!) ways to solve whatever problem you're trying to solve by sniffing packets.
It's like trying to change your tires by driving the car and holding the wrench still. _________________ I am *not* the model of the modern major general. |
|
bruce2359 |
Posted: Fri Jun 08, 2007 6:38 am Post subject: |
|
|
Guest
|
Ah. It looks like we have an auditor/security administrator here. (I'm optimistic that he isn't a garden-variety hacker, but I could be wrong.)
Your original post was interpreted as 'how can I hack into MQ?' We here at mqseries.net are defenders of MQ. We are interested in keeping the MQ environment secure. Not a surprise that you received a cold, angry response.
Testing network and MQ security for the benefit of the organization is a good thing. It is referred to as ethical hacking. Your original post sounded like the other kind of hacking. |
|
jbur |
Posted: Fri Jun 08, 2007 7:37 am Post subject: |
|
|
Novice
Joined: 07 Jun 2007 Posts: 11
|
bruce2359 wrote: |
Ah. It looks like we have an auditor/security administrator here. (I'm optimistic that he isn't a garden-variety hacker, but I could be wrong.)
Your original post was interpreted as 'how can I hack into MQ?' We here at mqseries.net are defenders of MQ. We are interested in keeping the MQ environment secure. Not a surprise that you received a cold, angry response.
Testing network and MQ security for the benefit of the organization is a good thing. It is referred to as ethical hacking. Your original post sounded like the other kind of hacking. |
You're very observant Bruce. This isn't a security forum, so I did my best to phrase it as an administration question hoping that I could get the information I needed while still providing value for non-security forum members.
Yes, I'm doing some security research for a client planning to implement WebSphere MQ. Right now they only have a few sandbox environments up with a basic config (OAM security with OS level accounts).
At this point the security in WebSphere MQ looks pretty sad since anyone can bypass OAM security with a few client side tricks or PCF programming. Now, I'm just trying to figure out the most efficient way to protect the qmgrs from unauthorized access. If there's no easy way to secure it, then maybe they're better off looking at a different middleware product. |
|
jefflowrey |
Posted: Fri Jun 08, 2007 7:40 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
There's an excellent developerWorks article by T.Rob Wyatt that covers most of the highlights. _________________ I am *not* the model of the modern major general. |
|
PeterPotkay |
Posted: Fri Jun 08, 2007 7:58 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
There's also a Security Edition of MQSeries if this is paramount to you.
A QMGR can be made very secure, with or without the Security Edition.
A QMGR built on a server and left with all the defaults is wiiiiide open. _________________ Peter Potkay
Keep Calm and MQ On |
|
jbur |
Posted: Fri Jun 08, 2007 9:03 am Post subject: |
|
|
Novice
Joined: 07 Jun 2007 Posts: 11
|
jefflowrey wrote: |
There's an excellent developerWorks article by T.Rob Wyatt that covers most of the highlights. |
Thanks Jeff.
Is this the one you're referring to?
http://www.ibm.com/developerworks/websphere/techjournal/0701_col_wyatt/0701_col_wyatt.html
It's good to know there is a security edition available. I wouldn't say security is paramount to us, but I don't think anyone would feel comfortable with the default install granting full qmgr access to anyone on the network. It sounds like the first step to lock it down is to use SSL. |
|
bruce2359 |
Posted: Fri Jun 08, 2007 10:15 am Post subject: |
|
|
Guest
|
MQ, like most middleware applications and most operating systems, must be configured to meet site-specific security specifications.
Please refer to the WebSphere MQ V6 Security manual for a fairly comprehensive narrative and how-to on securing the MQ environment.
Remember, too, that some platforms are more secure than others. It all depends on business requirements and cost/benefit analysis. |
|
Michael Dag |
Posted: Fri Jun 08, 2007 11:22 am Post subject: |
|
|
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
jefflowrey wrote: |
Configurations should be documented as they are made and changed, not independently and externally. |
did someone call me (in case you didn't get it, click the logo...) _________________ Michael
MQSystems Facebook page |
|