flaufer
Posted: Tue Mar 15, 2011 5:22 am Post subject: BlockIP2/MQSSX - forward lookup or reverse lookup?
Acolyte
Joined: 08 Dec 2004 Posts: 59

Folks,
I'm just stumbling over something in my head which I need to figure out...
If I decide to use a channel security exit, say BlockIP2 or Capitalware's Standard Security Exit (MQSSX), in order to allow only a selected range of IPs to connect to a channel.... rrr.. to be precise.. only allow A SINGLE IP to connect to a channel...
can I:
a) provide a hostname instead of an IP address (FQDN, resolvable through the hosts lookup setup)?
Neither the MQSSX nor the BlockIP2 documentation says anything about this...
b) if yes... how would the matching between the incoming IP and the filter hostname be achieved... by
b1) forward lookup of the configured FQDN to match the incoming IP?
or
b2) reverse lookup of the incoming IP to match the configured FQDN?
Felix

fjb_saper
Posted: Tue Mar 15, 2011 5:40 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

I understand your quandary. It looks like you have a dynamic allocation for the IP of the box you want to authorize.
Make it easy on yourself and solve this with SSL. Set the SSL peer matching and make it so that it only matches the single cert you will deliver to that user/machine.
Have fun
_________________
MQ & Broker admin

flaufer
Posted: Tue Mar 15, 2011 5:47 am Post subject: ssl is being considered ...
Acolyte
Joined: 08 Dec 2004 Posts: 59

fjb_saper wrote:
    I understand your quandary. It looks like you have a dynamic allocation for the IP of the box you want to authorize.
    Make it easy on yourself and solve this with SSL. Set the SSL peer matching and make it so that it only matches the single cert you will deliver to that user/machine.
    Have fun :innocent:
:-) SSL is under consideration....
However, the peers I want to "limit access to particular channels" do have a static IP setup.
So I guess neither Capitalware's MQSSX nor BlockIP2 then supports anything other than direct IP filtering?
Felix

zpat
Posted: Tue Mar 15, 2011 6:43 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

BlockIP2 will resolve hostnames. I use that feature to avoid coding IP numbers in the ini file. You can list several hostnames (but not on the same CON= line) in the BlockIP2 ini file.
A range of numbers like (10.1.2.*) is inherently numeric only in nature.
Since this exit is free, I suggest you try it out.

flaufer
Posted: Tue Mar 15, 2011 6:54 am Post subject: still.. forward or backward?
Acolyte
Joined: 08 Dec 2004 Posts: 59

zpat wrote:
    BlockIP2 will resolve hostnames. I use that feature to avoid coding IP numbers in the ini file. You can list several hostnames (but not on the same CON= line) in the BlockIP2 ini file.
    A range of numbers like (10.1.2.*) is inherently numeric only in nature.
    Since this exit is free, I suggest you try it out.
I'm currently trying out both BlockIP2 and MQSSX from Capitalware, however I have no possibility to influence DNS resolving here (either forward or backward resolution) and I'd still need to know if forward or backward resolution is performed in the case an FQDN is used.
Felix

zpat
Posted: Tue Mar 15, 2011 8:06 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

I think BlockIP2 only converts the IP names in the ini file to IP numbers (from a quick look at the source).
I imagine that the channel exit is passed an IP number by MQ.

RogerLacroix
Posted: Tue Mar 15, 2011 10:05 am
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada

All,
When a security exit is invoked, MQ supplies the exit with the incoming IP address (and not the hostname).
MQSSX (or MQAUSX) does not do a reverse lookup of the IP address for the hostname for 1 very specific reason: it is extremely slow. Since I am a speed freak, reverse lookups just don't cut it.
I have done performance tests and MQSSX can process 165 incoming connections per second (sustained over an hour) and the server was only running at 65% CPU. So, there was more room to grow. Speed is important to most companies.
I get the "filter hostname" question about once every 6 months from people who do not want authentication but want filtering of hostname. I have never seen a production server have a dynamic IP address, so if you are talking about failover situations the question becomes why can't you just list the IP addresses in the filter.
If you have 5 servers, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5 then just do the filter as:
UseAllowIP=Y
AllowIP=1.1.1.[1-5]
If your DR servers are on a different subnet then just add them like:
UseAllowIP=Y
AllowIP=1.1.1.[1-5];1.2.2.[1-5]
Once a person comes to understand that MQ supplies the IP address to the exit, and that really "it is ok", then filtering by IP address is really easy.
Finally, MQSSX is a supported commercial product. Meaning, you get help if / when you have issues. BlockIP2 is unsupported.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter

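The AllowIP lines above show the shape of the filter: a semicolon-separated list of entries, each octet either a literal, a `*` wildcard (zpat's `10.1.2.*`) or a `[lo-hi]` range. The following is an added example written for this thread, not MQSSX's or BlockIP2's own code, that evaluates such a list against the address MQ hands the exit. The element syntax is inferred from the entries quoted in the thread and is an assumption about the real parser; the addresses probed in `main` are constructed. The point to notice is the default-deny behaviour: with `UseAllowIP=Y`, an address that matches no entry, or that does not parse at all, is refused.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a dotted-quad IPv4 string into four octets; 1 on success, 0 on malformed input.
 * %n records how much was consumed so trailing junk ("1.2.3.4.5") is rejected. */
static int parse_ipv4(const char *s, int out[4])
{
    int consumed = 0;
    if (sscanf(s, "%d.%d.%d.%d%n", &out[0], &out[1], &out[2], &out[3], &consumed) != 4)
        return 0;
    if (s[consumed] != '\0')
        return 0;
    for (int i = 0; i < 4; i++)
        if (out[i] < 0 || out[i] > 255)
            return 0;
    return 1;
}

/* Match one octet against one pattern element: a literal ("17"), "*" or a range ("[1-5]").
 * The element is the slice [pat, pat+len) of the pattern string, so copy it to NUL-terminate.
 * Element syntax is assumed from the thread's examples, not taken from the product. */
static int octet_matches(const char *pat, size_t len, int octet)
{
    char buf[16];
    if (len == 0 || len >= sizeof buf)
        return 0;
    memcpy(buf, pat, len);
    buf[len] = '\0';

    if (strcmp(buf, "*") == 0)
        return 1;
    if (buf[0] == '[') {
        int lo, hi;
        char close = 0;
        if (sscanf(buf, "[%d-%d%c", &lo, &hi, &close) != 3 || close != ']')
            return 0;                       /* malformed range never matches */
        return octet >= lo && octet <= hi;
    }
    char *end;
    long v = strtol(buf, &end, 10);
    return *end == '\0' && v == octet;      /* whole element must be a number */
}

/* Match an address against one entry such as "1.1.1.[1-5]" or "10.1.2.*", octet by octet. */
int ip_matches_pattern(const char *pattern, const char *ip)
{
    int oct[4];
    if (!parse_ipv4(ip, oct))
        return 0;
    const char *p = pattern;
    for (int i = 0; i < 4; i++) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (!octet_matches(p, len, oct[i]))
            return 0;
        if (i < 3) {
            if (dot == NULL)
                return 0;                   /* fewer than four elements */
            p = dot + 1;
        } else if (dot != NULL) {
            return 0;                       /* more than four elements */
        }
    }
    return 1;
}

/* Evaluate an AllowIP list ("a;b;c"). With UseAllowIP=Y only an address matching some
 * entry is admitted, so anything unmatched or unparsable is denied: default deny. */
int ip_allowed(const char *allow_list, const char *ip)
{
    char copy[512];
    if (strlen(allow_list) >= sizeof copy)
        return 0;
    strcpy(copy, allow_list);
    for (char *tok = strtok(copy, ";"); tok != NULL; tok = strtok(NULL, ";")) {
        while (*tok == ' ')
            tok++;                          /* tolerate "a; b" spacing in the ini file */
        if (ip_matches_pattern(tok, ip))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed probes against the AllowIP value quoted in the thread. */
    const char *allow = "1.1.1.[1-5];1.2.2.[1-5]";
    const char *probes[] = { "1.1.1.3", "1.2.2.5", "1.1.1.6", "10.1.2.7", "bogus" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-10s -> %s\n", probes[i], ip_allowed(allow, probes[i]) ? "allow" : "deny");
    return 0;
}
```

A real exit would receive the address from the MQCD channel definition rather than as a string literal, but the decision logic is the same; keeping it a pure function of (list, address) also makes it easy to unit-test the filter before deploying it on a channel.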
flaufer
Posted: Tue Mar 15, 2011 10:29 am Post subject: IP or FQDN
Acolyte
Joined: 08 Dec 2004 Posts: 59

Roger,
thanks for your input to this.
RogerLacroix wrote:
    MQSSX (or MQAUSX) does not do a reverse lookup of the IP address for the hostname for 1 very specific reason: it is extremely slow. Since I am a speed freak, reverse lookups just don't cut it.
    I have done performance tests and MQSSX can process 165 incoming connections per second (sustained over an hour) and the server was only running at 65% CPU. So, there was more room to grow. Speed is important to most companies.
    I get the "filter hostname" question about once every 6 months from people who do not want authentication but want filtering of hostname. I have never seen a production server have a dynamic IP address, so if you are talking about failover situations the question becomes why can't you just list the IP addresses in the filter.
Maybe I should have been more precise...
My scenario is about sender/receiver channels, no client connections here... so there is supposedly no high rate of connection attempts that want to establish a server connection channel.
Furthermore the IP address assignment is static. Not dynamic (no DHCP or something varying a lot).
Also in our special case, the administration of the remote peers is very complex and complicated... this is why pushing ssl certificates to the remote ends is currently not an option (however still under consideration).
However, we do trust our DNS, this is something we have control over... and my personal experience over the past years (and goal from a sysadmin point of view) is to reduce mentioning of IPs and rather use FQDNs (or relative DNs). Especially in growing companies where IP addresses change from time to time (haven't seen it here, but have seen it elsewhere and it always comes at times when you don't want to deal with it), so adding a place in a config file where an IP is recorded - and needs to be changed manually - should be avoided imho, thus replaced by lookup using a naming service (e.g. DNS).
Cheers,
Felix

RogerLacroix
Posted: Tue Mar 15, 2011 10:59 am Post subject: Re: IP or FQDN
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada

flaufer wrote:
    haven't seen it here, but have seen it elsewhere and it always comes at times when you don't want to deal with it
Yup, and I have been at companies where people update the DNS on the fly and things get messed up. There is always an Achilles heel.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter

zpat
Posted: Tue Mar 15, 2011 12:14 pm
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

Production servers may not have DHCP dynamic IP addresses but ours will have different IP addresses based on DNS aliases which are regularly re-pointed from one data centre to another for various reasons.
I use the optional feature of BlockIP2 to list the more human readable hostnames (DNS aliases) which do not require a change if the DNS entry is changed for whatever reason and also are much more meaningful to look at in a list. Connection frequency to MQ will not be that rapid unless you have a large number of very badly written client applications.

RogerLacroix
Posted: Tue Mar 15, 2011 1:15 pm
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada

All,
Ok. Fine. Here's my thinking: I think the best solution, so as not to affect other customers, is to add new keywords (and not touch AllowIP).
e.g.
UseAllowHostname=Y
AllowHostname=server1.aaa.com;server2.bbb.*;server3.*.com
Hence, the function gethostbyaddr() would only be called if UseAllowHostname is set to 'Y'. This would allow MQSSX (or MQAUSX) to still be extremely fast and the penalty is only for those who want the reverse lookup.
Note: AllowHostname will support regular expressions like AllowIP, AllowUserID, etc... Hence, you will be able to use place-holders and wild cards.
zpat wrote:
    Connection frequency to MQ will not be that rapid unless you have a large number of very badly written client applications.
Actually, I have a number of customers who, at any given time, have 20 client connection requests per second and this is "normal" operation. So for them, speed is very important.
The fun comes when there is an issue. Reading through log files when there are 100 connection requests per second is a head-banging experience.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter

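Two different mechanisms are being discussed in this thread under the one word "hostname": zpat's description of BlockIP2 resolving the configured names forward to addresses, and the AllowHostname proposal above, which reverse-resolves the connecting address with gethostbyaddr() and matches the returned name against patterns. The following is an added example, not code from either product, that puts the two side by side and adds a third variant, forward-confirmed reverse DNS, which accepts the PTR name only if it resolves back to the connecting address. DNS is replaced by a constructed in-memory table (the `A_RECORDS` and `PTR_RECORDS` arrays, all names and addresses made up) so the block runs offline; the label-wise `*` wildcard is an assumed reading of `server2.bbb.*` and `server3.*.com`, not the product's regular-expression syntax. The record `192.0.2.9` is there to show why the third variant matters: the owner of a reverse zone can publish any name in a PTR record, so a reverse-only filter is only as trustworthy as every reverse zone it might be asked about, whereas the forward check ties the name back to a zone the defender actually trusts.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for DNS so the example runs offline: forward (A) and reverse (PTR)
 * records. A real exit would call getaddrinfo()/gethostbyname() and gethostbyaddr(). */
struct a_rec   { const char *name; const char *ip; };
struct ptr_rec { const char *ip;   const char *name; };

static const struct a_rec A_RECORDS[] = {
    { "server1.aaa.com", "10.1.1.1" },
    { "server1.aaa.com", "10.1.1.2" },   /* one name, several addresses */
    { "server2.bbb.net", "10.2.2.2" },
};
static const struct ptr_rec PTR_RECORDS[] = {
    { "10.1.1.1",  "server1.aaa.com" },
    { "10.2.2.2",  "server2.bbb.net" },
    { "192.0.2.9", "server1.aaa.com" },  /* PTR asserts a name whose A records do not cover it */
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Forward check: does NAME resolve to IP? Wildcard entries never resolve, so they never match. */
static int forward_has_ip(const char *name, const char *ip)
{
    for (size_t i = 0; i < COUNT(A_RECORDS); i++)
        if (strcasecmp(A_RECORDS[i].name, name) == 0 && strcmp(A_RECORDS[i].ip, ip) == 0)
            return 1;
    return 0;
}

/* Reverse lookup: the PTR name for IP, or NULL when there is none. */
static const char *reverse_name(const char *ip)
{
    for (size_t i = 0; i < COUNT(PTR_RECORDS); i++)
        if (strcmp(PTR_RECORDS[i].ip, ip) == 0)
            return PTR_RECORDS[i].name;
    return NULL;
}

/* Label-by-label, case-insensitive hostname match; '*' stands for exactly one non-empty
 * label ("server2.bbb.*", "server3.*.com"). Assumed syntax, not the product's parser. */
static int hostname_matches(const char *pattern, const char *name)
{
    for (;;) {
        const char *pd = strchr(pattern, '.');
        const char *nd = strchr(name, '.');
        size_t pl = pd ? (size_t)(pd - pattern) : strlen(pattern);
        size_t nl = nd ? (size_t)(nd - name) : strlen(name);
        int wildcard = (pl == 1 && pattern[0] == '*' && nl > 0);
        if (!wildcard && (pl != nl || strncasecmp(pattern, name, pl) != 0))
            return 0;
        if ((pd == NULL) != (nd == NULL))
            return 0;                       /* different number of labels */
        if (pd == NULL)
            return 1;
        pattern = pd + 1;
        name = nd + 1;
    }
}

/* Split "a;b;c" and apply MATCH to each entry; 1 if any entry accepts SUBJECT. */
static int any_entry(const char *list, const char *subject,
                     int (*match)(const char *, const char *))
{
    char copy[256];
    if (strlen(list) >= sizeof copy)
        return 0;
    strcpy(copy, list);
    for (char *e = strtok(copy, ";"); e != NULL; e = strtok(NULL, ";"))
        if (match(e, subject))
            return 1;
    return 0;
}

/* Variant 1, the forward lookup zpat describes: resolve each configured name, compare to IP. */
int allowed_by_forward(const char *allow_names, const char *ip)
{
    return any_entry(allow_names, ip, forward_has_ip);
}

/* Variant 2, the proposed AllowHostname: reverse-resolve IP, match the PTR name against the
 * patterns. This trusts whoever administers the reverse zone for that address. */
int allowed_by_reverse(const char *allow_names, const char *ip)
{
    const char *ptr = reverse_name(ip);
    return ptr != NULL && any_entry(allow_names, ptr, hostname_matches);
}

/* Variant 3, forward-confirmed reverse DNS: the PTR name counts only if it resolves back to
 * the connecting address. Any lookup failure is a deny. */
int allowed_fcrdns(const char *allow_names, const char *ip)
{
    const char *ptr = reverse_name(ip);
    if (ptr == NULL || !forward_has_ip(ptr, ip))
        return 0;
    return any_entry(allow_names, ptr, hostname_matches);
}

int main(void)
{
    const char *allow = "server1.aaa.com;server2.bbb.*";   /* constructed AllowHostname value */
    const char *probes[] = { "10.1.1.1", "10.1.1.2", "10.2.2.2", "192.0.2.9" };
    for (size_t i = 0; i < COUNT(probes); i++)
        printf("%-10s forward=%d reverse=%d fcrdns=%d\n", probes[i],
               allowed_by_forward(allow, probes[i]), allowed_by_reverse(allow, probes[i]),
               allowed_fcrdns(allow, probes[i]));
    return 0;
}
```

The four probes illustrate the trade-offs raised in the thread: `10.1.1.2` passes the forward check but has no PTR record, so a reverse-only filter rejects a legitimate peer; `10.2.2.2` can only be admitted by a name pattern, which the forward variant cannot resolve; and `192.0.2.9` is admitted by the reverse-only variant but refused once the name is confirmed forward. The cost Roger describes is also visible in the structure: variants 2 and 3 do one or two lookups per inbound connection, whereas variant 1 can resolve its list once at exit load.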
zpat
Posted: Tue Mar 15, 2011 1:19 pm
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK

MQConn is a relatively heavy overhead MQI call as I am sure you know.
They should get their client applications fixed! I get annoyed if I see an MQ application reconnecting more than once every 30 seconds.
If they want to use a central, shared, secured queue manager they have to follow the rules, so that they don't compromise the service.

RogerLacroix
Posted: Tue Mar 15, 2011 1:28 pm
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada

Hi,
You are thinking too small. These queue managers are part of a shared infrastructure with a max channels of 10,000. Web servers are growing and shrinking the number of connections (per normal), new applications starting and stopping, etc.
These queue managers are not running on simple dual core servers but are pumped-up beasts that are very busy servicing hundreds of applications with thousands of connections.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter

mqjeff
Posted: Tue Mar 15, 2011 5:30 pm
Grand Master
Joined: 25 Jun 2008 Posts: 17447

Why is it worse for a correctly written exit to add this option, rather than requiring that a qmgr allow this option?

flaufer
Posted: Tue Mar 15, 2011 9:59 pm Post subject: Re: IP or FQDN
Acolyte
Joined: 08 Dec 2004 Posts: 59

RogerLacroix wrote:
    flaufer wrote:
        haven't seen it here, but have seen it elsewhere and it always comes at times when you don't want to deal with it
    Yup, and I have been at companies where people update the DNS on the fly and things get messed up. There is always an Achilles heel. :)
    Regards,
    Roger Lacroix
    Capitalware Inc.
Yes... the same goes for every external service somebody relies on (name service, catalog service, authorization service, etc. pp.). Think of this in a "cloud". Or a normal distributed environment in a big company. Rarely will you find the one/team who controls your directory in the same group - or even with MQ knowledge.
Felix