Is SSL required if you have a secure VPN connection?

thindk00
Posted: Thu Jul 07, 2005 12:12 am Post subject: Is SSL required if you have a secure VPN connection?
Voyager
Joined: 16 May 2001 Posts: 75 Location: UK

Hi,
I understand from reading the MQ Security manual that SSL provides security when transmitting data over an insecure network. SSL defines methods for authentication, data encryption and message integrity.
If we're using a secure VPN connection, where the security models around access to the source and destination queue managers are well defined, do we need to use SSL?
If we didn't use SSL, what risks are we exposed to?
Cheers,
Kulbir.

sebastianhirt
Posted: Thu Jul 07, 2005 1:06 am Post subject:
Yatiri
Joined: 07 Jun 2004 Posts: 620 Location: Germany

Hi,
I hope I am not telling complete bullsh*t now !
VPN is creating a secure connection between your servers.
SSL is creating a secure connection between your 2 queue managers.
If you have only VPN, an intruder to the other Server could still get access to the queue manager on the one server.
So in other words, SSL is making sure, that only authorized queue managers can talk to each other. VPN is making sure that only authorized Servers can talk to each other, but I don't see one to replace the other.
hope this helps

thindk00
Posted: Thu Jul 07, 2005 1:52 am Post subject: VPN with secured access to QM
Voyager
Joined: 16 May 2001 Posts: 75 Location: UK

Hi,
Thanks for your reply. If we're using VPN and have security around getting access to the servers and queue managers (using OS security, OAM, etc), is that considered sufficient or are there still risks associated?
Thanks,
Kulbir.

sebastianhirt
Posted: Thu Jul 07, 2005 4:32 am Post subject:
Yatiri
Joined: 07 Jun 2004 Posts: 620 Location: Germany

That depends on your requirements.
But keep in mind that if somebody is connecting through one of your svrconn channels, he or she will have (in most cases) mqm authority. And as MQM is always full access, again your security attempts might be useless.
But if you don't want to use SSL and still want to have good security, go for Security Exits. There are even some free ones out there that are apparently pretty good.
One more alternative is setting the MCAUSER to a user that can't do any harm.
There are many things to consider, many possibilities on how to make your stuff secure. I'd like to recommend you to read the Security red book by IBM, and have a close look at the security manual.
cheers
Sebastian

fjb_saper
Posted: Thu Jul 07, 2005 2:07 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

Using VPN will allow anyone in the network to read your messages/ the channel traffic.
VPN secures your network against the outside i.e. Internet.
VPN does not secure your network against the inside.
SSL secures the channel traffic. Channel traffic is encrypted and authentication is done via certs...
SSL does not encrypt the messages on the queues.
Enjoy
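
The two channel settings raised in the replies above (MCAUSER on svrconn channels, and SSL on the channel) can be checked mechanically. The following is an added example, not part of the original thread: a Python audit of SVRCONN definitions taken from runmqsc `DISPLAY CHANNEL(*) ALL` output. The sample output, channel names, user ids, certificate name and the `parse_channels`/`audit` helpers are constructed for illustration.

```python
import re

# Constructed, trimmed sample of runmqsc `DISPLAY CHANNEL(*) ALL` output
# (all names and values below are made up for this example).
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCAUTH(REQUIRED)
   SSLCIPH( )                              SSLPEER( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(app1svc)                        SSLCAUTH(REQUIRED)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)   SSLPEER(CN=app1.example.com)
AMQ8414: Display Channel details.
   CHANNEL(OPS.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(mqm)                            SSLCAUTH(OPTIONAL)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)   SSLPEER( )
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # matches NAME(value) pairs


def parse_channels(text):
    """Return one attribute dict per channel record in the output."""
    channels = []
    for line in text.splitlines():
        if line.startswith("AMQ8414"):      # start of a new channel record
            channels.append({})
        elif channels:
            for key, value in ATTR.findall(line):
                channels[-1][key] = value.strip()
    return channels


def audit(text):
    """Map each SVRCONN channel to its list of findings (empty = clean)."""
    report = {}
    for ch in parse_channels(text):
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        found = []
        user = ch.get("MCAUSER", "")
        if not user:
            found.append("blank MCAUSER: the client-asserted user id is used")
        elif user.lower() == "mqm":
            found.append("MCAUSER is mqm: full access")
        if not ch.get("SSLCIPH"):
            found.append("no SSLCIPH: channel traffic is not encrypted")
        elif ch.get("SSLCAUTH") != "REQUIRED" or not ch.get("SSLPEER"):
            found.append("SSL on, but client certificate not required or not pinned")
        report[ch["CHANNEL"]] = found
    return report
```

Calling `audit(SAMPLE)` returns an empty list for the channel that has a dedicated MCAUSER, a CipherSpec, required client authentication and an SSLPEER filter, and two findings for each of the other two channels.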