MQSeries.net Forum Index » WebSphere DataPower » Usage of DataPower as MQ secure external gateway

Usage of DataPower as MQ secure external gateway
anveshita
PostPosted: Sun Dec 04, 2011 11:46 am    Post subject: Usage of DataPower as MQ secure external gateway

Master

Joined: 27 Sep 2004
Posts: 254
Location: Jambudweepam

Per IBM documentation, the XS40 (XI50) could be used as an external gateway to secure traffic in and out of the organization's network. Let us say organization A sends MQ messages to organization B via a secured private network.
The proposed flow is A-->MQ-XI50 (internal ESB)-->MQ--->External DP XS40(XI50)-->MQ--->B
In the above flow:
We could use XS40 or XI50 as External secured gateway.

Is the external DP XS40 (XI50) really needed to secure the messages? Can't we enforce security on MQ? If we really need to use the XS40 or XI50 to secure the messages, how do we implement it? Please let me know if there is any documentation implementing the above pattern.
Thanks
mqjeff
PostPosted: Mon Dec 05, 2011 1:59 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

DataPower can only act as an MQ Client. It can't, for example, act as an MQ IPT device.

So you must have a queue manager in place on either "side" of a datapower device, from which you get and put messages. These can, of course, be the same or different queue managers.
Vitor
PostPosted: Mon Dec 05, 2011 6:11 am    Post subject: Re: Usage of DataPower as MQ secure external gateway

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

anveshita wrote:
does the external DP XS40(XI50) really needed to secure the messages? Can't we enforce security on MQ?


Not my area of expertise you understand, but broadly yes you can secure with only WMQ between 2 queue managers.

There are a number of reasons why you might want to put DataPower between them. Perhaps all the traffic isn't over WMQ. Perhaps you want to use DataPower's transformational capabilities as well. Perhaps the WMQ security isn't strong enough for your site's needs & you want to plug an HSM into the side of DataPower.

Other and probably better reasons undoubtedly exist.
_________________
Honesty is the best policy.
Insanity is the best defence.
lancelotlinc
PostPosted: Mon Mar 12, 2012 8:35 am    Post subject:

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

Perhaps you can specify what document you are looking at. IBM DataPower XI50s are typically deployed in datacenters to tackle high performance security and mediation workloads. They offer shared security enforcement for XML threat protection (XML Firewall), authentication, authorization, access control and auditing as well as DMZ-ready tamper resistant security features.

This is a different concept than applying MQ-specific security to queue access.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
anveshita
PostPosted: Fri Mar 30, 2012 10:15 am    Post subject:

Master

Joined: 27 Sep 2004
Posts: 254
Location: Jambudweepam

Let me clarify a bit.
The flow I have is:

A-->MQ-XI50 (internal ESB)-->MQ--{firewall}->DMZ[External DP] XS40(XI50)-->MQ--{firewall}-->{secured network}--->{firewall}-MQ---> B
-------------------------------------------

But is it the right setup? In the above I do not see a need for [External DP].

The flow can be
A-->MQ-XI50 (internal ESB)-->{firewall}->MQ--{firewall}-->{secured network}--->{firewall}-MQ---> B

Can someone explain what purpose the external DP serves?

TIA
mqjeff
PostPosted: Fri Mar 30, 2012 10:23 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The external DP will be used to ensure that messages are authenticated from the correct source and contain valid business data from that authenticated source.

To keep, for example, Customer 1 from submitting records for Customer 2...
anveshita
PostPosted: Fri Mar 30, 2012 10:29 am    Post subject:

Master

Joined: 27 Sep 2004
Posts: 254
Location: Jambudweepam

mqjeff wrote:
The external DP will be used to ensure that messages are authenticated from the correct source and contain valid business data from that authenticated source.

To keep, for example, Customer 1 from submitting records for Customer 2...


If it is a secured network, will it not ensure authentication? Not sure if the external DP is adding value. Moreover, we could even put security on MQ if needed. A counter argument....
mqjeff
PostPosted: Fri Mar 30, 2012 10:33 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

anveshita wrote:
mqjeff wrote:
The external DP will be used to ensure that messages are authenticated from the correct source and contain valid business data from that authenticated source.

To keep, for example, Customer 1 from submitting records for Customer 2...


If it is a secured network, will it not ensure authentication? Not sure if the external DP is adding value. Moreover, we could even put security on MQ if needed. A counter argument....


If it's a secured network link to a completely unsecure business partner, is it still a secured network link?
anveshita
PostPosted: Fri Mar 30, 2012 10:37 am    Post subject:

Master

Joined: 27 Sep 2004
Posts: 254
Location: Jambudweepam

mqjeff wrote:
anveshita wrote:
mqjeff wrote:
The external DP will be used to ensure that messages are authenticated from the correct source and contain valid business data from that authenticated source.

To keep, for example, Customer 1 from submitting records for Customer 2...


If it is a secured network, will it not ensure authentication? Not sure if the external DP is adding value. Moreover, we could even put security on MQ if needed. A counter argument....


If it's a secured network link to a completely unsecure business partner, is it still a secured network link?


I think I did not get it. It's a secured private network. Can you explain with an example?
mqjeff
PostPosted: Fri Mar 30, 2012 10:43 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

I mean this.

If your end is secure.

And the link is secure.

And the other side is UNSECURE.

Is the link secure, actually?

My point is, how much do you actually trust your partners?

If the answer is "not much", then the DP box adds value.

If the answer is "a lot", then maybe it doesn't.
anveshita
PostPosted: Fri Mar 30, 2012 10:45 am    Post subject:

Master

Joined: 27 Sep 2004
Posts: 254
Location: Jambudweepam

mqjeff wrote:
I mean this.

If your end is secure.

And the link is secure.

And the other side is UNSECURE.

Is the link secure, actually?

My point is, how much do you actually trust your partners?

If the answer is "not much", then the DP box adds value.

If the answer is "a lot", then maybe it doesn't.


Yes. It is between two trading partners who trust each other. But to your point, if the other side is UNSECURE, as long as you secure MQ, I find there is no reason why an external DP is needed.
Vitor
PostPosted: Fri Mar 30, 2012 10:54 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

anveshita wrote:
I think I did not get it. It's a secured private network. Can you explain with an example?


While I don't plan to put words in the mouth of my most worthy associate, consider this example which is utterly theoretical & never happened...

Company A is a supplier sending invoices directly to Company B. Because A is a principal supplier of B, sending many hundreds of invoices of all amounts, they submit invoices directly into the procurement process, where they're charged against cost centers and paid automatically. B has provided a secure network in the form of a dedicated ISDN line between A & B which has hardware-provided wire-level encryption at each end. This line went through dedicated hardware into a network card on B's server that received inbound invoices.

At the other end it went into a 10-port router on a table to one side of their accounts office. To make things easier, they'd enabled the hub for WiFi so they didn't need to trail wires into the PCs generating the invoices. The WiFi was of course WPA2-secured with a pre-allocated password, which could only be obtained by looking at the Post-It note on the router.

Like I said, this never happened. It didn't nearly end a 10-year relationship between the 2 companies and didn't result in supply costs dropping by nearly 15%.
_________________
Honesty is the best policy.
Insanity is the best defence.
anveshita
PostPosted: Fri Mar 30, 2012 11:12 am    Post subject:

Master

Joined: 27 Sep 2004
Posts: 254
Location: Jambudweepam

Vitor wrote:
anveshita wrote:
I think I did not get it. It's a secured private network. Can you explain with an example?


While I don't plan to put words in the mouth of my most worthy associate, consider this example which is utterly theoretical & never happened...

Company A is a supplier sending invoices directly to Company B. Because A is a principal supplier of B, sending many hundreds of invoices of all amounts, they submit invoices directly into the procurement process, where they're charged against cost centers and paid automatically. B has provided a secure network in the form of a dedicated ISDN line between A & B which has hardware-provided wire-level encryption at each end. This line went through dedicated hardware into a network card on B's server that received inbound invoices.

At the other end it went into a 10-port router on a table to one side of their accounts office. To make things easier, they'd enabled the hub for WiFi so they didn't need to trail wires into the PCs generating the invoices. The WiFi was of course WPA2-secured with a pre-allocated password, which could only be obtained by looking at the Post-It note on the router.

Like I said, this never happened. It didn't nearly end a 10-year relationship between the 2 companies and didn't result in supply costs dropping by nearly 15%.

Vitor: Good example. But I'm not sure how using an external DP would have caught such a thing, and how MQ security would not be able to handle this.
Vitor
PostPosted: Fri Mar 30, 2012 11:32 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

anveshita wrote:
Vitor: Good example. But I'm not sure how using an external DP would have caught such a thing, and how MQ security would not be able to handle this.


The example was more to highlight the difference between a secured private network and a private network that is secure, rather than any direct relevance to your situation.

MQ security would not have been able to handle this (because it didn't happen) because MQ was not in use; invoices were submitted in an XML format via a web-based client. The assumption was that this client was sitting directly on the secured line, not available to anyone who could connect to the network, so any XML attached to an HTTP POST was considered legitimate. I would theorise that if there had been a queue manager at the other end using SSL (or otherwise) to secure the channel, it would have been equally vulnerable to XML being added to its queue by unauthorised people.

I'm equally unconvinced that DP would have helped this situation. It would have closed the vulnerability to someone working for Company C launching a DoS attack down a secure line with no firewall protecting it.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
PostPosted: Fri Mar 30, 2012 11:37 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Presumably DP would be able to validate that the received XML message was signed by a legitimate sender and not a random employee of the other end who knows something about computers.

Presumably DP would be able to react to messages that weren't even in the correct format to begin with, and thus flag them at the edge and legitimately as bad data, rather than leaving them to be caught by the internal ESB which might not be able to tell which partner sent the bad data or that the data hasn't been mangled between it and the partner.

Presumably DP would be able to validate that the partner is allowed to submit the records they have submitted, and not for example have ordered parts that are only available to their competitor.
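The three checks mqjeff lists here (authenticate the sender, reject malformed data at the edge while it can still be attributed to a partner, and authorize the partner for the records it submits), together with his earlier point about keeping Customer 1 from submitting records for Customer 2, as an added Python example. This is not DataPower's own processing and is not code from the thread; the per-partner shared secrets, the entitlement table, the size limit and the invoice XML layout are all assumptions made for the example. A real gateway would verify X.509 signatures against a PKI with keys held in an HSM rather than HMAC with a shared secret, but the ordering of the checks and the reasons for each are the same.

```python
"""Edge validation a gateway in front of MQ would perform before a message
is put to an internal queue: authenticate, validate format, authorize.
Illustrative example only; keys, partner IDs and XML layout are assumed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed per-partner shared secrets (assumption: a real deployment
# would use per-partner certificates with private keys in an HSM).
PARTNER_KEYS = {
    "partner-a": b"partner-a-secret-kept-in-hsm",
    "partner-b": b"partner-b-secret-kept-in-hsm",
}
# Constructed entitlements: which customer IDs each partner may submit for.
PARTNER_CUSTOMERS = {
    "partner-a": {"CUST-1"},
    "partner-b": {"CUST-2"},
}
REQUIRED_FIELDS = ("customer", "number", "amount")
MAX_BYTES = 64 * 1024  # assumed size cap so oversized input is dropped at the edge


def sign(partner: str, body: bytes) -> str:
    """What the partner's sending side attaches: HMAC-SHA256 over the payload."""
    return hmac.new(PARTNER_KEYS[partner], body, hashlib.sha256).hexdigest()


def validate(partner: str, body: bytes, tag: str):
    """Return ("accept", customer_id) or ("reject", reason).

    Every rejection is attributable to the claimed partner, which is what
    the internal ESB cannot do once the message is on an internal queue.
    """
    # 0. Cheap resource check first: do not parse what you have not sized.
    if len(body) > MAX_BYTES:
        return ("reject", "oversized message")

    # 1. Authentication: the sender is proven by the MAC, not by the network
    #    the message arrived on. Constant-time compare avoids timing leaks.
    key = PARTNER_KEYS.get(partner)
    if key is None:
        return ("reject", "unknown partner")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ("reject", "bad signature")

    # 2. Format: malformed or incomplete XML is flagged here, at the edge,
    #    while we still know which partner produced it.
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("reject", "malformed xml")
    if root.tag != "invoice":
        return ("reject", "unexpected root element")
    fields = {child.tag: (child.text or "").strip() for child in root}
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        return ("reject", "missing fields: " + ",".join(missing))
    try:
        amount = float(fields["amount"])
    except ValueError:
        return ("reject", "amount not numeric")
    if amount <= 0:
        return ("reject", "amount must be positive")

    # 3. Authorization: an authenticated partner may still only submit
    #    records for its own customers (Customer 1 cannot file for Customer 2).
    customer = fields["customer"]
    if customer not in PARTNER_CUSTOMERS[partner]:
        return ("reject", f"{partner} not entitled to submit for {customer}")
    return ("accept", customer)


# Constructed sample message for a stand-alone run.
SAMPLE = (b"<invoice><customer>CUST-1</customer>"
          b"<number>INV-100</number><amount>250.00</amount></invoice>")

if __name__ == "__main__":
    good_tag = sign("partner-a", SAMPLE)
    print(validate("partner-a", SAMPLE, good_tag))
    print(validate("partner-a", SAMPLE.replace(b"250.00", b"999.00"), good_tag))
    print(validate("partner-b", SAMPLE, sign("partner-b", SAMPLE)))
```

The order matters: size before parse, signature before parse, and authorization only after the payload has been proven to come from the party whose entitlements are being checked. Checking authorization on an unauthenticated customer field would let any sender claim any customer.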