Capitalware Clamps Down on WebSphere MQ's 'Big Dirty' Security Secret
Updated: March 24, 2009
by Alex Woodie
Capitalware is bringing three WebSphere MQ products to the IBM i operating system, the vendor announced recently. The three tools--MQ Standard Security Exit, MQ Authenticate User Security Exit, and MQ Instant Secure Data--will help to address major security shortfalls with default installations of WebSphere MQ, company officials say. The i OS ports of the products are currently in beta, with GA expected next month.
There's a "big dirty secret" in the WebSphere MQ community, says Roger Lacroix, president of Capitalware, which is based in Markham, Ontario. "As you may not be aware of, after a default install of [WebSphere] MQ, MQ security is extremely limited, or basically, nonexistent," he says.
Unless WebSphere MQ users take one of three actions--implement end-to-end SSL encryption, write their own security routines, or buy a third-party product--any internal user with a modicum of technical expertise can tap into WebSphere MQ data and breach the organization's security, Lacroix says. Considering that the biggest users of WebSphere MQ are Fortune 100 financial services companies, and that only one out of 20 WebSphere MQ customers are estimated to take the time to implement security, that is a "big dirty secret," indeed.
There are several security shortcomings in the default installation of WebSphere MQ. For starters, it stores sensitive data in plain text, which enables MQ data to be easily accessed from WebSphere MQ Explorer or other tools available for browsing the content of MQ message queues (including freeware available from Capitalware). User authentication is also minimal. And there is also a spoof threat with out-of-the-box WebSphere MQ installations.
"This means that anybody with a little bit of knowledge can pull the queue, with a rogue application or a little GUI application, and then they can view somebody's details," Lacroix says. "So if I want to transfer money, all I have to do is fill in these fields with these amounts, and then push it into my bank account. If I'm working for a retailer, I could say, 'I want to buy 10 of those. They're supposed to be $99, but let's just move the decimal point.'"
The [De]Securitization of MQ Series
So how did WebSphere MQ, which has such a rock-solid reputation, develop such a poor out-of-the-box security posture? Lacroix traces the roots back to Microsoft's launch of Windows 2000 and lingering fear over the whipping that Microsoft put on OS/2.
"When NT 5 was coming to market, there was a great fear at IBM because Microsoft was coming out with embedded MSMQ [Microsoft Message Queue]," Lacroix says. "So IBM turned around and basically said, 'We're going to make MQ Series the same way Microsoft makes Windows: Super easy. We're not going to worry about security. You can add it after the fact.' They had this great fear that Microsoft was going to eat their lunch."
It's not that WebSphere MQ can't be secured, Lacroix says. "It's just that the default install of it isn't." Instead, IBM provided security hooks, or exits, for developers to write their own security routines. "Ever since then, they've left that as the standard," Lacroix says. Unfortunately, it takes a certain amount of technical skill to write exit programs for WebSphere MQ.
For years, before committing his energy to Capitalware full time, Lacroix would write exit programs that lock down WebSphere MQ at the various companies where he worked. He would share these tools with other IT professionals facing similar dilemmas with WebSphere MQ. He also wrote a series of handy WebSphere MQ utilities, which help developers accomplish basic tasks. After a while, he realized he could make money doing this, and so he started selling and supporting the tools through Capitalware, where he has worked full time since 2001.
At the request of a customer, Capitalware is bringing its three core MQ security tools to i OS. This will give the company coverage across every major platform, including Unix, Linux, Windows, and z/OS (the company offers separate versions of the security tools for the mainframe).
Both MQ Standard Security Exit (MQSSX) and MQ Authenticate User Security Exit (MQAUSX) focus on stopping unauthorized users from accessing WebSphere MQ resources. MQAUSX allows a company to fully authenticate a user who is accessing a WebSphere MQ resource. It authenticates the user's UserID and Password against the server's native OS system or a remote LDAP server. MQSSX allows a company to control and restrict based on UserID and IP address who is accessing a WebSphere MQ resource.
The third product coming to i OS, MQ Instant Secure Data (MQISD), protects WebSphere MQ data by encrypting it. The product uses TEA Variant, a "fast block cipher" algorithm with a 128-bit key, to encrypt the data. Lacroix chose TEA Variant because it's very fast, and only adds about a 1 percent performance hit, he says. The company is looking at implementing AES encryption to satisfy government agencies, he says.
Lacroix says he designed his WebSphere MQ security tools to be lightweight and easy to use. Unlike IBM's WebSphere MQ Extended Security Edition (ESE), which implements Tivoli security software into the MQ environment (and which incidentally no longer supports i OS), the Capitalware products do not require a dedicated server, he says.
Currently, Capitalware sells ten commercial WebSphere MQ-related products and also offers five open source solutions. In addition to the three security tools the company is bringing to the i-based Power Systems (iSeries) platform, Capitalware's five free and open source utilities including a port scanner, a message multiplexer, a file mover, a message router, and a server status display product can be used on the i OS server.
Capitalware's commercial products MQ Visual Edit and MQ Visual Browse are mainly geared at programmers who need an easier way to view WebSphere MQ products and have been around for many years. The three security tools (and their mainframe counterparts) are fairly new products, having been on the market only for a few years.
Licenses for MQISD start at $299 per server, with an unlimited enterprise license going for $55,000. MQAUSX costs $499 per server, or $90,000 for an enterprise license. MQSX goes for $249 per server, or a site license of $45,000. Capitalware is targeting all i OS releases from i5/OS V5R3 to IBM i 6.1. For more information, visit www.capitalware.biz.
Post this story to del.icio.us
Post this story to Digg
Post this story to Slashdot