Hi John,
I believe that is the case, and even if it were open you would still need the firewall/gateway to know what is good vs bad.
I'm pretty sure you can pass the TLS through to the queue manager with both a firewall and MQIPT in place. That would protect you from the lower layer attacks but expose the queue manager's server to something like a TLS flood, but if you were hit with that it would just tie up the QM until you can block the source with your firewall. You could use multiple MQ gateway queue managers to limit your exposure to such attacks.
------------------------------
Regards,
Martin Evans
IBM MQ Technical Product Manager
------------------------------
Original Message:
Sent: Fri August 12, 2022 06:59 AM
From: John Hawkins
Subject: MQIPT as Security component
My understanding has always been that IBM have never released the MQ FAP (wire protocol), so NO other firewall/gateway can check the wire contents - is that still correct?
In which case, that *may* sway a customer to have both a firewall and MQIPT - but the overhead, as you say, of having ANOTHER TLS termination may stop anyone from doing that.
Seem fair?
------------------------------
John Hawkins
Integration Consultant
Original Message:
Sent: Fri August 12, 2022 05:16 AM
From: Martin Evans
Subject: MQIPT as Security component
Hi John,
I think some of the more common use-cases for MQIPT are when you must tunnel MQ via HTTP or you want to concentrate connections to simplify firewall rules. I don't believe MQIPT is going to provide anything like the layer 3 DoS protection from ICMP flood, UDP flood, TCP flood, SYN flood etc. that a dedicated device can provide, so it will depend on the requirements. I know some customers are using firewalls etc. for the lower layer protection, but those devices don't typically understand MQ at L7 like they understand HTTP etc., so I'm not sure if the value of terminating TLS at the firewall outweighs the additional management of certs etc., but again it will come down to requirements.
------------------------------
Regards,
Martin Evans
IBM MQ Technical Product Manager
Original Message:
Sent: Tue August 02, 2022 05:41 AM
From: John Hawkins
Subject: MQIPT as Security component
Hi Folks,
I'm trying to figure out what help MQIPT gives me with regard to security rather than routing.
Assuming that TLS termination is done by my firewall and MQIPT is in proxy mode I can't see any reason to have it in the mix as it can't verify the messages passing through it and all the other features I can get using the firewall/gateway combo.
If it is acting as the TLS termination point, then the somewhat vague statement in the MQ docs says that it "verifies" the messages flowing through it. Does anyone know if that is all the messages going through it for their formatting/validity, or just the initial connection messages? I can see that as useful, as no other product can do that - am I correct?
thanks for your help!
John.
------------------------------
John Hawkins
Integration Consultant
------------------------------
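To make the two deployment shapes the thread contrasts concrete, here is an added mqipt.conf fragment (not from the original posts and not IBM's own example) with one route that relays TLS untouched in SSL/TLS proxy mode and one that terminates TLS at MQIPT and re-originates it to the queue manager. Hostnames, ports, key-ring paths and password-file names are placeholders, and the route property names are taken from the MQIPT route-property set as I know it, so check them against the MQIPT documentation for your version.

```ini
# Added example: two MQIPT routes illustrating the thread's two shapes.
# All hostnames, ports and file paths are constructed placeholders.

# Route 1: SSL/TLS proxy mode (the "proxy mode" John refers to).
# MQIPT accepts the client's TLS connection and relays the encrypted
# bytes to the destination without decrypting them. The key rings and
# certificate checks live on the queue manager, so on this route MQIPT
# cannot see or check any MQ FAP traffic; it only forwards it.
[route]
Name=tls-passthrough
Active=true
ListenerPort=1414
Destination=qm-gateway.internal.example
DestinationPort=1414
SSLProxyMode=true

# Route 2: TLS terminated at MQIPT and re-originated to the queue manager.
# MQIPT holds its own key rings, can require a client certificate, and the
# MQ channel protocol crosses it in the clear. This is the mode in which
# MQIPT can check the connection itself, at the cost of a second TLS hop
# and a second set of certificates to manage.
[route]
Name=tls-terminate
Active=true
ListenerPort=1415
Destination=qm-gateway.internal.example
DestinationPort=1415
SSLServer=true
SSLServerKeyRing=/opt/mqipt/keys/server.p12
SSLServerKeyRingPW=/opt/mqipt/keys/server.pwd
SSLServerAskClientAuth=true
SSLClient=true
SSLClientKeyRing=/opt/mqipt/keys/client.p12
SSLClientKeyRingPW=/opt/mqipt/keys/client.pwd
```

With a firewall in front of either route, the firewall still handles only the lower-layer flood protection Martin describes; only the second route lets MQIPT see MQ traffic at L7.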