When is a wall a great wall? When it’s a firewall?

June 6, 2017

[Image: replica Atlantic Wall on Hankley Common]

Today is June 6th, the 73rd anniversary of the D-Day landings in Normandy in World War 2. Some 156,000 soldiers were landed to attack the defences on those beaches, the dreaded Atlantic Wall. But they had been preparing for this and had even built replica walls to practise assaulting, such as the one shown above on Hankley Common in Surrey (down the road from where I live).

Not all walls can withstand assault. But they are almost all built for a specific purpose – to provide safe and secure separation. This holds true for today’s firewalls as well as historical defensive walls.

[Image: firewall]

Hundreds if not thousands of IBM’s customers use IBM MQ to communicate with business partners or separate parts of their own businesses beyond their enterprise firewall. There are a number of ways to do this – including deploying MQ Internet Passthru (MQIPT), opening ports for MQ connectivity, or deploying MQ servers in the DMZ. Not all DMZs are quite as scary or indeed obvious as the one separating North and South Korea. But they exist for good reason – to protect what’s behind the firewall. There is a huge cost associated with data breaches.

[Image: Korean DMZ]

The issue some customers have with deploying MQ servers in the DMZ is that this can lead to messages being persisted to disk in the DMZ. Devices like IBM DataPower appliances are designed to run in the DMZ, but that is because they are, on the whole, stateless, with no information persisted. This is not the case with IBM MQ, so the data on disk in the DMZ poses a concern because of the increased risk in this environment. This is the primary reason that MQIPT is used: to avoid persisting MQ data there.
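As an added illustration (not from the original post, and not IBM's own sample file), an mqipt.conf route for the pattern the paragraph describes: MQIPT in the DMZ terminates TLS from the outside partner, forwards the connection to the internal queue manager over a second TLS session, and relays the channel protocol in memory without writing messages to disk. Host names, ports, key ring paths and certificate names are assumed values.

```ini
# mqipt.conf (assumed example, not IBM's sample file)
# MQIPT keeps no queues; it relays the MQ channel protocol in memory,
# so nothing is persisted on the DMZ host even if the inner link fails.
[global]
MaxConnectionThreads=100

[route]
Name=PartnerToInternalQM
Active=true
# Port the business partner connects to on the DMZ host (assumed)
ListenerPort=1414
# Internal queue manager behind the inner firewall (assumed host/port)
Destination=qm1.internal.example
DestinationPort=1414

# Outer leg: MQIPT acts as the TLS server towards the partner
SSLServer=true
SSLServerKeyRing=/opt/mqipt/ssl/dmz-server.pfx
SSLServerKeyRingPW=/opt/mqipt/ssl/dmz-server.pwd
# Only accept partner certificates whose CN matches (assumed value)
SSLServerDN_CN=partner.example.com

# Inner leg: MQIPT acts as the TLS client towards the internal queue manager
SSLClient=true
SSLClientKeyRing=/opt/mqipt/ssl/dmz-client.pfx
SSLClientKeyRingPW=/opt/mqipt/ssl/dmz-client.pwd
# Only connect if the internal queue manager presents this CN (assumed value)
SSLClientDN_CN=qm1.internal.example
```

AMS end-to-end encryption is configured on the queue managers, not in MQIPT, so this route addresses persistence in the DMZ but not protection of message bodies at rest inside the enterprise.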

IBM doesn’t prevent customers deploying MQ servers or indeed MQ Appliances in the DMZ, although it typically recommends that customers choose not to. There is no impact on their IBM contract or support if they do; this deployment of IBM MQ is still supported. IBM does, however, want to make sure that customers consider the implications and risk of doing so, as we do with all their MQ deployment choices, since MQ is typically critical to their business.

Our concern with deploying the MQ Appliance into a DMZ has been that, because it is based on the DataPower hardware, customers might see it as addressing these concerns and deploy it as a secure solution for DMZ deployment, whereas the fundamental issue of persisted data still exists. This can be mitigated in various ways, such as the end-to-end encryption of AMS (Advanced Message Security) included in the Appliance, but there is no absolute lock-down of the Appliance, and therefore we have that statement in the documentation to ensure that customers make their choice knowingly.

There are therefore a number of different options for moving MQ messages through the firewall without it going horribly wrong. Customers can deploy MQ or the MQ Appliance into the DMZ if they want to, taking sensible precautions to mitigate the risks. IBM will support them with any PMRs they raise, but we would work to ensure they are aware that they may be increasing the risk of data compromise, that they should lock down the environment as much as possible, and that they should use MQ AMS for end-to-end encryption if using MQ Advanced or the MQ Appliance.

[Image: Great Wall]

Walls are essential, but the best walls make the best neighbours. With IBM MQ deployed successfully and securely, you can ensure your firewall is a great wall that doesn’t lock your business in, but helps it grow safely.