messaging security using glassfish and open message …2011.appsecusa.org/p/omq.pdf · goals and...
TRANSCRIPT
![Page 1: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/1.jpg)
MESSAGING SECURITY USING
GLASSFISH AND OPEN MESSAGE
QUEUE
OWASP AppSec USA 2011 Conference (@appsecusa / hashtag: #appsecusa)
Srini Penchikala (@srinip)
09.23.11
![Page 2: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/2.jpg)
GOALS AND SCOPE
Goals: Messaging security architecture & design considerations and best practices
How to use NoSQL Databases for some messaging security use cases
Is Not: Security vulnerabilities talk
Is: Focus on application security in messaging:
Authentication & authorization
Message encryption
Logging and monitoring
Code examples on messaging security aspects (Java based)
Target Audience: Architects, Application Developers, and Security Ops
Format: 45 min presentation + 5 min Q&A
Demo Application (Java) 2
![Page 3: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/3.jpg)
ABOUT THE SPEAKER
Security Architect
Certified Scrum Master
Author, Editor (InfoQ)
IASA Austin Chapter Leader
Detroit Java User Group Leader (past)
Working with Java since 1996, JEE (2000), SOA (2006), Security (2007) & PPT since 03/2011
Current: Agile Security Architectures, NoSQL Security, Domain-Driven Security Design, Security Architecture Enforcement, Model Driven Development
Future: Role of DSL in Architecture Enforcement, NoSQL Security Tools and Frameworks
3
![Page 4: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/4.jpg)
BEFORE WE START
How many are currently using messaging in their
applications?
How many are currently working in security
architecture or development?
Any regulatory compliance requirements (Federal,
State, Local, or Finance related)?
4
![Page 5: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/5.jpg)
BACKGROUND
Financial services
J2EE security model
Agile software development
Regulatory compliance and its impact on IT
Software architecture
5
![Page 6: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/6.jpg)
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
6
![Page 7: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/7.jpg)
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
7
![Page 8: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/8.jpg)
MESSAGING ARCHITECTURE
Asynchronous Communication
Message-Oriented Middleware (MOM) pattern
Java Message Service (JMS)
Architecture Components:
Broker
Connection
Destination (Queue or Topic)
Transactions
Message
Enterprise Integration Patterns* 8
*Source: http://www.eaipatterns.com/toc.html
![Page 9: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/9.jpg)
MESSAGING SECURITY CONSIDERATIONS
Current state: Not enough focus on the middleware
Authentication
Role Based Access Control
Message Encryption
Transport Layer Security
Message Persistence
Secure Logging and Auditing
Secure Message Monitoring Standards based administration (JMX)
Availability Broker clustering
Automatic reconnect
Connection event notification
9
![Page 10: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/10.jpg)
TECHNOLOGIES
GlassFish (v3.1)
Java EE 6 compliant application server
Open source and commercial versions
Open Message Queue (v4.5)
Implements JMS standard
Stand-alone service or deployed in an application server
Standard JMS Provider in GlassFish Server
Supports messaging security at various levels
Broker clusters (conventional and enhanced clusters)
Spring Integration Framework
Secure message channel (role based access) 10
![Page 11: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/11.jpg)
SAMPLE DEMO APPLICATION
Technologies:
GlassFish 3.1 Application Server
Open MessageQueue
Neo4J (authentication and authorization)
MongoDB (persistence and logging)
Spring Data Framework
Spring Integration
Aspect-oriented Programming
Tools:
JDK 1.6
Eclipse 11
![Page 12: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/12.jpg)
SAMPLE APPLICATION ARCHITECTURE
12
Client
SOAP
Client
OpenMQ
Server
Neo4J
DB
AuthN/ AuthZ
JMX
Client
Mongo
DB
Msg Persistence
in DB
Logging
Mongo
DB
![Page 13: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/13.jpg)
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
13
![Page 14: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/14.jpg)
AUTHENTICATION
Authentication
Flat file repository
LDAP authentication
JAAS-based authentication
Per broker repository
NoSQL database for storing user profiles
Graph databases (Neo4J)
14
![Page 15: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/15.jpg)
JAAS AND MESSAGE QUEUE
15
Source: OpenMessage Queue 4.5 Administration Guide
![Page 16: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/16.jpg)
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
16
![Page 17: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/17.jpg)
AUTHORIZATION
Users and groups
Pre-defined groups
admin
user
anonymous
Access control events
Connecting to a broker
Creating a message producer or consumer
Auto-creating or browsing a queue destination
Configuration based
accesscontrol.properties 17
![Page 18: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/18.jpg)
AUTHENTICATION AND AUTHORIZATION
18
Source: OpenMessage Queue 4.5 Administration Guide
![Page 19: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/19.jpg)
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
19
![Page 20: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/20.jpg)
MESSAGING SECURITY
Broker Level (Connection)
Destination Level
Message Level
20
![Page 21: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/21.jpg)
ENCRYPTION
Encrypted client-broker communication
SSL based connection service
Connection service types
ssljmsservice (TCP/IP)
httpsjms (HTTPS Tunnel Servlet with HTTP protocol)
ssladmin (TCP/IP)
Cluster connection service
JMX connector (RMI over TCP)
21
![Page 22: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/22.jpg)
ENCRYPTION BEST PRACTICES
Symmetric Key Algorithms: AES with minimum 128 bit key length
Hash Functions: SHA-256
Always use a salt value (salted SHA, SSHA) especially for passwords to defend against rainbow table attacks
Asymmetric or Public Key Algorithms: rDSA with 1024 bit minimum key length
Data Integrity: Data Integrity/Data Signature or Message Authentication Code – HMAC
(hash function-based message authentication code)
Use any underlying hashing algorithm since HMACs are substantially less affected by the potential for collisions that the related hashing functions alone
Secure Network Communication: SSLv3 or TLS to ensure the encrypted transmission of data between systems
Security Standards Java API: OWASP’s ESAPI libraries
22
![Page 23: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/23.jpg)
MESSAGE PERSISTENCE
23
Configurable persistence
File or JDBC-based data store
Securing a JDBC persistence store
NoSQL DB for persistence (MongoDB)
![Page 24: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/24.jpg)
PERSISTENCE OPTIONS
24
Source: OpenMessage Queue 4.5 Administration Guide
![Page 25: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/25.jpg)
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
25
![Page 26: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/26.jpg)
SECURITY LOGGING AND AUDITING
Event management (SIEM) and forensics
Critical for regulatory compliance (SOX, HIPAA, PCI, FISMA)
Log events
Startup, shutdown, restart, and removal of broker
User authentication and authorization
Reset of a persistent store
Creation, purge, and destruction of destinations
Administrative destruction of durable subscribers
Message Queue audit logging
JAAS based audit logging
Performance:
MongoDB Logger 26
![Page 27: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/27.jpg)
SECURITY LOGGING CONSIDERATIONS
What data needs to be logged for security analytics
purposes?
What should be the log format for business v. security
logs?
Do we need to store the security logs in a different file
(a new log4j appender) so only authorized users
(admin) will have access to it?
How would the logs work with SIEM tool (if
applicable)?
27
![Page 28: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/28.jpg)
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
28
![Page 29: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/29.jpg)
MONITORING
Standards:
JMX
Remote JMX
Secure JMX
Tools:
JConsole/VisualVM
29
![Page 30: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/30.jpg)
MONITORING MESSAGING COMPONENTS
Messaging components
Broker
Connections
Destinations
Producers
Consumers
Messages
Monitoring Tools:
VisualVM
Open MQ Administration Console
Any standards based monitoring tool (e.g. JMX for Java) 30
![Page 31: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/31.jpg)
MONITORING SERVICES
31
Source: OpenMessage Queue 4.5 Administration Guide
![Page 32: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/32.jpg)
DEMO
32
![Page 33: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/33.jpg)
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
33
![Page 34: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/34.jpg)
BEST PRACTICES
Separation of messaging logic from application & business logic
Messaging code should be agnostic to MQ container
Declarative v. Programmatic message security
Emerging trends in messaging architecture
Light-weight and Agile message brokers
Embedded brokers (for unit testing)
Built-in security, monitoring and clustering
“Build in” security logging and monitoring capabilities into the product as a feature
Involve Dev & Ops from early phases of project lifecycle 34
![Page 35: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/35.jpg)
AGENDA
Messaging and Security
Authentication
Authorization
Message Security and Encryption
Logging
Monitoring
Best Practices
Conclusions
35
![Page 36: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/36.jpg)
CONCLUSIONS
Messaging security is critical
Message at rest, in transit and in use
Messaging security considerations
Authentication, Role Based Access, Encryption
Logging and Monitoring
Messaging security support in Open MQ container
Role of NoSQL DBs in messaging security use cases
“One Size Fits All” fits nothing
36
![Page 37: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/37.jpg)
RESOURCES
Messaging Patterns
Java Message Service (JMS)
Open Message Queue
Java Management Extensions (JMX) Technology
Open Message Queue 4.5 Administration Guide
Glassfish Samples
GlassFish Server Open Source Edition 3.1 Security
Guide
GlassFish Server Open Source Edition 3.1
Administration Guide
37
![Page 38: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/38.jpg)
THANK YOU
Thank you
Contact Information
http://www.infoq.com/author/Srini-Penchikala
@srinip
http://srinip2007.blogspot.com
Questions?
38
![Page 39: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/39.jpg)
BONUS SLIDES
![Page 40: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/40.jpg)
SECURITY IMPLEMENTATION AND
ENFORCEMENT USING AOP
Implement messaging security using Aspects
Architecture:
Separate security event logic from application and business
logic
Tools & Technologies:
ActiveMQ
MongoDB
Esper
AspectJ and SpringAOP
Demo
40
![Page 41: MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE …2011.appsecusa.org/p/omq.pdf · GOALS AND SCOPE Goals: Messaging security architecture & design considerations and best practices](https://reader033.vdocuments.mx/reader033/viewer/2022042923/5f7110e05aa8cd20b2656531/html5/thumbnails/41.jpg)
INTEGRATING SOAP AND MESSAGEQUEUE
41