It's not just your server connection channels you have to watch! As the external QMs will be connecting over the Extranet, how do you KNOW that they are who they claim to be and how are you going to ensure that other QMs don't join the cluster, or just connect to regular channels on your QMs now that you've opened the firewall for MQ traffic?
If I'm Mr Evil Hacker and know the name and listener port for one of your cluster repositories, I can attach my QM to your cluster pretty sharply and put all sorts of messages to all sorts of queues, the possibilities are quite drool making for the bad guy. Let's see what I can think of quickly:

- Put interesting messages to SYSTEM.COMMAND.QUEUE on your QMs
- Find some interesting cluster queues and put some messages to them - you never know I might find a SWIFT queue and put some SWIFT format messages on there to pay me lots of ??????.
- Fill up your cluster queues with invalid messages causing interesting Denial of Service problems.

You can protect against most of this with a product like Data Secure for MQ, and to a lesser extent using SSL.

HTH
Dave

-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Warren
Sent: 10 February 2004 16:21
To: [EMAIL PROTECTED]
Subject: Clustering Question

In a nutshell, we will be allowing an outside firm access to "put" to a few "internal" queue managers. In order to achieve some method of workload balancing, we wanted to use MQ's clustering capabilities.

First of all, what are the drawbacks of just making one big cluster (external and internal queue managers in the same cluster) as opposed to having a "gateway" queue manager in overlapping clusters (which is recommended from one document that I've read).

Aside from issues with server connection channels, what other security issues should we be concerned with, and how would those issues be addressed?

-Warren

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive