I know that HornetQ offers
- Netty SSL Transport
- A Role Based Security Model
My Use-Case:
My HornetQ Server will/should be running on a public host (=the service bound to a public IP) that everone can access (=anyone can detect the service via a port scan…)
My Questions:
1.) As far as I can thell, the netty SSL Transport does not provide an authentication via SSL (if I have seen it correct, this is scheduled for the 3.0 release). So it only secures the transport, but everyone will be able to connect to the HornetQ Server then?
2.) The Role Base Security has 7 Privileges one can grant. My question is. Is this regarded to be secure, if I revoke all rights? If someone connects without any of these rights (and the default user has no privilages/roles assigned/all revoked), will HornetQ be secure? Or is this strongly discouraged, as it still provides a deep access into the system?
3.) Performance. In case 2.) is secure. Someone attacking my System with “unauthenticated” messages. Is the Role-Based Security Model implemented on a very High level (so not consuming a lot of resources) or will this make a DOS very easy as it will have to get deeply into the server with a lot of processing (and also provide a lot more attack vectors as an attacker will deeply get into the system…)
Thank you very much!!
Markus
1) yes, there’s a feature request.
2) You should be secured if you make the correct configuration.
3) Performance should be fine
However, I’m not sure any system will be fine with some sort of massive attack.. you will probably need other types of measures besides basic security.
As with any other software there may be possible improvements. As a project developer/lead of HornetQ, we are always open to any suggestions, and we will fix any breach and bugs found and submitted accordingly.