Hi,

I don't find out until I run the script.....it's a bit late. I then have to 
raise more change controls and wait. Also for any application deployment I 
have to do a [security] design and say what is opened, why and if any 
sensitive data is transmitted, so I really need this info before I touch a 
server at all. For instance a user id and password is classed as sensitive, so 
it has to be encrypted.....by some acceptable standard method and it has to be 
adequately encrypted.... So the security portion of the design can take weeks 
to get signed off.....if I've missed anything serious I may have to re-write 
and submit.. We end up doing this frequently.....sometimes we even reject a 
vendor's product because we find it has a fundamental security flaw....like it's 
transmitting plain text passwords or even storing/caching them locally in plain 
text....not that uncommon....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 23 November 2011 9:04 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Improvement to documentaion needed for firewalling 
pls.

On 11/22/2011 02:58 PM, Steven Jones wrote:
> Hi,
>
> 2.1.3.4 page 10 lists ports but not what happens with them...
>
> For instance I am now in a very secure environment and find when I do an 
> ipa-client-install the client connects to port 80 and retrieves a 
> ca.crt........now I have to wait 3 days to get port 80 opened up...to the IPA 
> server(s).
>
> If I had better docs then I can make the request beforehand....
>
> This of course is the first failure.....if say I find that the 
> ipa-client-install script uses 443 next I will have to wait another 3 
> days......if I find there are 4 undocumented port calls to get a client 
> install to work......well it's a week to 2 weeks wait....
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

When you install IPA the output of the installation lists all the ports
that you need to open and for what service: DNS, Kerberos, LDAP etc.
Is this not enough? What level of detail are you looking for?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

