Hi,

I suppose we can break this down into sections based on the components.

For instance, the inter-IPA server port communication is covered off well... it 
needs 7389 for day-to-day communication, but needs ports 9443 to 9445 for the 
setup. So I can do a task for that aspect (which I did). However, that isn't 
on page 10... it's deeper into the doc. I don't like repeating info in a doc 
multiple times, so I'd suggest page 10 mentions the above and tells you where to 
look. 

I would suggest that something similar is needed for client to server... for 
instance, is 9446 needed? As well as 80 and 443? What actual ports will an IPA 
enabled client use to talk to IPA? i.e. does it need 389, 636 and 88 and 464? 
Or does it just use 636 and 464 (say)? Non-IPA clients, what do they use? So if 
I'm Red Hat only, IPA enabled only, I open up fewer ports... the second I want 
Ubuntu and Mac I have to open up more.

Looks like we have, or can imply, enough info for server to external 
services/communications... so we need DNS and NTP to be open... from page 10.

Admin use... so ssh, and 443, 80? When you run kinit admin, that talks 
over what ports? 88? and 464? Is 9445 used for admin?

It may be better to have a "visio" diagram(s). A protocol diagram is in the 
as-built I sent you, section 4.1.

NB I also write an IPTABLES ruleset before I build the server/workstation and 
that gets carried over via Kickstart/Satellite and activated on build. So 
once it's built I then find that, oh, I missed one... I use Subversion to hold 
each server's iptables firewall, so I have to go back and edit that file so in a 
DR or OR situation it's all up to date...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 23 November 2011 9:49 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Improvement to documentation needed for firewalling 
pls.

On 11/22/2011 03:24 PM, Steven Jones wrote:
> Hi,
>
> I don't find out until I run the script... it's a bit late. I then have to 
> raise more change controls and wait. Also for any application deployment I 
> have to do a [security] design and say what is opened, why and if any 
> sensitive data is transmitted, so I really need this info before I touch a 
> server at all. For instance, a user id and password is classed as sensitive, 
> so it has to be encrypted... by some acceptable standard method and it has 
> to be adequately encrypted... So the security portion of the design can 
> take weeks to get signed off... if I've missed anything serious I may have 
> to re-write and submit. We end up doing this frequently... sometimes we 
> even reject a vendor's product because we find it has a fundamental security 
> flaw...

What would be helpful is to turn this into Q&A. Can you formulate a set
of questions a little bit more granular than "Which ports I need to open
when and why"?


> like it's transmitting plain text passwords or even storing/caching them 
> locally in plain text... not that uncommon...
>

True. But we do not do that except AFAIK one case - password for the CA
DS instance which is stored locally in the config file available to root
only.
But I may be wrong. Is there anything else? Anyone knows?

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Wednesday, 23 November 2011 9:04 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Improvement to documentation needed for 
> firewalling pls.
>
> On 11/22/2011 02:58 PM, Steven Jones wrote:
>> Hi,
>>
>> 2.1.3.4 page 10 lists ports but not what happens with them...
>>
>> For instance, I am now in a very secure environment and find when I do an 
>> ipa-client-install the client connects to port 80 and retrieves a 
>> ca.crt... now I have to wait 3 days to get port 80 opened up... to the 
>> IPA server(s).
>>
>> If I had better docs then I could make the request beforehand...
>>
>> This of course is the first failure... if, say, I find that the 
>> ipa-client-install script uses 443 next, I will have to wait another 3 
>> days... if I find there are 4 undocumented port calls to get a client 
>> install to work... well, it's a week to 2 weeks wait...
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> When you install IPA the output of the installation lists all the ports
> that you need to open and for what service: DNS, Kerberos, LDAP etc.
> Is this not enough? What level of detail are you looking for?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.





