On Fri, Apr 1, 2016 at 2:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Jeremy Utley wrote:
>
>> Hello all on the list.
>>
>> First off, if this is documented somewhere I'm not aware of, I apologize
>> for the noise.  I've spent a couple of hours google searching google
>> without success, so pointers to any documentation I've missed would be
>> greatly appreciated!
>>
>> We're in the process of setting up a FreeIPA system within our
>> ultra-secure PCI zone.  It's currently working well, and we are very
>> happy with it.  However, we know that come our next audit, we're going
>> to get hit on a few things, so I would like to ask about blocking off
>> some additional ports (specifically 80, 389, 53).  53 I think will be
>> safe to block off, as all our clients actually use a dedicated caching
>> DNS system with unbound, which has been configured to forward all
>> queries for the zone "ipa.domain.com <http://ipa.domain.com>" to the
>> FreeIPA servers, so we should be able to block 53 from everywhere but
>> the unbound servers without breakage.
>>
>> However, port 80 and 389 I'm not so sure about.  I know most things that
>> hit port 80 get redirected to 443, and 389 provides STARTTLS
>> functionality, but in theory, these ports can provide unencrypted
>> communications, and therefore our auditors will ask that they be closed
>> off.  However, in my research so far, I have not been able to find out
>> what the ramifications would be to blocking these ports for the IPA
>> system itself (would it fall back to using SSL on 636? Would API calls
>> fail if port 80 is closed?).
>>
>> I also know that the ipa-client-install script will check to ensure
>> these ports are open - temporarily opening them for the client setup
>> will not be an issue, if we can close it back down after that.  We do
>> not add systems within this zone very often, so this is a minor issue.
>>
>> Thanks for any advice you can give!
>>
>> Jeremy
>>
>>
>>
> See this thread from earlier this week,
> https://www.redhat.com/archives/freeipa-users/2016-March/msg00295.html
>
> rob
>

Thank you, Rob!  I think that will answer my questions, and hopefully the
auditors!

Jeremy
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to