[Freeipa-users] Improvement to documentation needed for firewalling pls.

Dmitri Pal dpal at redhat.com
Tue Nov 22 22:05:46 UTC 2011


On 11/22/2011 04:24 PM, Steven Jones wrote:
> Hi,
>
> I suppose we can break this down into sections based on the components.
>
> For instance the inter-IPA server port communication is covered off well... it needs 7389 for day to day communication, but needs ports 9443 to 9445 for the setup... So I can do a task for that aspect, (which I did). However that isn't on page 10... it's deeper into the doc. I don't like repeating info in a doc multiple times so I'd suggest page 10 mentions the above and tells you where to look.
>
> I would suggest that something similar is needed for client to server... for instance is 9446 needed, as well as 80 and 443? What actual ports will an IPA-enabled client use to talk to IPA? i.e. does it need 389, 636 and 88 and 464? or does it just use 636 and 464? (say) Non-IPA clients, what do they use? So if I'm Red Hat only, IPA-enabled only, I open up fewer ports... the second I want Ubuntu and Mac I have to open up more.
>
> Looks like we have or can imply enough info for server to external services/communications... so we need DNS and NTP to be open... from page 10
>
> Admin use... so ssh, and 443, 80? When you run kinit admin that talks over what ports? 88? and 464? Is 9445 used for admin?
>
> It may be better to have "visio" diagram(s). A protocol diagram is in the as-built I sent you, section 4.1.
>
> NB I also write an IPTABLES ruleset before I build the server/workstation and that gets carried over via Kickstart/Satellite and activated on build. So once it's built I then find that oh, I missed one... I use subversion to hold each server's iptables firewall, I have to go back and edit that file so in a DR or OR situation it's all up to date...
>

Added pointer to your mail to the bug.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Wednesday, 23 November 2011 9:49 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Improvement to documentation needed for firewalling pls.
>
> On 11/22/2011 03:24 PM, Steven Jones wrote:
>> Hi,
>>
>> I don't find out until I run the script... it's a bit late. I then have to raise more change controls and wait. Also for any application deployment I have to do a [security] design and say what is opened, why and if any sensitive data is transmitted, so I really need this info before I touch a server at all. For instance a user id and password is classed as sensitive, so it has to be encrypted... by some acceptable standard method and it has to be adequately encrypted... So the security portion of the design can take weeks to get signed off... if I've missed anything serious I may have to re-write and submit. We end up doing this frequently... sometimes we even reject a vendor's product because we find it has a fundamental security flaw...
> What would be helpful is to turn this into Q&A. Can you formulate a set
> of questions a little bit more granular than "Which ports do I need to open,
> when, and why"?
>
>
>> like it's transmitting plain text passwords or even storing/caching them locally in plain text... not that uncommon...
>>
> True. But we do not do that except, AFAIK, in one case: the password for the CA
> DS instance, which is stored locally in the config file available to root
> only.
> But I may be wrong. Is there anything else? Does anyone know?
>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>> Sent: Wednesday, 23 November 2011 9:04 a.m.
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Improvement to documentation needed for firewalling pls.
>>
>> On 11/22/2011 02:58 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> 2.1.3.4 page 10 lists ports but not what happens with them...
>>>
>>> For instance I am now in a very secure environment and find when I do an ipa-client-install the client connects to port 80 and retrieves a ca.crt... now I have to wait 3 days to get port 80 opened up... to the IPA server(s).
>>>
>>> If I had better docs then I could make the request beforehand...
>>>
>>> This of course is the first failure... if say I find that the ipa-client-install script uses 443 next I will have to wait another 3 days... if I find there are 4 undocumented port calls to get a client install to work... well it's a week to 2 weeks wait...
>>>
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> When you install IPA the output of the installation lists all the ports
>> that you need to open and for what service: DNS, Kerberos, LDAP etc.
>> Is this not enough? What level of detail are you looking for?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
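As an added, constructed example (not from this thread or the FreeIPA project), a POSIX shell script that groups the ports named in the thread by role and generates the per-host iptables rules Steven describes keeping under version control, plus a check that reports any rule missing from the live INPUT chain. The role groupings, ports and source networks are assumptions taken from the discussion, not a verified FreeIPA reference.

```shell
#!/bin/sh
# Constructed example: group the FreeIPA ports named in this thread by role
# and emit iptables rules for the firewall script kickstart runs on build.
# The port groups follow the thread's own breakdown and are NOT a verified
# FreeIPA reference; compare them with the installer's port summary first.

CLIENT_TCP="80 443 389 636 88 464"       # enrolled client -> server (TCP)
CLIENT_UDP="88 464"                      # Kerberos/kpasswd also use UDP
REPLICA_TCP="7389 9443 9444 9445 9446"   # server <-> server, incl. CA setup
INFRA_TCP="53"                           # DNS over TCP
INFRA_UDP="53 123"                       # DNS, NTP
ADMIN_TCP="22"                           # ssh for administration

# ports_for ROLE -> prints proto:port pairs for that role, one per line.
ports_for() {
    case "$1" in
        client)  for p in $CLIENT_TCP; do echo "tcp:$p"; done
                 for p in $CLIENT_UDP; do echo "udp:$p"; done ;;
        replica) for p in $REPLICA_TCP; do echo "tcp:$p"; done ;;
        infra)   for p in $INFRA_TCP; do echo "tcp:$p"; done
                 for p in $INFRA_UDP; do echo "udp:$p"; done ;;
        admin)   for p in $ADMIN_TCP; do echo "tcp:$p"; done ;;
        *)       echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# rules_for ROLE SOURCE_CIDR -> one iptables command per port, limited to
# the source network that role legitimately comes from (constructed CIDRs).
rules_for() {
    ports_for "$1" | while IFS=: read -r proto port; do
        echo "iptables -A INPUT -p $proto -s $2 --dport $port -m comment --comment ipa-$1 -j ACCEPT"
    done
}

# check_rules ROLE SOURCE_CIDR -> reports rules absent from the live INPUT
# chain (iptables -C), so a missed port shows up before the change request.
check_rules() {
    rules_for "$1" "$2" | sed 's/^iptables -A /iptables -C /' | while read -r cmd; do
        $cmd 2>/dev/null || echo "missing: $cmd"
    done
}

# Usage: ./ipa-fw.sh generate > ipa-fw.rules  (networks are illustrative)
if [ "${1:-}" = "generate" ]; then
    rules_for client  "10.0.0.0/8"
    rules_for replica "10.1.0.0/24"
    rules_for infra   "10.0.0.0/8"
    rules_for admin   "10.1.5.0/24"
fi
```

Running `check_rules` requires root and a live iptables; the generated rules commit into the same per-server repository the thread mentions so the on-disk policy and the running chain can be compared on each build.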