[Freeipa-users] Improvement to documentation needed for firewalling pls.

Steven Jones Steven.Jones at vuw.ac.nz
Tue Nov 22 20:35:51 UTC 2011


Now the ipa-client-install script is on 443 and I have no firewall engineer today....and maybe not until Monday....

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 23 November 2011 9:24 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Improvement to documentation needed for firewalling pls.

Hi,

I don't find out until I run the script.....it's a bit late.  I then have to raise more change controls and wait.  Also for any application deployment I have to do a [security] design and say what is opened, why and if any sensitive data is transmitted, so I really need this info before I touch a server at all.  For instance a user id and password is classed as sensitive, so it has to be encrypted.....by some acceptable standard method and it has to be adequately encrypted....   So the security portion of the design can take weeks to get signed off.....if I've missed anything serious I may have to re-write and submit.. We end up doing this frequently.....sometimes we even reject a vendor's product because we find it has a fundamental security flaw....like it's transmitting plain text passwords or even storing/caching them locally in plain text....not that uncommon....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 23 November 2011 9:04 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Improvement to documentation needed for firewalling pls.

On 11/22/2011 02:58 PM, Steven Jones wrote:
> Hi,
>
> 2.1.3.4 page 10 lists ports but not what happens with them...
>
> For instance I am now in a very secure environment and find when I do an ipa-client-install the client connects to port 80 and retrieves a ca.crt........now I have to wait 3 days to get port 80 opened up...to the IPA server(s).
>
> If I had better docs then I can make the request beforehand....
>
> This of course is the first failure.....if say I find that the ipa-client-install script uses 443 next I will have to wait another 3 days......if I find there are 4 undocumented port calls to get a client install to work......well it's a week to 2 weeks wait....
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
When you install IPA the output of the installation lists all the ports
that you need to open and for what service: DNS, Kerberos, LDAP etc.
Is this not enough? What level of detail are you looking for?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
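The practical gap the thread describes is finding out which ports are blocked only when ipa-client-install fails. The following pre-flight check is an added example, not code from this thread or from the FreeIPA project: run it from the prospective client against the IPA server before enrolment, and it reports every TCP port it cannot reach, which is exactly the list that goes into the firewall change request. The thread itself only names 80, 443 and the DNS/Kerberos/LDAP services; the remaining port numbers below are an assumption taken from the standard FreeIPA port set, and the local listener helper exists only so the script can be demonstrated offline.

```python
#!/usr/bin/env python3
"""Pre-flight TCP reachability check for an IPA server, run from the
prospective client before ipa-client-install. Constructed example; the
port list is the standard FreeIPA set (assumed, not taken from the thread
beyond 80, 443 and the DNS/Kerberos/LDAP service names)."""
import socket
import sys

# Service -> TCP port an IPA client needs to reach on the server.
# Assumption: standard FreeIPA ports; adjust to your deployment.
IPA_TCP_PORTS = {
    "http (ca.crt fetch during enrolment)": 80,
    "https (IPA API / web UI)": 443,
    "ldap": 389,
    "ldaps": 636,
    "kerberos": 88,
    "kerberos kpasswd": 464,
    "dns": 53,
}
# UDP services (DNS 53, Kerberos 88/464, NTP 123) cannot be probed with a
# plain connect(); list them explicitly in the change request instead.


def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unroutable, DNS failure
        return False


def preflight(host, ports=IPA_TCP_PORTS, timeout=2.0):
    """Probe every listed port; return {service: reachable_bool}."""
    return {svc: probe_tcp(host, port, timeout) for svc, port in ports.items()}


def blocked_ports(results, ports=IPA_TCP_PORTS):
    """Return (service, port) pairs that were unreachable: the change-request list."""
    return [(svc, ports[svc]) for svc, ok in results.items() if not ok]


def start_demo_listener():
    """Open a throwaway TCP listener on 127.0.0.1 for offline demonstration.
    Returns (port, server_socket); closing the socket makes the port refuse."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    return srv.getsockname()[1], srv


def main(argv):
    # Usage: ipa_preflight.py <ipa-server-hostname-or-ip>
    host = argv[1] if len(argv) > 1 else "127.0.0.1"
    results = preflight(host)
    for svc, ok in results.items():
        state = "open   " if ok else "BLOCKED"
        print(f"{state}  {IPA_TCP_PORTS[svc]:>4}/tcp  {svc}")
    missing = blocked_ports(results)
    if missing:
        print("\nRequest the following before running ipa-client-install:")
        for svc, port in missing:
            print(f"  {port}/tcp  ({svc}) -> {host}")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means at least one port is unreachable, so the script can gate an enrolment job. Note that a "filtered" port (packets silently dropped) only shows up as a timeout, so keep the timeout short enough that a fully blocked server does not stall the check for minutes.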
