On 11/22/2011 03:24 PM, Steven Jones wrote:
> Hi,
>
> I don't find out until I run the script... it's a bit late. I then have to
> raise more change controls and wait. Also for any application deployment I
> have to do a [security] design and say what is opened, why and if any
> sensitive data is transmitted, so I really need this info before I touch a
> server at all. For instance a user ID and password is classed as sensitive,
> so it has to be encrypted... by some acceptable standard method and it has
> to be adequately encrypted... So the security portion of the design can
> take weeks to get signed off... if I've missed anything serious I may have
> to re-write and submit. We end up doing this frequently... sometimes we
> even reject a vendor's product because we find it has a fundamental security
> flaw...

What would be helpful is to turn this into Q&A. Can you formulate a set of
questions a little bit more granular than "Which ports I need to open, when
and why"?

> like it's transmitting plain text passwords or even storing/caching them
> locally in plain text... not that uncommon...
>
True. But we do not do that except AFAIK in one case - the password for the
CA DS instance, which is stored locally in the config file available to root
only. But I may be wrong. Is there anything else? Does anyone know?

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of Dmitri Pal [[email protected]]
> Sent: Wednesday, 23 November 2011 9:04 a.m.
> To: [email protected]
> Subject: Re: [Freeipa-users] Improvement to documentaion needed for
> firewalling pls.
>
> On 11/22/2011 02:58 PM, Steven Jones wrote:
>> Hi,
>>
>> 2.1.3.4 page 10 lists ports but not what happens with them...
>>
>> For instance I am now in a very secure environment and find when I do an
>> ipa-client-install the client connects to port 80 and retrieves a
>> ca.crt... now I have to wait 3 days to get port 80 opened up... to the
>> IPA server(s).
>>
>> If I had better docs then I could make the request beforehand...
>>
>> This of course is the first failure... if say I find that the
>> ipa-client-install script uses 443 next I will have to wait another 3
>> days... if I find there are 4 undocumented port calls to get a client
>> install to work... well it's a week to 2 weeks wait...
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> When you install IPA the output of the installation lists all the ports
> that you need to open and for what service: DNS, Kerberos, LDAP etc.
> Is this not enough? What level of detail are you looking for?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
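A pre-flight check of the kind this thread asks for, added here as an example (not FreeIPA project code and not written by either poster): it tries every TCP port ipa-client-install is going to need against the IPA server before the script is run, so the blocked ones can go into a single change request instead of being discovered one failure at a time, and it prints the port/protocol/purpose table that request needs. The port list is my assumption, taken from the FreeIPA firewall documentation as I know it; the thread itself only names 80 (the ca.crt download) and 443. UDP ports (Kerberos, kpasswd, DNS, NTP) cannot be verified by a plain connect, so they are reported as unverifiable and must be requested regardless.

```python
"""Pre-flight check of the FreeIPA server ports a client enrolment needs.

Added example for this thread, not FreeIPA project code.  The port list below
is an assumption based on the FreeIPA firewall documentation; the thread only
mentions 80 and 443 explicitly.
"""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRequirement:
    port: int
    proto: str      # "tcp" or "udp"
    service: str
    purpose: str    # what a change-control request should say it is for


# Assumption: server-side ports a FreeIPA client needs (from the FreeIPA docs).
IPA_CLIENT_PORTS = (
    PortRequirement(80, "tcp", "HTTP", "ipa-client-install fetches the CA cert (ca.crt)"),
    PortRequirement(443, "tcp", "HTTPS", "web UI and JSON-RPC API used by the ipa command"),
    PortRequirement(389, "tcp", "LDAP", "directory lookups and enrolment"),
    PortRequirement(636, "tcp", "LDAPS", "directory lookups over TLS"),
    PortRequirement(88, "tcp", "Kerberos", "KDC ticket requests (TCP fallback)"),
    PortRequirement(88, "udp", "Kerberos", "KDC ticket requests"),
    PortRequirement(464, "tcp", "kpasswd", "Kerberos password changes (TCP)"),
    PortRequirement(464, "udp", "kpasswd", "Kerberos password changes"),
    PortRequirement(53, "tcp", "DNS", "only if the IPA server also runs DNS"),
    PortRequirement(53, "udp", "DNS", "only if the IPA server also runs DNS"),
    PortRequirement(123, "udp", "NTP", "time sync; Kerberos rejects skewed clocks"),
)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within `timeout`.

    Refused, filtered (silent drop -> timeout) and unresolvable hosts all
    come back False: from the client's point of view they are equally blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def preflight(host, requirements=IPA_CLIENT_PORTS, timeout=3.0):
    """Return (blocked, unverifiable).

    blocked:      TCP requirements whose connect attempt failed.
    unverifiable: UDP requirements; a connect test says nothing about them,
                  so they belong in the firewall request regardless.
    """
    blocked, unverifiable = [], []
    for req in requirements:
        if req.proto == "udp":
            unverifiable.append(req)
        elif not tcp_reachable(host, req.port, timeout):
            blocked.append(req)
    return blocked, unverifiable


def firewall_request(host, requirements=IPA_CLIENT_PORTS):
    """Render the change-control table: port/proto, service and why it is needed."""
    lines = [f"Destination: {host}", "port/proto  service   purpose"]
    for r in requirements:
        lines.append(f"{r.port:>4}/{r.proto:<5} {r.service:<9} {r.purpose}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python preflight.py ipa.example.test   (hostname is a placeholder)
    server = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"
    blocked, unverifiable = preflight(server)
    print(firewall_request(server))
    print()
    for r in blocked:
        print(f"BLOCKED      {r.port}/{r.proto} ({r.service}): {r.purpose}")
    for r in unverifiable:
        print(f"UNVERIFIED   {r.port}/{r.proto} ({r.service}): request it anyway")
    if not blocked:
        print("All TCP ports reachable; UDP ports still need confirming with the firewall team.")
```

Run it from the machine that will be enrolled, against the IPA server's hostname, before raising the change request; every BLOCKED line is a port that would otherwise fail partway through ipa-client-install.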
