RE: Minimum Protocol Rules by Service Type List

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 30 Nov 2005 09:16:54 -0600

Also, for the Firewall clients located on Networks that aren't part of
the default Internal Network, look at the authentication traffic they
generate.

ISA and NetMon go hand in hand. It's great fun, esp. when trying to
correlate with what you see in the ISA firewall logs -- which always
don't make so much sense. :)  Check out Stefaan Pouseele's article on
this over at www.isaserver.org; he makes some excellent observations on
this topic.

Next week,
GMT


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Wednesday, November 30, 2005 12:28 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
> 
> http://www.ISAserver.org
> 
> That's odd... I push-installed *your* MOM agent without any problems.
> <bfg>
> 
> But on a serious note, it is surprising to see how much NetBIOS/CIFS
> traffic is requested, even in the presence of a current Kerberos
> ticket - that and RPC traffic to the DC's (like when you are in Outlook
> 2003, requesting a concurrent SQL connection under different creds,
> etc.)
> 
> It's quite interesting to correlate local NetMon dumps to the ISA
> logs-- I've been staring at them for the last several hours, and have
> discerned what I think is an "affinity" of ISA to not display logged
> traffic. For instance, if I make an integrated authentication
> connection to a SQL server after all connections have been closed, ISA
> logs the Kerberos traffic on reconnect (as does local NetMon.) However,
> if I disconnect and reconnect within a few seconds, I can see that the
> client's ticket is checked in NetMon, though ISA does not show the
> connection request to the DC as accepted and/or established. Kind of
> odd, but I have not fully explored why yet.
> 
> I'll keep on it, though I know I'll have more NetMon/ISA sex dreams
> tonight. Don't ask.
> 
> t
> 
> 
> ----- Original Message ----- 
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, November 29, 2005 10:10 PM
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
> 
> 
> > http://www.ISAserver.org
> >
> > Mos' definitely!
> >
> > For instance, I had an opportunity to answer the question of "why
> > does SCM work remotely against ISA when WMI calls don't?"
> >
> > The answer (via judicious use of NetMon) is that SCM uses NetBIOS
> > calls, and WMI uses DCOM.
> > NetBIOS can be handled easily by ISA policies, but DCOM can't.
> > Come to think of it, this is probably the main reason Raji can't
> > push-install the MOM agent.
> >
> > -----Original Message-----
> > From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> > Sent: Tuesday, November 29, 2005 9:26 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
> >
> > http://www.ISAserver.org
> >
> > Thor
> >
> > Let me jump on Tom's shoulders here and say, "what he said". I've
> > often thought of doing it in a larger, more fun environment, but never
> > had the real time or authority to be able to do it. It's definitely a
> > cool process and we do do it to some degree in smaller environments
> > where we are able to. Let me know if you need help with anything; as
> > Tom said, I'd be willing to jump on board if you hit a snag and
> > haven't got the skillz to finish something :p... or just want a
> > scenario tested...
> >
> > Greg Mulholland
> >
> > ________________________________
> >
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wed 30/11/2005 4:13 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
> >
> >
> >
> > http://www.ISAserver.org
> >
> > Hey Tim,
> >
> > This would be REALLY COOL. As far as I know, there's nothing like
> > this out there. I have a lot of articles covering specific scenarios,
> > but none of them include SQL or backup agents, because A. I don't
> > know squat about SQL and B. the heterogeneous backup agent
> > environment makes me avoidant because I know it'll generate requests
> > for all the other vendors.
> >
> > However, you're younger, smarter and stronger than me, so you might
> > be able to handle it -- or since your kids are still young, you're
> > better able to resist requests for MORE.
> >
> > I've often thought of doing the same thing with my network, which is
> > production full tilt for us. Four multihomed ISA firewalls serving
> > three Internet links, three domains, Exchange 2003 (no cluster),
> > SharePoint Portal Server, IIS sites, MOM, spam whackers, LCS, VoIP,
> > Windows Media Services, blah blah blah. Lots of whacky POC stuff that
> > I've never written about, but worked pretty neat, so I decided to
> > keep it. Maybe I'll like yours so much I'll show mine too :)
> >
> > So, count me in as thinking this is a great idea. You'll introduce a
> > ton of good stuff that's not out there yet! Let me know if you want
> > any help, comment, or whatever for this project. If it's too long for
> > the venues you usually publish in, you're welcome to put it up at
> > ISAserver.org and use as many words, graphics and whatever you want.
> > Maybe after that, I can suck you into becoming a regular author for
> > the site :-)))  We need a mensa kinda guy for the site, since we lost
> > ours to Microsoft LCA. :(
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Tuesday, November 29, 2005 10:58 PM
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] Minimum Protocol Rules by Service Type List
> >>
> >> http://www.ISAserver.org
> >>
> >> Yo.
> >>
> >> In staying true to the concepts of least privilege and security in
> >> depth, I have been testing the minimum allowed protocols required to
> >> support various client-server services.  The data I am collecting
> >> comes from bottom-up, step-by-step live protocol analysis-- this for
> >> two reasons: I've not seen a comprehensive list of "this is what you
> >> have to allow for X," and of the documentation I have seen, most of
> >> it includes catch-all protocol recommendations rather than the
> >> minimum rules necessary.
> >>
> >> The reason I bring this up is to get a consensus from the group on
> >> whether or not I should document my findings in such a way as to
> >> publish the results-- If something like this already exists, I don't
> >> want to re-invent the wheel.  If not, I should heavily document my
> >> findings in order to provide a comprehensive list.
> >>
> >> For instance- SQL authentication using "mixed mode authentication"
> >> simply requires a single "SQL Server TCP 1433 Outbound" from the
> >> client set to the individual server.  Integrated authentication via
> >> a standard library client (such as Query Analyzer) not only requires
> >> "SQL Server TCP 1433 Outbound" to the SQL host, but it also requires
> >> at least "Kerberos-Sec (UDP)" (UDP 88 Send Receive) and "LDAP (UDP)"
> >> (UDP 389 Send Receive) from the client to the domain controller set.
> >> More "robust" clients, such as MS Access using a SQL Library, require
> >> a full LDAP (TCP 389) connection from the client to the domain
> >> controller set.  While "LDAP (UDP)" may be forced, projects digitally
> >> signed with a certificate require the TCP connection based on my
> >> testing.  This is the type of data I'm considering collecting for
> >> publication.
> >>
> >> The primary reason I am doing this is because my network admin (John
> >> Wilson) and I have decided to rebuild our entire infrastructure in a
> >> *true* least privilege environment.  We will completely separate our
> >> entire server infrastructure from all clients with an *internal* ISA
> >> 2004 configured to only allow the minimum protocols through on a
> >> host-by-host, service-by-service, user-group by user-group basis.
> >> This will not be a test-- this will be in a total Microsoft
> >> production environment: clustered SQL servers, clustered Exchange
> >> servers, multiple domain controllers (group policy deployments,
> >> certificate services, etc), NAS devices, shared printers, web
> >> services, backup agents, custom application developments... the Full
> >> Monty.  I've never seen this done in a production environment (though
> >> I've heard many people postulate about it) so I'm kind of excited
> >> about all of this.
> >>
> >> So, the main question is: Does a resource like this already exist
> >> somewhere?  I figga that if anyone would know, it would be the folks
> >> on this list.
> >>
> >> t
> >>
> >>
> >> ------------------------------------------------------
> >> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server FAQ: 
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >> ------------------------------------------------------
> >> Visit TechGenix.com for more information about our other sites:
> >> http://www.techgenix.com
> >> ------------------------------------------------------
> >> You are currently subscribed to this ISAserver.org Discussion
> >> List as: tshinder@xxxxxxxxxxxxxxxxxx
> >> To unsubscribe visit
> >> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> Report abuse to listadmin@xxxxxxxxxxxxx
> >>
> >>
> >
> 
> 


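The minimum rule sets Thor lists for the three SQL scenarios, and the NetMon-versus-ISA-log comparison he describes, modelled as an added example (this is not code from the thread, from ISA Server or from NetMon). The host addresses, set names, scenario names and flow records are all constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # client/server set name after normalisation
    dst: str
    proto: str  # "tcp" or "udp"
    port: int

# Assumed host sets (constructed addresses), standing in for ISA computer sets.
HOST_SETS = {"10.1.1.50": "clients", "10.1.1.51": "clients",
             "10.2.0.10": "sqlsrv", "10.2.0.1": "dcs", "10.2.0.2": "dcs"}

# Minimum outbound rules per scenario, as the post reports them.
MIN_RULES = {
    "sql_mixed_mode": {Flow("clients", "sqlsrv", "tcp", 1433)},
    "sql_integrated_stdlib": {
        Flow("clients", "sqlsrv", "tcp", 1433),
        Flow("clients", "dcs", "udp", 88),    # Kerberos-Sec (UDP)
        Flow("clients", "dcs", "udp", 389),   # LDAP (UDP)
    },
}
MIN_RULES["sql_integrated_access"] = MIN_RULES["sql_integrated_stdlib"] | {
    Flow("clients", "dcs", "tcp", 389),       # full LDAP (TCP) for signed projects
}

def parse_flow(line):
    """Parse a constructed 'src_ip dst_ip proto port' record into a set-level Flow."""
    src, dst, proto, port = line.split()
    return Flow(HOST_SETS.get(src, src), HOST_SETS.get(dst, dst), proto.lower(), int(port))

def unexpected_flows(service, observed):
    """Wire-observed flows that the minimum rule set for `service` does not cover."""
    return sorted({f for f in observed if f not in MIN_RULES[service]}, key=str)

def unlogged_flows(observed, isa_log):
    """Flows seen on the wire but absent from the firewall log (the gap Thor noticed)."""
    return sorted(set(observed) - set(isa_log), key=str)

# Constructed samples: a NetMon-style capture and the matching ISA log lines.
NETMON = [parse_flow(l) for l in ("10.1.1.50 10.2.0.10 tcp 1433",
                                  "10.1.1.50 10.2.0.1 udp 88",
                                  "10.1.1.50 10.2.0.1 udp 389",
                                  "10.1.1.50 10.2.0.1 tcp 445")]
ISA_LOG = [parse_flow(l) for l in ("10.1.1.50 10.2.0.10 tcp 1433",
                                   "10.1.1.50 10.2.0.1 udp 389",
                                   "10.1.1.50 10.2.0.1 tcp 445")]

if __name__ == "__main__":
    print("outside minimum set:", unexpected_flows("sql_integrated_stdlib", NETMON))
    print("on wire, not in ISA log:", unlogged_flows(NETMON, ISA_LOG))
```

Running it reports the CIFS flow as outside the integrated-auth minimum set and the Kerberos UDP 88 flow as seen on the wire but missing from the log sample.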