RE: Minimum Protocol Rules by Service Type List

  • From: "JosephK" <josephk@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 1 Dec 2005 01:18:54 -0800

Well, I have data tables already created to handle applications, vendors, various configurations for core application installs, NetBIOS codes, startup apps and all that good stuff. Just have to figure out when I'll have time now that I work up north for Jim's boss.

Joseph

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Wednesday, November 30, 2005 8:43 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

http://www.ISAserver.org

I still need to figure out how to properly archive this data-- I don't think the standard Word doc is going to cut it-- it may, though. I'm thinking something more like a database where you can pull up a product/service and see all the different types of configurations supported, each with its own protocol listing. For instance, regarding SQL, I haven't even gotten to the MultiProtocol or Named Pipes libraries...

I'll handle all the standard Microsoft stuff... If anyone wants to tackle other stuff (like Cisco VPN, etc.) that's cool.

t


-----
"And yet, even if one person finds his way... that means
there is a Way.  Even if I personally fail to reach it."

Mr. Nobusuke Tagomi
Top Place, Ranking Imperial Trade Mission
Pacific States of America
----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 30, 2005 7:12 AM
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List


http://www.ISAserver.org

I figured you were about 35. So that makes you about 50 years younger than me.

It would be fantastic to get this kind of contribution on ISAserver.org and we would be forever in your debt for it. I might have to send you a case of Sambuca or something like that, or maybe I'll send that to Jim and send you the Cisco and Night Train.

If you're gonna do this in Word docs, just use the Normal template using the Normal View and paste the screen shots into the Word doc directly. I've got a method to batch convert all the embedded graphics so no problem there.

Let me know if there's any non-SQL POC stuff you want me to test out :)

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**



> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Tuesday, November 29, 2005 11:40 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
> http://www.ISAserver.org
>
> Heh... I'm younger anyway-- and not by much ;)
>
> Cool then... I'll make sure to not only document in a verbose manner, but to test each service in isolation (meaning, I won't test Exchange RPC requirements while having the SQL Authentication rules in place.)
>
> Yours, of course, would be the venue to publish-- you have established your site as the standard for ISA information-- no reason to work outside of that. Even if there was a reason, I still wouldn't do it ;)
>
> [pulling in Greg's post]
>
> Thanks dude-- this could get complex quickly, so I may need some help. I think a db-based "solutions bank" would make sense-- a main heading of the service, with sub-categories of access type (NTLM, Kerberos, Basic, etc.) and stuff like that. This will be fun.
>
> So, I'm on it... Most of this will come from the actual deployment, which will be in the next couple of weeks after we rebuild our DMZ this coming weekend.
>
> Thanks guys. (And any nurturing females on the list)
>
> t
>
> -----
> "And yet, even if one person finds his way... that means
> there is a Way.  Even if I personally fail to reach it."
> Mr. Nobusuke Tagomi - Top Place, Ranking Imperial Trade
> Mission - Pacific
> States of America
>
>
>
>
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, November 29, 2005 9:13 PM
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
>
> http://www.ISAserver.org
>
> Hey Tim,
>
> This would be REALLY COOL. As far as I know, there's nothing like this out there. I have a lot of articles covering specific scenarios, but none of them include SQL or backup agents, because A. I don't know squat about SQL and B. the heterogeneous backup agent environment makes me avoidant because I know it'll generate requests for all the other vendors.
>
> However, you're younger, smarter and stronger than me, so you might be able to handle it -- or since your kids are still young, you're better able to resist requests for MORE.
>
> I've often thought of doing the same thing with my network, which is production full tilt for us. Four multihomed ISA firewalls serving three Internet links, three domains, Exchange 2003 (no cluster), SharePoint Portal Server, IIS sites, MOM, spam whackers, LCS, VoIP, Windows Media Services, blah blah blah. Lots of whacky POC stuff that I've never written about, but worked pretty neat, so I decided to keep it. Maybe I'll like yours so much I'll show mine too :)
>
> So, count me in as thinking this is a great idea. You'll introduce a ton of good stuff that's not out there yet! Let me know if you want any help, comment, or whatever for this project. If it's too long for the venues you usually publish in, you're welcome to put it up at ISAserver.org and use as many words, graphics and whatever you want. Maybe after that, I can suck you into becoming a regular author for the site :-))) We need a mensa kinda guy for the site, since we lost ours to Microsoft LCA. :(
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Tuesday, November 29, 2005 10:58 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Minimum Protocol Rules by Service Type List
> >
> > http://www.ISAserver.org
> >
> > Yo.
> >
> > In staying true to the concepts of least privilege and security in depth, I have been testing the minimum allowed protocols required to support various client-server services. The data I am collecting comes from bottom-up, step-by-step live protocol analysis-- this for two reasons: I've not seen a comprehensive list of "this is what you have to allow for X," and of the documentation I have seen, most of it includes catch-all protocol recommendations rather than the minimum rules necessary.
> >
> > The reason I bring this up is to get a consensus from the group on whether or not I should document my findings in such a way as to publish the results-- If something like this already exists, I don't want to re-invent the wheel. If not, I should heavily document my findings in order to provide a comprehensive list.
> >
> > For instance- SQL authentication using "mixed mode authentication" simply requires a single "SQL Server TCP 1433 Outbound" from the client set to the individual server. Integrated authentication via a standard library client (such as Query Analyzer) not only requires "SQL Server TCP 1433 Outbound" to the SQL host, but it also requires at least "Kerberos-Sec (UDP)" (UDP 88 Send Receive) and "LDAP (UDP)" (UDP 389 Send Receive) from the client to the domain controller set. More "robust" clients, such as MS Access using a SQL Library require a full LDAP (TCP 389) connection from the client to the domain controller set. While "LDAP (UDP)" may be forced, projects digitally signed with a certificate require the TCP connection based on my testing. This is the type of data I'm considering collecting for publication.
> >
> > The primary reason I am doing this is because my network admin (John Wilson) and I have decided to rebuild our entire infrastructure in a *true* least privilege environment. We will completely separate our entire server infrastructure from all clients with an *internal* ISA 2004 configured to only allow the minimum protocols through on a host-by-host, service-by-service, user-group by user-group basis. This will not be a test-- this will be in a total Microsoft production environment: clustered SQL servers, clustered Exchange servers, multiple domain controllers (group policy deployments, certificate services, etc.) NAS devices, shared printers, web services, backup agents, custom application developments... the Full Monty. I've never seen this done in a production environment (though I've heard many people postulate about it) so I'm kind of excited about all of this.
> >
> > So, the main question is: Does a resource like this already exist somewhere? I figga that if anyone would know, it would be the folks on this list.
> >
> > t
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
>
>
>
>
>
>




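The SQL scenarios in Thor's original post (mixed mode needs only TCP 1433 to the SQL host; integrated authentication through Query Analyzer adds Kerberos UDP 88 and LDAP UDP 389 to the domain controller set; MS Access with a signed project needs LDAP over TCP 389 instead) are a good illustration of why each service has to be tested in isolation and recorded as an explicit rule set. The script below is an added example written for this page, not code from the thread or from ISA Server: the flow records are constructed by hand to mirror the three scenarios as described, and the rule model is a deliberately simplified stand-in for ISA 2004 access rules (source computer set, destination computer set, protocol definition, default deny). It derives the minimum rule set from observed flows and then shows which flows of a neighbouring scenario a given rule set would drop, which is exactly the mistake you make if you test Access while the Query Analyzer rules are still in place. The computer-set names "clients", "sqlsrv" and "dcs" and the label "LDAP (TCP)" are my own; the other protocol names are the ones used in the post.

```python
"""Minimum-protocol rule sets derived from observed flows (added example).

Flow records and names are constructed for illustration; the Rule model is
a simplified stand-in for ISA 2004 access rules, not ISA's real object model.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# (proto, dport) -> protocol-definition name. The first three labels are the
# ones quoted in the original post; "LDAP (TCP)" is this example's own label.
PROTOCOL_NAMES: Dict[Tuple[str, int], str] = {
    ("tcp", 1433): "SQL Server TCP 1433 Outbound",
    ("udp", 88): "Kerberos-Sec (UDP)",
    ("udp", 389): "LDAP (UDP)",
    ("tcp", 389): "LDAP (TCP)",
}


@dataclass(frozen=True)
class Flow:
    """One distinct client-to-server flow seen in a protocol analysis."""
    src: str    # source computer set, e.g. "clients"
    dst: str    # destination computer set, e.g. "sqlsrv" or "dcs"
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    """A single allow rule: exactly one protocol from one set to one set."""
    protocol: str
    src: str
    dst: str
    proto: str
    dport: int

    def allows(self, f: Flow) -> bool:
        return (f.src, f.dst, f.proto, f.dport) == (
            self.src, self.dst, self.proto, self.dport)


# Constructed "observed traffic" per scenario, one tuple per distinct flow,
# standing in for what a live capture of each scenario in isolation shows.
OBSERVED: Dict[str, List[Flow]] = {
    "sql_mixed_mode": [
        Flow("clients", "sqlsrv", "tcp", 1433),
    ],
    "sql_integrated_query_analyzer": [
        Flow("clients", "sqlsrv", "tcp", 1433),
        Flow("clients", "dcs", "udp", 88),
        Flow("clients", "dcs", "udp", 389),
    ],
    "sql_integrated_access_signed_project": [
        Flow("clients", "sqlsrv", "tcp", 1433),
        Flow("clients", "dcs", "udp", 88),
        Flow("clients", "dcs", "tcp", 389),
    ],
}


def minimum_rules(flows: Iterable[Flow]) -> List[Rule]:
    """One allow rule per distinct (src, dst, proto, dport), in first-seen order.

    Nothing else is allowed: the rule base ends in an implicit deny, as in ISA.
    """
    rules: Dict[Tuple[str, str, str, int], Rule] = {}
    for f in flows:
        key = (f.src, f.dst, f.proto, f.dport)
        if key not in rules:
            name = PROTOCOL_NAMES.get((f.proto, f.dport),
                                      f"{f.proto.upper()} {f.dport}")
            rules[key] = Rule(name, *key)
    return list(rules.values())


def denied(rules: Iterable[Rule], flows: Iterable[Flow]) -> List[Flow]:
    """Flows that no rule in the set allows (what the default-deny rule drops)."""
    rule_list = list(rules)
    return [f for f in flows if not any(r.allows(f) for r in rule_list)]


def policy_for(scenario: str) -> List[Rule]:
    """Minimum rule set for one scenario, derived from its isolated capture."""
    return minimum_rules(OBSERVED[scenario])


if __name__ == "__main__":
    qa_rules = policy_for("sql_integrated_query_analyzer")
    print("Rules for Query Analyzer, integrated auth:")
    for r in qa_rules:
        print(f"  allow {r.protocol:30} {r.src} -> {r.dst}")
    # Reusing those rules for the Access scenario drops its LDAP TCP 389 flow.
    for f in denied(qa_rules, OBSERVED["sql_integrated_access_signed_project"]):
        print(f"  DENIED under QA rules: {f.proto}/{f.dport} {f.src} -> {f.dst}")
```

The takeaway is the one the post makes: a rule set captured for one client library is not a superset of the next one's needs, so the rules for each service and access type belong in their own record, derived from their own isolated capture.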




Other related posts: