RE: Minimum Protocol Rules by Service Type List

  • From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 30 Nov 2005 18:40:18 +1100

Disturbing!

Greg Mulholland

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Wednesday, November 30, 2005 5:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

http://www.ISAserver.org

That's odd... I push-installed *your* MOM agent without any problems.
<bfg>

But on a serious note, it is surprising to see how much NetBIOS/CIFS traffic
is requested, even in the presence of a current Kerberos ticket - that and
RPC traffic to the DCs (like when you are in Outlook 2003, requesting a
concurrent SQL connection under different creds, etc.)

It's quite interesting to correlate local NetMon dumps to the ISA logs--
I've been staring at them for the last several hours, and have discerned
what I think is an "affinity" of ISA to not display logged traffic.  For
instance, if I make an integrated authentication connection to a SQL server
after all connections have been closed, ISA logs the Kerberos traffic on
reconnect (as does local NetMon.)  However, if I disconnect and reconnect
within a few seconds, I can see that the client's ticket is checked in
NetMon, though ISA does not show the connection request to the DC as
accepted and/or established.  Kind of odd, but I have not fully explored why
yet.

I'll keep on it, though I know I'll have more NetMon/ISA sex dreams tonight.
Don't ask.

t


----- Original Message ----- 
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 29, 2005 10:10 PM
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List


> http://www.ISAserver.org
>
> Mos' definitely!
>
> For instance, I had an opportunity to answer the question of "why does
> SCM work remotely against ISA when WMI calls don't?"
>
> The answer (via judicious use of NetMon) is that SCM uses NetBIOS calls,
> and WMI uses DCOM.
> NetBIOS can be handled easily by ISA policies, but DCOM can't.
> Come to think of it, this is probably the main reason Raji can't
> push-install the MOM agent.
>
> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Tuesday, November 29, 2005 9:26 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
> http://www.ISAserver.org
>
> Thor
>
> Let me jump on Tom's shoulders here and say, "what he said". I've often
> thought of doing it in a larger, more funner environment, but never had
> the real time or authority to be able to do it. It's definitely a cool
> process and we do do it to some degree in smaller environments where we
> are able to. Let me know if you need help for anything; as Tom said, I'd
> be willing to jump on board if you hit a snag and haven't got the skillz
> to finish something :p... or just want a scenario tested...
>
> Greg Mulholland
>
> ________________________________
>
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wed 30/11/2005 4:13 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
>
>
> http://www.ISAserver.org
>
> Hey Tim,
>
> This would be REALLY COOL. As far as I know, there's nothing like this
> out there. I have a lot of articles covering specific scenarios, but none
> of them include SQL or backup agents, because A. I don't know squat
> about SQL and B. the heterogeneous backup agent environment makes me
> avoidant because I know it'll generate requests for all the other
> vendors.
>
> However, you're younger, smarter and stronger than me, so you might be
> able to handle it -- or since your kids are still young, you're better
> able to resist requests for MORE.
>
> I've often thought of doing the same thing with my network, which is
> production full tilt for us. Four multihomed ISA firewalls serving
> three Internet links, three domains, Exchange 2003 (no cluster),
> SharePoint Portal Server, IIS sites, MOM, spam whackers, LCS, VoIP,
> Windows Media Services, blah blah blah. Lots of whacky POC stuff that
> I've never written about, but worked pretty neat, so I decided to keep
> it. Maybe I'll like yours so much I'll show mine too :)
>
> So, count me in as thinking this is a great idea. You'll introduce a ton
> of good stuff that's not out there yet! Let me know if you want any help,
> comment, or whatever for this project. If it's too long for the venues
> you usually publish in, you're welcome to put it up at ISAserver.org and
> use as many words, graphics and whatever you want. Maybe after that, I
> can suck you into becoming a regular author for the site :-)))  We need
> a mensa kinda guy for the site, since we lost ours to Microsoft LCA. :(
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Tuesday, November 29, 2005 10:58 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] Minimum Protocol Rules by Service Type List
>>
>> http://www.ISAserver.org
>>
>> Yo.
>>
>> In staying true to the concepts of least privilege and security in depth, I
>> have been testing the minimum allowed protocols required to support various
>> client-server services.  The data I am collecting comes from bottom-up,
>> step-by-step live protocol analysis-- this for two reasons: I've not seen a
>> comprehensive list of "this is what you have to allow for X," and of the
>> documentation I have seen, most of it includes catch-all protocol
>> recommendations rather than the minimum rules necessary.
>>
>> The reason I bring this up is to get a consensus from the group on whether
>> or not I should document my findings in such a way as to publish the
>> results-- If something like this already exists, I don't want to re-invent
>> the wheel.  If not, I should heavily document my findings in order to
>> provide a comprehensive list.
>>
>> For instance- SQL authentication using "mixed mode authentication" simply
>> requires a single "SQL Server TCP 1433 Outbound" from the client set to the
>> individual server.  Integrated authentication via a standard library client
>> (such as Query Analyzer) not only requires "SQL Server TCP 1433 Outbound" to
>> the SQL host, but it also requires at least "Kerberos-Sec (UDP)" (UDP 88
>> Send Receive) and "LDAP (UDP)" (UDP 389 Send Receive) from the client to the
>> domain controller set.  More "robust" clients, such as MS Access using a SQL
>> Library, require a full LDAP (TCP 389) connection from the client to the
>> domain controller set.  While "LDAP (UDP)" may be forced, projects digitally
>> signed with a certificate require the TCP connection based on my testing.
>> This is the type of data I'm considering collecting for publication.
>>
>> The primary reason I am doing this is because my network admin (John Wilson)
>> and I have decided to rebuild our entire infrastructure in a *true* least
>> privilege environment.  We will completely separate our entire server
>> infrastructure from all clients with an *internal* ISA 2004 configured to
>> only allow the minimum protocols through on a host-by-host,
>> service-by-service, user-group by user-group basis.  This will not be a
>> test-- this will be in a total Microsoft production environment: clustered
>> SQL servers, clustered Exchange servers, multiple domain controllers (group
>> policy deployments, certificate services, etc) NAS devices, shared printers,
>> web services, backup agents, custom application developments... the Full
>> Monty.  I've never seen this done in a production environment (though I've
>> heard many people postulate about it) so I'm kind of excited about all of
>> this.
>>
>> So, the main question is: Does a resource like this already exist somewhere?
>> I figga that if anyone would know, it would be the folks on this list.
>>
>> t
>>
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion
>> List as: tshinder@xxxxxxxxxxxxxxxxxx
>> To unsubscribe visit
>> http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx
>>
>>
>
> All mail to and from this domain is GFI-scanned.
>
>


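An added example, not code from the thread or from ISA Server, that turns the minimum-protocol matrix Thor describes into a checker. It carries the documented rule sets for the three SQL scenarios he lists, reduces a NetMon-style capture of a working session to (protocol, port, destination set) tuples (the bottom-up step he describes), and reports what the capture shows beyond the documented minimum and what a given policy would deny. Host names, the host sets and the sample capture are constructed; the TCP 445 CIFS flow in it is a stand-in for the NetBIOS/CIFS traffic he says he sees even with a current Kerberos ticket; and treating the MS Access case as the Query Analyzer set plus TCP LDAP is an assumption.

```python
"""Minimum-protocol rule matrix and a capture-to-rules checker.

Added example, not the thread's or ISA Server's own code. Scenario rule
sets follow the protocols stated in the thread; hosts, host sets and the
sample capture are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # "TCP" or "UDP"
    port: int       # destination port
    dst_set: str    # logical destination set (stand-in for an ISA computer set)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Named protocol definitions as used in the thread.
SQL_TCP = Rule("SQL Server TCP 1433 Outbound", "TCP", 1433, "sql-servers")
KRB_UDP = Rule("Kerberos-Sec (UDP)", "UDP", 88, "domain-controllers")
LDAP_UDP = Rule("LDAP (UDP)", "UDP", 389, "domain-controllers")
LDAP_TCP = Rule("LDAP (TCP)", "TCP", 389, "domain-controllers")

# Scenario -> documented minimum rule set.
SCENARIOS = {
    "sql-mixed-mode": frozenset({SQL_TCP}),
    "sql-integrated-query-analyzer": frozenset({SQL_TCP, KRB_UDP, LDAP_UDP}),
    # Assumption: MS Access needs the Query Analyzer set plus full TCP LDAP.
    "sql-integrated-ms-access": frozenset({SQL_TCP, KRB_UDP, LDAP_UDP, LDAP_TCP}),
}

# Constructed host sets.
HOST_SETS = {
    "sql-servers": {"sql01", "sql02"},
    "domain-controllers": {"dc01", "dc02"},
}


def classify_dst(host, host_sets=HOST_SETS):
    """Map a destination host to its logical set; None if it is in no set."""
    for set_name, members in host_sets.items():
        if host in members:
            return set_name
    return None


def is_allowed(flow, rules, host_sets=HOST_SETS):
    """True if at least one rule in the set permits this flow."""
    dst_set = classify_dst(flow.dst, host_sets)
    return any(r.proto == flow.proto and r.port == flow.dport and r.dst_set == dst_set
               for r in rules)


def denied_flows(flows, scenario):
    """Flows that the documented minimum for `scenario` would block."""
    return [f for f in flows if not is_allowed(f, SCENARIOS[scenario])]


def rules_from_capture(flows, host_sets=HOST_SETS):
    """Bottom-up step: reduce an observed working session to rule tuples."""
    return {(f.proto, f.dport, classify_dst(f.dst, host_sets)) for f in flows}


def compare_capture(flows, scenario, host_sets=HOST_SETS):
    """Return (observed but undocumented, documented but unobserved) tuples."""
    observed = rules_from_capture(flows, host_sets)
    documented = {(r.proto, r.port, r.dst_set) for r in SCENARIOS[scenario]}
    return observed - documented, documented - observed


# Constructed capture of an integrated-auth Query Analyzer session. The
# TCP 445 flow stands in for the surprise NetBIOS/CIFS traffic to the DC.
SAMPLE_CAPTURE = [
    Flow("ws01", "dc01", "UDP", 88),
    Flow("ws01", "dc01", "UDP", 389),
    Flow("ws01", "sql01", "TCP", 1433),
    Flow("ws01", "dc01", "TCP", 445),
]

if __name__ == "__main__":
    extra, missing = compare_capture(SAMPLE_CAPTURE, "sql-integrated-query-analyzer")
    print("observed but not in documented minimum:", extra)
    print("documented but not observed:", missing)
    print("mixed-mode policy would deny:", denied_flows(SAMPLE_CAPTURE, "sql-mixed-mode"))
```

A surplus entry from compare_capture is a prompt to go back to NetMon and confirm the traffic is actually needed by the service (and whether ISA logged it at all), not a reason to add a catch-all rule; the documented minimum only grows when the capture proves the dependency.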