RE: Minimum Protocol Rules by Service Type List

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 30 Nov 2005 07:06:11 -0800

But of course...
That's like telling your 2-yr-old not to touch the stove - they just
gotta do it...
:-)

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Tuesday, November 29, 2005 10:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List

http://www.ISAserver.org

You know I'm going to check it anyway, right?  :)


----- Original Message ----- 
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 29, 2005 10:11 PM
Subject: [isalist] RE: Minimum Protocol Rules by Service Type List


>
> BTW, don't bother trying to check FWC authentication for SMB traffic.
> The MS Client service doesn't use Winsock, so the FWC never sees the
> traffic.
>
> We discovered this from a customer query...
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Tuesday, November 29, 2005 9:40 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
>
> Heh... I'm younger anyway-- and not by much ;)
>
> Cool then... I'll make sure to not only document in a verbose manner,
> but to test each service in isolation (meaning, I won't test Exchange
> RPC requirements while having the SQL Authentication rules in place.)
>
> Yours, of course, would be the venue to publish-- you have established
> your site as the standard for ISA information-- no reason to work
> outside of that.  Even if there was a reason, I still wouldn't do it ;)
>
> [pulling in Greg's post]
>
> Thanks dude-- this could get complex quickly, so I may need some help.
> I think a db-based "solutions bank" would make sense-- a main heading
> of the service, with sub-categories of access type (NTLM, Kerberos,
> Basic, etc) and stuff like that.  This will be fun.
>
> So, I'm on it... Most of this will come from the actual deployment,
> which will be in the next couple of weeks after we rebuild our DMZ this
> coming weekend.
>
> Thanks guys. (And any nurturing females on the list)
>
> t
>
> -----
> "And yet, even if one person finds his way... that means
> there is a Way.  Even if I personally fail to reach it."
> Mr. Nobusuke Tagomi - Top Place, Ranking Imperial Trade Mission -
> Pacific States of America
>
>
>
>
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, November 29, 2005 9:13 PM
> Subject: [isalist] RE: Minimum Protocol Rules by Service Type List
>
>
>
> Hey Tim,
>
> This would be REALLY COOL. As far as I know, there's nothing like this
> out there. I have a lot of articles covering specific scenarios, but
> none of them include SQL or backup agents, because A. I don't know
> squat about SQL and B. the heterogeneous backup agent environment makes
> me avoidant because I know it'll generate requests for all the other
> vendors.
>
> However, you're younger, smarter and stronger than me, so you might be
> able to handle it -- or since your kids are still young, you're better
> able to resist requests for MORE.
>
> I've often thought of doing the same thing with my network, which is
> production full tilt for us. Four multihomed ISA firewalls serving
> three Internet links, three domains, Exchange 2003 (no cluster),
> SharePoint Portal Server, IIS sites, MOM, spam whackers, LCS, VoIP,
> Windows Media Services, blah blah blah. Lots of whacky POC stuff that
> I've never written about, but worked pretty neat, so I decided to keep
> it. Maybe I'll like yours so much I'll show mine too :)
>
> So, count me in as thinking this is a great idea. You'll introduce a
> ton of good stuff that's not out there yet! Let me know if you want any
> help, comment, or whatever for this project. If it's too long for the
> venues you usually publish in, you're welcome to put it up at
> ISAserver.org and use as many words, graphics and whatever you want.
> Maybe after that, I can suck you into becoming a regular author for the
> site :-)))  We need a mensa kinda guy for the site, since we lost ours
> to Microsoft LCA. :(
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Tuesday, November 29, 2005 10:58 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] Minimum Protocol Rules by Service Type List
>>
>>
>> Yo.
>>
>> In staying true to the concepts of least privilege and security in
>> depth, I have been testing the minimum allowed protocols required to
>> support various client-server services.  The data I am collecting
>> comes from bottom-up, step-by-step live protocol analysis-- this for
>> two reasons: I've not seen a comprehensive list of "this is what you
>> have to allow for X," and of the documentation I have seen, most of it
>> includes catch-all protocol recommendations rather than the minimum
>> rules necessary.
>>
>> The reason I bring this up is to get a consensus from the group on
>> whether or not I should document my findings in such a way as to
>> publish the results-- If something like this already exists, I don't
>> want to re-invent the wheel.  If not, I should heavily document my
>> findings in order to provide a comprehensive list.
>>
>> For instance- SQL authentication using "mixed mode authentication"
>> simply requires a single "SQL Server TCP 1433 Outbound" from the
>> client set to the individual server.  Integrated authentication via a
>> standard library client (such as Query Analyzer) not only requires
>> "SQL Server TCP 1433 Outbound" to the SQL host, but it also requires
>> at least "Kerberos-Sec (UDP)" (UDP 88 Send Receive) and "LDAP (UDP)"
>> (UDP 389 Send Receive) from the client to the domain controller set.
>> More "robust" clients, such as MS Access using a SQL Library, require
>> a full LDAP (TCP 389) connection from the client to the domain
>> controller set.  While "LDAP (UDP)" may be forced, projects digitally
>> signed with a certificate require the TCP connection based on my
>> testing.  This is the type of data I'm considering collecting for
>> publication.
>>
>> The primary reason I am doing this is because my network admin (John
>> Wilson) and I have decided to rebuild our entire infrastructure in a
>> *true* least privilege environment.  We will completely separate our
>> entire server infrastructure from all clients with an *internal* ISA
>> 2004 configured to only allow the minimum protocols through on a
>> host-by-host, service-by-service, user-group by user-group basis.
>> This will not be a test-- this will be in a total Microsoft production
>> environment: clustered SQL servers, clustered Exchange servers,
>> multiple domain controllers (group policy deployments, certificate
>> services, etc), NAS devices, shared printers, web services, backup
>> agents, custom application developments... the Full Monty.  I've never
>> seen this done in a production environment (though I've heard many
>> people postulate about it) so I'm kind of excited about all of this.
>>
>> So, the main question is: Does a resource like this already exist
>> somewhere?  I figga that if anyone would know, it would be the folks
>> on this list.
>>
>> t
>>
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion
>> List as: tshinder@xxxxxxxxxxxxxxxxxx
>> To unsubscribe visit
>> http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx
>>
>>
>
> All mail to and from this domain is GFI-scanned.
>
>


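As an added example, not code from anyone in this thread: a small Python model of the db-based "solutions bank" Thor proposes, loaded with the SQL Server rule sets from his original post, plus an audit that reports which rules a deployed ISA policy is missing, which it allows beyond the minimum, and which are catch-alls standing in for a minimum rule. The computer-set names (clients, sqlhost, dcs), the reading that the MS Access case adds TCP 389 on top of the integrated set, and the omission of ISA's direction attribute are this example's own assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One ISA-style access rule: protocol, port range, source set, destination set.
    Direction (Outbound / Send Receive) is left out of this model."""
    proto: str   # "TCP" or "UDP"
    lo: int      # first port of the range
    hi: int      # last port of the range (== lo for a single port)
    src: str     # source computer set; "any" is a catch-all
    dst: str     # destination computer set; "any" is a catch-all

    def covers(self, other):
        """True if this rule permits everything `other` permits."""
        return (self.proto == other.proto and self.lo <= other.lo <= other.hi <= self.hi
                and self.src in ("any", other.src) and self.dst in ("any", other.dst))

def port(proto, p, src, dst):
    return Rule(proto, p, p, src, dst)

# Constructed "solutions bank": (service, access type) -> minimum rule set.
# Entries follow the thread's SQL Server findings; the set names are assumed.
SOLUTIONS_BANK = {
    ("SQL Server", "mixed"): frozenset({port("TCP", 1433, "clients", "sqlhost")}),
    ("SQL Server", "integrated"): frozenset({
        port("TCP", 1433, "clients", "sqlhost"),
        port("UDP", 88, "clients", "dcs"),    # Kerberos-Sec (UDP)
        port("UDP", 389, "clients", "dcs"),   # LDAP (UDP)
    }),
    ("SQL Server", "integrated-msaccess"): frozenset({  # assumed: integrated + TCP 389
        port("TCP", 1433, "clients", "sqlhost"),
        port("UDP", 88, "clients", "dcs"),
        port("UDP", 389, "clients", "dcs"),
        port("TCP", 389, "clients", "dcs"),   # full LDAP (TCP)
    }),
}

def audit(policy, service, access):
    """Compare a deployed rule set against the documented minimum.
    Returns (missing, excess, overbroad): required rules nothing in the policy
    covers, policy rules that cover nothing required, and policy rules that cover
    a required rule but permit more than it (a catch-all in place of a minimum)."""
    need = SOLUTIONS_BANK[(service, access)]
    missing = {r for r in need if not any(p.covers(r) for p in policy)}
    excess = {p for p in policy if not any(p.covers(r) for r in need)}
    overbroad = {p for p in policy if any(p.covers(r) and p != r for r in need)}
    return missing, excess, overbroad
```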