Network Security Firewalls

Re: ISA + Iptables

Subject: Re: ISA + Iptables
Date: Wed, 16 Mar 2005 23:32:26 +0100
Greetings!

On Tue, 15 Mar 2005 17:49:43 -0300
Pablo Gietz <pablo.gietz@nuevobersa.com.ar> wrote:

I need to configure an internal firewall with Iptables to filter
traffic to an ISA server acting as a proxy and authentication server
with AD. Which ports do I have to open to permit proxy and auth?
 
Internet <-> pix <->  ISA <-> iptables <-> internal network


You'll need unproxied tcp/80 (plain tcp, *not* HTTP) between ISA and all
clients. MS invented its own HTTPish version of the protocol using
tcp/80 for NTLM authentication. So replacing the IPTABLES with a Pix and
switching the fixups is a bad idea if you want the MS authentication...

Depending on your ISA version you might need to open additional ports
between ISA and the AD server(s), and maybe to all clients too.

Candidates are the NetBIOS (tcp/udp 137-139) and/or SMB stuff (tcp/445)
plus full MS-RPCs between ISA and DC if the ISA is supposed to run on a
backup DC (though I am not sure whether this applies with all ISAs). I am
not sure whether current versions can be restricted to use LDAP, though.

So I'd suggest starting with tcp/80 only and running a tight log to get a
grip on which additions you need - if you're using a system not yet in
production. If you need to replace a running config, start with
everything above open and tighten security slowly.

Maybe you can give a brief writeup if you managed to strip the list down
to minimum requirements?

Thanks

Volker

-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
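As an added example (not part of Volker's reply or anything posted on the list), the two stages he describes expressed as iptables rules, plus the "tight log" review step. The script emits an iptables-restore ruleset rather than loading it, so it can be inspected offline; all addresses are placeholders for the diagram above, and the kernel log lines at the bottom are constructed, not captured from a real firewall. Stage one forwards only the unproxied tcp/80 path from clients to ISA and logs every other dropped packet; stage two adds the NetBIOS and SMB candidates between ISA and the DC. `summarize_drops` then turns the LOG output into a per-flow count so you can see which additions the ISA actually asked for.

```sh
#!/bin/sh
# Added example, not from the thread. Placeholder addresses for
# "Internet <-> pix <-> ISA <-> iptables <-> internal network":
ISA_IP="${ISA_IP:-192.0.2.10}"           # ISA server, outer side of the iptables box
DC_IP="${DC_IP:-10.0.0.5}"               # AD domain controller, internal network
CLIENT_NET="${CLIENT_NET:-10.0.0.0/24}"  # internal clients

# Emit an iptables-restore ruleset for the FORWARD path through the box.
# Without an argument: tcp/80 from clients to ISA only (the "start here"
# config for a system not yet in production). With "with-ms-candidates":
# additionally the NetBIOS and SMB ports between ISA and the DC.
# Load with:  build_ruleset | iptables-restore   (not run in this demo)
build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies to permitted connections come back through conntrack.
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Unproxied tcp/80 from every client to ISA (NTLM auth rides on it).
    echo "-A FORWARD -s $CLIENT_NET -d $ISA_IP -p tcp --dport 80 -j ACCEPT"
    if [ "$1" = "with-ms-candidates" ]; then
        # NetBIOS name/datagram/session services and SMB, ISA -> DC.
        # MS-RPC uses dynamically assigned ports and cannot be written as a
        # static rule here; leave it out until the log shows it is needed.
        echo "-A FORWARD -s $ISA_IP -d $DC_IP -p udp --dport 137:139 -j ACCEPT"
        echo "-A FORWARD -s $ISA_IP -d $DC_IP -p tcp --dport 137:139 -j ACCEPT"
        echo "-A FORWARD -s $ISA_IP -d $DC_IP -p tcp --dport 445 -j ACCEPT"
    fi
    # The "tight log": rate-limited LOG of everything else, then DROP.
    echo '-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: " --log-level 4'
    echo '-A FORWARD -j DROP'
    echo 'COMMIT'
}

# Constructed sample of what the LOG target writes to the kernel log
# (same field layout as real netfilter LOG output; values are made up).
SAMPLE_LOG='Mar 16 23:10:01 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1234 DF PROTO=TCP SPT=1045 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 16 23:10:02 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1235 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 16 23:10:04 fw kernel: eth0: link up, 100Mbps, full-duplex
Mar 16 23:10:05 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1236 DF PROTO=TCP SPT=1099 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 16 23:10:07 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1237 DF PROTO=TCP SPT=1046 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0'

# Read kernel log lines on stdin and print one line per dropped flow:
# "<count> <proto> <src> <dst> <dport>", most frequent first. Each line
# is a candidate rule to add (or a client misconfiguration to fix).
summarize_drops() {
    grep 'FW-DROP:' | awk '{
        src = ""; dst = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (proto != "") count[proto " " src " " dst " " dpt]++;
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Demo when invoked as "sh thisfile.sh demo": stage-one ruleset, then the
# drop summary for the constructed log. On a real box you would feed
# summarize_drops from dmesg or the kernel log file instead.
if [ "${1:-}" = "demo" ]; then
    build_ruleset
    echo
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
fi
```

Reading the summary for the constructed log: the client at 10.0.0.23 tried tcp/445 towards ISA twice, and ISA itself tried NetBIOS and SMB towards the DC once each. The second pair are exactly Volker's "candidates" and argue for the `with-ms-candidates` ruleset; the first is a client talking SMB to the proxy, which the tcp/80-only policy is right to drop.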

