Jeff S. et al:

> Boy this is a whole different issue than I saw on yesterday's post. If I am now reading this correctly there is a setup routine that is executing in the CA install early enough in the process that it is not SSL aware. From your experience it is running once and only once, per system?

Yes -- It appears to hit 8476 only once and stores the IP Address and version number in the registry. If the version number is already there, then it doesn't touch 8476.

> So my first question would be, are you comfortable enough with the Daemon handling this initialization request that you would allow it to accept connections if the port is secure or even unsecure? What's in the conversation anyway? The user's actual password, or a dummy user that is only usable for CA installation, with very limited access, or is it in the form of a system management MIB just exchanging only some connectivity data?

I'm not sure without a trace. HOWEVER --> I need to assure the client that all user identifiers and passwords are encrypted. Here's a supporting argument why...

(1 -- I logged all denied access attempts with NETBEUI ports and HTTP port 80.
2 -- Turns out I am getting about 5 attempts per second.
3 -- The NETBEUI attempts appear to come from a PC at the ISP... I certainly don't want user ids and/or passwords to show up with some kid's sniffer.)

> My second question, are you sure this link is not used to allow you to distribute updates and PTFs to the individual system? Or are you disabling this feature so it does not matter?

Distribution of updates can be done via NETBEUI... which we don't want because (a) see supporting argument above and (b) NETBEUI does not use encryption. Updates to the HOST go through a different connection. Updates to the dealer will probably be done with a CD ROM distribution on an as-needed basis.

> My third question, is this connection only to the Managing system, or once to each "host" system (IP Address) you connect with?

Not sure... appears only on a first connect basis for any environment. Presumably this would affect a Managing Connection if it was just set up. However the 8476 toggle is clearly bypassed when the configuration is restored or the environment is flagged to indicate version 4.

> Based on the answers, which I readily admit I do not have. You might look at configuring a secondary IP for the system that will only accept connections on port 8476. Either through IP Filter rules and/or Firewall NAT mapping to a private IP. Then if the daemon is trusted and the password if used is only valid for this process you should be tight?

Actually I could have made the initial connection with a "poison user profile" that can't do anything but trigger off security violations with the exit programs.

> On the other hand, I like using GHOST to build a system that has already been setup, or adding the registry fix as both seem cleaner, except that you may have more help desk calls when the connections fail??

I agree -- of course we don't know about the DSL reliability.

Thanks for your thoughts...

Steve Glanstein
mic@aloha.com
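As an added example that is not part of this thread, the following Python script does the kind of denied-attempt logging analysis Steve describes: it parses deny-log lines, computes attempts per second, ranks noisy sources by port (NetBIOS, HTTP 80, and the 8476 port the install hits in the clear), and flags 8476 hits from hosts outside an allow-list. The log line format, the port labels, the sample addresses and the allow-list are assumptions, not anything from the list or from the product.

```python
"""Analyse denied-connection log lines as the thread describes: count attempts on
the NetBIOS (NetBEUI over TCP/IP), HTTP and 8476 ports and rank noisy sources.
Constructed line format (an assumption, not the list's own log format):
    <epoch_seconds> DENY <src_ip> -> <dst_ip>:<dst_port>
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(\d+)\s+DENY\s+(\S+)\s+->\s+(\S+):(\d+)$")
# Ports the thread cares about: NetBIOS name/datagram/session, HTTP, and 8476,
# the port the Client Access install hits in the clear before SSL is set up.
WATCHED_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 80: "http", 8476: "ca-signon"}

def parse_deny_lines(lines):
    """Return (timestamp, src, dst, port) tuples; lines not in the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            events.append((int(ts), src, dst, int(port)))
    return events

def attempts_per_second(events, port=None):
    """Average denied attempts per second over the logged span, optionally for one port."""
    sel = [e for e in events if port is None or e[3] == port]
    if not sel:
        return 0.0
    span = max(e[0] for e in sel) - min(e[0] for e in sel) + 1
    return len(sel) / span

def noisy_sources(events, threshold):
    """Sources with at least `threshold` denied attempts, broken down by port name."""
    per_src = defaultdict(Counter)
    for _, src, _, port in events:
        per_src[src][WATCHED_PORTS.get(port, str(port))] += 1
    return {src: dict(c) for src, c in per_src.items() if sum(c.values()) >= threshold}

def unexpected_8476(events, allowed_sources):
    """Hosts other than the expected install clients that reached the 8476 port."""
    return sorted({src for _, src, _, port in events
                   if port == 8476 and src not in allowed_sources})

SAMPLE_LOG = [  # constructed sample, not taken from the thread
    "1000 DENY 192.0.2.10 -> 198.51.100.5:139", "1000 DENY 192.0.2.10 -> 198.51.100.5:139",
    "1000 DENY 192.0.2.10 -> 198.51.100.5:139", "1000 DENY 192.0.2.10 -> 198.51.100.5:137",
    "1000 DENY 203.0.113.7 -> 198.51.100.5:80",
    "1001 DENY 192.0.2.10 -> 198.51.100.5:139", "1001 DENY 192.0.2.10 -> 198.51.100.5:139",
    "1001 DENY 192.0.2.10 -> 198.51.100.5:139", "1001 DENY 192.0.2.10 -> 198.51.100.5:137",
    "1001 DENY 203.0.113.7 -> 198.51.100.5:8476",
]
```

With the constructed sample, `attempts_per_second(parse_deny_lines(SAMPLE_LOG))` comes out at 5.0, the rate the thread reports, and `192.0.2.10` is the single noisy NetBIOS source.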
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.