Jeff S. et al:

> Boy, this is a whole different
> issue than I saw on yesterday's post. If
> I am now reading this correctly there is
> a setup routine that is executing in the
> CA install early enough in the process
> that it is not SSL aware. From your
> experience it is running once and only
> once, per system?

Yes -- It appears to hit 8476 only once and stores the IP Address and
version number in the registry. If the version number is already there, then
it doesn't touch 8476.


> So my first question would be: are you
> comfortable enough with the Daemon handling this
> initialization request that you would allow it to
> accept connections if the port is secure or even
> unsecure? What's in the conversation anyway?
> The user's actual password, or a dummy user that
> is only usable for CA installation, with very
> limited access, or is it in the form of a system
> management MIB just exchanging only some connectivity data?

I'm not sure without a trace. HOWEVER --> I need to assure the client that
all user identifiers and passwords are encrypted.

Here's a supporting argument why...(1 -- I logged all denied access attempts
with NETBEUI ports and HTTP port 80. 2 -- Turns out I am getting about 5
attempts per second. 3 -- The NETBEUI attempts appear to come from a PC at
the ISP...I certainly don't want user ids and/or passwords to show up with
some kid's sniffer.)

> My second question: are you sure this link is not
> used to allow you to distribute updates and PTFs to
> the individual system? Or are you disabling this
> feature so it does not matter?

Distribution of updates can be done via NETBEUI...which we don't want
because (a) see supporting argument above and (b) NETBEUI does not use
encryption.

Updates to the HOST go through a different connection. Updates to the dealer
will probably be done with a CD ROM distribution on an as needed basis.

> My third question: is this connection only to the
> Managing system, or once to each "host" system
> (IP Address) you connect with?

Not sure...appears only on a first connect basis for any environment.
Presumably this would affect a Managing Connection if it was just setup.
However the 8476 toggle is clearly bypassed when the configuration is
restored or the environment is flagged to indicate version 4.


> Based on the answers, which I readily admit I do
> not have. You might look at configuring a secondary
> IP for the system that will only accept connections
> on port 8476. Either through IP Filter rules and/or
> Firewall NAT mapping to a private IP. Then if the
> daemon is trusted and the password, if used, is only
> valid for this process, you should be tight?

Actually I could have made the initial connection with a "poison user
profile" that can't do anything but trigger off security violations with
the exit programs.

> On the other hand, I like using GHOST to build a
> system that has already been setup, or adding the
> registry fix, as both seem cleaner, except
> that you may have more help desk calls when the
> connections fail??

I agree -- of course we don't know about the DSL reliability.

Thanks for your thoughts...

Steve Glanstein
mic@aloha.com
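An added example of the kind of check behind the "supporting argument" above (this is not code from the thread or from midrange.com): it parses denied-connection log lines in an assumed, constructed format, computes the overall denied-attempt rate, and lists which sources are hitting the NETBEUI (NetBIOS) ports versus HTTP port 80.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Assumed line format:
#   "<ISO timestamp> DENY <source_ip> -> <destination_port>"
SAMPLE_LOG = """\
2000-05-01T10:00:00 DENY 10.0.0.5 -> 139
2000-05-01T10:00:00 DENY 10.0.0.5 -> 137
2000-05-01T10:00:00 DENY 192.0.2.44 -> 80
2000-05-01T10:00:00 DENY 198.51.100.9 -> 80
2000-05-01T10:00:01 DENY 10.0.0.5 -> 139
2000-05-01T10:00:01 DENY 10.0.0.5 -> 138
2000-05-01T10:00:01 DENY 192.0.2.44 -> 80
2000-05-01T10:00:02 DENY 10.0.0.5 -> 139
2000-05-01T10:00:02 DENY 203.0.113.7 -> 8476
2000-05-01T10:00:02 DENY 192.0.2.44 -> 80
this line is malformed and is skipped by the parser
"""

NETBEUI_PORTS = {137, 138, 139}  # NetBIOS-over-TCP/IP name/datagram/session ports
HTTP_PORT = 80


def parse_log(text):
    """Return (timestamp, source_ip, dest_port) tuples; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "DENY" or parts[3] != "->":
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[2], int(parts[4])))
    return events


def summarize(events):
    """Overall denied attempts per second, plus per-source counts by port class."""
    if not events:
        return 0.0, {}
    stamps = [e[0] for e in events]
    span = (max(stamps) - min(stamps)).total_seconds()
    rate = len(events) / max(span, 1.0)  # treat a sub-second burst as one second
    per_source = defaultdict(lambda: {"netbeui": 0, "http": 0, "other": 0})
    for _, src, port in events:
        cls = "netbeui" if port in NETBEUI_PORTS else "http" if port == HTTP_PORT else "other"
        per_source[src][cls] += 1
    return rate, dict(per_source)


def netbeui_sources(per_source, min_attempts=1):
    """Sources with at least min_attempts denied hits on the NETBEUI ports."""
    return sorted(s for s, c in per_source.items() if c["netbeui"] >= min_attempts)
```

On the constructed sample this reports 5.0 denied attempts per second, with 10.0.0.5 as the only source probing the NETBEUI ports.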




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
