CLEANACCESS Archives

August 2004

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Gary Flynn <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Mon, 23 Aug 2004 18:46:40 -0400

Hague, Jeff wrote:

> I have heard a vicious rumor that it might be possible to get the
> Perfigo system to log user information to an external database of some
> sort or to access the Perfigo database externally. It would be nice to
> be able to capture data like username, MAC address and IP address to a
> database that is searchable. Am I dreaming or is this possible?
> FYI - once I finally got the last few bugs worked out (thanks - Atif,
> Doug and the rest of Perfigo support!), the system has been running very
> well. We have had a lot fewer calls than I expected. So far the only
> "issue" we have found is that apparently some XP boxes don't get the
> registry key that SmartEnforcer is looking for when you install SP1 - it
> just cropped up on a few machines today so we haven't had a chance to
> look too deep. Anyone else seen this?
> Thanks!

I've been planning the same thing. I haven't tried it yet and
when I asked, the Perfigo folks said it wasn't supported because
it wasn't "secure", but the thing is running Postgres and the way
to make a Postgres database available outside the box is
documented here:

http://securitypronews.com/securitypronews-24-20020521Authenticating-PostgreSQL-Clients.html

I think it will be fine if access is limited to the port with
router acls and it will make it a much more useful product
for external reporting.

The other important thing I want to be able to do is to
send the Perfigo a command from a remote system to force
a particular IP address to re-register so it goes through
the scan/SmartEnforcer process. This command would be sent
from an event correlator that would get its data from
a variety of places that indicate a client needs help:

a) mail server virus logs
b) IDP/IDS
c) router log analysis scripts

Using that, when a client gets infected due to a download,
mistake, or exploit, it automatically gets placed into
quarantine in real time. Obviously, you'd only want to use
events that have no false positives. :)

Combined with the remote reporting capability, support
organizations could get a real-time look at infected
systems as the events occur.

--
Gary Flynn
Security Engineer
James Madison University
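The second idea in Gary's message, an event correlator that only acts on feeds judged to have no false positives and then forces a client IP back through registration, is sketched below as an added example. It is not code from the list post, from Perfigo, or from JMU. Everything in it is an assumption made for illustration: the three log line formats are constructed stand-ins for a mail-server virus log, an IDS alert and a router-log analysis script, the addresses are from the RFC 5737 documentation ranges, the Sasser signature name and the flow threshold are illustrative, and `send_requarantine` is a hypothetical placeholder for whatever command the NAC box would actually accept (the post names no such API).

```python
"""Toy event correlator for NAC re-registration (added example, not Perfigo code).

Only events the operator has judged to have no false positives may trigger a
forced re-registration, every candidate IP is checked against the managed
client networks so servers and infrastructure are never auto-quarantined, and
each IP is acted on at most once per run regardless of how many feeds saw it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Constructed sample lines standing in for (a) mail AV logs, (b) IDS alerts,
# (c) router-log analysis output. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "mailav 2004-08-23T18:40:01 client=192.0.2.23 virus=W32.Netsky.P action=quarantined",
    'ids 2004-08-23T18:40:05 sig="SHELLCODE x86 NOOP" src=192.0.2.41 dst=192.0.2.5',
    'ids 2004-08-23T18:40:09 sig="WORM Sasser LSASS exploit" src=192.0.2.77 dst=192.0.2.78',
    "routerlog 2004-08-23T18:41:00 host=192.0.2.77 flows=1850 dstport=445 window=60s",
    "routerlog 2004-08-23T18:41:00 host=192.0.2.90 flows=12 dstport=445 window=60s",
    "mailav 2004-08-23T18:41:30 client=192.0.2.23 virus=W32.Netsky.P action=quarantined",
    "mailav 2004-08-23T18:42:00 client=198.51.100.5 virus=W32.Netsky.P action=quarantined",
]
MANAGED_CLIENT_NETS = ["192.0.2.0/24"]        # assumption: the NAC-controlled client range


@dataclass(frozen=True)
class Event:
    source: str      # "mailav", "ids" or "routerlog"
    ip: str          # the client address the event is about
    indicator: str   # virus name, IDS signature, or flow count


# One regex per feed; the formats are invented for this example.
_PATTERNS = {
    "mailav": re.compile(r"^mailav \S+ client=(?P<ip>\d+\.\d+\.\d+\.\d+) virus=(?P<ind>\S+)"),
    "ids": re.compile(r'^ids \S+ sig="(?P<ind>[^"]+)" src=(?P<ip>\d+\.\d+\.\d+\.\d+)'),
    "routerlog": re.compile(r"^routerlog \S+ host=(?P<ip>\d+\.\d+\.\d+\.\d+) flows=(?P<ind>\d+) dstport=445"),
}


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a recognised feed line, or None for anything else."""
    for source, pat in _PATTERNS.items():
        m = pat.match(line)
        if m:
            return Event(source, m.group("ip"), m.group("ind"))
    return None


# Indicators judged to have no false positives (illustrative values).
CONFIDENT_IDS_SIGS = {"WORM Sasser LSASS exploit"}
MIN_SCAN_FLOWS = 1000   # hypothetical: new flows to 445/tcp per 60 s window


def is_high_confidence(ev: Event) -> bool:
    """Gate on the operator's no-false-positive policy per feed."""
    if ev.source == "mailav":
        return True                      # AV named a virus sent by this client
    if ev.source == "ids":
        return ev.indicator in CONFIDENT_IDS_SIGS   # generic shellcode sigs are noise
    if ev.source == "routerlog":
        return int(ev.indicator) >= MIN_SCAN_FLOWS
    return False


def correlate(lines: Iterable[str], managed_nets: Sequence[str],
              exclude: Sequence[str] = ()) -> List[str]:
    """Return the sorted, de-duplicated client IPs that should be re-registered."""
    nets = [ipaddress.ip_network(n) for n in managed_nets]
    excluded = {ipaddress.ip_address(a) for a in exclude}
    chosen = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_high_confidence(ev):
            continue
        addr = ipaddress.ip_address(ev.ip)
        # Never act on addresses outside the managed client range or on the exclude list.
        if addr in excluded or not any(addr in n for n in nets):
            continue
        chosen.add(addr)
    return [str(a) for a in sorted(chosen)]


def send_requarantine(ip: str) -> str:
    """Hypothetical stand-in for the command that forces `ip` back through the scan."""
    return f"requarantine {ip}"


def run(lines: Iterable[str], managed_nets: Sequence[str],
        exclude: Sequence[str] = (), send=send_requarantine) -> List[str]:
    return [send(ip) for ip in correlate(lines, managed_nets, exclude)]


if __name__ == "__main__":
    for cmd in run(SAMPLE_LOGS, MANAGED_CLIENT_NETS):
        print(cmd)
```

With the constructed input, 192.0.2.23 is selected once despite two AV hits, 192.0.2.77 once despite being seen by both the IDS and the router script, the generic shellcode alert for 192.0.2.41 and the low flow count for 192.0.2.90 are ignored, and 198.51.100.5 is skipped because it lies outside the managed client range. The exclude list is where you would keep addresses that must never be forced to re-register, such as the NAC appliance itself or infection-reporting servers.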
