Date: Mon, 23 Aug 2004 18:46:40 -0400
Hague, Jeff wrote:
> I have heard a vicious rumor that it might be possible to get the
> Perfigo system to log user information to an external database of some
> sort or to access the Perfigo database externally. It would be nice to
> be able to capture data like username, MAC address and IP address to a
> database that is searchable. Am I dreaming or is this possible?
> FYI - once I finally got the last few bugs worked out (thanks - Atif,
> Doug and the rest of Perfigo support!), the system has been running very
> well. We have had a lot fewer calls than I expected. So far the only
> "issue" we have found is that apparently some XP boxes don't get the
> registry key that SmartEnforcer is looking for when you install SP1 - it
> just cropped up on a few machines today so we haven't had a chance to
> look too deep. Anyone else seen this?
> Thanks!
I've been planning the same thing. I haven't tried it yet and
when I asked, the Perfigo folks said it wasn't supported because
it wasn't "secure", but the thing is running Postgres and the way
to make a Postgres database available outside the box is
documented here:
http://securitypronews.com/securitypronews-24-20020521Authenticating-PostgreSQL-Clients.html
I think it will be fine if access is limited to the port with
router acls and it will make it a much more useful product
for external reporting.
The other important thing I want to be able to do is to
send the Perfigo a command from a remote system to force
a particular IP address to re-register so it goes through
the scan/SmartEnforcer process. This command would be sent
from an event correlator that would get its data from
a variety of places that indicate a client needs help:
a) mail server virus logs
b) IDP/IDS
c) router log analysis scripts
Using that, when a client gets infected due to a download,
mistake, or exploit, it automatically gets placed into
quarantine in real time. Obviously, you'd only want to use
events that have no false positives. :)
Combined with the remote reporting capability, support
organizations could get a real-time look at infected
systems as the events occur.
--
Gary Flynn
Security Engineer
James Madison University
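Gary's plan above is to open the Perfigo box's Postgres to a reporting host and fence it with router ACLs; the check below is an added example written for this note (not Perfigo's or PostgreSQL's own tooling) that parses pg_hba.conf rules and flags entries that widen that exposure. The sample pg_hba.conf contents, the "perfigo" database and "reporter" role names, and the 10.1.0.0/16 reporting network are constructed assumptions.

```python
import ipaddress

# Constructed sample pg_hba.conf: the first two 'host' rules are the kind
# of entry that makes the vendor's "not secure" objection valid; the last
# one is the shape a fenced-off reporting connection should take.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS               METHOD
local   all       all                             ident sameuser
host    all       all       0.0.0.0/0             trust
host    all       all       10.1.0.0 255.255.0.0  password
hostssl perfigo   reporter  10.1.5.20/32          md5
"""

# 'trust' needs no credential at all; 'password' sends it in the clear.
WEAK_METHODS = {"trust", "password"}

def parse_pg_hba(text):
    """Return (type, db, user, network, method) for each remote rule.
    'local' rules carry no address and are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        kind, db, user = fields[:3]
        if "/" in fields[3]:          # CIDR form: 10.1.5.20/32
            net, method = fields[3], fields[4]
        else:                         # older address + netmask form
            net, method = f"{fields[3]}/{fields[4]}", fields[5]
        rules.append((kind, db, user, ipaddress.ip_network(net, strict=False), method))
    return rules

def audit_pg_hba(text, allowed_nets):
    """Return (rule, reasons) for every remote rule that is wider or
    weaker than a single read-only reporting role on known hosts."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for kind, db, user, net, method in parse_pg_hba(text):
        reasons = []
        if method in WEAK_METHODS:
            reasons.append(f"auth method '{method}' is weak")
        if kind != "hostssl":
            reasons.append("SSL not required; credentials and records cross the wire in clear")
        if not any(net.subnet_of(a) for a in allowed):
            reasons.append(f"{net} is wider than the reporting hosts the ACLs permit")
        if db == "all" or user == "all":
            reasons.append("grants every database/user instead of a dedicated reporting role")
        if reasons:
            findings.append(((kind, db, user, str(net), method), reasons))
    return findings
```

Run the audit with the same networks the router ACLs permit; a rule that passes the host check but still uses `trust` or `all` is exactly the case the ACL alone does not cover.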