LISTSERV - CLEANACCESS Archives - LISTSERV.MIAMIOH.EDU

CLEANACCESS Archives

October 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

	LISTSERV Archives
	CLEANACCESS Home
	CLEANACCESS October 2005

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	CCA Metrics and Reporting (was Re: WGA validation incomplete)
From:	Michael Grinnell <[log in to unmask]>
Reply To:	Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date:	Thu, 13 Oct 2005 00:39:30 -0400
Content-Type:	text/plain
Parts/Attachments:	text/plain (216 lines)

Rajesh,

I'm having trouble understanding your reasoning here.  Most MIBs have  
large sections of read-only data.  A good example that corresponds to  
the online users table is IP-MIB::ipNetToMediaPhysAddress.  Making  
this type of OID read-write is meaningless.  In any case, merely  
having metrics on the numbers of devices in a specific role available  
via SNMP would be a big, very useful, step.  Here is a list of  
metrics that I am currently pulling out of the database:
Certified Users by Role
Online Users by Role
Online Users by Server
Online Users by Operating System
Online Users by VLAN

Metrics that I think would also be good to collect are:
Online Users by Access Point
Online Users by Switch (OOB)

These metrics are comparable to standard interface counters used by  
countless administrators with tools like MRTG and Cricket.  I would  
strongly argue that SNMP is the proper way to expose this data  
because of this.  Exposing this data via the API would be nice, but  
it shouldn't be the only way that you make it available, because  
querying the API requires some programming/scripting to get the data  
out.

Regarding your worries about pushing large amounts of data through  
SNMP, if you can do it for ARP tables  on routers (OID above), then I  
don't see why you can't do it for CCA.

Thank you for taking the time to ask us about these issues.
Regards,

Michael Grinnell
Network Security Administrator
The American University
e-mail: [log in to unmask]

On Oct 12, 2005, at 8:49 PM, Rajesh Nair (rajnair) wrote:

> John,
>
> There has been a reluctance in general to open up any information via
> SNMP because the read/write permission feature request usually follow
> the read request, if you know what I mean.  And it would worry us to
> open up any kind of write through SNMP.
>
> One other thing I am also worried about is that SNMP is good for  
> smaller
> pieces of data but if we try pushing large pieces of data through it
> (e.g. user lists such as online user list, certified devices list,
> etc.), it may not be very reliable.
>
> Thoughts?
>
> I have an alternate suggestion - let me know what your thoughts  
> are.  If
> we can extend the API (https://<cam-adress-or-name>/admin/ 
> cisco_api.jsp)
> with these additional data gathering functions, would that satisfy  
> your
> needs?  Output this data as XML or CSV?
>
> -Rajesh.
>
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of John Stauffacher
> Sent: Wednesday, October 12, 2005 5:15 PM
> To: [log in to unmask]
> Subject: Re: WGA validation incomplete
>
> Rajesh,
>
> Why not -- as a stop gap, open up more of the data via snmpd. Create
> some custom scripts to pull data out of the pgsql databases and feed
> back through snmpd so we can query with our own NMS systems and get
> stuff like "Users in Quarentine Role", "Users in Temporary Role".  
> These
> are the most common things I look at on a daily basis and I just  
> wish I
> could integrate into my NMS which I am already staring at far too long
> during the day. Obviously if your Temporary or Qtine roles are  
> climbing
> exponentially over time, you can predict there might be an issue at
> hand, thats usually when I start calling users in their rooms and ask
> them if they are having issues (it spooks a few of them, but most like
> the 'proactive' approach).
>
> Rajesh Nair (rajnair) wrote:
>
>
>> Mike,
>>
>> Yes, it would be good to have but at this point, it will not make it
>> into the 3.6 release.  We have already begun the testing cycle and  
>> only
>>
>
>
>> minor enhancements can be made at this stage...
>>
>> But yes, we are strongly considering reporting for the following
>> release.  One approach we are thinking of taking is that of a set of
>> canned reports.  While probably not as useful as a full-fledged
>> reporting package, if we can hit the 80-20 rule, i.e. provide canned
>> reports that satisfy 80% of the requirements, we would consider it a
>> success.  It would be interesting to hear from people as to types of
>> reports you would like to see.
>>
>> Regards,
>> -Rajesh.
>>
>> P.S. Please don't expect immediate turnaround though.  Please  
>> remember
>> that this will not make it into 3.6 and I am requesting input for the
>> following release.  Thanks.
>>
>> -----Original Message-----
>> From: Perfigo SecureSmart and CleanMachines Discussion List
>> [mailto:[log in to unmask]] On Behalf Of King, Michael
>> Sent: Wednesday, October 12, 2005 4:38 PM
>> To: [log in to unmask]
>> Subject: Re: WGA validation incomplete
>>
>> Hey Bob,
>>
>> How'd you make the nifty graphic?  (High level overview, But I'm sure
>> We'll want the nitty gritty later.)
>>
>> Hey Rajash, this would be a great feature to put into 3.6, Reports!
>>
>> ________________________________
>>
>> From: Perfigo SecureSmart and CleanMachines Discussion List on behalf
>> of Bob Black
>> Sent: Wed 10/12/2005 7:11 PM
>> To: [log in to unmask]
>> Subject: Re: WGA validation incomplete
>>
>>
>>
>> Hi Marilee,
>>
>> It looks like you picked a tough week to roll this out.
>>
>> We're having the same problem with the newest round of windows  
>> updates.
>> It appears to be a problem on their end. It's possible it's
>> malware/borked-IE related. I'm sure that information will calm the
>> frustrated student masses.
>>
>> I've attached a graphic of our "Quarantine role" since yesterday
>> afternoon.
>> X-axis is time in hours. Y-Axis is the number of unique machines
>> failing one or more CCA rules.
>>
>> If this is your first roll-out, you might want to consider setting  
>> the
>> windows update rule you have to not enforce while MS fixes the issues
>> on their end.
>>
>> Hope this helps,
>>
>> Bob
>>
>>
>>
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: Perfigo SecureSmart and CleanMachines Discussion List
>>> [mailto:[log in to unmask]] On Behalf Of Marilee Collins
>>> Sent: Wednesday, October 12, 2005 3:47 PM
>>> To: [log in to unmask]
>>> Subject: WGA validation incomplete
>>>
>>> We're attempting to roll out the Clean Access agent, but many of the
>>> students are unable to validate Windows.
>>>
>>> They get "Validation Incomplete: Unable to Perform Validation." We
>>> have checked that the system time/zone is correct.They say they're
>>> installing ActiveX, but the installation period reported to me is so
>>> quick I wonder if it's really installed.
>>>
>>> I've got all the Microsoft hosts allowed from the lists that were
>>> posted earlier this year.
>>>
>>> We're running CAS 3.5.3.1 with the 3.5.3 agent.
>>>
>>> Has anyone else seen this?  Anyone have some suggestions?
>>>
>>> Thanks!
>>>
>>> Marilee Collins
>>> Information Technology Services
>>> Northern Arizona University
>>>
>>>
>>>
>
>
> --
> John Stauffacher, CISSP
> Network Administrator
> Chapman University
> [log in to unmask]
> ph: 714.628.7249
> "It's amazing how much you take for granted when you already know what
> you are doing."
> "there is no /usr/local on my C:\ drive!"
>

ATOM RSS1 RSS2

LISTSERV.MIAMIOH.EDU