Ryan,
Yes, that is what we are using on the CAM.
-Rajesh.
-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Ryan Dorman
Sent: Friday, October 14, 2005 7:26 AM
To: [log in to unmask]
Subject: Re: CCA Metrics and Reporting (was Re: WGA validation
incomplete)
Sums up my thoughts.
Point 3 is a good one.. Get the data out first.. Add graphing/fancy
reports later.
Point 1... Just so you know (although I'm sure you do if anyone does)..
There is an SNMPD package already in the Linux distro on the CAS. I
have it cranked up to provide basic machine info using the generic
UCD/Net calls. I realize that it still needs to be "plugged in"
--
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883
On 10/13/05 9:32 PM, "Rajesh Nair (rajnair)" <[log in to unmask]> wrote:
> Thanks for all the feedback... Summarizing below:
>
> 1) Exposing this info via SNMP would require us to put SNMP on the CASs
> where it doesn't exist today. Shouldn't be a problem in itself but
> would require some effort on our end to make sure that we only expose
> the appropriate information.
>
> 2) 2 kinds of reporting data in the system that you care about (this is
> a coarse division): a) networking metrics in the CAS (i.e. interface
> info, click info, pptp/l2tp/ipsec info, nating info) and b) system
> metrics in the CAM (user info, certified device info, role info, etc.)
>
> 3) Less interested in pretty graphs, more interested in the data (format
> is less important - CSV or XML should be fine).
>
> 4) SNMP is preferred. API is welcome but not necessary.
>
> Does that cover everything?
>
> -Rajesh.
>
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of Jason Richardson
> Sent: Thursday, October 13, 2005 7:43 AM
> To: [log in to unmask]
> Subject: Re: CCA Metrics and Reporting (was Re: WGA validation
> incomplete)
>
> Agreed. As Ryan said, these aren't just app servers, they are core
> routers for our Res Hall network and they can't continue to be black
> boxes to us any more than we could afford to allow that for our other
> network equipment. The data is there with industry standard, and
> securable, methods available for accessing it and we need to be able to
> do so without going off the reservation where we can no longer rely on
> support from Cisco.
>
> Thanks,
>
> ---
> Jason Richardson
> Manager, IT Security and Client Development Enterprise Systems Support
> Northern Illinois University
>
>>>> [log in to unmask] 10/13/2005 8:59:07 AM >>>
> Rajesh-
>
> I agree with Michael. While I realize that read/write access to CCA
> with snmp is a security risk (although couldn't you use SNMP v3
> authPriv?) getting read only access to attributes within CCA I think
> should be a priority. I would really like to plug this into one of my
> graphing systems in order to provide data for monthly statistics and
> reports. In addition to the user based data that Michael requested,
> providing traffic data for what is going on inside the click daemon
> would be helpful. Since this is essentially a "core router" for our
> ResNet I need to be able to view better traffic statistics through it
> beyond just hacking the SNMP daemon on it to provide in/out stats on the
> physical interfaces.
>
> --
> Ryan Dorman, CCNP
> Network Engineering Specialist
> Millersville University
> 717.871.5883
>
>
> On 10/13/05 12:39 AM, "Michael Grinnell" <[log in to unmask]>
> wrote:
>
>> Rajesh,
>>
>> I'm having trouble understanding your reasoning here. Most MIBs have
>> large sections of read-only data. A good example that corresponds to
>> the online users table is IP-MIB::ipNetToMediaPhysAddress. Making
>> this type of OID read-write is meaningless. In any case, merely
>> having metrics on the numbers of devices in a specific role available
>> via SNMP would be a big, very useful, step. Here is a list of
>> metrics that I am currently pulling out of the database:
>> Certified Users by Role
>> Online Users by Role
>> Online Users by Server
>> Online Users by Operating System
>> Online Users by VLAN
>>
>> Metrics that I think would also be good to collect are:
>> Online Users by Access Point
>> Online Users by Switch (OOB)
>>
>> These metrics are comparable to standard interface counters used by
>> countless administrators with tools like MRTG and Cricket. I would
>> strongly argue that SNMP is the proper way to expose this data
>> because of this. Exposing this data via the API would be nice, but
>> it shouldn't be the only way that you make it available, because
>> querying the API requires some programming/scripting to get the data
>> out.
>>
>> Regarding your worries about pushing large amounts of data through
>> SNMP, if you can do it for ARP tables on routers (OID above), then I
>> don't see why you can't do it for CCA.
>>
>> Thank you for taking the time to ask us about these issues.
>> Regards,
>>
>> Michael Grinnell
>> Network Security Administrator
>> The American University
>> e-mail: [log in to unmask]
>>
>> On Oct 12, 2005, at 8:49 PM, Rajesh Nair (rajnair) wrote:
>>
>>> John,
>>>
>>> There has been a reluctance in general to open up any information via
>>> SNMP because the read/write permission feature request usually follows
>>> the read request, if you know what I mean. And it would worry us to
>>> open up any kind of write through SNMP.
>>>
>>> One other thing I am also worried about is that SNMP is good for smaller
>>> pieces of data but if we try pushing large pieces of data through it
>>> (e.g. user lists such as online user list, certified devices list,
>>> etc.), it may not be very reliable.
>>>
>>> Thoughts?
>>>
>>> I have an alternate suggestion - let me know what your thoughts are. If
>>> we can extend the API (https://<cam-adress-or-name>/admin/cisco_api.jsp)
>>> with these additional data gathering functions, would that satisfy your
>>> needs? Output this data as XML or CSV?
>>>
>>> -Rajesh.
>>>
>>> -----Original Message-----
>>> From: Perfigo SecureSmart and CleanMachines Discussion List
>>> [mailto:[log in to unmask]] On Behalf Of John Stauffacher
>>> Sent: Wednesday, October 12, 2005 5:15 PM
>>> To: [log in to unmask]
>>> Subject: Re: WGA validation incomplete
>>>
>>> Rajesh,
>>>
>>> Why not -- as a stop gap, open up more of the data via snmpd. Create
>>> some custom scripts to pull data out of the pgsql databases and feed
>>> back through snmpd so we can query with our own NMS systems and get
>>> stuff like "Users in Quarantine Role", "Users in Temporary Role". These
>>> are the most common things I look at on a daily basis and I just wish I
>>> could integrate into my NMS which I am already staring at far too long
>>> during the day. Obviously if your Temporary or Qtine roles are climbing
>>> exponentially over time, you can predict there might be an issue at
>>> hand, that's usually when I start calling users in their rooms and ask
>>> them if they are having issues (it spooks a few of them, but most like
>>> the 'proactive' approach).
>>>
>>> Rajesh Nair (rajnair) wrote:
>>>
>>>
>>>> Mike,
>>>>
>>>> Yes, it would be good to have but at this point, it will not make it
>>>> into the 3.6 release. We have already begun the testing cycle and only
>>>> minor enhancements can be made at this stage...
>>>>
>>>> But yes, we are strongly considering reporting for the following
>>>> release. One approach we are thinking of taking is that of a set of
>>>> canned reports. While probably not as useful as a full-fledged
>>>> reporting package, if we can hit the 80-20 rule, i.e. provide canned
>>>> reports that satisfy 80% of the requirements, we would consider it a
>>>> success. It would be interesting to hear from people as to types of
>>>> reports you would like to see.
>>>>
>>>> Regards,
>>>> -Rajesh.
>>>>
>>>> P.S. Please don't expect immediate turnaround though. Please remember
>>>> that this will not make it into 3.6 and I am requesting input for the
>>>> following release. Thanks.
>>>>
>>>> -----Original Message-----
>>>> From: Perfigo SecureSmart and CleanMachines Discussion List
>>>> [mailto:[log in to unmask]] On Behalf Of King, Michael
>>>> Sent: Wednesday, October 12, 2005 4:38 PM
>>>> To: [log in to unmask]
>>>> Subject: Re: WGA validation incomplete
>>>>
>>>> Hey Bob,
>>>>
>>>> How'd you make the nifty graphic? (High level overview, but I'm sure
>>>> we'll want the nitty gritty later.)
>>>>
>>>> Hey Rajesh, this would be a great feature to put into 3.6, Reports!
>>>>
>>>> ________________________________
>>>>
>>>> From: Perfigo SecureSmart and CleanMachines Discussion List on behalf
>>>> of Bob Black
>>>> Sent: Wed 10/12/2005 7:11 PM
>>>> To: [log in to unmask]
>>>> Subject: Re: WGA validation incomplete
>>>>
>>>>
>>>>
>>>> Hi Marilee,
>>>>
>>>> It looks like you picked a tough week to roll this out.
>>>>
>>>> We're having the same problem with the newest round of windows updates.
>>>> It appears to be a problem on their end. It's possible it's
>>>> malware/borked-IE related. I'm sure that information will calm the
>>>> frustrated student masses.
>>>>
>>>> I've attached a graphic of our "Quarantine role" since yesterday afternoon.
>>>> X-axis is time in hours. Y-Axis is the number of unique machines
>>>> failing one or more CCA rules.
>>>>
>>>> If this is your first roll-out, you might want to consider setting the
>>>> windows update rule you have to not enforce while MS fixes the issues
>>>> on their end.
>>>>
>>>> Hope this helps,
>>>>
>>>> Bob
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Perfigo SecureSmart and CleanMachines Discussion List
>>>>> [mailto:[log in to unmask]] On Behalf Of Marilee Collins
>>>>> Sent: Wednesday, October 12, 2005 3:47 PM
>>>>> To: [log in to unmask]
>>>>> Subject: WGA validation incomplete
>>>>>
>>>>> We're attempting to roll out the Clean Access agent, but many of the
>>>>> students are unable to validate Windows.
>>>>>
>>>>> They get "Validation Incomplete: Unable to Perform Validation." We
>>>>> have checked that the system time/zone is correct. They say they're
>>>>> installing ActiveX, but the installation period reported to me is so
>>>>> quick I wonder if it's really installed.
>>>>>
>>>>> I've got all the Microsoft hosts allowed from the lists that were
>>>>> posted earlier this year.
>>>>>
>>>>> We're running CAS 3.5.3.1 with the 3.5.3 agent.
>>>>>
>>>>> Has anyone else seen this? Anyone have some suggestions?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Marilee Collins
>>>>> Information Technology Services
>>>>> Northern Arizona University
>>>>>
>>>>>
>>>>>
>>>
>>>
>>> --
>>> John Stauffacher, CISSP
>>> Network Administrator
>>> Chapman University
>>> [log in to unmask]
>>> ph: 714.628.7249
>>> "It's amazing how much you take for granted when you already know what
>>> you are doing."
>>> "there is no /usr/local on my C:\ drive!"
>>>
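An added example, not part of the thread and not Cisco or CCA code: a handler for net-snmp's `pass` directive that serves "online users by role" counts as the stop-gap discussed above (scripts feeding snmpd) and refuses every SET, which is the read-only behaviour the thread argues for. The OID subtree (net-snmp's netSnmpPlaypen), the user name, the script path and the role counts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed snmpd.conf lines (user name and script path are hypothetical):
#   rouser nmsuser priv .1.3.6.1.4.1.8072.9999.9999
#   pass .1.3.6.1.4.1.8072.9999.9999 /usr/local/bin/cca_roles.sh
BASE=.1.3.6.1.4.1.8072.9999.9999   # netSnmpPlaypen, used as a placeholder subtree
# Constructed sample rows "index,role,online_users"; stand-in for a read-only DB query.
role_counts() {
    cat <<'EOF'
1,Quarantine,42
2,Temporary,17
EOF
}
# Every OID served, in walk order: BASE.1.<idx> = role name, BASE.2.<idx> = count.
all_oids() {
    for col in 1 2; do
        role_counts | while IFS=, read -r idx rest; do echo "$BASE.$col.$idx"; done
    done
}
# GET: print OID, type and value for an exact match, nothing otherwise.
snmp_get() {
    role_counts | while IFS=, read -r idx role count; do
        case "$1" in
            "$BASE.1.$idx") printf '%s\nstring\n%s\n' "$1" "$role" ;;
            "$BASE.2.$idx") printf '%s\ngauge\n%s\n' "$1" "$count" ;;
        esac
    done
}

# GETNEXT: first served OID that sorts after the requested one (numeric compare).
snmp_getnext() {
    next=$(all_oids | awk -v req="$1" '
        function gt(a, b,   x, y, n, m, i) {
            n = split(a, x, "."); m = split(b, y, ".")
            for (i = 2; i <= n && i <= m; i++)
                if (x[i] + 0 != y[i] + 0) return (x[i] + 0 > y[i] + 0)
            return (n > m)
        }
        gt($0, req) { print; exit }')
    if [ -n "$next" ]; then snmp_get "$next"; fi
}
# snmpd calls the script with -g OID, -n OID or -s OID TYPE VALUE.
handle_request() {
    case "$1" in
        -g) snmp_get "$2" ;;
        -n) snmp_getnext "$2" ;;
        -s) echo not-writable ;;   # no SET is ever honoured
    esac
}
handle_request "$@"
```

The `rouser ... priv` line limits the subtree to an SNMPv3 user with authentication and encryption, so the handler's refusal of SET is a second layer rather than the only control.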