CLEANACCESS Archives

October 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: "Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Fri, 14 Oct 2005 11:31:47 -0700

Ryan,

Yes, that is what we are using on the CAM.  

-Rajesh.  

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Ryan Dorman
Sent: Friday, October 14, 2005 7:26 AM
To: [log in to unmask]
Subject: Re: CCA Metrics and Reporting (was Re: WGA validation
incomplete)

Sums up my thoughts.

Point 3 is a good one.. Get the data out first.. Add graphing/fancy
reports later.

Point 1... Just so you know (although I'm sure you do if anyone does)..
There is an SNMPD package already in the Linux distro on the CAS.  I
have it cranked up to provide basic machine info using the generic
UCD/Net calls. I realize that it still needs to be "plugged in"


--
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883



On 10/13/05 9:32 PM, "Rajesh Nair (rajnair)" <[log in to unmask]> wrote:

> Thanks for all the feedback... Summarizing below:
> 
> 1) Exposing this info via SNMP would require us to put SNMP on the CASs
> where it doesn't exist today.  Shouldn't be a problem in itself but
> would require some effort on our end to make sure that we only expose
> the appropriate information.
> 
> 2) 2 kinds of reporting data in the system that you care about (this is
> a coarse division):  a) networking metrics in the CAS (i.e. interface
> info, click info, pptp/l2tp/ipsec info, nating info) and b) system
> metrics in the CAM (user info, certified device info, role info, etc.)
> 
> 3) Less interested in pretty graphs, more interested in the data (format
> is less important - CSV or XML should be fine).
> 
> 4) SNMP is preferred.  API is welcome but not necessary.
> 
> Does that cover everything?
> 
> -Rajesh.
> 
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of Jason Richardson
> Sent: Thursday, October 13, 2005 7:43 AM
> To: [log in to unmask]
> Subject: Re: CCA Metrics and Reporting (was Re: WGA validation
> incomplete)
> 
> Agreed.  As Ryan said, these aren't just app servers, they are core
> routers for our Res Hall network and they can't continue to be black
> boxes to us any more than we could afford to allow that for our other
> network equipment.  The data is there with industry standard, and
> securable, methods available for accessing it and we need to be able to
> do so without going off the reservation where we can no longer rely on
> support from Cisco.
> 
> Thanks,
> 
> ---
> Jason Richardson
> Manager, IT Security and Client Development Enterprise Systems Support
> Northern Illinois University
> 
>>>> [log in to unmask] 10/13/2005 8:59:07 AM >>>
> Rajesh-
> 
> I agree with Michael.  While I realize that read/write access to CCA
> with snmp is a security risk (although couldn't you use SNMP v3
> authPriv?) getting read only access to attributes within CCA I think
> should be a priority.  I would really like to plug this into one of my
> graphing systems in order to provide data for monthly statistics and
> reports.  In addition to the user based data that Michael requested,
> providing traffic data for what is going on inside the click daemon
> would be helpful.  Since this is essentially a "core router" for our
> ResNet I need to be able to view better traffic statistics through it
> beyond just hacking the SNMP daemon on it to provide in/out stats on the
> physical interfaces.
> 
> --
> Ryan Dorman, CCNP
> Network Engineering Specialist
> Millersville University
> 717.871.5883
> 
> 
> On 10/13/05 12:39 AM, "Michael Grinnell" <[log in to unmask]>
> wrote:
> 
>> Rajesh,
>> 
>> I'm having trouble understanding your reasoning here.  Most MIBs have
>> large sections of read-only data.  A good example that corresponds to
>> the online users table is IP-MIB::ipNetToMediaPhysAddress.  Making
>> this type of OID read-write is meaningless.  In any case, merely
>> having metrics on the numbers of devices in a specific role available
>> via SNMP would be a big, very useful, step.  Here is a list of
>> metrics that I am currently pulling out of the database:
>> Certified Users by Role
>> Online Users by Role
>> Online Users by Server
>> Online Users by Operating System
>> Online Users by VLAN
>> 
>> Metrics that I think would also be good to collect are:
>> Online Users by Access Point
>> Online Users by Switch (OOB)
>> 
>> These metrics are comparable to standard interface counters used by
>> countless administrators with tools like MRTG and Cricket.  I would
>> strongly argue that SNMP is the proper way to expose this data
>> because of this.  Exposing this data via the API would be nice, but
>> it shouldn't be the only way that you make it available, because
>> querying the API requires some programming/scripting to get the data
>> out.
>> 
>> Regarding your worries about pushing large amounts of data through
>> SNMP, if you can do it for ARP tables on routers (OID above), then I
>> don't see why you can't do it for CCA.
>> 
>> Thank you for taking the time to ask us about these issues.
>> Regards,
>> 
>> Michael Grinnell
>> Network Security Administrator
>> The American University
>> e-mail: [log in to unmask]
>> 
>> On Oct 12, 2005, at 8:49 PM, Rajesh Nair (rajnair) wrote:
>> 
>>> John,
>>> 
>>> There has been a reluctance in general to open up any information via
>>> SNMP because the read/write permission feature request usually follows
>>> the read request, if you know what I mean.  And it would worry us to
>>> open up any kind of write through SNMP.
>>> 
>>> One other thing I am also worried about is that SNMP is good for
>>> smaller pieces of data but if we try pushing large pieces of data
>>> through it (e.g. user lists such as online user list, certified devices
>>> list, etc.), it may not be very reliable.
>>> 
>>> Thoughts?
>>> 
>>> I have an alternate suggestion - let me know what your thoughts are.
>>> If we can extend the API
>>> (https://<cam-adress-or-name>/admin/cisco_api.jsp) with these
>>> additional data gathering functions, would that satisfy your needs?
>>> Output this data as XML or CSV?
>>> 
>>> -Rajesh.
>>> 
>>> -----Original Message-----
>>> From: Perfigo SecureSmart and CleanMachines Discussion List
>>> [mailto:[log in to unmask]] On Behalf Of John Stauffacher
>>> Sent: Wednesday, October 12, 2005 5:15 PM
>>> To: [log in to unmask]
>>> Subject: Re: WGA validation incomplete
>>> 
>>> Rajesh,
>>> 
>>> Why not -- as a stop gap, open up more of the data via snmpd.  Create
>>> some custom scripts to pull data out of the pgsql databases and feed
>>> back through snmpd so we can query with our own NMS systems and get
>>> stuff like "Users in Quarantine Role", "Users in Temporary Role".
>>> These are the most common things I look at on a daily basis and I just
>>> wish I could integrate into my NMS which I am already staring at far
>>> too long during the day. Obviously if your Temporary or Qtine roles
>>> are climbing exponentially over time, you can predict there might be
>>> an issue at hand, that's usually when I start calling users in their
>>> rooms and ask them if they are having issues (it spooks a few of them,
>>> but most like the 'proactive' approach).
>>> 
>>> Rajesh Nair (rajnair) wrote:
>>> 
>>> 
>>>> Mike,
>>>> 
>>>> Yes, it would be good to have but at this point, it will not make it
>>>> into the 3.6 release.  We have already begun the testing cycle and
>>>> only minor enhancements can be made at this stage...
>>>> 
>>>> But yes, we are strongly considering reporting for the following
>>>> release.  One approach we are thinking of taking is that of a set of
>>>> canned reports.  While probably not as useful as a full-fledged
>>>> reporting package, if we can hit the 80-20 rule, i.e. provide canned
>>>> reports that satisfy 80% of the requirements, we would consider it a
>>>> success.  It would be interesting to hear from people as to types of
>>>> reports you would like to see.
>>>> 
>>>> Regards,
>>>> -Rajesh.
>>>> 
>>>> P.S. Please don't expect immediate turnaround though.  Please
>>>> remember that this will not make it into 3.6 and I am requesting
>>>> input for the following release.  Thanks.
>>>> 
>>>> -----Original Message-----
>>>> From: Perfigo SecureSmart and CleanMachines Discussion List
>>>> [mailto:[log in to unmask]] On Behalf Of King, Michael
>>>> Sent: Wednesday, October 12, 2005 4:38 PM
>>>> To: [log in to unmask]
>>>> Subject: Re: WGA validation incomplete
>>>> 
>>>> Hey Bob,
>>>> 
>>>> How'd you make the nifty graphic?  (High level overview, But I'm sure
>>>> We'll want the nitty gritty later.)
>>>> 
>>>> Hey Rajesh, this would be a great feature to put into 3.6, Reports!
>>>> 
>>>> ________________________________
>>>> 
>>>> From: Perfigo SecureSmart and CleanMachines Discussion List on behalf
>>>> of Bob Black
>>>> Sent: Wed 10/12/2005 7:11 PM
>>>> To: [log in to unmask]
>>>> Subject: Re: WGA validation incomplete
>>>> 
>>>> 
>>>> 
>>>> Hi Marilee,
>>>> 
>>>> It looks like you picked a tough week to roll this out.
>>>> 
>>>> We're having the same problem with the newest round of windows
>>>> updates.  It appears to be a problem on their end. It's possible it's
>>>> malware/borked-IE related. I'm sure that information will calm the
>>>> frustrated student masses.
>>>> 
>>>> I've attached a graphic of our "Quarantine role" since yesterday
>>>> afternoon.  X-axis is time in hours. Y-Axis is the number of unique
>>>> machines failing one or more CCA rules.
>>>> 
>>>> If this is your first roll-out, you might want to consider setting
>>>> the windows update rule you have to not enforce while MS fixes the
>>>> issues on their end.
>>>> 
>>>> Hope this helps,
>>>> 
>>>> Bob
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> -----Original Message-----
>>>>> From: Perfigo SecureSmart and CleanMachines Discussion List
>>>>> [mailto:[log in to unmask]] On Behalf Of Marilee Collins
>>>>> Sent: Wednesday, October 12, 2005 3:47 PM
>>>>> To: [log in to unmask]
>>>>> Subject: WGA validation incomplete
>>>>> 
>>>>> We're attempting to roll out the Clean Access agent, but many of the
>>>>> students are unable to validate Windows.
>>>>> 
>>>>> They get "Validation Incomplete: Unable to Perform Validation."  We
>>>>> have checked that the system time/zone is correct. They say they're
>>>>> installing ActiveX, but the installation period reported to me is so
>>>>> quick I wonder if it's really installed.
>>>>> 
>>>>> I've got all the Microsoft hosts allowed from the lists that were
>>>>> posted earlier this year.
>>>>> 
>>>>> We're running CAS 3.5.3.1 with the 3.5.3 agent.
>>>>> 
>>>>> Has anyone else seen this?  Anyone have some suggestions?
>>>>> 
>>>>> Thanks!
>>>>> 
>>>>> Marilee Collins
>>>>> Information Technology Services
>>>>> Northern Arizona University
>>>>> 
>>>>> 
>>>>> 
>>> 
>>> 
>>> --
>>> John Stauffacher, CISSP
>>> Network Administrator
>>> Chapman University
>>> [log in to unmask]
>>> ph: 714.628.7249
>>> "It's amazing how much you take for granted when you already know what
>>> you are doing."
>>> "there is no /usr/local on my C:\ drive!"
>>> 
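
The thread's two threads of concern, custom scripts feeding snmpd and the worry that read access leads to write access, meet in Net-SNMP's `pass` directive, where the script itself decides what a SET may do. The following is an added example, not part of the original messages and not Cisco's code; the OID subtree, script path, and role counts are constructed placeholders, and the database query is left out because the thread does not give the schema.

```shell
#!/bin/sh
# Added example: read-only handler for Net-SNMP's "pass" directive.
# Assumed snmpd.conf line (script path and OID subtree are placeholders):
#   pass .1.3.6.1.4.1.8072.9999.9999 /usr/local/bin/cca_roles.sh
BASE=".1.3.6.1.4.1.8072.9999.9999"

# Constructed sample rows: index, role name, online users. A deployment would
# produce these from its own database query; the schema is not on this page.
role_counts() {
cat <<'EOF'
1 Quarantine 42
2 Temporary 7
3 Certified 1310
EOF
}

# Print the three-line pass answer (OID, type, value) if the row exists.
emit_row() {
    val=$(role_counts | awk -v i="$1" '$1 == i { print $3 }')
    [ -z "$val" ] || printf '%s.%s\ngauge\n%s\n' "$BASE" "$1" "$val"
}

# snmpd invokes the script as: -g OID | -n OID | -s OID TYPE VALUE
handle_request() {
    op=${1:-}; oid=${2:-}
    # Every SET is refused before the OID is even looked at.
    if [ "$op" = "-s" ]; then echo "not-writable"; return 0; fi
    case "$oid" in
        "$BASE")   suffix="" ;;
        "$BASE".*) suffix=${oid#"$BASE".} ;;
        *)         return 0 ;;                  # outside our subtree
    esac
    case "$op" in
        -g) case "$suffix" in
                ''|*[!0-9]*) ;;                 # not a row OID: no answer
                *) emit_row "$suffix" ;;
            esac ;;
        -n) first=${suffix%%.*}                 # first sub-id after BASE
            case "$first" in ''|*[!0-9]*) first=0 ;; esac
            next=$(role_counts |
                   awk -v i="$first" '$1 + 0 > i + 0 { print $1; exit }')
            [ -z "$next" ] || emit_row "$next" ;;
    esac
    return 0
}

handle_request "$@"
```

Access to the subtree can additionally be limited to an SNMPv3 user declared with `rouser` at the `priv` level in snmpd.conf, which is the authPriv arrangement raised in the thread.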
