We do a role with 

Redirect all blocked pages to this URL

and put the users MAC address in this role
The role only has access to our email servers (and the webserver the
page is hosted on)

Then we try to contact the student, but usually they call us first.

> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List 
> [mailto:[log in to unmask]] On Behalf Of Joyce, Todd N
> Sent: Thursday, February 23, 2006 7:46 AM
> To: [log in to unmask]
> Subject: Re: postgres changes
> 
> I would love to see what you have done.  I was thinking of 
> creating a role that just allowed access to inside servers.  
> Cutting off Instant Messaging has worked well for us in the 
> past in getting kids to call.
> 
> 
> 
> Todd Joyce
> Network Services
> Radford University - The Smart Choice
> [log in to unmask]
> (540) 831-7777
>  
> Keep your boots and ChapStick and ice hotels.
> Give me shorts and sandals and a thirty-blocker.
> 
> Temperance Brennan - Monday Mourning
> 
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List 
> [mailto:[log in to unmask]] On Behalf Of Michael Grinnell
> Sent: Thursday, February 23, 2006 12:21 AM
> To: [log in to unmask]
> Subject: Re: postgres changes
> 
> Alex,
> 
> I'll go ahead and throw this out there in case you' or 
> anybody else is interested.  I have a script that I'm working 
> on that we use to block users on CCA by putting them in a 
> specific role, and then sends an email to out incident 
> tracking system, which then creates a ticket for them.  It's 
> still a little rough around the edges, but I'd be happy to 
> share it if you want to take a look at it.  It won't address 
> your concerns directly, but it works well for us because when 
> a student calls the help desk, they go to create a ticket, 
> and the system notifies the help desk personnel that the user 
> already has a ticket open.  This allows the help desk to 
> avoid creating duplicate tickets, and to respond to the users 
> with additional info about the block.  I find that the 
> advantage of using roles for virus, bandwidth, dmca, etc. 
> blocks (vs. "Block" filters) is that you can create a page 
> that the user sees whenever they try and browse the web.  
> This page can include links for self remediation, or simply, 
> "You've been blocked because ___, please call the help desk 
> at ___ for more information and to remove the block."
> 
> Michael Grinnell
> Network Security Administrator
> The American University
> e-mail: [log in to unmask]
> 
> 
> On Feb 22, 2006, at 10:09 PM, Alex Lanstein wrote:
> 
> > 9:31 PM EST response?  You must not be in the US!
> > Yes, I mean mac addresses with a filter is what I'm looking for.   
> > We dont make explicit roles for xboxes and PS2s, our campus 
> is very  
> > small (~1500 students), so we just throw in a filter for them.   
> > Similarly, if users are found to be 'doing wrong', either a 
> virus that 
> > isnt picked up by CCA or weird traffic or something else abnormal, 
> > they get an explicit block on their mac address as a 
> filter.  It works 
> > well from the sysadmin team, but, often times there isn't 
> > communication with the helpdesk staff.  This can be very 
> frustrating 
> > for a help desk student trying to get a computer to login 
> when it just 
> > 'doesnt work'.
> > I'm building an interface for our help desk that will show, in real 
> > time, the users who have blocks in CCA and for what reason (the 
> > description field), as well as some information about our 
> switches.  I 
> > would never try to write to the database directly, I don't 
> understand 
> > enough of how CCA works to do that.  We were fully briefed by our 
> > original reps that while we have root access to the box, if 
> we screw 
> > something up, the vendor response is going to be to format 
> and start 
> > over.
> > As an aside, I'd also like to say what a ridiculous 
> resource you are.  
> > I've never seen any product for any major vendor that has 
> 'someone on 
> > the inside' active on the listserv.  I hope more companies 
> adopt this 
> > sort of communication in the future.
> >
> > Thanks,
> > Alex
> >
> >
> > Rajesh Nair (rajnair) wrote:
> >
> >> Alex,
> >>
> >> Yes, this is not a forum for feature requests. Ideally, 
> you would do 
> >> that through Cisco's PERS system that tracks enhancements 
> (similar to 
> >> CDETS tracking bugs). But, it doesn't hurt for me to 
> understand what 
> >> it is that you are trying to do.  This forum has been great about 
> >> telling us what is wrong with the product and what can be improved 
> >> and while we cannot do everything that is asked of us, we 
> try to keep 
> >> adding things as much as possible.
> >> Few things:
> >>
> >> 1) "Show all users that have an explicit allow/block" - what does 
> >> this mean?  Currently, only devices (MAC addresses) can have an 
> >> explicit allow/block (Filters -> Devices).  Do you mean these or 
> >> something else?
> >> If you mean Filters->Devices entries, then the entries in the 
> >> database are the static entries - i.e. it does not tell you who is 
> >> currently sending traffic on the network.
> >> 2) We currently do not allow any remote communication to 
> postgres.  
> >> Only communication possible is local.  If you have 
> compromised access 
> >> to the box (root access), then all is lost anyways.  But yes, we 
> >> should add authentication especially if users intend to open up 
> >> remote access.
> >>
> >> -Rajesh.
> >>
> >> -----Original Message-----
> >> From: Perfigo SecureSmart and CleanMachines Discussion List 
> >> [mailto:[log in to unmask]] On Behalf Of Alex Lanstein
> >> Sent: Wednesday, February 22, 2006 6:02 PM
> >> To: [log in to unmask]
> >> Subject: Re: postgres changes
> >>
> >> Sure, I wasn't aware that this is a proper forum for feature 
> >> requests.  As you can see from my prior posts, I definately would 
> >> perfer using the vendor supplied API whenever possible.  I am not 
> >> doing any writes to the database, only reads.
> >>
> >> The functions I was looking to implement where:
> >> Show all users that have an explicit allow Show all users 
> that have 
> >> an explicit block Show all users in X role Pull up a 
> history of user 
> >> logins and outs.
> >>
> >> Also, I must say it's fairly ridiculous that the controlsmartdb is 
> >> using any sort of authentication.  It is not beyond any reasonable 
> >> doubt that there will be a remote vulnerability that requires an 
> >> account, but can spoof the source.  Please add some sort 
> of password 
> >> to that account in one of the later releases!
> >>
> >> Keep up the good work.
> >>
> >> Regards,
> >> Alex Lanstein
> >>
> >> Rajesh Nair (rajnair) wrote:
> >>
> >>
> >>> Folks,
> >>>
> >>> I have to say this - please avoid modifying the DB or 
> access to the 
> >>> DB.
> >>> There are some remote threats that Postgres is vulnerable to that 
> >>> might
> >>>
> >>
> >>
> >>> affect you.  You could affect the functioning of the DB and the 
> >>> perfigo
> >>>
> >>
> >>
> >>> service negatively.  And most importantly, TAC will not 
> support you 
> >>> if they know that access to DB or the DB itself have been 
> modified 
> >>> in some
> >>>
> >>
> >>
> >>> way.
> >>>
> >>> I had to recently work with a customer who had installed a  
> >>> Postgres admin utility which broke the DB syncing and failover.   
> >>> And TAC was not
> >>>
> >>
> >>
> >>> supportive at all of this.  And to be fair to them, they 
> have very 
> >>> good
> >>>
> >>
> >>
> >>> reasons to take that approach.  They were working with 
> this customer 
> >>> for quite a while before realizing (or before being
> >>> told) that the customer had tried to install a utility.
> >>>
> >>> That said, can you explain what is lacking in the API - 
> please make 
> >>> feature requests w.r.t. the API.  We will slowly but surely add 
> >>> additional APIs.  In this specific case, are you looking 
> for all MAC 
> >>> addresses that belong to a particular role?  Are you looking for 
> >>> Online
> >>>
> >>
> >>
> >>> Users in the Temporary Role or Quarantine role?  What is the 
> >>> specific thing you are trying to do?
> >>>
> >>> -Rajesh.
> >>> -----Original Message-----
> >>> From: Perfigo SecureSmart and CleanMachines Discussion List 
> >>> [mailto:[log in to unmask]] On Behalf Of Joyce, Todd N
> >>> Sent: Wednesday, February 22, 2006 12:52 PM
> >>> To: [log in to unmask]
> >>> Subject: Re: postgres changes
> >>>
> >>> ps -ae | grep post
> >>> 748 ?        00:00:00 postmaster
> >>> 750 ?        00:00:00 postmaster
> >>>
> >>> kill -1 748
> >>>
> >>> Todd Joyce
> >>> Network Services
> >>> Radford University - The Smart Choice [log in to unmask]
> >>> (540) 831-7777
> >>>
> >>> Keep your boots and ChapStick and ice hotels.
> >>> Give me shorts and sandals and a thirty-blocker.
> >>>
> >>> Temperance Brennan - Monday Mourning -----Original Message-----
> >>> From: Perfigo SecureSmart and CleanMachines Discussion List 
> >>> [mailto:[log in to unmask]] On Behalf Of Lanstein, Alex C
> >>> Sent: Wednesday, February 22, 2006 12:33 PM
> >>> To: [log in to unmask]
> >>> Subject: postgres changes
> >>>
> >>> Well, I've found the API to be inadequate for what I'm 
> trying to do 
> >>> (make a page where our help desk can see what users are 
> blocked).  
> >>> So, I'm going to query the database directly.  I know I 
> need to make 
> >>> the permission changes in pg_hba.conf, and to do that I 
> have to edit 
> >>> the make-pg_hba_conf.pl script.  I
> >>>
> >>> I did that, but I know I have to restart the perfigo 
> service.  Tom, 
> >>> from this list, said he just did a /etc/init.d perfigo 
> restart and 
> >>> his
> >>
> >>> changes took effect, but when I did that something didn't 
> start up 
> >>> properly and it was throwing license errors like mad.  I 
> didn't have 
> >>> a chance to look into it, since I had just taken down the dorm's 
> >>> abilities to login temporarily, so I had to restart it 
> quickly.  My 
> >>> changes took effect once I rebooted, but I'd like to know 
> just how 
> >>> to restart the postgres service (the 'perfigo way'... 
> /sbin/service 
> >>> postgres restart borked it too) without rebooting.  I set 
> a fairly 
> >>> unrestrictive set of mapping rules to the db and I'd like 
> to lock it 
> >>> down a little more with the ident stuff postgres does as well.
> >>>
> >>> Any thoughts?
> >>>
> >>> Thanks in advance,
> >>>
> >>> Alex Lanstein
> >>>
> >>>
>