Thursday, January 26, 2012

NetSight Management / NAC upgrade

I recently attempted to upgrade our network management equipment to the newest version, 4.2. In doing so, I received several errors that the servers were out of space and could not be upgraded. After a call to Enterasys support, we identified some files and locations that could be safely removed to free up space for the install.
The following instructions and locations are for the virtual images running in VMware.

DISCLAIMER: Before trying any of the following, if you are unsure about this please consult support to ensure you will not damage your system, or at very least make a snapshot you can revert back to.


  1. First, upgrade Wireless Advanced Services if you have it.
  2. On the console, go to the folder /usr/local/Enterasys_Networks/NetSight. If there is a folder called .installer, it should be safe to delete. Next, go to /usr/local/Enterasys_Networks/NetSight/appdata/logs; it should be safe to delete some of the older log files to free up space.
  3. On the NAC systems, the lack of space was caused by the file stats.out located at /opt/nac/server. It is safe to delete this file, and it is probably quite large, taking up the majority of the space on that partition.
With these done, chmod 777 the installer files and install them, and hopefully everything will go well.
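The cleanup steps above, collected into one script as an added example (my own, not Enterasys tooling). It uses the paths named in the post; the 30-day log age and the environment variable names are my assumptions, and each step is a function so it can be tried against a scratch directory before touching a real server.

```sh
#!/bin/sh
# Added example, not Enterasys tooling: free space before a NetSight/NAC upgrade.
# Paths are the ones named in the post; override them via environment if yours differ.
NETSIGHT_HOME="${NETSIGHT_HOME:-/usr/local/Enterasys_Networks/NetSight}"
NAC_SERVER="${NAC_SERVER:-/opt/nac/server}"
LOG_AGE_DAYS="${LOG_AGE_DAYS:-30}"   # assumption: logs older than this are expendable

# Show how full the partition holding a path is (run before and after cleanup).
report_space() {
    df -h "$1"
}

# Step 2a: remove the leftover .installer directory if it exists.
# Returns 0 when something was removed, 1 when there was nothing to do.
clean_installer_dir() {
    dir="$1/.installer"
    if [ -d "$dir" ]; then
        rm -rf "$dir"
        echo "removed $dir"
        return 0
    fi
    echo "no $dir present"
    return 1
}

# Step 2b: delete log files older than LOG_AGE_DAYS under the given logs dir
# and print how many were affected. Run with DRY_RUN=1 first to only count them.
prune_old_logs() {
    logs="$1"
    age="${2:-$LOG_AGE_DAYS}"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        find "$logs" -type f -name '*.log*' -mtime +"$age" -print | wc -l
    else
        find "$logs" -type f -name '*.log*' -mtime +"$age" -print -exec rm -f {} \; | wc -l
    fi
}

# Step 3: stats.out on the NAC server is safe to delete and is usually the
# biggest file on the partition; report its size, then remove it.
remove_stats_out() {
    f="$1/stats.out"
    if [ -f "$f" ]; then
        du -h "$f"
        rm -f "$f"
        return 0
    fi
    return 1
}

# The installer only needs to be executable by the account that runs it;
# u+x is a narrower alternative to the chmod 777 used in the post.
make_installer_executable() {
    chmod u+x "$1" && [ -x "$1" ]
}

# Only act on the real paths when explicitly asked:  sh free_space.sh run
if [ "${1:-}" = "run" ]; then
    report_space "$NETSIGHT_HOME"
    clean_installer_dir "$NETSIGHT_HOME" || true
    echo "old logs removed: $(prune_old_logs "$NETSIGHT_HOME/appdata/logs")"
    report_space "$NETSIGHT_HOME"
    remove_stats_out "$NAC_SERVER" || echo "no stats.out found"
    report_space "$NAC_SERVER"
fi
```

Take the VMware snapshot the post recommends before running it with `run`; `DRY_RUN=1 sh free_space.sh run` shows what the log pruning would remove without deleting anything.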

Good Luck


Monday, January 23, 2012

PGP Universal Gateway Server

We are in the process of deploying a PGP Universal server to allow encrypted messages to be sent to people from on-campus users. Because of the way PGP licensing works, there are a couple of different setup methods with different implications:

  1. You purchase the system based on the number of desktop clients that will have PGP Desktop installed.
  2. To do desktop encryption, the client needs a Desktop license and the software installed.
  3. To send encrypted email between internal users, those users need a Desktop license and the software installed.
  4. To send encrypted email externally, ultimately only one Desktop license is needed for unlimited users.
During implementation of the external gateway, we have experienced a couple of errors. One error in particular is receiving warnings that our ticket is not trusted, even though we purchased the certificate from Entrust. Luckily we found a post by Ian Kirk who had already solved the problem. This article goes through his steps and adds screenshots for internal documentation purposes.

[Screenshots: Step 1, Step 2]

  1. Log into the PGP Universal server as an admin and go to Keys > Trusted Keys.
  2. Scroll to the bottom of that page and select Add Trusted Key.
  3. Paste the public root key from Entrust and choose Trust key for verifying SSL/TLS and Trust key for verifying mail.
  4. Do the same for the intermediate key.
  5. Go to Services > Web Messenger and disable and re-enable the service.

[Screenshot: Step 3]
This seems to have resolved the trust prompts for the site and keys. That said, more setup needs to occur, because based on tests mail is not yet being encrypted when sent.

Creating a Campus Online Directory

At Mount, one of the projects we did was to create an accurate, up-to-date online directory. This would expose directory data in an easily searchable format. It was required to be searchable by name, title or department. It was also required that we have two versions:

  • One for internal audiences that includes student information and Fac/Staff home addresses and phones
  • One for external audiences that includes campus phone, address, titles, departments, and email
  • An additional request was to ensure Exchange was updated with the latest information
The key aspect of this project was to figure out how the information would flow to ensure it was up to date, particularly given the delay in transmitting information between various departments internally. The systems and people involved in the process were as follows.

  • PowerCampus (our ERP): this is supposed to be the master database that is most correct and where all data comes from
  • Active Directory: in order to get Exchange updated, the information needs to end up here. We also decided that the information displayed on the web should come from here, to ensure our directory is current for security purposes.
  • Human Resources: responsible for making changes to Fac/Staff info and generating ID information in PowerCampus
  • IT: responsible for running the import/export of data and creating new network accounts based on information from HR
Below is the data flow diagram of the three functions that occur in the online directory process.

Wednesday, January 18, 2012

How to Bypass Wikipedia Blackout

Today is January 18th, and to fight the currently proposed legislation, PIPA and SOPA, which would restrict online freedom of information by giving the government the ability to break portions of the internet under the guise of stopping piracy, many large websites are blacking out their information. Wikipedia is among these, and I fully support and encourage you to call your representatives or sign any of the petitions to fight this legislation, including the one at https://www.google.com/landing/takeaction/.

That being said, if you need to bypass the blackout for today to use Wikipedia, it appears fairly easy to do so, since it is only using JavaScript to redirect. Here are directions for three browsers (Internet Explorer's experience will be the most cumbersome):

  1. Chrome: install an extension called NotScripts and block wikipedia from running scripts, as shown.
  [Screenshot: Chrome + NotScripts]
  2. Firefox: install the add-on called NoScript and again block wikipedia from running scripts.
  3. Internet Explorer: go to Internet Options > Security > Internet Zone > Custom Level. Scroll down the list until you find Scripting > Active Scripting. Set this to Prompt or Disable. Now when you go to the Wikipedia page, don't let it run scripts.

Please note that allowing scripts to run is required for many features on many pages to work as intended, so you may have to allow or block sites from running scripts as needed. The major benefit of this is that it will prevent the majority of malware attacks on you, because those bad things usually require scripting to work correctly, so this is more secure. As usual, though, if you normally visit known good sites there is a trade-off in usability, so you may want to use Chrome or Firefox and just allow scripting on those known sites.

EDIT: I also found the following bypass methods from Wikipedia itself:

Are there ways to circumvent the read blackout?

The community has asked us to preserve emergency access options. The following methods will remain available to access content:
  • Disabling JavaScript in your browser
  • Using bookmarklets or other tools to unhide the content
  • Visiting the mobile site at http://en.m.wikipedia.org/
  • Accessing site content via the API
  • Appending ?banner=none to the end of page URLs.
As noted above, the mobile site will be available, but will display a banner pointing people to ways to protest SOPA/PIPA.

Sunday, January 15, 2012

Preparing for a new network

Here at Mount we are at the beginning stages of gearing up for a new network. The last upgrade for us was fundamentally performed in 2004. At that time we had our FDDI ring and 10 meg hub network replaced with an Ethernet network with 10 gig links between the cores and 1000 meg to most desktops. At that time wireless was in its infancy, so a small wireless install was added to the residence halls as a supplement to the wired network. Since then, additional buildings have been added with newer electronics installed during construction, as well as additional wireless upgrades as funding was available.

We are currently faced with the dilemma that our core electronics will not support IPv6 routing, preventing us from deploying IPv6 natively. We are also facing the end of support on the majority of our current electronics.

All of this brings us to the current point in time, where we are starting to get the specs and pricing for upgrading the current network. Some of the key points we are looking at are:
  • transition to having the wireless network be the primary ingress point for end users
  • reduce the year-to-year maintenance costs
  • reduce the number of wired ports in many buildings to reduce up-front purchase costs

To do this we are using the management system of our current vendor, Enterasys. The starting point was to use their Inventory Manager product to get a list of the port usage on all devices over the past several months, giving us accurate usage numbers.
Our plan is to take this number and increase the current usage by 25% to anticipate the increased wireless and systems ports needed.

I am hoping to keep this blog a bit more updated as we go through this process.