This document is under construction.
This document will give you information about how Arnold works and how to use and configure it. A FAQ-section will be added as questions are received.
Arnold is a system that blocks or changes vlan on (from now on referred to as a “detention”) switch-ports by using SNMP-set commands. It does this based one or more ip or mac-addresses given as input on runtime. Based on the address it uses the NAV-database to locate the correct switch-port to detain, and attempts to detain it using SNMP.
NB: It is important that the write-community is set in the NAV-database, otherwise Arnold will not be able to detain or enable ports on the switch. You specifiy write community when you add or edit a new netbox in the edit database tool.
Arnold does not scan or in any other way detect or judge mischievers, it leaves that to the persons or scripts giving it input. It is like the executioner getting the “Chop”-signal, happily blocking away doing its job.
The main addition to arnold in version 2 is the ability to change vlans on ports instead of just blocking them. This is done so that if you have available quarantine vlans defined on your network, you can put computers on those vlans instead of blocking them. Putting computers in a quarantine vlan is more helpful and convenient for the user of the computer than suddenly losing the internet connection, which often leads to frustration and helpdesk calls. The action of changing a vlan on a port with the help of Arnold is called a quarantine.
Other new features:
Arnold consists of a couple of scripts (including a arnold-module), a web-interface and a database. For basic use you will never have to touch the scripts, just use the web-interface to disable and enable ports. Arnold should be ready to use without any fuzz as long as the NAV-database is up to date. Some of the features requires some editing in config-files, which is documented later in this document.
To access the web-interface, use the Toolbox and locate the Arnold subsystem there. The first page is the list of currently detained ports. Above the list you will see a number of links which you can use to access more of Arnolds functionality. Here is the list:
As the functionality of these pages are more or less self-explaining, I will not document all of them. But there are a page that demands som explaining, which hereby follows:
A predefined detention lets you specify parameters for a detention before the detention is carried out. Why use it?
So, hit the “Add new predefined detention”-link and lets start!
How to use a predefined detention
The only way to use a predefined detention is by using the
start_arnold.pl-script. When you have defined a predefined detention you should make a cron-job or some other way of running
start_arnold.pl automatically whenever you want. See section about start_arnold.py.
Arnold consists of four scripts, which all are located in the
This used to be the workhorse of the system. This is no longer the case as the python module 'arnold' now does all the work. This script is used now for basic use of arnold via a shell. You can run
arnold.py -h to get a list of options.
autoenable.py is run by cron and should not need to be run by any other user. All it does is fetch all disabled ports with an autoenable-value and enable that port if the time is due. Running it manually does the same thing.
start_arnold.py should be used in conjunction with a predefined detention. This is first defined using the webinterface with name, options and so on. When it is defined you can use
start_arnold.py to run a detention. Confusing? Yes. It was made for ease of use from other computers which had large lists of ip-addresses to be detained. Lets make a scenario:
We want to scan our network for malicious computers. We have our own scanning-computer that has more-than-normal access to the whole network, and this is not the computer NAV is installed on. How do we deliver the list from the scanning-computer to arnold for detentions? Well, first we make a predefined detention with the options we want, using the webinterface. We give the scanning-computer a public-key tuple on the NAV-server. Then we do some scanning which gives us a list of computers we don't want on the network anymore. We transfer the list like this (the -i option is the id of the predefined detention):
[prompt]# cat scanresult.txt | ssh email@example.com:nav/bin/start_arnold_py -i 1
This will ensure a clean and tidy run of arnold and some detained ports. Of course you can also use
start_arnold.py to just pipe a local list of addresses in, quick and easy. The main advantage is that all options are set and you have an easy way to “feed” Arnold.
This script is run by cron. It fetches all detained ports from the database and starts checking if the mac-address which was behind that port is active any other place in the network. If it is, it enforces the detention on that port aswell. Depending on options given at detention-time it will either enable the old port or just leave it. Needless to say this does not detain the new port immediately after a detained computer has moved to it as it takes some time before the mac-address is discovered, but it is as good as it gets (for now).
The following configuration files are used by Arnold.
nav/etc/arnold/arnold.conf is divided into three sections.
nav/etc/arnold/nonblock.conf is not really a config-file but an exception list. Some computers (ip-addresses) does not want to be detained. If you want to grant them their wish, enter their ip-address in this file. The format is cleary defined in the file, and is quite flexible. You also have the possibility to define equipment-types that you don't want to block. This is a rather depricated option, but some switches that does not support snmp-set are included by default.
If you make a predefined detention you will notice a textfield called “Path to mailfile”. Arnold may send mail to those listed as responsible for the address it tries to detain. Who is responsible is fetched from the NAV-database (the contact address defined for an organisation). But Arnold does not know what you want to tell these people, so you have to write the general format of the mail yourself. This template is what you write and place in the mailtemplates-folder, and the name of the file you make (which contains your template) is placed in the “Path to mailfile”-textfield. A description on how to make a template is in the
README-file located in the
The arnold scripts logs to individual files stored in
nav/var/log/arnold. The webinterface logs to the default webfront log, usually
nav/var/log/webfront.log. The loglevel used for each script is defined in arnold.conf.