This document is under construction.
Arnold is a subsystem of NAV-v3, first released in NAV-v3.1. Arnold is a port-blocker, and now also a vlan-changer, and was originally made to make it easier to remove mischievers from the campus internet.
This document will give you information about how Arnold works and how to use and configure it. A FAQ-section will be added as questions are received.
The main addition to arnold in version 2 is the ability to change vlans on ports instead of just blocking them. This is done so that if you have available quarantine vlans defined on your network, you can put computers on those vlans instead of blocking them. Putting computers in a quarantine vlan is more helpful and convenient for the user of the computer than suddenly losing the internet connection, which often leads to frustration and helpdesk calls. The action of changing a vlan on a port with the help of Arnold is called a quarantine.
Other new features:
Arnold is a system that blocks switch-ports, or changes the vlan on them (both referred to from now on as a "detention"), by using SNMP-set commands. It does this based on one or more ip- or mac-addresses given as input at runtime. Based on the address it uses the NAV-database to locate the correct switch-port to detain, and attempts to detain it using SNMP.
NB: It is important that the write-community is set in the NAV-database, otherwise Arnold will not be able to detain or enable ports on the switch. You specify the write-community when you add or edit a netbox in the edit database tool. Keep in mind that the write-community is a credential for reconfiguring the switch, so treat the NAV-database and its backups accordingly.
Arnold does not scan or in any other way detect or judge mischievers, it leaves that to the persons or scripts giving it input. It is like the executioner getting the “Chop”-signal, happily blocking away doing its job.
Arnold consists of a couple of scripts (including an arnold-module), a web-interface and a database. For basic use you will never have to touch the scripts, just use the web-interface to disable and enable ports. Arnold should be ready to use without any fuss as long as the NAV-database is up to date. Some of the features require some editing of config-files, which is documented later in this document.
To access the web-interface, use the Toolbox and locate the Arnold subsystem there. The first page is the list of currently detained ports. Above the list you will see a number of links which you can use to access more of Arnolds functionality. Here is the list:
As the functionality of these pages is more or less self-explanatory, I will not document all of them. But there is one page that demands some explaining, which hereby follows:
A predefined detention lets you specify parameters for a detention before the detention is carried out. Why use it?
So, hit the “Add new predefined detention”-link and lets start!
How to use a predefined detention
The only way to use a predefined detention is by using the start_arnold.pl-script. When you have defined a predefined detention you should make a cron-job or some other way of running start_arnold.pl automatically whenever you want.
Examples:
Create some examples here.
Arnold consists of four scripts, which are all located in the nav/bin directory.
arnold.pl
This is the workhorse of the system. You can run arnold.pl -h to get a huge list of options. It always demands the -x parameter to be set; other than that it all depends on what you want to do. I do not recommend "pushing all the buttons to see what happens". I will throw in some examples for basic use.
NB: All information listed here is from our test-install, thus the information may seem a little immature. This indicates a healthy working environment.
Disabling a port
If you, for some reason, want to disable a port using the script and not using the web-interface, this is the way to do it.
1: Locate the victim - i.e. an ip-address.
2: List all reasons:
[prompt]# ./arnold.pl -l
Reasons for blocking currently in the database:
1: We block ports because it is fun.
2: Next reason
3: Low shoe
3: Determine the time for auto-enable (how many days before the port is enabled again automatically). Not specified = forever.
4: Run the script:
[prompt]# ./arnold.pl -x disable -a 129.241.xxx.xxx -r2 -t2
129.241.xxx.xxx (connected to nett-ans-xxx-h.ntnu.no 1:8) disabled successfully.
Now we have disabled port 8 in module 1 on the switch nett-ans-xxx-h.ntnu.no (which is where 129.241.xxx.xxx is located). It will stay disabled for two days or until we manually enable it.
Enabling a port
Enabling of a port should really only be done by the web-interface. If you are very stubborn, find the id of the block in the database, and run this command:
[bredal@isbre bin]$ ./arnold.pl -x enable -i 7
129.241.xxx.xxx (connected to nett-ans-xxx-h.ntnu.no 1:8) enabled successfully.
Other options
More to come.
autoenable.pl
autoenable.pl is run by cron and should not need to be run by any other user. All it does is fetch all disabled ports with an autoenable-value and enable each port whose time is due. Running it manually does the same thing.
start_arnold.pl
start_arnold.pl should be used in conjunction with a blocktype. A blocktype is first defined in the web-interface with a name, options and so on. When a blocktype is defined you can use start_arnold.pl to run a block by that blocktype. Confusing? Yes. It was made for ease of use from other computers that have large lists of ip-addresses to be blocked. Let's make a scenario:
We want to scan our network for malicious computers. We have our own scanning-computer that has more-than-normal access to the whole network, and this is not the computer NAV is installed on. How do we deliver the list from the scanning-computer to Arnold for blocking? Well, first we make a blocktype with the options we want. This is done by using the web-interface. Then we set up SSH public-key authentication for the scanning-computer on the NAV-server (the scanner's public key goes into the authorized_keys of the user that runs Arnold). Then we do some scanning, which gives us a list of computers we don't want on the network anymore. We transfer the list like this (the -i option is the id of the blocktype):
[prompt]# cat scanresult.txt | ssh scanner@navinstall.network.com nav/bin/start_arnold.pl -i 1
This will ensure a clean and tidy run of Arnold and some blocked ports. Of course you can also use start_arnold.pl to just pipe in a local list of ip-addresses, quick and easy. The main advantage is that all options are set by defining a blocktype and you have an easy way to "feed" Arnold. Keep in mind that anyone who can log in as that user and run start_arnold.pl can detain any port NAV knows about, so guard the scanner's key as you would any other administrative credential.
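The scanner feed above is a privileged path: start_arnold.pl trusts whatever addresses it is given, and an SSH key that can run it can detain any port. The wrapper below is an added example (my own, not part of Arnold or NAV) of a forced-command filter placed in front of start_arnold.pl on the NAV-server. It assumes start_arnold.pl lives in $HOME/nav/bin and reads one address per line on stdin, and it uses a local exception file of its own with one ipv4-address per line and # comments; that format is an assumption of this example and is not the format of Arnold's nonblock.cfg. The script name arnold-feed and the --run argument are likewise assumptions.

```shell
#!/bin/sh
# arnold-feed: forced-command wrapper in front of start_arnold.pl.
# Added example, not part of NAV/Arnold. The only thing taken from the page
# is the "start_arnold.pl -i <blocktype id>" invocation; the rest is assumed.
#
# Assumed layout: start_arnold.pl in $NAVBIN, reading addresses on stdin.
NAVBIN=${NAVBIN:-"$HOME/nav/bin"}

# filter_feed EXCEPTION_FILE
# Reads candidate addresses on stdin and writes only the lines that are a
# syntactically valid ipv4-address (octets 0-255) or a colon-separated
# mac-address, one per line. CRs and surrounding whitespace are stripped;
# blank lines, comments, shell metacharacters and anything else are dropped.
# Addresses listed in EXCEPTION_FILE (assumed format: one ipv4-address per
# line, '#' comments) are dropped as well. Pass "" to skip the exception list.
filter_feed() {
    exc=$1
    tr -d '\r' |
    sed 's/[[:space:]]*$//; s/^[[:space:]]*//' |
    grep -E '^(([0-9]{1,3}\.){3}[0-9]{1,3}|([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$' |
    awk -F. 'NF != 4 { print; next }          # mac-address: no dots, pass through
             { ok = 1
               for (i = 1; i <= 4; i++) if ($i + 0 > 255) ok = 0
               if (ok) print }' |
    while IFS= read -r addr; do
        if [ -n "$exc" ] && [ -r "$exc" ] &&
           grep -v '^#' "$exc" | grep -qxF -- "$addr"; then
            continue                          # on the exception list, never detain
        fi
        printf '%s\n' "$addr"
    done
}

# feed_arnold BLOCKTYPE_ID EXCEPTION_FILE
# The only action the remote scanner can trigger: filtered stdin goes to
# start_arnold.pl with a blocktype id fixed by the administrator in
# authorized_keys, not chosen by the remote side.
feed_arnold() {
    filter_feed "$2" | "$NAVBIN/start_arnold.pl" -i "$1"
}

# When installed as a forced command, sshd runs this script with the fixed
# arguments from authorized_keys. SSH_ORIGINAL_COMMAND (whatever the client
# asked to run) is deliberately ignored.
if [ "${1:-}" = "--run" ]; then
    feed_arnold "$2" "$3"
fi
```

Install it on the NAV-server and bind the scanner's key to it in the Arnold user's authorized_keys with a line of the form command="/usr/local/bin/arnold-feed --run 1 /etc/arnold-exceptions",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... scanner (the path, blocktype id 1 and exception file are placeholders). The scanner side then becomes cat scanresult.txt | ssh scanner@navinstall.network.com with no command at all: the key can only ever feed that one blocktype, and a compromised scanner cannot turn it into a shell or detain addresses on the exception list.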
This script is run by cron. It fetches all blocked ports from the database and starts checking if the mac-address which was behind that port is active any other place in the network. If it is, it blocks that port. Depending on options given at block-time it will either open the old closed port or just leave it closed. Needless to say this does not block the new port immediately after a blocked computer has moved to it, but it is as good as it gets (for now).
Arnold has two config-files, which both are quite small.
nav/etc/arnold/arnold.cfg has three options. You specify the mail-program Arnold uses to send mail, the from-address Arnold identifies itself by, and a recipient Arnold sends mail to if something went wrong. All of these are clearly marked in the file.
nav/etc/arnold/nonblock.cfg is not really a config-file but an exception list. Some computers (ip-addresses) do not want to be blocked. If you want to grant them their wish, enter their ip-address in this file. The format is clearly defined in the file, and is quite flexible. You also have the possibility to define equipment-types that you don't want to block. This is a rather deprecated option, but some switches that do not support snmp-set are included by default.
In addition we have these:
nav/etc/arnold/mailtemplates/*
If you make a blocktype you will notice a textfield called "Path to mailfile". Arnold may send mail to those listed as responsible for the ip-address it tries to block. Who is responsible is fetched from the NAV-database. But Arnold does not know what you want to tell these people, so you have to write the general format of the mail yourself. This template is what you write and place in the mailtemplates-folder, and the name of the file you make (which contains your template) is placed in the "Path to mailfile"-textfield. A description of how to make a template is in the README-file located in the mailtemplates/-folder.
More to come.
More details.
Logs of arnold-activity are stored in nav/var/log/arnold.
The story.