Christopher Mangiarelli | 1 Sep 2009 20:13

Re: password change web utility - CIFS only clients

You can use iManager for password changes.  For small environments this
works fairly well.

On Mon, Aug 31, 2009 at 12:19 PM, Bill Brush <bbrush <at> gmail.com> wrote:

> FWIW, I would set up IDM to sync them, or Domain services.  Everything
> happens in the background and there's only one place to change your
> password.  The IDM AD driver is pretty robust and setting it up can be
> done in an afternoon.
>
> Bill
> _______________________________________________
> Novell mailing list
> Novell <at> netlab1.oucs.ox.ac.uk
> http://netlab1.usu.edu/mailman/listinfo/novell
>

-- 
Christopher Mangiarelli
cmangiarelli <at> gmail.com
Brian Hatchell | 2 Sep 2009 19:38

Need some advice on security practices

Folks: (non-Novell related)

Right now we are allowing ssh on non-standard port 5555 to leave our
network.  I suspect that this is being used for tunneled browsing in
order to bypass legal and HR requirements for content, not to mention
the risk of the tunnel being open into our network.

The story that the department is giving is that they need students to
access their home computers through ssh.  My firewall (Fortinet
Fortiguard 620b) of course cannot man-in-the-middle this protocol to
ensure policy is being enforced.

My main question is: is there a way I can provide remote access to
desktops off-campus with a protocol that can be monitored by my
firewall?  We need to present them with an alternative so we can close
this security hole.

Can someone give me some advice?

Brian Hatchell
Network Manager
Victor Valley College
760 245-4271 x2792

For a successful technology, reality must take precedence over public
relations, for Nature cannot be fooled – Richard P. Feynman

Twitter: <at> vvcit or http://twitter.com/vvcit
Check my Blog at

Randy Grein | 2 Sep 2009 23:15

Re: Need some advice on security practices

I'm surprised - I was not aware there were HR and legal requirements for
students that would trump their privacy rights. They are, after all, not
employees (HR should not be involved) and any way you look at it they
are independent entities with data they may be accessing you have no
rights to. Other than the possibility of data leakage which is likely
better solved by putting students in a DMZ separate from administration
I can't see a security hole here. Are you SURE you need to monitor
student traffic at this level? As in, a command by management; I
wouldn't want to take responsibility for this if you can avoid it - or
talk to legal counsel first.

Randy Grein
Sr. Network Engineer
(253)798-6443

>>> "Brian Hatchell" <Hatchellb <at> vvc.edu> 9/2/2009 10:38 AM >>>
Folks: (non-Novell related)

Right now we are allowing ssh on non-standard port 5555 to leave our
network.  I suspect that this is being used for tunneled browsing in
order to bypass legal and HR requirements for content, not to mention
the risk of the tunnel being open into our network.

The story that the department is giving is that they need students to
access their home computers through ssh.  My firewall (Fortinet
Fortiguard 620b) of course cannot man-in-the-middle this protocol to
ensure policy is being enforced.

My main question is that is there a way I can provide remote access to
desktops off-campus with a protocol that can be monitored by my

Peter Van Lone | 2 Sep 2009 23:24

Re: Need some advice on security practices

I completely concur with Randy -- this kind of content monitoring is
offensive at best and very likely illegal in some contexts -- an
academic situation is NOT the same as a corporate one.

If it were me I would insist, if required by my job to perform these
functions, that I get a signed statement indicating that I have no
personal responsibility for it. I would very likely speak to a lawyer
to be sure before doing anything more.

Ick ....

------------------------------------------------------------
"I like flaws and feel more comfortable around people who have them. I
myself am made entirely of flaws, stitched together with good
intentions." Augusten Burroughs

http://www.the-brights.net
http://xkcd.com/167

On Wed, Sep 2, 2009 at 4:15 PM, Randy Grein<RGrein <at> tpchd.org> wrote:
> I'm surprised - I was not aware there were HR and legal requirements for
> students that would trump their privacy rights. They are, after all not
> employees (HR should not be involved) and any way you look at it they
> are independent entities with data they may be accessing you have no
> rights to. Other than the possibility of data leakage which is likely
> better solved by putting students in a DMZ separate from administration
> I can't see a security hole here. Are you SURE you need to monitor
> student traffic at this level? As in, a command by management; I
> wouldn't want to take responsibility for this if you can avoid it - or
> talk to legal counsel first.

Brian Hatchell | 2 Sep 2009 23:29

Re: Need some advice on security practices

You should read the Higher Education Act of 2008 HR 4137.  It REQUIRES
filtering in order to receive title funds.  I only wish that I had the
luxury of separating my educational from the admin networks here.

Brian Hatchell
Network Manager
Victor Valley College
760 245-4271 x2792

For a successful technology, reality must take precedence over public
relations, for Nature cannot be fooled – Richard P. Feynman

Twitter: <at> vvcit or http://twitter.com/vvcit
Check my Blog at
http://gwcal.vvc.edu/mplusextranet/scp.dll/blog?user=hatchellb

>>> On 9/2/2009 at 2:24 PM, in message
<68b791330909021424q7dc2e7ebj6ed9aca066ff3376 <at> mail.gmail.com>, Peter Van
Lone <petervl <at> gmail.com> wrote:

I completely concur with Randy -- this kind of content monitoring is
offensive at best and very likely illegal in some contexts -- an
academic situation is NOT the same as a corporate one.

If it were me I would insist, if required by my job to perform these
functions, that I get a signed statement indicating that I have no
personal responsibility for it. I would very likely speak to a lawyer
to be sure before doing anything more.

Ick ....

Randy Grein | 2 Sep 2009 23:45

Re: Need some advice on security practices

I feel for you. I haven't read the act so I'll assume you're correct
about the filtering requirement; hard to mistake something like that.
I'm not sure how this act affects things like TOR networks - if you're
required to monitor all channels and you don't control the workstations
(I assume you have students bringing their laptops in) it's a losing
proposition. In that case I'd block SSH and SSL communications from
students and let them know your hands are tied. Shouldn't take too long
to amend the act if it's as pervasive as all that.

Randy Grein
Sr. Network Engineer
(253)798-6443

>>> "Brian Hatchell" <Hatchellb <at> vvc.edu> 9/2/2009 2:29 PM >>>
You should read the Higher Education Act of 2008 HR 4137.  It REQUIRES
filtering in order to receive title funds.  I only wish that I had the
luxury of separating my educational from the admin networks here.

Brian Hatchell
Network Manager
Victor Valley College
760 245-4271 x2792

For a successful technology, reality must take precedence over public
relations, for Nature cannot be fooled –Richard P. Feynman

Twitter: <at> vvcit or http://twitter.com/vvcit
Check my Blog at
http://gwcal.vvc.edu/mplusextranet/scp.dll/blog?user=hatchellb


Cal Frye | 2 Sep 2009 23:50

Re: Need some advice on security practices


Brian Hatchell wrote:
> You should read the Higher Education Act of 2008 HR 4137.  It REQUIRES
> filtering in order to receive title funds.  I only wish that I had the
> luxury of separating my educational from the admin networks here.
>  

Educause has several good resources on the HEOA. The bulk concern is on
illegal distribution of copyrighted materials, or P2P file-sharing. From
an Educause summary:

"Report language that accompanies the law explicitly states that
technology-based deterrents include “bandwidth shaping” and “traffic
monitoring to identify the largest bandwidth users,” and indicates that
certain education and enforcement programs will also qualify.  The report
language explicitly notes that institutions are not required to adopt any
particular type of technology-based deterrent, recognizing that even
institutions that “prohibit content monitoring” retain the authority to
determine their own plans."

IANAL, nor do I play one on TV. Of course you need to follow the advice
of your own legal counsel, as they're going to be the ones defending you
should it come to court. But Educause suggests we have options.

--
Celebrating the 150th anniversary of the publication of the Origin of
Species.

Paul Allen | 3 Sep 2009 02:17

hba tuning for SLES 10 SP2 NCS

Hi All
I am currently working on a project to build a 6-way SLES 10 SP2 clustered
environment for a GroupWise migration.  I am using two QLogic qle2460 HBAs
in each node and an FC connection to a StorageTek SAN.

I have loaded the Sun StorageTek RDAC Multipath Failover Driver to manage
multipath issues.

I have read the install guide for this driver; it replaces the
qla2xxx driver from QLogic and all tuning settings are then set by
mpp.conf... super!

Anyway, when I check the status of the kernel it reports it is tainted 2.

checking the kernel.txt, tainted 2 reports:

2 - A module was force loaded by insmod -f.
      Set by modutils >= 2.4.9 and module-init-tools.

How can I check which driver or module was force loaded?

cheers
Paul

-- 
He who can no longer pause to wonder and stand rapt in awe, is as good as
dead; his eyes are closed.
Albert Einstein
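One way to answer the "which module was force loaded?" question, as an added illustration that is not code from the thread: decode the taint bitmask using the kernel.txt bit table the post quotes, and scan /proc/modules for per-module taint letters. It assumes a kernel that appends flags such as "(F)" to /proc/modules lines; the sample /proc/modules text and module names are constructed.

```python
"""Decode the kernel taint bitmask and find modules carrying the forced-load
flag.  Bit meanings follow the 2.6-era Documentation/sysctl/kernel.txt table;
the /proc/modules sample below is constructed, not taken from a real node."""
import re

# Taint bits from kernel.txt (tainted value = sum of 1 << bit).
TAINT_BITS = {
    0: "proprietary module loaded",
    1: "module force loaded (insmod -f)",
    2: "SMP kernel on a CPU not certified SMP-safe",
    3: "module force unloaded (rmmod -f)",
    4: "machine check exception",
    5: "bad page reference",
    6: "taint requested by user",
    7: "kernel died recently (OOPS/BUG)",
}

def decode_tainted(value):
    """Human-readable reasons set in a /proc/sys/kernel/tainted value."""
    return [desc for bit, desc in TAINT_BITS.items() if value & (1 << bit)]

# /proc/modules: name size refcount deps state address [ (taint letters) ]
# Assumes a kernel that appends per-module flags such as (F) = force loaded.
_MOD_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+(?:\s+\(([A-Z]+)\))?")

def forced_modules(proc_modules_text):
    """Names of modules whose per-module taint letters include F."""
    found = []
    for line in proc_modules_text.splitlines():
        m = _MOD_RE.match(line)
        if m and m.group(2) and "F" in m.group(2):
            found.append(m.group(1))
    return found

# Constructed sample: a multipath driver pair force-loaded on top of the HBA driver.
SAMPLE_PROC_MODULES = """\
mpp_upper 98304 4 mpp_vhba, Live 0xffffffff88100000 (F)
mpp_vhba 131072 0 - Live 0xffffffff88200000 (F)
qla2xxx 294912 2 mpp_vhba, Live 0xffffffff88300000
dm_mod 90112 1 - Live 0xffffffff88400000
"""

if __name__ == "__main__":
    try:
        with open("/proc/sys/kernel/tainted") as f, open("/proc/modules") as g:
            tainted, mods = int(f.read()), g.read()
    except OSError:  # not on Linux: fall back to the constructed sample
        tainted, mods = 2, SAMPLE_PROC_MODULES
    print("taint reasons:", decode_tainted(tainted))
    print("force-loaded:", forced_modules(mods) or "none flagged; check the kernel log")
```

On a kernel that does not record per-module flags, the taint value alone tells you only that some module was forced; the kernel log around the time of the load is then the remaining evidence.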
Toomas Aas | 3 Sep 2009 13:10

ntp as client to timesync

Hello!

I installed a SLES10 SP2 server and configured ntp to get time from a NetWare 
6.5 server running TIMESYNC (which should be possible according to the docs).

Time 'appears' to be in sync, and ntp.log ends with:

3 Sep 10:55:23 ntpd[3736]: synchronized to 192.168.1.3, stratum 5

(this is timestamped a few hours ago, when I set up the server).

However, running ntptrace on the SLES box gives this:
# ntptrace
localhost: stratum 6, offset 0.008646, synch distance 0.013765
192.168.1.3: timed out, nothing received
***Request timed out

Is this just an incompatibility b/w timesync and ntptrace, or does it 
indicate real trouble?

-- 
Toomas Aas
Joe Doupnik | 3 Sep 2009 13:12

Re: ntp as client to timesync

Toomas Aas wrote:
> Hello!
> 
> I installed a SLES10 SP2 server and configured ntp to get time from Netware 
> 6.5 server running TIMESYNC (which should be possible according to the docs).
> 
> Time 'appears' to be in sync, and ntp.log ends with:
> 
> 3 Sep 10:55:23 ntpd[3736]: synchronized to 192.168.1.3, stratum 5
> 
> (this is timestamped few hours ago, when I set up the server).
> 
> However, running ntptrace on the SLES box gives this:
> # ntptrace
> localhost: stratum 6, offset 0.008646, synch distance 0.013765
> 192.168.1.3: timed out, nothing received
> ***Request timed out
> 
> Is this just an incompatibility b/w timesync and ntptrace, or does it 
> indicate real trouble?
> 
----------------
It indicates the very simple NTP capabilities of timesync.nlm.
You have xntpd.nlm, why not use it instead?
Joe D.
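The difference Joe is pointing at, as an added example that is not code from the thread: ntpd synchronises with an ordinary 48-byte mode 3 client request, which a minimal server answers, while the ntptrace shipped with ntp 4.2 is a wrapper around ntpq readvar and sends mode 6 control messages, which such a server can simply ignore (hence "timed out, nothing received"). Which exact query timesync.nlm drops is an assumption here; the stratum-5 reply is a constructed sample, not a capture from 192.168.1.3.

```python
"""Plain NTP client/server exchange versus the mode 6 control query ntptrace
sends.  SAMPLE_REPLY is constructed; nothing here was captured from a server."""
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def build_client_request(version=3):
    """48-byte NTP packet with LI=0, VN=version, mode 3 (client); rest zero."""
    return bytes([(version << 3) | 3]) + bytes(47)

def build_control_readvar(version=3):
    """Mode 6 control header (opcode 2 = READVAR) as ntpq/ntptrace send it.
    Fields: LI/VN/mode, R-E-M/opcode, sequence, status, assoc id, offset, count."""
    return struct.pack("!BBHHHHH", (version << 3) | 6, 2, 1, 0, 0, 0, 0)

def parse_server_reply(pkt):
    """Fields a client needs from a mode 4 reply: stratum, upstream refid, tx time."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    first, stratum = pkt[0], pkt[1]
    refid = pkt[12:16]
    tx_sec, tx_frac = struct.unpack("!II", pkt[40:48])
    # At stratum 2 and above the refid is the IPv4 address of the upstream source.
    ref = ".".join(str(b) for b in refid) if stratum >= 2 else refid.decode("ascii", "replace")
    return {"mode": first & 7, "version": (first >> 3) & 7, "stratum": stratum,
            "refid": ref, "transmit_unix": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32}

def query(host, payload, timeout=2.0):
    """Send one datagram to UDP/123; None on timeout, which is what ntpq/ntptrace
    report as 'timed out, nothing received' when a server ignores the query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, 123))
        try:
            return s.recvfrom(1024)[0]
        except socket.timeout:
            return None

# Constructed stratum-5 mode 4 reply: upstream refid 10.0.0.1, transmit time on 2009-09-03.
SAMPLE_REPLY = (bytes([(3 << 3) | 4, 5, 6, 236]) + bytes(8) + bytes([10, 0, 0, 1])
                + bytes(24) + struct.pack("!II", NTP_EPOCH_OFFSET + 1251968123, 0))
```

Run `query(host, build_client_request())` and `query(host, build_control_readvar())` against the same server: a reply to the first and None for the second is the "simple NTP only" behaviour Joe describes, and is no sign that time is wrong.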
