Automagic Registration System v2.0
What is ARS?
Briefly, the Automagic Registration System (ARS) is a modular application framework that:
- Enables network/system administrators to deploy appliances that gate access across the network border, admitting only authorized systems (by Ethernet address, IP address, or the pairing of both) and users (via an authenticated registration process)
- Provides a means of "capturing" the web browser sessions of unregistered systems, using DNS redirection to force them to view and use the Registration APPlication (RAPP)
- Empowers network/system administrators and user-support technicians with a browser-based user interface to view, query and manage the registration and access data associated with systems
- Encourages and supports the use of security scanners such as Nessus or eEye's Retina to scan systems for vulnerabilities before they register, and to aid in the detection and remediation of vulnerable systems after registration
- Provides network visibility that maps user systems to edge switch ports, shows in real time which IP address a system is using, and keeps a history of every address a system has used
Preface
ARS started life during the Spring of 1999 as SPARS (SUNY Potsdam Automagic Registration System), designed explicitly for Residential Network registration at that institution. As soon as it was developed, the benefit was obvious and the thought of open-sourcing the application was considered... and shelved. The time, energy and commitment necessary to release in-house developed software in a state that is usable by other people are considerable, and throwing that energy into SPARS was not an option at the time. Laziness: 1, Open Source: 0.
After a couple of conceptual upgrades, and at the urging of some colleagues at other institutions, one of the major design goals of SPARS version 2 was to author and document it in such a way that it could be used by anyone who wanted a mature, scalable user/system registration environment. As such, with the close of development on SPARS2, ARS2.0, freely available under the terms of the GNU General Public License, was born. Laziness: 1, Open Source: 1.
Technology Overview
The edge appliances (yes, you can have as many as you have distinct networks/subnetworks) all run some version of the GNU/Linux operating system with its in-kernel packet filtering software, Netfilter; BIND [1] v4 or greater; DHCPD v2 or greater; Perl v5.8 or greater; and the Apache HTTP server version 1.3 or greater. Additionally, either a separate system or one of the appliances (or all of the appliances, if you so choose) runs the MySQL[2] database server.
The DHCP server hands out leases the same way as on any other DHCP-maintained network, with one exception: the first DNS server it lists is the DNS server listening on the appliance. That DNS server answers every resolution request with the IP address of the HTTP server listening on the appliance, so whatever name the user types, their browser lands on the Registration APPlication (RAPP). The redirect is only the capture mechanism; a system that ignores the DHCP-supplied resolver is still held at the border by the appliance's Netfilter rules until it registers.
After registering and authenticating, the system is [optionally] scanned using a vulnerability scanner such as Nessus or eEye's Retina; if vulnerabilities are detected, registration is denied and the user is [optionally] told how to fix the problem themselves where possible. Within an admin-configurable amount of time after a successful registration, the Netfilter rules on the appliance are updated to allow the system to send traffic across the border, and the system is denied the ability to query the DNS redirector again.
At this point, the average user who keeps their system up to date will hopefully never come in contact with ARS again (unless optional registration expirations are used). Admins can schedule vulnerability scans at arbitrary times or run them on demand; if a previously "clean" system turns out to be vulnerable, either the user can be e-mailed or the system can be "unregistered" until it is clean again.
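As an added example, not ARS's own code (which is Perl and is packaged separately), the following POSIX shell script sketches the appliance-side mechanics that the three paragraphs above describe: a wildcard zone for the DNS redirector, the DHCP name-server ordering, and the Netfilter rules that hold unregistered hosts at the border, admit a registered MAC+IP pair, and stop a registered host from reaching the redirector. The interface names, addresses, chain names, and the assumption that a client resolver falls through to the next listed DNS server once the redirector stops answering are mine, not the project's; by default every iptables command is printed rather than executed.

```shell
#!/bin/sh
# Added example, not ARS code: appliance mechanics as plain iptables/BIND/dhcpd
# text. Interface names, addresses, chain names and the "resolver falls through
# to the next DNS server" behaviour are assumptions. iptables commands are only
# printed unless ARS_APPLY=1 is set on a real appliance.
set -eu

INSIDE_IF=${INSIDE_IF:-eth1}             # assumed: user-facing interface
OUTSIDE_IF=${OUTSIDE_IF:-eth0}           # assumed: border-facing interface
APPLIANCE_IP=${APPLIANCE_IP:-10.10.0.1}  # assumed: DNS redirector + RAPP HTTP server
REAL_DNS=${REAL_DNS:-192.0.2.53}         # assumed: the real resolver, listed second

ipt() {
    if [ "${ARS_APPLY:-0}" = 1 ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

# --- capture side --------------------------------------------------------
# A zone in which every name resolves to the appliance. Loaded as the catch-all
# zone on the redirector, it sends any browser request to the RAPP.
ars_redirect_zone() {
    printf '$TTL 60\n'
    printf '@   IN SOA ns.ars.invalid. hostmaster.ars.invalid. ( 1 3600 600 86400 60 )\n'
    printf '@   IN NS  ns.ars.invalid.\n'
    printf 'ns  IN A   %s\n' "$APPLIANCE_IP"
    printf '@   IN A   %s\n' "$APPLIANCE_IP"
    printf '*   IN A   %s\n' "$APPLIANCE_IP"
}

# dhcpd.conf fragment: the appliance must be the FIRST name server handed out.
ars_dhcp_options() {
    printf 'option domain-name-servers %s, %s;\n' "$APPLIANCE_IP" "$REAL_DNS"
}

# --- enforcement side ----------------------------------------------------
# Unregistered is the default: nothing is forwarded across the border unless
# the source MAC+IP pair is in ARS_REGISTERED. ARS_NODNS drops redirector
# queries from registered hosts so they are no longer captured.
ars_base_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -N ARS_REGISTERED 2>/dev/null || ipt -F ARS_REGISTERED
    ipt -N ARS_NODNS 2>/dev/null || ipt -F ARS_NODNS
    ipt -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -j ARS_REGISTERED
    ipt -A FORWARD -i "$OUTSIDE_IF" -o "$INSIDE_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -I INPUT -i "$INSIDE_IF" -d "$APPLIANCE_IP" -p udp --dport 53 -j ARS_NODNS
}

# Validate inputs before they go anywhere near a rule (the AMI/RAPP would hand
# these over from the registration database).
valid_mac() { printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
valid_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Register one system: its MAC+IP pair may cross the border, and its queries
# to the redirector are dropped so its resolver falls through to REAL_DNS.
ars_register() {
    valid_mac "$1" || { echo "ars_register: bad MAC '$1'" >&2; return 1; }
    valid_ip  "$2" || { echo "ars_register: bad IP '$2'" >&2; return 1; }
    ipt -A ARS_REGISTERED -m mac --mac-source "$1" -s "$2" -j ACCEPT
    ipt -A ARS_NODNS -m mac --mac-source "$1" -s "$2" -j DROP
}

# Unregister (expiry, or a later scan found the system vulnerable): remove both
# rules, after which the host is captured by the redirector again.
ars_unregister() {
    valid_mac "$1" && valid_ip "$2" || return 1
    ipt -D ARS_REGISTERED -m mac --mac-source "$1" -s "$2" -j ACCEPT
    ipt -D ARS_NODNS -m mac --mac-source "$1" -s "$2" -j DROP
}

# Dry-run demo with a constructed registration (MAC and IP are made up).
ars_base_rules
ars_register 00:11:22:33:44:55 10.10.1.23
```

Run it as-is to see the rule set it would install; `ARS_APPLY=1 sh ars-rules.sh` applies them. The pairing of `--mac-source` with `-s` is the "pairing of both" option from the feature list: a host that keeps its registered MAC but moves to another address, or vice versa, falls back to the default DROP in FORWARD and is captured by the redirector again.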
Additionally, the web-based ARS Management Interface (AMI) is designed to empower admins and technicians with the ability to mine data, manage registrations, and locate systems and users based on flexible criteria.
Footnotes
- ↑ Any DNS server that supports wild-card entries will work.
- ↑ Any SQL server that has Perl DBI support will work splendidly, although only MySQL has been tested. All code written is SQL-server agnostic, I believe.
More Information
- ARS2.0 Overview Presentation (HTML, Flash, PDF, Impress)
- AMI Screenshots: Stats, Search tool, VLAN tool, Report tool w/ pretty graph
- Configuration Documentation
- Download ARS2.0 - Being packaged
Pages in category "ARS"
There are 7 pages in this category.