Educause Security Discussion mailing list archives
Re: Replacing NetReg with ?
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 19 Feb 2014 17:21:11 -0500
On 2/19/2014 4:53 PM, Barros, Jacob wrote:
> We are a long time Bradford customer, having moved to them directly from NetReg. While I have always been a fan of the Impulse product (in theory anyway), Bradford fits us better. It is not simply a NAC but also a network management tool, if you choose it to be. Bradford is highly customizable.
We went NetReg => Perfigo => CleanAccess => Bradford. The CCA direction required a major upgrade/repurchase for the version that supported Vista, plus would have required a pretty major forklift of our older switches (which were no longer supported by the new version). I agree wholeheartedly that Bradford is primarily a network management and security tool. We do "very minimal" policy posturing and have stopped the "forced remediation" captive portal, while we do still use quarantine for security/virus/infection issues. We do role-based security as well and no longer have to manually configure switchports for special cases; we just register devices and let it handle the rest. We had some capacity issues as we are running "more than the recommended number" of switchports and registered devices, but we virtualized the Bradford appliances on a rather beefy ESXi cluster configuration and things have calmed down considerably :)
> NAC solutions vary greatly. In my opinion, once you make a list of exactly what you want, your desired solution will stand out from the rest.
Agreed again, and your focus may "evolve". We got into NAC for ResNet, with emphasis on patching and antivirus. That is a minimal concern today (with drive-by zero-days being commonplace, the emphasis has been on IDS/IPS to identify problem hosts and quarantining them... and Bradford helps the old "whack-a-mole" game of shutting down switchports, only to have them move elsewhere or go wireless). Not to mention connection tracking and accountability -- having IP / MAC / switchport / userID / connect / disconnect times is *priceless* after trying to piece together the whole picture for years beforehand.
> I am glad to go into more details if you wish.
Likewise :) Jeff
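The "connection tracking and accountability" point in the message above (IP / MAC / switchport / userID / connect / disconnect times) is the part of a NAC that matters most for incident response: given an alert on an IP at a time, you need to reach the user, the device and the physical port. The script below is an added example, not code from the thread or from any NAC vendor; the record layout and the sample rows are constructed, and the field order is an assumption rather than any product's export format. It shows the two lookups that make that data "priceless": attributing an IP at a point in time, and following a MAC across switchports (including the move to wireless that the message calls the "whack-a-mole" game), while handling still-open sessions and flagging overlapping IP holders.

```python
"""Correlate NAC session records for incident attribution.

Added example with constructed data. The CSV layout below is an assumption
(connect,disconnect,user,mac,ip,switchport); an empty disconnect field means
the device is still connected.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple, Union

# Constructed sample records; not real users, MACs, IPs or port names.
SAMPLE_RECORDS = """\
# connect,disconnect,user,mac,ip,switchport
2014-02-19T08:00:00,2014-02-19T12:00:00,jdoe,00:11:22:33:44:55,10.20.30.40,sw-dorm1-gi1/0/12
2014-02-19T12:05:00,2014-02-19T13:00:00,jdoe,00:11:22:33:44:55,10.20.30.77,sw-dorm1-gi1/0/19
2014-02-19T12:30:00,2014-02-19T15:00:00,asmith,66:77:88:99:AA:BB,10.20.30.40,sw-dorm2-gi1/0/3
2014-02-19T13:10:00,,jdoe,00:11:22:33:44:55,10.20.31.9,wlc-ssid-resnet
"""


def _to_dt(at: Union[str, datetime]) -> datetime:
    """Accept either a datetime or an ISO-8601 string for convenience."""
    return at if isinstance(at, datetime) else datetime.fromisoformat(at)


@dataclass
class Session:
    connect: datetime
    disconnect: Optional[datetime]  # None = still connected
    user: str
    mac: str
    ip: str
    switchport: str

    def active_at(self, at: Union[str, datetime]) -> bool:
        """Half-open interval [connect, disconnect); open-ended if no disconnect."""
        t = _to_dt(at)
        return self.connect <= t and (self.disconnect is None or t < self.disconnect)


def parse_sessions(text: str) -> List[Session]:
    """Parse the assumed CSV layout; reject malformed rows rather than guessing."""
    sessions: List[Session] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"malformed record: {line!r}")
        conn, disc, user, mac, ip, port = fields
        sessions.append(Session(
            connect=datetime.fromisoformat(conn),
            disconnect=datetime.fromisoformat(disc) if disc else None,
            user=user,
            mac=mac.lower(),  # normalise case so lookups match regardless of source
            ip=ip,
            switchport=port,
        ))
    return sessions


def who_had_ip(sessions: List[Session], ip: str, at: Union[str, datetime]) -> List[Session]:
    """Sessions holding `ip` at time `at`. Normally one result; more than one
    means overlapping leases or a spoofed address and deserves a closer look."""
    return [s for s in sessions if s.ip == ip and s.active_at(at)]


def port_history(sessions: List[Session], mac: str) -> List[Tuple[str, datetime, Optional[datetime]]]:
    """Chronological (switchport, connect, disconnect) for one device, which
    shows a host hopping ports or moving to wireless after a port shutdown."""
    rows = [(s.switchport, s.connect, s.disconnect) for s in sessions if s.mac == mac.lower()]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_RECORDS)
    when = "2014-02-19T10:30:00"
    for s in who_had_ip(sessions, "10.20.30.40", when):
        print(f"10.20.30.40 at {when}: user={s.user} mac={s.mac} port={s.switchport}")
    for port, c, d in port_history(sessions, "00:11:22:33:44:55"):
        print(f"  {port}: {c.isoformat()} -> {d.isoformat() if d else 'still connected'}")
```

The half-open interval matters: a disconnect timestamp of 12:00:00 and a new connect at 12:00:00 on the same IP should attribute to the newcomer, not both, so the check uses `connect <= t < disconnect`. Real NAC exports will differ in column order and timestamp format, so the parser is the part to adapt.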