Educause Security Discussion mailing list archives

Re: Replacing NetReg with ?


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 19 Feb 2014 17:21:11 -0500

On 2/19/2014 4:53 PM, Barros, Jacob wrote:
> We are a long-time Bradford customer, having moved to them directly
> from NetReg.  While I have always been a fan of the Impulse product
> (in theory anyway), Bradford fits us better.  It is not simply a NAC
> but also a network management tool, if you choose it to be.  Bradford
> is highly customizable.


We went NetReg => Perfigo => CleanAccess => Bradford.  The CCA direction
required a major upgrade/repurchase for the version that supported
Vista, plus would have required a pretty major forklift of our older
switches (which were no longer supported by the new version).

I agree wholeheartedly that Bradford is primarily a network management
and security tool.  We do "very minimal" policy posturing and have
stopped the "forced remediation" captive portal, while we do still use
quarantine for security/virus/infection issues.  We do role-based
security as well and no longer have to manually configure switchports
for special cases; we just register devices and let it handle the rest.

We had some capacity issues as we are running "more than the recommended
number" of switchports and registered devices, but we virtualized the
Bradford appliances on a rather beefy ESXi cluster configuration and
things have calmed down considerably :)

> NAC solutions vary greatly.  In my opinion, once you make a list of
> exactly what you want, your desired solution will stand out from the
> rest.

Agreed again, and your focus may "evolve".  We got into NAC for ResNet,
with emphasis on patching and antivirus.  That is a minimal concern
today (with drive-by zero-days being commonplace, the emphasis has been
on IDS/IPS to identify problem hosts and quarantine them... and
Bradford helps with the old "whack-a-mole" game of shutting down
switchports, only to have them move elsewhere or go wireless).

Not to mention connection tracking and accountability -- having IP / MAC
/ switchport / userID / connect / disconnect times is *priceless* after
trying to piece together the whole picture for years beforehand.

> I am glad to go into more details if you wish.

Likewise :)


Jeff
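The IP / MAC / switchport / userID / connect / disconnect record Jeff describes is useful precisely because it is time-bounded: a DHCP address gets reused, and a flagged MAC wanders from one port to another. The following is an added example, not code from this thread or from any NAC product, showing the two lookups an investigator actually runs against such records: "who had this IP at this instant?" and "where has this MAC been?". The CSV column layout and the log lines are constructed for the example; a real export will differ, and the timestamps are assumed to share one clock and timezone.

```python
"""Answer investigation questions from NAC-style session records.

Added example with constructed data. The record layout
  ip,mac,switchport,userid,connect,disconnect
is an assumption for illustration, not any vendor's export format.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    ip: str
    mac: str
    switchport: str
    user: str
    connect: datetime
    disconnect: Optional[datetime]  # None: device is still connected


def parse_line(line: str) -> Session:
    """Parse one CSV record; an empty disconnect column means still online."""
    ip, mac, port, user, conn, disc = (f.strip() for f in line.split(","))
    return Session(ip, mac.lower(), port, user,
                   datetime.fromisoformat(conn),
                   datetime.fromisoformat(disc) if disc else None)


# Constructed sample: the same IP is leased to two people on one day,
# and alice's laptop shows up on a second switchport after she moves.
SAMPLE_LOG = """\
# ip,mac,switchport,userid,connect,disconnect
10.20.30.40,AA:BB:CC:00:00:01,sw-res1:gi1/0/5,alice,2014-02-19T08:00:00,2014-02-19T12:00:00
10.20.30.42,AA:BB:CC:00:00:01,sw-res3:gi1/0/1,alice,2014-02-19T12:10:00,
10.20.30.40,AA:BB:CC:00:00:02,sw-res1:gi1/0/9,bob,2014-02-19T13:00:00,
10.20.30.41,AA:BB:CC:00:00:03,sw-res2:gi1/0/2,carol,2014-02-19T07:30:00,2014-02-19T18:00:00
10.20.30.41,AA:BB:CC:00:00:04,sw-res2:gi1/0/3,dave,2014-02-19T17:00:00,2014-02-19T19:00:00
"""


def load(log: str) -> List[Session]:
    return [parse_line(l) for l in log.splitlines()
            if l.strip() and not l.startswith("#")]


def active_at(s: Session, t: datetime) -> bool:
    """Half-open interval [connect, disconnect); open sessions never end."""
    return s.connect <= t and (s.disconnect is None or t < s.disconnect)


def sessions_for_ip(records: List[Session], ip: str, t: datetime) -> List[Session]:
    return [s for s in records if s.ip == ip and active_at(s, t)]


def who_had(records: List[Session], ip: str, t: datetime) -> Optional[Session]:
    """Resolve an IP at a point in time to exactly one session.

    Returns None if nothing was on that IP (e.g. between leases). Raises if
    two sessions overlap, which means a duplicate IP, clock skew, or a
    missed disconnect: an answer you must not silently pick from.
    """
    hits = sessions_for_ip(records, ip, t)
    if len(hits) > 1:
        raise ValueError(f"{ip} at {t.isoformat()} matches {len(hits)} sessions: "
                         + ", ".join(f"{s.user}@{s.switchport}" for s in hits))
    return hits[0] if hits else None


def history_for_mac(records: List[Session], mac: str) -> List[Session]:
    """Every place a MAC has connected, oldest first (the whack-a-mole trail)."""
    return sorted((s for s in records if s.mac == mac.lower()),
                  key=lambda s: s.connect)


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    t = datetime.fromisoformat("2014-02-19T09:30:00")
    hit = who_had(recs, "10.20.30.40", t)
    print(f"10.20.30.40 at {t}: {hit.user} {hit.mac} on {hit.switchport}")
    for s in history_for_mac(recs, "aa:bb:cc:00:00:01"):
        print(f"  {s.mac} seen on {s.switchport} from {s.connect} "
              f"until {s.disconnect or 'now'}")
```

The half-open interval matters: a query exactly at a disconnect time should land on the next lease, not both, and an IP with no active session at the queried instant should come back empty rather than defaulting to the most recent user.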
