Educause Security Discussion mailing list archives
Re: Cisco Clean Access & Impulse Point...
From: John Stauffacher <stauffacher () CHAPMAN EDU>
Date: Fri, 26 Aug 2005 13:24:54 -0700
George, et all: I have to disagree with the "over priced" statement. The functionality and piece of mind given (esp. during weeks like this when students are moving in to dorms), are priceless. Perfigo was a POA to get installed the first time -- I'll admit it, it doesnt play nice with alot of things (i.e. non cisco gear), but it will work. Atif has gone far beyond what he should and he and his team have developed some great tools and documentation to help you get over the 'learning' curve AND provide communication to the students. I never really liked perfigo -- even though we purchased it, and implemented it -- the support from perfigo seeemed like they were scurrying to patch and fix and didnt have a clear roadmap. Cisco has provided this roadmap AND given time to foster the development of some great features. Some things I would like to see in CCA: 1. Customized client look and feel that can be "branded". I don't like the idea of advertising to students that we are using a "cisco" (or any other vendor per say) application. They tend to target that and try to find ways around it -- a few even caught on to the UserAgent trick and I have gotten a few emails about it. 2. OOB with non cisco switches. Probably my biggest complaint was the use of proprietary SNMP / (CDP??) commands to do OOB. I really wish Cisco had used a more standard approach. Their requirement to either forklift upgrade or upgrade the IOS (which in some cases is a forklift upgrade as well), is quite unfeasible for MANY instittutions out there. Colleges and Universities are not money pits, we just can "buy buy buy"...most of what we (if i am speaking for people -- I apologize ) have is not heterogenious and Id rather see cisco be the bigger person and cast a wide net and get their products into campuses rather than exploit their Microsoftian rule over the industry. 3. Lack of an official/unofficial support forum. Perfigo had its boards which is where univeristies could post up their own hacks/patches/scans/rules etc. It was helpfull, intuitive and had (still does) a lot of GOOD information. Alot of the info was not found in the docs, nor could easily be explained over the phone to someone not well versed in the inner workings of Perfigo. I believe we need this -- the cisco provided board is not the forum for it, as the interface is unintuitive and is filled with CSA and all the other "security" stuff. Maybe it will just take Perfigo/CCA campuses to organize amongst themselves and create a board to post and help eachother on. I'd really be interested in other schools using it -- Ive asked the question to cisco -- only to get very hush hush answers, and the feeling they tend not to disclose. 4. Macintosh (Linux/BSD?) client. Was promised by Sept. last year. Never came. Promised again this year, will it come? What is the story behind this illusive piece of software? Are people beta testing it? Can institutions test it? I'm sure you'd get a laundry list of people ready to sign up. With that being said -- we have been working inband for over 2 years now. At first it was rough and rocky and we had alot of issues (55% technical, 45% communication, 10% user error [yes i know thats 110%]). Subsequently we changed our topology a bit -- upgraded some hardware (we are still using extreme and 3com -- but due to a unique configuration and lack of appropriate capital we had to make do with what we had). Currently with the Freshman/Transfer movein week winding down our student related work orders are tapering off and almost every freshman with a computer in the dorms now is patched, has antivirus and is up to date. Something I couldnt say with certainly last year, nor the years before. In my mind, money well spent. But there are others, Juniper makes a great product as well -- and a few other companys. In some sense anything can be a whole lot better than nothing. Just my 2 cents... -- John Stauffacher, CISSP Network Administrator Chapman University stauffacher () chapman edu "It's amazing how much you take for granted when you already know what you are doing." "there is no /usr/local on my C:\ drive!" George wrote:
Atif, Your product is over priced for the market especially since it is proprietary, and not well supported in the past. George ------------------------------------------------------------------------ *From:* Atif Azim (atif) [mailto:atif () CISCO COM] *Sent:* Monday, July 18, 2005 11:45 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point... Here at the Cisco Clean Access team, we were concerned to hear recent comments on functionality, perceived longevity of the Clean Access product (formerly Perfigo CleanMachines) and Cisco’s maintenance fees. Cisco Clean Access (CCA), also known as the NAC Appliance, is an integral part of the Cisco Network Admission Control (NAC) initiative and we will continue to expand the options and choices available to our customers. **New Features** Since the acquisition, we’ve introduced the out-of-band deployment option, Layer 3 support, VPN/remote user support, and special licensing for smaller deployments. We have also added support for over 50 anti-virus products (and growing) in the preconfigured Clean Access checks to address multi- AV product requirements in campuses. http://newsroom.cisco.com/dlls/2005/prod_042505.html http://newsroom.cisco.com/dlls/2005/prod_071105.html **Upcoming Features** This fall, we will introduce an appliance offering that enhances our existing software product line. We will also be adding built-in support for spyware blockers and personal firewalls similar to the existing AV support. **Maintenance and Support** We understand your concerns, support hours are now priced for 7 * 24 access and additionally you will see a program that addresses the increase in maintenance costs for contracts that pre-date the acquisition. Please know that we’re continuing to work for you, and we value your feedback. Regards, Atif Azim Cisco Clean Access ------------------------------------------------------------------------ *From:* Dave Koontz [mailto:dkoontz () MBC EDU] *Sent:* Sunday, July 17, 2005 12:27 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point... I am also curious about their pricing model as well. Since Cisco took over Perfigo, our annual maintenance fee went up over 400%! To add salt to the wound, they also completely removed the VPN client and functionality from the device in favor of their own VPN Concentrator... at of course significantly higher fees. We used this feature for our Wireless clients. I believe Cisco only purchased Perfigo because of their market penetration. In the several talks with our Cisco sales and tech reps, it seems pretty clear that Cisco has no real vision of this product in their future, it is only a stepping stone to get everyone converted to their more costly NCA product line... which is not only more expensive but also requires Cisco switches end-to-end. We looked at Cisco's Security Agent before purchasing Perfigo... not only did it not do everything we needed, but had a cost of over $80 per student. Their purchase of Perfigo seems only to be a way for Cisco to come back and force colleges to pay their outrageous fees and to squash any cheaper competition... ala Microsoft tactics. We have now resigned ourselves to find another solution.. .and perhaps Impulse or another vendor is our ticket. If anyone has other solutions they are using, please let me know. ------------------------------------------------------------------------ *From:* Schmitt, Dianne [mailto:dschmitt () JJC EDU] *Sent:* Friday, July 15, 2005 5:43 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point... What pricing do they offer, better than Clean Access? *Dianne Schmitt*** Assoc VP Information Technology Joliet Junior College 1215 Houbolt Rd. Joliet, IL 60431-8938 Phone: 815.280.6641 Fax: 815.280.2668 ------------------------------------------------------------------------ *From:* Gibbs, Aaron M. [mailto:AMGibbs () ST-AUG EDU] *Sent:* Thursday, July 14, 2005 4:49 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point... We're looking at implementing Impulses device. We looked at the Bradford Campus Manager, which has great functionality. However, Impulse Point also has great functionality that is similar to the Campus Manager coupled with a good price point. I'd be interested also in knowing others experiences with Impulse Point. */Aaron M Gibbs/* */Interim Vice President/CIO /* */Center for Information Technology/* */St. Augustine's College/* */919-516-4379 (Office)/* */919-516-4382 (Fax)/* */amgibbs () st-aug edu /* */www.st-aug.edu/* -----Original Message----- *From:* Michael Cole [mailto:mcole () CLARKU EDU] *Sent:* Thursday, July 14, 2005 3:58 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point... FYI for the list: We've been using a product called Campus Manager to the past few years from Bradford networks, www.bradfordnetworks.com <http://www.bradfordnetworks.com> they're a small start up in NH but they've been growing and have an awesome product that sits off line and is very flexible in what it can do based on what you want/need. It does both network registration and remediation/quarantine functions. It's worth looking into if your looking for a solution. We've been very happy with it. Mike Michael A. Cole Network Engineer, Information Technology Services Clark University, Worcester MA 01610 508.793.7772 Mcole () clarku edu -----Original Message----- *From:* Mark Staples [mailto:mstaples () MAIL MCG EDU] *Sent:* Thursday, July 14, 2005 3:41 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* [SECURITY] Cisco Clean Access & Impulse Point... Anyone pilot both CCA and Impulse Point (http://www.impulse.com/)? Impulse Point was designed for higher ed and is priced very attractively. So far, we've only seen presentations and nothing live. Any feedback would be great. Mark ----- Mark Staples Director of Information Security/Chief Information Security Officer IT Research Liaison Medical College of Georgia Office: 706-721-1577 mstaples () mcg edu <mailto:mstaples () mcg edu> -------- All information in the communication, including attachments, is strictly confidential and intended solely for delivery to the addressee(s) identified above (ie, To/cc/bc), and may contain privileged, confidential, proprietary and /or intellectual property entitled to protection from disclosure under applicable law. If you are not the intended recipient, please take note that any use, distribution or copying of this communication is unauthorized and may be unlawful. If you have received this communication in error, please notify the sender, delete this correspondence from your computer, and destroy any printed copies of this communication.franklin () TXSTATE EDU 07/14/05 3:13 PM >>>This is a response from our network lead who implemented CCA a month or so ago: I got tired of trying to keep up with the IP's used for windows update. Using the host names is much better, but even then it's a moving target. Microsoft sometimes adds new sub domains and in the latest version of the update page it's a url under microsoft.com. We are allowing traffic to everything ending in microsoft.com and g.msn.com. That way the updates always work (so far) and students can search for and download patches manually. There are cases when windows update claims that a machine is fully patched but it is still missing something. The helpdesk can tell what's missing from the reports and the student can search for KBxxxx and download and install it manually. Anders Engle Systems Programmer I Texas State University -----Original Message----- From: Flagg, Martin D. [mailto:FlaggMD () HIRAM EDU] <mailto:FlaggMD () HIRAM EDU%5d> Sent: Thursday, July 14, 2005 1:13 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Windows Updates and Cisco Clean Access We are implementing Cisco Clean Access (formally Perfigo). It has gone really well but we keep coming up with problems with Windows Update, it fails because CCA is blocking the IP. When this happens, I use a sniffer and add the new IP address that Microsoft is using and then it works, until they change address's again. Cisco says use the Host setting allowing requests that end in "update.microsoft.com". This does not always work. I am really at a loss because it works for 95% of the machines but I can not afford to have 5% of the students in my office when they get back from the summer. Any Ideas? Martin Flagg Hiram College
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Re: Cisco Clean Access & Impulse Point..., (continued)
- Re: Cisco Clean Access & Impulse Point... chad.mcdonald () gcsu edu (Jul 17)
- Re: Cisco Clean Access & Impulse Point... Michael Grinnell (Jul 18)
- Re: Cisco Clean Access & Impulse Point... Atif Azim (atif) (Jul 18)
- Re: Cisco Clean Access & Impulse Point... Gibbs, Aaron M. (Jul 19)
- Re: Cisco Clean Access & Impulse Point... Dave Koontz (Jul 19)
- Re: Cisco Clean Access & Impulse Point... Doug Sandford (Jul 19)
- Re: Cisco Clean Access & Impulse Point... Lee Weers (Jul 19)
- Re: Cisco Clean Access & Impulse Point... Chad McDonald (Jul 19)
- Re: Cisco Clean Access & Impulse Point... WILLIAM I. ARNOLD (Jul 20)
- Re: Cisco Clean Access & Impulse Point... George (Jul 20)
- Re: Cisco Clean Access & Impulse Point... John Stauffacher (Aug 26)