Re: Cisco Clean Access & Impulse Point...

[John Stauffacher <stauffacher () CHAPMAN EDU>]

George, et all:

I have to disagree with the "over priced" statement. The functionality
and piece of mind given (esp. during weeks like this when students are
moving in to dorms), are priceless. Perfigo was a POA to get installed
the first time -- I'll admit it, it doesnt play nice with alot of things
(i.e. non cisco gear), but it will work. Atif has gone far beyond what
he should and he and his team have developed some great tools and
documentation to help you get over the 'learning' curve AND provide
communication to the students. I never really liked perfigo -- even
though we purchased it, and implemented it -- the support from perfigo
seeemed like they were scurrying to patch and fix and didnt have a clear
roadmap. Cisco has provided this roadmap AND given time to foster the
development of some great features. Some things I would like to see in CCA:

1. Customized client look and feel that can be "branded". I don't like
the idea of advertising to students that we are using a "cisco" (or any
other vendor per say) application. They tend to target that and try to
find ways around it -- a few even caught on to the UserAgent trick and I
have gotten a few emails about it.

2. OOB with non cisco switches. Probably my biggest complaint was the
use of proprietary SNMP / (CDP??) commands to do OOB. I really wish
Cisco had used a more standard approach. Their requirement to either
forklift upgrade or upgrade the IOS (which in some cases is a forklift
upgrade as well), is quite unfeasible for MANY instittutions out there.
Colleges and Universities are not money pits, we just can "buy buy
buy"...most of what we (if i am speaking for people -- I apologize )
have is not heterogenious and Id rather see cisco be the bigger person
and cast a wide net and get their products into campuses rather than
exploit their Microsoftian rule over the industry.

3. Lack of an official/unofficial support forum. Perfigo had its boards
which is where univeristies could post up their own
hacks/patches/scans/rules etc. It was helpfull, intuitive and had (still
does) a lot of GOOD information. Alot of the info was not found in the
docs, nor could easily be explained over the phone to someone not well
versed in the inner workings of Perfigo. I believe we need this -- the
cisco provided board is not the forum for it, as the interface is
unintuitive and is filled with CSA and all the other "security" stuff.
Maybe it will just take Perfigo/CCA campuses to organize amongst
themselves and create a board to post and help eachother on. I'd really
be interested in other schools using it -- Ive asked the question to
cisco -- only to get very hush hush answers, and the feeling they tend
not to disclose.

4. Macintosh (Linux/BSD?) client. Was promised by Sept. last year. Never
came. Promised again this year, will it come? What is the story behind
this illusive piece of software? Are people beta testing it? Can
institutions test it? I'm sure you'd get a laundry list of people ready
to sign up.

With that being said -- we have been working inband for over 2 years
now. At first it was rough and rocky and we had alot of issues (55%
technical, 45% communication, 10% user error [yes i know thats 110%]).
Subsequently we changed our topology a bit -- upgraded some hardware (we
are still using extreme and 3com -- but due to a unique configuration
and lack of appropriate capital we had to make do with what we had).
Currently with the Freshman/Transfer movein week winding down our
student related work orders are tapering off and almost every freshman
with a computer in the dorms now is patched, has antivirus and is up to
date. Something I couldnt say with certainly last year, nor the years
before.

In my mind, money well spent. But there are others, Juniper makes a
great product as well -- and a few other companys. In some sense
anything can be a whole lot better than nothing.

Just my 2 cents...

--
John Stauffacher, CISSP
Network Administrator
Chapman University
stauffacher () chapman edu
"It's amazing how much you take for granted when you already know what you are doing."
"there is no /usr/local on my C:\ drive!"



George wrote:

> Atif, Your product is over priced for the market especially since it
> is proprietary, and not well supported in the past.
>
> George
>
> ------------------------------------------------------------------------
>
> *From:* Atif Azim (atif) [mailto:atif () CISCO COM]
> *Sent:* Monday, July 18, 2005 11:45 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point...
>
> Here at the Cisco Clean Access team, we were concerned to hear recent
> comments on functionality, perceived longevity of the Clean Access
> product (formerly Perfigo CleanMachines) and Cisco’s maintenance fees.
>
> Cisco Clean Access (CCA), also known as the NAC Appliance, is an
> integral part of the Cisco Network Admission Control (NAC) initiative
> and we will continue to expand the options and choices available to
> our customers.
>
> **New Features**
>
> Since the acquisition, we’ve introduced the out-of-band deployment
> option, Layer 3 support, VPN/remote user support, and special
> licensing for smaller deployments. We have also added support for over
> 50 anti-virus products (and growing) in the preconfigured Clean Access
> checks to address multi- AV product requirements in campuses.
>
> http://newsroom.cisco.com/dlls/2005/prod_042505.html
>
> http://newsroom.cisco.com/dlls/2005/prod_071105.html
>
> **Upcoming Features**
>
> This fall, we will introduce an appliance offering that enhances our
> existing software product line. We will also be adding built-in
> support for spyware blockers and personal firewalls similar to the
> existing AV support.
>
> **Maintenance and Support**
>
> We understand your concerns, support hours are now priced for 7 * 24
> access and additionally you will see a program that addresses the
> increase in maintenance costs for contracts that pre-date the
> acquisition.
>
> Please know that we’re continuing to work for you, and we value your
> feedback.
>
> Regards,
>
> Atif Azim
>
> Cisco Clean Access
>
> ------------------------------------------------------------------------
>
> *From:* Dave Koontz [mailto:dkoontz () MBC EDU]
> *Sent:* Sunday, July 17, 2005 12:27 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point...
>
> I am also curious about their pricing model as well.
>
> Since Cisco took over Perfigo, our annual maintenance fee went up over
> 400%! To add salt to the wound, they also completely removed the VPN
> client and functionality from the device in favor of their own VPN
> Concentrator... at of course significantly higher fees. We used this
> feature for our Wireless clients.
>
> I believe Cisco only purchased Perfigo because of their market
> penetration. In the several talks with our Cisco sales and tech reps,
> it seems pretty clear that Cisco has no real vision of this product in
> their future, it is only a stepping stone to get everyone converted to
> their more costly NCA product line... which is not only more expensive
> but also requires Cisco switches end-to-end. We looked at Cisco's
> Security Agent before purchasing Perfigo... not only did it not do
> everything we needed, but had a cost of over $80 per student. Their
> purchase of Perfigo seems only to be a way for Cisco to come back and
> force colleges to pay their outrageous fees and to squash any cheaper
> competition... ala Microsoft tactics.
>
> We have now resigned ourselves to find another solution.. .and perhaps
> Impulse or another vendor is our ticket. If anyone has other solutions
> they are using, please let me know.
>
> ------------------------------------------------------------------------
>
> *From:* Schmitt, Dianne [mailto:dschmitt () JJC EDU]
> *Sent:* Friday, July 15, 2005 5:43 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point...
>
> What pricing do they offer, better than Clean Access?
>
> *Dianne Schmitt***
>
> Assoc VP Information Technology
>
> Joliet Junior College
>
> 1215 Houbolt Rd.
>
> Joliet, IL 60431-8938
>
> Phone: 815.280.6641
>
> Fax: 815.280.2668
>
> ------------------------------------------------------------------------
>
> *From:* Gibbs, Aaron M. [mailto:AMGibbs () ST-AUG EDU]
> *Sent:* Thursday, July 14, 2005 4:49 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point...
>
> We're looking at implementing Impulses device. We looked at the
> Bradford Campus Manager, which has great functionality. However,
> Impulse Point also has great functionality that is similar to the
> Campus Manager coupled with a good price point. I'd be interested also
> in knowing others experiences with Impulse Point.
>
> */Aaron M Gibbs/*
> */Interim Vice President/CIO /*
> */Center for Information Technology/*
> */St. Augustine's College/*
> */919-516-4379 (Office)/*
> */919-516-4382 (Fax)/*
> */amgibbs () st-aug edu /*
> */www.st-aug.edu/*
>
>     -----Original Message-----
>     *From:* Michael Cole [mailto:mcole () CLARKU EDU]
>     *Sent:* Thursday, July 14, 2005 3:58 PM
>     *To:* SECURITY () LISTSERV EDUCAUSE EDU
>     *Subject:* Re: [SECURITY] Cisco Clean Access & Impulse Point...
>
>     FYI for the list:
>
>     We've been using a product called Campus Manager to the past few
>     years from Bradford networks, www.bradfordnetworks.com
>     <http://www.bradfordnetworks.com> they're a small start up in NH
>     but they've been growing and have an awesome product that sits off
>     line and is very flexible in what it can do based on what you
>     want/need. It does both network registration and
>     remediation/quarantine functions. It's worth looking into if your
>     looking for a solution. We've been very happy with it.
>
>     Mike
>
>     Michael A. Cole
>     Network Engineer, Information Technology Services
>     Clark University, Worcester MA 01610
>     508.793.7772
>     Mcole () clarku edu
>
>         -----Original Message-----
>         *From:* Mark Staples [mailto:mstaples () MAIL MCG EDU]
>         *Sent:* Thursday, July 14, 2005 3:41 PM
>         *To:* SECURITY () LISTSERV EDUCAUSE EDU
>         *Subject:* [SECURITY] Cisco Clean Access & Impulse Point...
>
>         Anyone pilot both CCA and Impulse Point
>         (http://www.impulse.com/)? Impulse Point was designed for
>         higher ed and is priced very attractively. So far, we've only
>         seen presentations and nothing live.
>
>         Any feedback would be great.
>
>         Mark
>
>         -----
>         Mark Staples
>         Director of Information Security/Chief Information Security
>         Officer
>         IT Research Liaison
>         Medical College of Georgia
>         Office: 706-721-1577
>         mstaples () mcg edu <mailto:mstaples () mcg edu>
>
>         --------
>
>         All information in the communication, including attachments,
>         is strictly confidential and intended solely for delivery to
>         the addressee(s) identified above (ie, To/cc/bc), and may
>         contain privileged, confidential, proprietary and /or
>         intellectual property entitled to protection from disclosure
>         under applicable law. If you are not the intended recipient,
>         please take note that any use, distribution or copying of this
>         communication is unauthorized and may be unlawful. If you have
>         received this communication in error, please notify the
>         sender, delete this correspondence from your computer, and
>         destroy any printed copies of this communication.
>
>
> > > > franklin () TXSTATE EDU 07/14/05 3:13 PM >>>
>
>         This is a response from our network lead who implemented CCA a
>         month or
>         so ago:
>
>         I got tired of trying to keep up with the IP's used for
>         windows update.
>         Using the host names is much better, but even then it's a
>         moving target.
>         Microsoft sometimes adds new sub domains and in the latest
>         version of
>         the update page it's a url under microsoft.com.
>
>         We are allowing traffic to everything ending in microsoft.com and
>         g.msn.com. That way the updates always work (so far) and
>         students can
>         search for and download patches manually. There are cases when
>         windows
>         update claims that a machine is fully patched but it is still
>         missing
>         something. The helpdesk can tell what's missing from the
>         reports and the
>         student can search for KBxxxx and download and install it
>         manually.
>
>         Anders Engle
>         Systems Programmer I
>         Texas State University
>
>         -----Original Message-----
>         From: Flagg, Martin D. [mailto:FlaggMD () HIRAM EDU]
>         <mailto:FlaggMD () HIRAM EDU%5d>
>         Sent: Thursday, July 14, 2005 1:13 PM
>         To: SECURITY () LISTSERV EDUCAUSE EDU
>         Subject: [SECURITY] Windows Updates and Cisco Clean Access
>
>
>         We are implementing Cisco Clean Access (formally Perfigo). It
>         has gone
>         really well but we keep coming up with problems with Windows
>         Update, it
>         fails because CCA is blocking the IP. When this happens, I use a
>         sniffer and add the new IP address that Microsoft is using and
>         then it
>         works, until they change address's again. Cisco says use the Host
>         setting allowing requests that end in "update.microsoft.com".
>         This does
>         not always work.
>
>         I am really at a loss because it works for 95% of the machines
>         but I can
>         not afford to have 5% of the students in my office when they
>         get back
>         from the summer.
>
>         Any Ideas?
>
>         Martin Flagg
>         Hiram College

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature