Educause Security Discussion mailing list archives

Re: Windows Updates and Cisco Clean Access


From: Information Security <infosecurity () UTPA EDU>
Date: Thu, 14 Jul 2005 14:50:50 -0500

Charlie Prothero wrote:

> Martin,
>
> We have the same product, and I think we got around this by allowing 8
> minutes of network access for machines that fail scanning.  This gives
> enough time to download OS & AV updates before the system kills the
> connection, necessitating a reboot or re-login (sorry, I can't recall
> the specifics).

Wow.  8 minutes.  That's about half the time it takes for a virus to
spread around the entire world.  Given the likelihood that a machine
which failed scanning is already infected, that's more of a risk than I
would be willing to take.  I hope at least that the only facilities you
open to them during that window are (ftp|http(s)) or whatever it is that
M$ uses to send their patches over.

So how is CCS working out for people?  We tried it under the Perfigo
incarnation a couple of years ago and it had so many rough edges that our
conclusion was that it was alpha software that only existed in order to
make Perfigo an acquisition target for a larger company ;-)  Be
interesting to see if Cisco have added any polish to it.  The sort of
giveaway indication that told me the product was not quite there yet
were things like how their main process ran in a busy/wait loop rather
than using sleep or select to wait for data on the ether interface.  The
system *always* ran with a load average > 1.0 ...  Having said that I
have to give them credit that it has some really nice features.  I think
that Cisco did the right thing acquiring them and that a combined product
with Airespace will be worth looking forward to.

G
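G's point above is that a remediation window for a host that failed scanning should reach only the patch servers, over the patch channels, and only for the stated 8 minutes. As an added illustration that is not from the thread and not Cisco Clean Access code, here is a small Python policy check for such a quarantine allow-list; the update host names, the port set and the flow records are constructed assumptions.

```python
# Constructed policy for a quarantine VLAN: a host that failed posture
# scanning gets REMEDIATION_WINDOW seconds of access, and only to the update
# servers over HTTP/HTTPS.  All names and values here are assumptions.
REMEDIATION_WINDOW = 8 * 60                      # the 8 minutes from the post
UPDATE_HOSTS = {"windowsupdate.example.test", "av-updates.example.test"}
ALLOWED_PORTS = {80, 443}

def decide(elapsed, dst_host, dst_port):
    """Verdict for one flow, `elapsed` seconds after the host entered quarantine."""
    if elapsed > REMEDIATION_WINDOW:
        return "deny", "remediation window expired; re-scan required"
    if dst_port not in ALLOWED_PORTS:
        return "deny", f"port {dst_port} is not an update channel"
    if dst_host not in UPDATE_HOSTS:
        return "deny", f"{dst_host} is not an approved update server"
    return "allow", "update traffic within window"

# Constructed flows from a quarantined host: (seconds since quarantine, host, port)
SAMPLE_FLOWS = [
    (60, "windowsupdate.example.test", 443),   # patch download
    (120, "10.0.0.25", 445),                   # SMB to a neighbour on the LAN
    (180, "evil.example.test", 80),            # HTTP, but not an update server
    (540, "windowsupdate.example.test", 443),  # right destination, window over
]

def evaluate(flows=SAMPLE_FLOWS):
    """Return the list of verdicts ("allow"/"deny") for the given flows."""
    return [decide(*flow)[0] for flow in flows]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, why = decide(*flow)
        print(f"t+{flow[0]:>3}s {flow[1]}:{flow[2]} -> {verdict} ({why})")
```

Only the first flow is allowed; the lateral SMB attempt, the non-update web host and the late patch download are all denied, which is the behaviour a quarantine window should enforce.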
