Educause Security Discussion mailing list archives
Re: Cisco Clean Access & Impulse Point...
From: Chris Boniforti - Lynn University <CBoniforti () LYNN EDU>
Date: Thu, 14 Jul 2005 16:25:50 -0400
We (Lynn University), 1800 FTE, have piloted both CCA and Impulse Point. We went with Impulse Point after a 30-day eval of each product.

CCA install was horrible and Cisco techs seemed to know little about the product. We are a simply designed network and they could not get the product to route between our two core routers (Cisco 6509s). CCA seemed like a pretty good product but a bit cumbersome to manage, and honestly I got the feeling that Cisco does not have a clear picture of what they want this product to do. I went to Cisco Networkers last month and asked for them to explain to me the difference between CCA and their NAC initiative. They could not explain it to me clearly. Their NAC initiative seems to be what Cisco is pushing for the future and I am concerned about future developments with CCA.

Impulse Point installed easily and is managed by their company. Version 2.1 has the ability to segment through VLANs now and some other enhancements. We have not deployed to students yet so I do not have that experience yet. We will see in September?

If you would like more information please feel free to call me.

Christian Boniforti
Director of Information Technology
Lynn University
3601 N. Military Trail
Boca Raton, FL 33431
(O) 561.237.7163
(F) 561.237.7115
(C) 561.703.6130

_____
From: Mark Staples [mailto:mstaples () MAIL MCG EDU]
Sent: Thursday, July 14, 2005 3:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cisco Clean Access & Impulse Point...

Anyone pilot both CCA and Impulse Point (http://www.impulse.com/)? Impulse Point was designed for higher ed and is priced very attractively. So far, we've only seen presentations and nothing live. Any feedback would be great.
Mark

-----
Mark Staples
Director of Information Security/Chief Information Security Officer
IT Research Liaison
Medical College of Georgia
Office: 706-721-1577
mstaples () mcg edu
franklin () TXSTATE EDU 07/14/05 3:13 PM >>>
This is a response from our network lead who implemented CCA a month or so ago:

I got tired of trying to keep up with the IPs used for Windows Update. Using the host names is much better, but even then it's a moving target. Microsoft sometimes adds new subdomains and in the latest version of the update page it's a URL under microsoft.com. We are allowing traffic to everything ending in microsoft.com and g.msn.com. That way the updates always work (so far) and students can search for and download patches manually. There are cases when Windows Update claims that a machine is fully patched but it is still missing something. The helpdesk can tell what's missing from the reports and the student can search for KBxxxx and download and install it manually.

Anders Engle
Systems Programmer I
Texas State University

-----Original Message-----
From: Flagg, Martin D. [mailto:FlaggMD () HIRAM EDU]
Sent: Thursday, July 14, 2005 1:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows Updates and Cisco Clean Access

We are implementing Cisco Clean Access (formerly Perfigo). It has gone really well but we keep coming up with problems with Windows Update; it fails because CCA is blocking the IP. When this happens, I use a sniffer and add the new IP address that Microsoft is using and then it works, until they change addresses again. Cisco says use the Host setting allowing requests that end in "update.microsoft.com". This does not always work. I am really at a loss because it works for 95% of the machines but I cannot afford to have 5% of the students in my office when they get back from the summer. Any ideas?

Martin Flagg
Hiram College
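
The host-based allow rule discussed in the messages above ("everything ending in microsoft.com and g.msn.com"), as an added example that is not part of the thread and is not Cisco Clean Access code or configuration. The thread does not say how CCA evaluates "ends in", so both matchers below are assumptions: one is a literal string-suffix test, the other only accepts the suffix itself or a subdomain of it. The sample hostnames are constructed.

```python
# Added illustration; how Cisco Clean Access matches host rules is not
# stated in the thread, so both matchers here are assumptions.
ALLOWED_SUFFIXES = ("microsoft.com", "g.msn.com")  # suffixes named in the thread

def normalize(host):
    """Lower-case, drop an optional :port and the trailing root dot."""
    host = host.strip().lower()
    if host.count(":") == 1:          # host:port, not an IPv6 literal
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def naive_match(host, suffixes=ALLOWED_SUFFIXES):
    """Plain string 'ends with' test: the literal reading of 'ending in'."""
    return normalize(host).endswith(tuple(suffixes))

def label_match(host, suffixes=ALLOWED_SUFFIXES):
    """Accept only the suffix itself or a name under it (dot boundary)."""
    h = normalize(host)
    return any(h == s or h.endswith("." + s) for s in suffixes)

# Constructed sample hostnames; not claims about any real site.
SAMPLES = [
    "update.microsoft.com",
    "v4.windowsupdate.microsoft.com",
    "download.microsoft.com.",        # fully qualified, trailing dot
    "G.MSN.COM",                      # case differs from the rule
    "notmicrosoft.com",               # different registered domain
    "microsoft.com.example.test",     # suffix appears in the middle only
    "blog.msn.com",                   # "blo" + "g.msn.com"
]

def audit(samples=SAMPLES):
    """Return the hosts on which the two matchers disagree."""
    return [h for h in samples if naive_match(h) != label_match(h)]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:32} naive={naive_match(h)!s:5} label={label_match(h)}")
    print("rule is broader than intended for:", audit())
```

Running `audit()` against a day of proxy or DNS logs shows which hostnames a suffix rule admits beyond the update servers it was written for.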
Current thread:
- Cisco Clean Access & Impulse Point... Mark Staples (Jul 14)
- <Possible follow-ups>
- Re: Cisco Clean Access & Impulse Point... Michael Cole (Jul 14)
- Re: Cisco Clean Access & Impulse Point... Chris Boniforti - Lynn University (Jul 14)
- Re: Cisco Clean Access & Impulse Point... Chad McDonald (Jul 14)
- Re: Cisco Clean Access & Impulse Point... Gibbs, Aaron M. (Jul 14)
- Re: Cisco Clean Access & Impulse Point... Schmitt, Dianne (Jul 15)
- Re: Cisco Clean Access & Impulse Point... Dave Koontz (Jul 17)
- Re: Cisco Clean Access & Impulse Point... chad.mcdonald () gcsu edu (Jul 17)
- Re: Cisco Clean Access & Impulse Point... Michael Grinnell (Jul 18)
- Re: Cisco Clean Access & Impulse Point... Atif Azim (atif) (Jul 18)
- Re: Cisco Clean Access & Impulse Point... Gibbs, Aaron M. (Jul 19)
- Re: Cisco Clean Access & Impulse Point... Dave Koontz (Jul 19)
- Re: Cisco Clean Access & Impulse Point... Doug Sandford (Jul 19)
(Thread continues...)