Educause Security Discussion mailing list archives

Re: Cisco Clean Access & Impulse Point...


From: Dave Koontz <dkoontz () MBC EDU>
Date: Tue, 19 Jul 2005 13:10:09 -0400

Thanks for taking time to post a reply both here and another to me
personally.  It does make me feel a little better, however I think it also
highlights what someone else here posted... Cisco's people don't seem to
know anything about this product nor the direction it is heading.  I will
respond with my issues to you directly off list.


  _____

From: Atif Azim (atif) [mailto:atif () CISCO COM]
Sent: Monday, July 18, 2005 11:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Clean Access & Impulse Point...


Here at the Cisco Clean Access team, we were concerned to hear recent
comments on functionality, perceived longevity of the Clean Access product
(formerly Perfigo CleanMachines) and Cisco's maintenance fees.

Cisco Clean Access (CCA), also known as the NAC Appliance, is an integral
part of the Cisco Network Admission Control (NAC) initiative and we will
continue to expand the options and choices available to our customers.

New Features

Since the acquisition, we've introduced the out-of-band deployment option,
Layer 3 support, VPN/remote user support, and special licensing for smaller
deployments.  We have also added support for over 50 anti-virus products
(and growing) in the preconfigured Clean Access checks to address multi-AV
product requirements in campuses.

http://newsroom.cisco.com/dlls/2005/prod_042505.html

http://newsroom.cisco.com/dlls/2005/prod_071105.html

Upcoming Features

This fall, we will introduce an appliance offering that enhances our
existing software product line. We will also be adding built-in support for
spyware blockers and personal firewalls similar to the existing AV support.

Maintenance and Support

We understand your concerns. Support hours are now priced for 7 * 24 access
and additionally you will see a program that addresses the increase in
maintenance costs for contracts that pre-date the acquisition.

Please know that we're continuing to work for you, and we value your
feedback.

Regards,

Atif Azim
Cisco Clean Access

  _____

From: Dave Koontz [mailto:dkoontz () MBC EDU]
Sent: Sunday, July 17, 2005 12:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Clean Access & Impulse Point...


I am also curious about their pricing model as well.

Since Cisco took over Perfigo, our annual maintenance fee went up over 400%!
To add salt to the wound, they also completely removed the VPN client and
functionality from the device in favor of their own VPN Concentrator... at
of course significantly higher fees.  We used this feature for our Wireless
clients.

I believe Cisco only purchased Perfigo because of their market penetration.
In the several talks with our Cisco sales and tech reps, it seems pretty
clear that Cisco has no real vision of this product in their future, it is
only a stepping stone to get everyone converted to their more costly NAC
product line... which is not only more expensive but also requires Cisco
switches end-to-end.  We looked at Cisco's Security Agent before purchasing
Perfigo... not only did it not do everything we needed, but had a cost of
over $80 per student.  Their purchase of Perfigo seems only to be a way for
Cisco to come back and force colleges to pay their outrageous fees and to
squash any cheaper competition... ala Microsoft tactics.

We have now resigned ourselves to find another solution... and perhaps
Impulse or another vendor is our ticket.  If anyone has other solutions they
are using, please let me know.

  _____

From: Schmitt, Dianne [mailto:dschmitt () JJC EDU]
Sent: Friday, July 15, 2005 5:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Clean Access & Impulse Point...



What pricing do they offer, better than Clean Access?

Dianne Schmitt
Assoc VP Information Technology
Joliet Junior College
1215 Houbolt Rd.
Joliet, IL 60431-8938

Phone:  815.280.6641
Fax:  815.280.2668

  _____

From: Gibbs, Aaron M. [mailto:AMGibbs () ST-AUG EDU]
Sent: Thursday, July 14, 2005 4:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Clean Access & Impulse Point...



We're looking at implementing Impulse's device. We looked at the Bradford
Campus Manager, which has great functionality. However, Impulse Point also
has great functionality that is similar to the Campus Manager coupled with a
good price point. I'd be interested also in knowing others' experiences with
Impulse Point.



Aaron M Gibbs
Interim Vice President/CIO
Center for Information Technology
St. Augustine's College
919-516-4379 (Office)
919-516-4382 (Fax)
amgibbs () st-aug edu
www.st-aug.edu

-----Original Message-----
From: Michael Cole [mailto:mcole () CLARKU EDU]
Sent: Thursday, July 14, 2005 3:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cisco Clean Access & Impulse Point...

FYI for the list:



    We've been using a product called Campus Manager for the past few years
from Bradford Networks, www.bradfordnetworks.com. They're a small start-up
in NH but they've been growing and have an awesome product that sits off
line and is very flexible in what it can do based on what you want/need.  It
does both network registration and remediation/quarantine functions.  It's
worth looking into if you're looking for a solution.  We've been very happy
with it.



Mike



Michael A. Cole
Network Engineer, Information Technology Services
Clark University, Worcester MA  01610
508.793.7772
Mcole () clarku edu

-----Original Message-----
From: Mark Staples [mailto:mstaples () MAIL MCG EDU]
Sent: Thursday, July 14, 2005 3:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cisco Clean Access & Impulse Point...

Anyone pilot both CCA and Impulse Point (http://www.impulse.com/)?  Impulse
Point was designed for higher ed and is priced very attractively.  So far,
we've only seen presentations and nothing live.

Any feedback would be great.



Mark



-----
Mark Staples
Director of Information Security/Chief Information Security Officer
IT Research Liaison
Medical College of Georgia
Office: 706-721-1577
mstaples () mcg edu





franklin () TXSTATE EDU 07/14/05 3:13 PM >>>

This is a response from our network lead who implemented CCA a month or
so ago:

I got tired of trying to keep up with the IPs used for Windows Update.
Using the host names is much better, but even then it's a moving target.
Microsoft sometimes adds new subdomains and in the latest version of
the update page it's a URL under microsoft.com.

We are allowing traffic to everything ending in microsoft.com and
g.msn.com. That way the updates always work (so far) and students can
search for and download patches manually. There are cases when Windows
Update claims that a machine is fully patched but it is still missing
something. The helpdesk can tell what's missing from the reports and the
student can search for KBxxxx and download and install it manually.

Anders Engle
Systems Programmer I
Texas State University

-----Original Message-----
From: Flagg, Martin D. [mailto:FlaggMD () HIRAM EDU]
Sent: Thursday, July 14, 2005 1:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows Updates and Cisco Clean Access


We are implementing Cisco Clean Access (formerly Perfigo).  It has gone
really well but we keep coming up with problems with Windows Update; it
fails because CCA is blocking the IP.  When this happens, I use a
sniffer and add the new IP address that Microsoft is using and then it
works, until they change addresses again.  Cisco says use the Host
setting allowing requests that end in "update.microsoft.com".  This does
not always work.

I am really at a loss because it works for 95% of the machines but I
cannot afford to have 5% of the students in my office when they get back
from the summer.

Any Ideas?

Martin Flagg
Hiram College
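
The two allow rules discussed in the messages above (requests ending in "update.microsoft.com", and everything ending in microsoft.com and g.msn.com) can be checked against a list of hostnames before they go into a quarantine-role policy. This is an added example, not Clean Access code and not something posted to the list; the thread does not say how Clean Access evaluates its Host setting, so both a raw string suffix and a DNS label-boundary suffix are shown, and all hostnames are constructed samples.

```python
# Added example: compares two ways of reading an "ends in <domain>" allow rule.
# Not Cisco Clean Access code; hostnames below are constructed samples.

def normalize(host):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")

def raw_suffix_match(host, suffix):
    """Plain 'ends with' comparison on the whole string."""
    return normalize(host).endswith(normalize(suffix))

def label_suffix_match(host, suffix):
    """Match only the domain itself or a true subdomain (DNS label boundary)."""
    h, s = normalize(host), normalize(suffix)
    return h == s or h.endswith("." + s)

def audit(hosts, suffixes):
    """Return {host: (raw_allowed, label_allowed)} for one allowlist."""
    report = {}
    for host in hosts:
        raw = any(raw_suffix_match(host, s) for s in suffixes)
        label = any(label_suffix_match(host, s) for s in suffixes)
        report[host] = (raw, label)
    return report

def differences(hosts, suffixes):
    """Hosts on which the two readings of the rule disagree."""
    return sorted(h for h, (raw, label) in audit(hosts, suffixes).items()
                  if raw != label)

NARROW = ["update.microsoft.com"]        # rule quoted in the thread
BROAD = ["microsoft.com", "g.msn.com"]   # rule described in the Texas State reply

SAMPLE_HOSTS = [                         # constructed sample names
    "update.microsoft.com",
    "v5.windowsupdate.microsoft.com",
    "download.microsoft.com",
    "www.g.msn.com",
    "Update.Microsoft.com.",             # mixed case, trailing root dot
    "example-microsoft.com",             # a different registered domain
]

if __name__ == "__main__":
    for name, rule in (("narrow", NARROW), ("broad", BROAD)):
        for host, (raw, label) in audit(SAMPLE_HOSTS, rule).items():
            print(f"{name:6} {host:32} raw={raw!s:5} label={label}")
```

Under the narrow rule the two readings disagree on whether a new subdomain is covered, and under the broad rule they disagree on a host outside microsoft.com, so it is worth confirming which reading the enforcement device applies.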

