NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Clean Access Solution?
From: Tristan RHODES <[log in to unmask]>
Reply-To: The EDUCAUSE Network Management Constituent Group Listserv <[log in to unmask]>
Date: Fri, 20 Jan 2006 09:31:24 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (155 lines)

Casey,

I do not have experience with Clean Access.  However, we are about to
implement an open-source solution that has most of the same
functionality.  This software is called PacketFence and is being
developed at Harvard.

PacketFence
http://www.packetfence.org/

PacketFence has these great features:
    * Passive or in-line operation - Passive mode will prevent a single point of failure
    * Network registration - Authenticate with your LDAP directory, force users to accept the AUP
    * Worm/Bot detection/isolation - Traffic of infected host is isolated
    * User-directed mitigation/remediation - Web traffic is redirected to a remediation site
    * Proactive vulnerability scans - Nessus-based, can be performed during registration or on a scheduled basis

PacketFence does not currently have a client that runs on the PC to
ensure patches and anti-virus software are installed.  However, it can
perform Nessus scans of devices to see if they are vulnerable to known
exploits.

To address your questions:

3) Does either product need access to the networking equipment in
use in order to manipulate VLAN membership and ACLs?  (It would make
sense that it does)

PacketFence does not need to access any network devices to function.
PacketFence can run inline or passive.  Passive mode is very cool
because you don't have to worry about the network going down if the box
dies.  PacketFence uses ARP spoofing to implement this passive
architecture.

4) Are there other products out there that other institutions are
using to accomplish this same task?

PacketFence will perform network admission compliance similar to Clean
Access.  If you want network discovery and mapping, see the applications
listed below.

5) Are there any recommendations for/against these products?

I would highly recommend anyone who is looking at CleanAccess to also
evaluate PacketFence.

If you are looking for open-source applications that perform network
discovery and mapping of IP->Mac->Switchport, there are some excellent
applications in that area as well.

NeDi (Network Discovery Suite)
http://nedi.web.psi.ch/

NetDisco
http://netdisco.org/

NAV (Network Administration Visualized)
http://metanav.ntnu.no/


Good luck in your search!

Tristan Rhodes
Weber State University

>>> [log in to unmask] 01/20/06 8:44 AM >>>
The topic of Clean Access has come up again here at Wofford, and we are
trying to find out what everybody else is doing, if anything, to prevent
unpatched/vulnerable systems from connecting to the network until they
are patched.

In the past, my predecessors made a feeble attempt at using NetReg.
From what I understand, it was up for about 2 weeks and was then taken
down, never to be used again.  My understanding of the product is that
it is free and support is poor at best.  From what I have gathered on
the product was that its intent is not necessarily to enforce policies
on the systems but rather make recommendations on patches and updates.
My other understanding of the product is more focused on providing the
helpdesk with a hardware/software profile of the system and to map user
IDs to IP addresses for more accurate identification and location of
users.

On the other side of that coin, the topic of Perfigo (now Cisco Clean
Access) was brought up.  My understanding of this product is that it can
be quite expensive depending on the number of users, but it is backed by
Cisco's TAC.  I am also led to believe that it does much of the same
thing as NetReg but it takes things one step further and requires
machines to be brought into compliance, or the machine in question will
be put into a quarantined VLAN before allowing any further access to the
network.

My questions are as follows:

1) What experience (good/bad) has each of you had with either of
these 2 products, if any?

2) Do I understand the capabilities of each correctly?

3) Does either product need access to the networking equipment in
use in order to manipulate VLAN membership and ACLs?  (It would make
sense that it does)

4) Are there other products out there that other institutions are
using to accomplish this same task?

5) Are there any recommendations for/against these products?

Thank you in advance for your input!

J. Bart Casey
Network Engineer
Wofford College


**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.