[26998] in resnet


Re: Impulse Point SafeConnect was RE:Do we still need Network Access Control?

daemon@ATHENA.MIT.EDU (Osborne, Bruce W)
Sat Nov 5 07:08:01 2011

Message-ID:  <7F8CAE21F9C1C94A90F11320EF3974CE0BC968EB@LUEMSMAIL02.University.liberty.edu>
Date:         Sat, 5 Nov 2011 11:06:19 +0000
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Osborne, Bruce W" <bosborne@liberty.edu>
To: RESNET-L@listserv.nd.edu

Dan,

At Liberty University, we have used Cisco Clean Access and just let our Bradford Campus Manager support expire. We have looked at Impulse, but our management is still debating the benefits of NAC. Bradford may be OK for a small to medium sized institution, but their solution does not scale well beyond one "pod" of two servers.

I know from experience that it takes Bradford a long time to support new AV products. Bradford waits until the product is released before supporting it.  At least Impulse uses data from the first customer to produce support and distribute that support to their customers.  I am sure Impulse support is not perfect, but just from your experiences you have shared, I think they are likely superior to Bradford.

You complain about needing to parse an exported database for querying. At least Impulse lets you export the database like that. Bradford's database is internal only. Perhaps the database export would permit you to set up a pretty dashboard for management.

Just a few thoughts.

Bruce Osborne
Wireless Network Engineer
IT Network Services
 
(434) 592-4229
 
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-----Original Message-----
From: Foerst, Daniel P. [mailto:FOERST@cua.edu] 
Sent: Friday, November 04, 2011 10:58 PM
Subject: Impulse Point SafeConnect was RE:Do we still need Network Access Control?

Hey all,

I am not trying to hijack the previous thread, but I have noticed a couple of respondents in the former thread who mentioned they were SafeConnect customers. We too are SafeConnect customers and have been for a year now. I am curious what others think of the product; not just the functionality of the product, but also the overall user/client experience.

We recently encountered issues due to SafeConnect not properly recognizing changes in a couple of major antivirus brands for the Mac. Frankly, due to reasons I am not going to go into, we had just turned SafeConnect on for the semester about one month ago after it was deactivated for the summer, and it wasn't long before these AV issues hit home and we once again had to disable AV checking for our Mac users.

I was less than pleased.

It took several days for Impulse Point (the makers of SafeConnect) to get a resolution in place for us where the AV product (Norton for Mac) would be properly recognized and then a few more days for us to re-enable Mac AV checking (we didn't want to do this over a weekend when support was not generally available). Once we had gotten back into the saddle we encountered a new problem with Sophos for Mac. It seems that Sophos is now using S3.amazon.com for AV updates and of course these are SSL secured which SafeConnect (being IP based with Policy Based Routing) doesn't have the ability to see into the packet (or so they claim).

This new issue led to Impulse upgrading our SafeConnect to a "yet to be released" upgrade of the system and offering a means to allow the end user to "apply/opt out" of policy enforcement for a period of time determined by the SafeConnect administrators (anywhere from 15 minutes to days). Additionally, upgrades were made to the Dashboard Web GUI.


Now, prior to us becoming a SafeConnect user we were Bradford Network's Campus Manager consumers. We left for a few different reasons and SafeConnect had a good sell. They work relatively well, but short of the couple of issues I covered above, I feel that they are not all they are made out to be after the marketing honeymoon has passed.

I feel their web GUI needs a real graphic artist. It suits the needs relatively well, but I often feel embarrassed when I need to showcase the GUI to my superiors. The data collected is not immediately available in the GUI, but can be exported to a MySQL or MSSQL database for querying (something that should be available in the GUI and not need an understanding of SQL queries IMO - we are about to implement this feature btw).

Then there is the issue that it cannot see into Mac OS very well. If we want to enforce our users to update their OSes regularly (or at least when the vendor feels they should), why is there not a means to know when Mac OS updates are available? I believe there is at least one vendor on the market that can do this.

Next is an AV issue with recognition of software firewall detection. Many antivirus vendors operate their own firewall. As a result they disable the native firewall and SafeConnect can detect (by checking if the service is running through a custom policy) if the Windows firewall is enabled. Why is SafeConnect (or perhaps it is and support hasn't been able to help us) not recognizing a third-party firewall is in operation that has explicitly disabled Windows firewall? We encountered this with Norton, I believe, or it was NOD32 (perhaps that was just not working), and don't get me started on the lack of Mac support for firewalls!

Anyhow, I think I have ranted quite a bit and I was hoping to see what others' experiences are with SafeConnect. I like the product despite my issues already listed. The support personnel have been phenomenal when we have had issues, but we are getting frustrated and I don't know if I want to hear the claim from a superior "There has to be a way to do this, this is why they are in business" or something similar to that claim. I have also made our account manager aware of many of these issues and she has been good enough to say things are moving along, but something tells me it won't be what we expect.

In the end I am curious about others' experiences and if anyone has had similar thoughts. We may look for a new NAC system, but not necessarily Cisco as I have only read nightmares either on this list or others I am subscribed to (even though we are a big Cisco customer). Perhaps NAC isn't needed anymore, but we want accounting of our users and NAC does fit the bill there.

I think I'll sign off now, thanks in advance!

-dan

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
