cross-post from the RESNET list that does a good job summarizing Perfigo.
Many other posts on Perfigo have been submitted in the last week if you want
to browse over to http://listserv.nd.edu/archives/resnet-l.html

-d


----- Original Message -----
From: "Jim Warner" <[EMAIL PROTECTED]>
Sent: Saturday, February 21, 2004 12:09 PM
Subject: Perfigo (con't)

We are running Perfigo SmartManager version 3.0.0 dated 11/30/2003 in a
test portion of our resnet.  The manual we have been provided with is
release 2.9 which carries a date of February 2, 2004.

The Resnet list is the prototypical drive-a-truck-up-its-own-tailpipe
list where everyone includes everything already posted on the topic
with varying levels of angle braces, and then for good measure encodes
the whole mess in HTML and includes it again.  I'm not going to do that.
But this message may make more sense if you've seen Perfigo postings
over the last few days.

If Perfigo can move a client from one vlan to another based on assigned
role, that would come as a surprise to us.  No one from Perfigo has
suggested that this capability exists and the word "vlan" does not
appear in the index in the manual.  I would be surprised to hear about
that as a part of the feature set.  I don't think it would work
because dhcp has already run by the time perfigo collects the user name
so that it can assign the proper client role.  I am guessing here:
I think the marketing guys think of Perfigo roles (i.e. guest, student,
faculty) as a functional analog of vlans and so they use the terms
as if they meant the same thing.  Anyone technical enough to be able
to spell 802.1Q will be confused by this.

Perfigo does respect vlan tags on incoming packets.  That means a packet
that arrives with a tag on a trunked port will leave with the same tag.
We use this -- trunking through the Perfigo -- and it works just fine.
Of course if the assigned role for that client blocks that particular
packet it won't leave at all.  But I am not aware of a role setting that
says "remark vlan tag to the quarantine vlan".

That said, we have found that attempting to get fancy with 802.1q vlans
to trunk through a single SecureSmart manager is fraught with potential
perils.  Big L2 networks are just plain ugly.  If you have a multivendor
switch environment, perhaps more so.  Caveat.

Perfigo would have no special difficulty working in an environment with
hubs instead of switches.  The home turf for Perfigo is 802.11 wireless
access control.  Wifi is very much like a hub (shared media) and not
at all like a switch (dedicated bandwidth).

Perfigo is offering two separate gizmos in the war on worms.  Whether
"CleanMachine" is one of these, or both is mired in marketing hype.  But
they are independent.

1.  Perfigo has loaded a version of the Nessus scanner (www.nessus.org)
    into the SmartManager.  You get to select the tests that are run
    against connecting computers and how long to remember the test
    results.  Remembering test results is useful because the time
    required for the test is probably too great to endure at every
    connection.

2.  Perfigo Client - As far as we know, this exists only for Windows.
    It can read the registry to check version numbers and make sure
    your favorite antivirus software is installed.  The SmartManager
    can offer the client software to users that don't have it --
    withholding full net access by putting them in a restricted role.
    Right now the client can only read the registry.  But Perfigo
    says that they will include more functions in the future.

From what we can see, Perfigo has two clients.  One is a VPN client
that users of open wireless (no WEP) can use to tunnel their traffic
to the relative safety of the wired network.  The other is the
CleanMachines client.  These are not the same thing, if that helps.

I have not yet seen the CleanMachines client.  I don't think we have
been given it even for testing.  The manual offers no suggestions
on how to require the client in a mixed environment that includes
machines that are not running MS windows derivatives.  I am told
that they have this figured out but haven't written it down yet.

The Nessus scanner is a cool thing.  But it will be a real challenge
to do scans and present the results to end users in a way that makes
sense.  Anyone thinking about this portion of Perfigo's CleanMachine
should probably go to the source (www.nessus.org) and look at the
'real thing.'  If the hope was that Perfigo was going to do the heavy
lifting so that their customers wouldn't need to ever think about
the moving parts within Nessus -- I haven't seen that kind of integration.
While Nessus is pretty powerful and can do lots of good stuff, the
Perfigo claim on Page 73

   "Scanning is implemented with Nessus plugins.  The plugins can
    check for viruses or any other security vulnerabilities."

simply exceeds the capabilities of Nessus.  Nessus can detect
backdoor open ports installed by viruses that are working to
establish a network of open proxies.  But something that doesn't
open a network port probably can't be detected.

At Santa Cruz, we have let the cleanmachines system scan connecting
users.  But we have not yet either finalized our list of Nessus plugins
or been willing to show any scan results to the connecting users.

A final comment about Perfigo -- if you go to their web page and look
for a tab labeled "support", you won't find one.  While Perfigo has
been pretty responsive to our questions and emails, that's no substitute
for having a sustainable support model with on-line docs.  Feel free
to give them a hard time about this.  I know I'll be doing that.


-jim warner, UC Santa Cruz network engineer

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/cg/.