dustervoice wrote: » I've got some experience with Forescout. While I wouldn't rate it as bad, it's not great either. If you have the budget and you are a Cisco shop, I would say stick to Cisco NAC, as it's tightly integrated into their other products. From what I can remember, there were some issues where unauthorised devices weren't being picked up. I believe we had about an 80% success rate. While no product is perfect, I was working in a highly secure environment and an 80% success rate wasn't going to cut it. Also there were issues with the types of classification: most "unknown" devices were labeled Linux. Also the refresh rate was quite slow; by the time it picked up and alerted about a device, the damage was already done. Overall I think the product will get better, but when I played around with it I wasn't overly impressed. By the way, it was configured by experts from Forescout!
Iristheangel wrote: » I think your Cisco rep didn't understand. Cisco has Identity Services Engine and they're DEFINITELY continuing development on it. I'm beta testing the newest version of its sexiness right now. I think the rep may not have understood what "NAC" was :P If you want to use ISE as a dedicated NAC for wired, wireless and VPN security, you can. You can also use it for TACACS for device administration. You can also integrate it with other products like Checkpoint firewalls, ASAs, Stealthwatch, etc. for rapid threat containment if you wanted to bust out some awesomeness :P As far as ISE is concerned, it uses standard CoA on their switches and can use any switch that supports industry-standard CoA (HP, Brocade, Aruba, Juniper, etc.) and also has the ability to use SNMP as well, but that's not really the choice I'd go with since it's more of a bolt-on for any NAC provider to resort to SNMP. Forescout I haven't dealt with in a while, but there were some cons for me:
- You pretty much have to have a box at every site with SPAN ports. If you want to manage all these boxes from one place, you're buying another appliance to do that. Its architecture was kludgy to say the least.
- If you want it to posture that endpoint without any sort of agent, you have to give Forescout admin credentials to your AD domain. Sorry, I don't trust ANY security product with that. Ever.
- SNMP or SSH is how it changes the configs, not CoA. And it's not exactly fast about it in my experience, so there's a gap in security right there.
- Dot1x was added as a checkbox, but their own reps wouldn't even recommend using it. Said some nonsense about it taking away from "visibility".
The biggest pro for Forescout was ease of use, but for me, a half-arsed security measure that's just easy to use wasn't really what my enterprise was looking for. Can't comment on Intelligo - never even heard of it.
Iristheangel wrote: » @Verities - What about PacketFence makes it more advanced than ISE?