We have thought about changing the heartbeat session timer set to 16-24
hours so that users are not kicked if they turn off the computer
overnight.  We have a student environmental action group on campus that
has successfully convinced students to turn their computers off when
they are not being used.  We are planning on de-certifying all machines
at 4:00 am Monday morning, every week.  Any comments or suggestions?


Martin D. Flagg
Network Engineer/Administrator
Hiram College
PH:  330-569-5376
FAX: 330-569-5462
email: [log in to unmask]
-
If you lend someone $20, 
and never see that person again,
it was probably worth it.


 


-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Homer Manila
Sent: Wednesday, July 27, 2005 11:27 AM
To: [log in to unmask]
Subject: Re: Clean Access Test Results

Oh, forgot to mention: We have the heartbeat session timer set to 2
hours, which should force users to login again, if their machines have
been off that long.  Also, we are still deciding if we will force
re-certification at some more frequent regular interval like 1-3 weeks
at a time, to force scanning of machines running the agent that aren't
being made to log-in as much.  One of the timeouts is decertifying
people, according to our graphs, wish I knew which one!

Also in regards to dhcp lease times: if it still renews to the same ip,
they still won't be forced to log in. So, disregard what I said earlier
:)

--Homer Manila
Network Security Administrator
Office of Information Technology
American University

Homer Manila wrote:
> Changing network/internet access from having no requirements to CA can

> be frustrating to the students. Telling them that implementing it will

> make their machine more secure and the network happy sometimes isn't 
> enough.  It helped that we had numbers to back up our decision to 
> implement CA: Last year alone, we had over 1200 virus tickets that 
> resulted in a loss of over $100k in man-hours and downtime.  Those are

> good numbers to give budget/funding too, if you have it.
> 
> I would also suggest increasing your temporary access time to at least

> 2 hours, which is what we did, to facilitate some of the longer 
> downloads(sp2). Increasing your session timeout might be a good thing 
> too; we actually don't have a timeout set for our users.  Since CA 
> will make you log in after the mac-address to ip-address combo is 
> void(dhcp lease time has expired and the user receives a new ip, user 
> moves to another subnet, etc), it will make the user sign-on again. If

> your dhcp lease times are set higher, the user will keep their ip 
> address longer, and have to sign-on less.  Plus, we plan on forcing 
> re-certification after every year or semester is over.
> 
> --Homer Manila
> Network Security Administrator
> Office of Information Technology
> American University
> 
> 
> Sean Ward wrote:
> 
>> We (Bowling Green State University) recently performed a very small 
>> test of Clean Access/Perfigo in a residence hall where we have about 
>> 20 students living because of conferences and the like.  Of the 20, 
>> about 14 had computers that connected, of which 10 filled out a 
>> survey on our website.
>>
>> Included below are the responses we received.  For those of you who 
>> have been testing or have finished testing Clean Access, what type of

>> response did you get from the students?  Were they similar to ours?
>> In what ways did you convince those in charge of the budget/funding 
>> that it was worth the cost?
>>
>> In an occurrence that could only be defined as "awesome", the 
>> instructions document is corrupted, so I cannot attach, include, or 
>> link to it until I take time to recreate it.
>>
>> Any and all responses would be appreciated.
>>
>> Thanks,
>> Sean
>>
>> Did you have any issues with the documentation? If so, what were
they?
>>
>>    * When trying to download clean access it kept comping up with a
>>      message that said you must open excutiable file something,
>>      something, something?? and I had no clue what it was talking
>>      about, so I played around and finally figured it out. That was
>>      confusing at first and somewhat frustrating
>>    * I guess my default settings were making it difficult to
configure
>>      the software
>>    * Some of the windows that popped up, such as the temporary
>>      connection to the network, were not in the manual so I had to
>>      click on what I thought was right.
>>    * I tried to get it to loadfor 3 hours with no luck. Finally RCC
had
>>      to come and install a new web browser. Now it works just fine.
>>    * The documentation was fine.
>>    * I had no problem installing the software and getting back on the
>>      network. The instructions were thorough and I appreciated the
>>      screen shots that were included.
>>    * It made me update fifty million times when I first got on.
>>
>> Have you had any issues connecting to the network or Internet since 
>> having the software installed? If so, how many times did this happen,

>> what type of issues were you having, and what were you doing at the
time:
>>
>>    * Every so many days it would kick me off the network and I'd have
>>      to restart my computer to be able to connect to the internet.
This
>>      is very frustrating and annoying, especially since it happened
>>      again this morning telling me I had to download the new version.
I
>>      thought this test was over??
>>    * Every time I attempt to connnect to the internet I am stopped
>>      because Norton Antivirus is blocking the Clean Access site
becuase
>>      it is unknown. If you already have anti-virus software it makes
>>      this process extremely difficult, and you have to disable the
>>      previous software in order to run the new software, and I have
>>      paid a large amount of money to have my computer protected by my
>>      other services.
>>    * I had had a problem once. Everytime I tried to connect it would
go
>>      to the main screen and then my mouse cursor would start going
>>      crazy....clicking very fast all on its own. No website would
even
>>      appear. It would continue doing the same thing even after I
tried
>>      restarting my computer several times. I decided to leave alone
for
>>      the next and the next day...everything was fine and I was able
to
>>      complete the process without any problems.
>>    * At first, I only had a temporary connection for 20 minutes.
During
>>      that 20 minutes, I had to download a bunch of different things
but
>>      after 20 minutes, I would have to stop because I was no longer
>>      connected. It took 9 hours just to get everything set up. Once I
>>      did, my entire computer was running extremely slow. Every three
>>      days I had to redo everything and that was a big inconvenience.
>>    * It's working well.
>>    * why do i have to re-login every few days....that kicks me off
>>      IM...I don't like it!
>>    * McAfee really slowed down my computer. I took Norton off of my
PC
>>      and it runs just fine now.
>>    * I am very frustrated that I have been randomly kicked off line
>>      (while I've been using the internet and instant messenger) only
to
>>      reaccept the clean access agent agreement and return to my work.
I
>>      knew that this was going to happen (since it was stated on the
>>      instruction sheet-thanks for that info!), but I find this
>>      frustrating and unnecessary. I'd really rather not have the
>>      program on my computer. Plus, I don't know what it does and why
I
>>      need it, other than I can't get on the internet and it's suppose
>>      to help prevent viruses. I had to work when Sean came to our
>>      meeting, and I read what was given to me but I still don't
>>      completely understand the need.
>>    * No problems after setup
>>
>> What could BGSU have done to make this test easier?
>>
>>    *
>>
>>      I guess there really isn't anything to make it easier. It's just
>>      going to be frustrating to you, if you impliment it to the whole
>>      campus, because you will be getting a lot of calls.
>>
>>    * It would have been nice if we were asked to volunteer to do this
>>      instead of having no say.
>>    * I think it woudl be easier for the RCC staff to come configure
the
>>      software on students' computers themselves
>>    * I wish that we would have had advanced notice that this was
going
>>      to happen.
>>    * Had people working later to help with the set up because I
didn't
>>      have internet for almost 2 days.
>>    * Tell people it takes a while to load.
>>    * The test itself is fine. The instructions were complete and I
was
>>      informed that I would be kicked off the network every 3 days or
>>      so. However the fact that the system does boots me off the
network
>>      randomly every few days is very inconvenient, especially since
>>      I've been working while it has happened.
>>    * Made the setup easier. You should only have to update once.
>>
>> Is there anything else you wish to add that was not mentioned?
>>
>>    * Once I finally was able to download the Clean Access software,
it
>>      told me that my login name was unknown and would not let me
proceed.
>>    * After making my complaint via email and phone, RCC was able to
fix
>>      everything on my computer so that it runs even better before.
>>    * The test itself is fine. The instructions were complete and I
was
>>      informed that I would be kicked off the network every 3 days or
>>      so. However the fact that the system does boots me off the
network
>>      randomly every few days is very inconvenient, especially since
>>      I've been working while it has happened.
>>    * It's annoying to have to update every three days. Once a week
>>      would be better.
>>
>>
>