Kyle.

I think CDNs will be your downfall.

CDNs (Content Delivery Networks) distribute requests out to the internet
via a wide range of hosts. For a good example of how this works, see
http://en.wikipedia.org/wiki/Akamai_Technologies (there is a nice
infographic on the right-hand side of the page).

I know Microsoft and most of the *big* AV vendors use CDNs
to distribute their load.  It allows them to have rapid response times
all around the world, as well as insulating them from DDoS.

It also means that windowsupdate can have *Thousands* of IP addresses.

Mike


On Fri, Mar 22, 2013 at 11:41 AM, Kyle Torkelson <
[email protected]> wrote:

> Wanted to ask if anyone has gone through this scenario…we allow students
> to use ANY anti-virus program, as long as it’s supported by the Cisco NAC
> Agent or Cisco Web Agent and latest Compliance Module.  We are running
> 4.9.2 and we are familiar with this screenshot (for example):
>
> Here we pretty much allow any anti-virus programs to connect to obtain
> their latest virus definitions/signatures, no matter if the user is in the
> Unauthenticated Role, Temporary Role, or Quarantine Role.  If a student
> does NOT have an anti-virus program installed, then we point them to a
> locally hosted website where we give them a download to either Symantec
> Endpoint Protection or Microsoft Security Essentials.
>
> What I’m running into with ISE is that this doesn’t seem to be a scalable
> solution for us as I need to define an ACL (Unknown or Non-Compliant ACL
> based on Cisco’s TrustSec documentation) to allow connections to the IP
> addresses for each of these update sites.  The NAC uses wildcards, but with
> ISE I think my best option is to enable entire subnets instead of
> individual IP addresses.  For example,
>
> *.microsoft.com and *.windowsupdate.com
>
> Instead I need to use:
>
> 24.220.183.0
> 69.31.58.0
> 64.4.11.0
> 157.56.0.0
> 157.55.0.0
> 65.55.0.0
> 65.54.0.0
> 212.96.161.0
> 207.46.21.58
>
> When integrating this with a Cisco Wireless Controller, I can only have 64
> entries in an ACL.  It seems to me that whenever a student with a different
> software anti-virus vendor comes on campus, I’m going to have to use
> Wireshark or another sniffing tool to see what IP addresses that client is
> trying to connect to and then add those IPs to my ACL.
>
> Am I missing something?  Or, are there other solutions that anyone can
> think of?  Do I use a shaping device or firewall on the edge to permit this
> kind of traffic and in ISE just “Allow All” but then catch this internet
> traffic at the edge?  In our current solution, we like the flexibility and
> aren’t really sure we want to force a certain anti-virus program on all
> students.  I’m not sure it’s feasible to host an internal remediation
> server for multiple types of anti-virus software, either.
>
> Thoughts and recommendations?
>
> Thanks again…
>
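As an added example (not code from either message in this thread): given the addresses Kyle quotes, this Python script works out how many ACL entries a summarised allow-list needs at a chosen prefix length, whether that fits the 64-entry Wireless Controller limit, and how many addresses the ACL then permits per address actually observed. The address list and the 64-entry limit come from the thread; the function names and the per-prefix-length widening are my own assumptions.

```python
import ipaddress

WLC_ACL_LIMIT = 64  # ACL entry limit quoted for the Wireless Controller

# Addresses quoted in Kyle's message, used here as the observed set.  The
# entries ending in .0 are taken as host addresses and widened by prefix
# length below, so the caller, not the data, decides how coarse the ACL is.
OBSERVED = [
    "24.220.183.0", "69.31.58.0", "64.4.11.0", "157.56.0.0", "157.55.0.0",
    "65.55.0.0", "65.54.0.0", "212.96.161.0", "207.46.21.58",
]


def summarise(addrs, prefix_len):
    """Widen each address to a /prefix_len network and collapse the result
    into the smallest equivalent set of prefixes (adjacent pairs merge)."""
    nets = (ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
            for a in addrs)
    return list(ipaddress.collapse_addresses(nets))


def acl_plan(addrs, prefix_len, limit=WLC_ACL_LIMIT):
    """Return (entries, fits, over_permit) for one prefix length.

    entries      number of ACL lines after summarisation
    fits         whether that number is within the controller's limit
    over_permit  addresses the ACL permits per address actually observed;
                 1.0 means host-exact, 256.0 means one /24 per observed host
    """
    nets = summarise(addrs, prefix_len)
    permitted = sum(n.num_addresses for n in nets)
    observed = len({ipaddress.ip_address(a) for a in addrs})
    return len(nets), len(nets) <= limit, permitted / observed


def tightest_prefix_within(addrs, limit=WLC_ACL_LIMIT):
    """Longest (most specific) prefix length whose summarised ACL still fits
    in `limit` entries, i.e. the least over-permissive ACL the box can hold."""
    for prefix_len in range(32, -1, -1):
        if acl_plan(addrs, prefix_len, limit)[1]:
            return prefix_len
    return None


if __name__ == "__main__":
    for plen in (32, 24, 16):
        entries, fits, over = acl_plan(OBSERVED, plen)
        print(f"/{plen}: {entries} entries, fits={fits}, permits x{over:.0f}")
    print("tightest prefix within 8 entries:", tightest_prefix_within(OBSERVED, 8))
```

The over-permit figure is the cost of the "entire subnets" shortcut: every step from /24 towards /16 keeps the entry count under the limit only by admitting far more address space than the update sites occupy.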