Brief Overview of ForeScout Network Access Control Solution

Organisations are becoming ever more aware of the need to defend their computer networks from cyber attacks. There have been recent warnings from governmental agencies and regulatory bodies of the increasing threat: 51% of malicious software threats that have ever been identified occurred in 2009.

Threats from externally based criminals are not the only risks faced. Increasing numbers of varied devices are being attached to the enterprise network by remote workers, contractors or those requiring guest access, which means insider threats. Whether deliberate or wrought unwittingly by out-of-compliance machines, these can force organisations to face up to huge losses due to downtime, financial remediation costs and loss of public confidence. What is needed is a way to control who can access crucial systems and sensitive data…

ForeScout’s CounterACT is a military-grade security system, many aspects of which have been developed in collaboration with the U.S. Military. CounterACT has an existing Common Criteria certification at EAL2, with EAL4+ in progress. As well as protecting the U.S. Military, ForeScout are also a trusted partner of the U.S. government and Federal bodies. Further information on its Government and Department of Defense credentials can be found at:
Other benefits from CounterACT include:

• In-built IPS – based upon patented ActiveResponse Technology that detects attackers’ reconnaissance and responds to them with counterfeit information which eliminates the need for signature updates

• Centralised visibility of ALL devices on the network giving the ability to control data leakage

• Proactive security that notifies, controls or blocks users that do not comply with policies and co-ordinates management of security infrastructure by integrating with wireless, anti-virus, VPN and many other technologies

• Vendor Agnostic – an out-of-band, network-based appliance that works with existing network infrastructures – no switch upgrades, no network reconfigurations. CounterACT integrates with all major enterprise switches, both 802.1x and non-802.1x, so unlike other products that require considerable network/infrastructure modifications before installation, CounterACT can be installed in one day.

Other product specifics

• Clientless – No agent software download required. Enables the device to identify, track and monitor ALL devices connected to the network, including guests/contractors.
• Signature-less IPS – Monitors for malware activity, specifically reconnaissance behaviour. This is then blocked.
• Out-of-Band – The appliance is located next to a core or distribution switch, connected to a SPAN port, i.e. out of line.
• Tailored Enforcement – A granular approach to policy enforcement, dependent on the policy breach:
1) HTTP browser hijack presents a message/warning to user
2) VLAN assignment
3) Virtual Firewall – using TCP resets to block some or all traffic originating from a device
4) Switch port disable – Using SNMP, we instruct the access layer switch to turn off the port users are connected to
• Non-disruptive deployment – CounterACT connects at the core or distribution layer, requiring only a mirrored port on the switch that it connects to.
• End Point X-Ray – end point posture for policy compliance i.e. check for things you need to see on the device (e.g. AV s/w) and things you don’t want to see (e.g. Skype)
• Reporting – A vast array of reports can be generated by the CounterACT device, from high level overviews to detailed information on compromised devices.
• Pre-Defined Policies – Predefined, commonplace policies are available for download from the ForeScout web site.
• Integration – Seamless integration into most environments. Interoperates with most major vendors, including Cisco, Aruba, HP, Nortel, Juniper and many others.

The ForeScout Approach

ForeScout CounterACT is an integrated network security appliance that delivers real-time visibility and control of all devices on your network. CounterACT is deployed out-of-band of your real-time network data flows. By receiving mirrored traffic, or by integrating directly with network layer devices (routers, switches, wireless controllers, authentication services, etc.), ForeScout CounterACT is able to automatically identify who and what is on your network and control access to your network resources from any host or segment, measuring compliance with your security policies and remediating or mitigating endpoint security and policy violations when they occur.

ForeScout CounterACT employs a proven approach for IT risk management, as shown in the diagram below. Every device that accesses the network is identified, inspected, remediated (if you wish), and continuously monitored.

ForeScout CounterACT revolutionizes Network Access Control (NAC) technology by eliminating deployment obstacles of typical solutions, such as costly hardware upgrades and lack of interoperability with existing infrastructure. Unlike other solutions, ForeScout CounterACT installs quickly and easily. It seamlessly integrates with any network environment. No software to install. No hardware upgrades.

CounterACT is 100% agentless, which means there is no software to install on endpoints. It works with all of your existing endpoints – managed and unmanaged, known and unknown. And CounterACT can control access to your network with or without 802.1X.

In summary, the key advantages of CounterACT are as follows:
1. Clientless Network-based Enforcement: unlike 802.1x-based network access control systems which require a desktop agent, the CounterACT system offers clientless, network-based enforcement.
2. Clientless Remediation: CounterACT can check and remediate company domain member devices (i.e. update OS and applications) without the need for an agent. To help remediate guests or other non-domain member devices, CounterACT offers its thin, dissolvable SecureConnector™ client via a web HTTP welcome screen.
3. Standards-based and Infrastructure Agnostic: CounterACT’s ability to work across heterogeneous network infrastructures has made it a favored solution for insurance, banking and financial networks. It deploys quickly without imposing costly upgrades or retrofits to the existing infrastructure: no prerequisites (such as switch upgrades, 802.1x deployment, client installation, or OS upgrade) are required. This eliminates the overhead imposed by inline solutions which take advantage of “vendor lock-in”.
4. Threat Detection: CounterACT comes with built-in threat detection and prevention technology that can determine if connecting devices are malicious or infected with self-propagating malware. This capability is recommended in Gartner’s 2008 Market Scope:
“To achieve the maximum benefits of network access control, enterprises must do more than just check for vulnerable endpoints. They must be able to detect and quarantine malicious-software-infected endpoints that can do damage to their network.” –John Pescatore, Gartner Market Scope
5. Discovery of Hidden Infrastructure: Rapid detection of rogue or unauthorized devices is a top concern in large networks. Recognized as possibly the strongest network sensor on the market today, CounterACT has demonstrated its ability to quickly and accurately identify and report details on all infrastructure components – both hidden and known. By monitoring network traffic and communicating with the switch infrastructure without the use of a client, CounterACT can see all IP devices on the network. This is a significant differentiator for ForeScout’s customers.
6. Extensive Experience in Large, Global Network Deployments: ForeScout customers include some of the largest, most globally distributed companies in the world. For such companies, scalability, reliability and information security are of equal importance. CounterACT is chosen for its ability to address many industry-specific requirements; for example, its comprehensive PCI (Payment Card Industry) compliance solution together with its centralized policy management capabilities help address many bank and retail audit requirements.
7. Multiple Protection Tools: CounterACT offers the following:
• ActiveScout IPS Protects Internet-Exposed Services
• VPN Integration
• Guest Management
• Spoof Detection
• Unauthorized Device Detection
• Role-based Access
• Espionage Detection
8. CounterACT finds and fixes weaknesses within the network by doing the following:
• Updates Microsoft Patches
• Updates Anti-virus Definitions
• Configures the Desktop Firewall
• Blocks Peer to Peer (P2P) or Instant Message (IM)
• Signature-less IPS Blocks New Worms
• Signature-less IPS Blocks Custom Worms
9. CounterACT deters data leakage by doing the following:
• Inventory Monitoring for missing devices
• Kill Peer to Peer (P2P) and Instant Message (IM)
• Multi-homed wireless detection
• Unauthorized application on desktop
• USB Drive, CD/DVD-R, iPod enforcement.
10. In disabling USB memory drives (according to your policies), CounterACT does the following:
• Detects when memory drive is inserted
• Disconnects drive
• Command to make drive read-only
• Script to audit drive files
• New feature: block USB memory when offline

ForeScout CounterACT makes you smarter, your network more secure, and your staff less busy by automating tasks that are currently laborious. CounterACT is in use by over 500 of the world’s most secure enterprises and military installations with global deployments spanning 37 countries. ForeScout CounterACT is based on third generation Network Access Control (NAC) technology. Unlike other solutions, ForeScout CounterACT installs quickly and easily. No software (agent-less). Works with existing network infrastructure.

Why ForeScout’s CounterACT NAC Solutions?

• Do you have a Cisco network? Is it self-defending yet?
• Can your network protect against guests and contractors plugging their laptops into open network ports?
• Can your network automatically ensure that every endpoint is compliant with your security policies – antivirus, DLP, encryption, patch level, configuration, etc.?
• What if you could buy a simple network appliance that would work with your existing network infrastructure and give it the intelligence to fix both of these problems?
• Wouldn’t it be embarrassing if your organization learned – the hard way – that you’ve got gaps in protection? That the security agents you spent lots of money on are not installed and working properly on 100% of your endpoints? What if you could buy an appliance that would totally eliminate this risk?
• Do you have policies in place to prevent data loss? (e.g. prohibit use of P2P applications or USB drives) Do you have real-time visibility into how many of your users are violating data loss policies?
• Are you responsible for security audits? Do you have an automated system for reporting on the compliance of devices on your network?
• Do you have a tool that will tell you how many iPhones are connected to your network?

ForeScout CounterACT keeps unwanted visitors and rogue devices off your network. This helps you keep your network more secure. ForeScout CounterACT is very popular because it is so easy to deploy. Everything is contained in a simple appliance. It works with your existing IT infrastructure. No software to install, no hardware to upgrade. Some of the world’s largest enterprises have their endpoints securely managed by us; see for details.

If you do require further detailed information on this product/solution (with a possible Proof Of Concept Implementation) do not hesitate to contact me directly or visit our homepage at

You may also wish to check out some exclusive IT Security resources at the RESOURCE CENTER found on our website.