CounterACT: Features & Benefits


Endpoint X-Ray™

CounterACT features the most granular device interrogation engine in the industry. This includes both a quick inspection for self-propagating threats at point of connection and a deep interrogation of the device to ensure policy compliance. By tapping directly into the registry and file system of a device, CounterACT determines virtually everything about the state of an endpoint, ranging from the presence of a desktop firewall, the state of OS patches and the last update of anti-virus definitions to the presence of specific files or specific entries in the registry of the system. CounterACT ships with an extensive library of tests which are configured through an intuitive, user-friendly interface.

NAC FastPass™

CounterACT provides flexible access based upon the specific security requirements of each customer. With NAC FastPass, CounterACT does not require connecting devices to wait while they are being interrogated for compliance since it eliminates the usual mandatory "quarantine upon connection" stage. At the point of connection, CounterACT detects and blocks any self-propagating malware or worms on connecting devices with its integrated signatureless intrusion prevention module, ensuring that no infection or propagation takes place. Once the threats are suppressed or blocked, or it is confirmed that no active threats are present, CounterACT instantly allows users to gain access to network resources while the deep interrogation of the device for policy compliance is being completed. Additionally, CounterACT can be configured to quarantine by default until all policy checks are complete, providing a flexible platform based upon specific security requirements.

Universal Discovery

CounterACT does not require a persistent or downloaded software agent to be installed on any connecting devices in order to perform its in-depth interrogation for compliance with network policies. This ensures universal discovery of all endpoints connecting to the network including non-user devices such as network printers, VoIP phones and PDAs. Upon connection, CounterACT instantly determines the type of device, ensures it does not present a threat, and has the ability to place it in its appropriate logical location on the network.

Tailored Enforcement

ForeScout's NAC solution features a full spectrum of enforcement options to enable organizations to custom-fit responses to network policy violations. CounterACT enables tailored access for all devices and users to ensure all endpoints meet enterprise-wide security requirements. For example, low-risk violations, such as outdated anti-virus definitions, can be dealt with by providing the end-user with self-remediation options while allowing limited access to the network and keeping the user productive while remediation takes place. Serious violations, such as unauthorized access to restricted network resources or worm infections, can be blocked from the network entirely; or in the case of a self-propagating threat, CounterACT can simply block the service or propagation port on the infected machine.



Non-Disruptive Deployment

CounterACT seamlessly integrates with any network environment and does not require any infrastructure changes or costly equipment upgrades. Typically spanned from a distribution layer switch for a highly scalable deployment, CounterACT is completely out-of-band and features downstream enforcement to control devices at the access layer. The non-inline deployment method eliminates latency and point-of-failure issues, without requiring costly infrastructure upgrades. CounterACT also enables policy deployment in monitor mode to allow administrators the ability to assess the effect of a policy on the network before activating enforcement. This ensures that network operations are not disrupted by lack of employee knowledge of new policy or a mis-configured policy.

Transparent Enforcement

CounterACT does not introduce any changes to end-user behavior. Compliant users are not aware that the NAC system is in place until a policy violation occurs, regardless of whether it is at the point of connection to the network or at any time during the network session. In case a violation occurs, CounterACT takes appropriate action to secure the network from a potential threat and quarantine the device if necessary, inform the end-user of a problem, present self-remediation options or notify the appropriate IT staff to mitigate the issue. End-users with compliant devices never know that CounterACT is deployed.

Managing the Unmanaged

Because CounterACT does not require a software client, unmanaged devices (i.e. various types of network guests) are subject to the same policy enforcement as the managed endpoints. At the point of connection, CounterACT instantly determines whether the endpoint is an unknown device. Once the determination is made, CounterACT provides several options including automated assignment to a quarantine VLAN or engaging the end user and requesting permission to scan the device. If permission is granted (through the user re-logging into the device) CounterACT interrogates the device for policy compliance and automatically directs it to a pre-determined network segment with the appropriate access privileges.

Integrated Signatureless IPS

CounterACT features the only integrated signatureless intrusion prevention system that does not require manual updates of pattern files or definitions. By interacting with an attacking source, CounterACT detects and blocks devices infected with self-propagating malware or worms in real-time before they contaminate the network.

3rd Party Integration

CounterACT streamlines policy enforcement by integrating with a wide range of network devices and systems. ForeScout works with industry-leading vendors to provide integration with switches (e.g., Cisco), helpdesk systems (e.g., Remedy), patch management systems (e.g., PatchLink), firewalls (e.g., Check Point), VPN devices (e.g., Cisco VPN3K) and vulnerability assessment systems (e.g., Qualys). CounterACT also features remote monitoring and management of the appliances by third-party utilities through its extensive API. Custom integration options are available for most proprietary and legacy systems.

802.1X Integration

CounterACT works seamlessly in networks with full or partial 802.1X deployments. In an environment where 802.1X is present, ForeScout leverages the admission control aspect of this standard in conjunction with the other authentication methods employed by CounterACT. If 802.1X is not present, CounterACT can provide the same level of device authentication and work with the switching infrastructure to enforce admission control policies. CounterACT enhances this functionality by providing multiple admission criteria checks (user authentication, MAC address, etc.) as well as tailored enforcement options which allow for both limited and full blocking of the non-compliant device.

VPN Enforcement

VPN users are subject to the same policies as the rest of the devices on the network. This ensures that all connecting devices comply with the security policies, regardless of whether the user is connecting with a company-issued device or personal home computer. CounterACT also features the same extensive enforcement options over the VPN as those available on the LAN.

Rogue Wireless Detection

With the ease of installation and prevalence of the 802.11X technology, wireless access points (WAP) are becoming an increasing challenge to enterprise security. CounterACT provides the ability to detect WAP devices using the existing wired infrastructure. This is accomplished by determining how devices are connecting to the network; if a device is connecting through an unauthorized WAP, CounterACT can block the device from establishing a connection or move it to a quarantine VLAN.

Management and Reporting

Each CounterACT appliance comes with a Java-based management interface. When multiple CounterACTs are present (up to 50 appliances), these devices can be managed as one through a central CounterACT Enterprise Manager. Network administrators use the Enterprise Manager to define and distribute network policies throughout the LAN to all CounterACT appliances. Enterprise Manager collects security event data for intuitive reporting, and shares relevant security information gathered from individual appliances with the rest of the CounterACTs on the network.

Vulnerability Assessment

CounterACT provides proactive threat prevention by scanning the network for potential vulnerabilities and takes appropriate actions in response to discovered threats and policy violations. Once the security risks are identified, CounterACT provides one-click protection against threats through an intuitive user interface. Additionally, CounterACT integrates with leading third party vulnerability assessment systems.

Network Information Portal

CounterACT features a powerful search engine that reports on all security events such as policy violations and malware threats, and correlates all relevant event data with specific users and devices for granular forensic capabilities. Additionally, the Network Information Portal features a flexible, user-friendly interface which provides the ability to search the captured information of all connected devices. The information gathered is a complete inventory of all connected network devices and the relevant events and activity associated with them.

Acclaim

"CounterACT is easy to deploy because it is clientless, it interrogates every single device that touches the network, and it doesn't disrupt our business."

Kenneth Corriveau, CIO, Omnicom Media Group