CounterACT for Network Access Control

Overview

ForeScout CounterACT for Network Access Control is an network security platform that lets you see, monitor, and control everything on your network – devices, operating systems, applications and users. ForeScout CounterACT lets employees, contractors, and guests remain productive on your network while you protect critical network resources and sensitive data.

ForeScout CounterACT delivers extensive interoperability through our ControlFabric architecture. ControlFabric is an open set of integration technologies that enable ForeScout CounterACT and other solutions to exchange information and resolve a wide variety of network, security and operational issues.

Based on next-generation network access control (NAC) technologies, ForeScout CounterACT is easy to install because it requires no software, no agents, no hardware upgrades or reconfigurations. Comprehensive network access control functions are contained within a single appliance or virtual appliance.

Network access control helps to optimize network accessibility without compromising your enterprise security. Modern security exposures include:

  • Visitors–When guests and contractors come to your location, they bring their computers with them. To remain productive, guests need to access the Internet, and contractors may need additional resources. If you give these visitors unlimited access, you risk attack by malware or compromise of your sensitive data.
  • Wireless and mobile users–Your employees want to use their smartphones and tablets on your network. If you don’t have adequate control, these devices can infect your network or be a source of data loss.
  • Rogue devices–Well-meaning employees can extend your network with inexpensive wiring hubs and wireless access points. These devices can cause your network to become unstable, and they can be a source of infection and data loss.
  • Malware and botnets–Studies show that even well-managed enterprises have infected computers because of zero-day attacks and/or out-of-date antivirus. Once your PCs are compromised, they can be used in “pivot attacks” whereby outsiders can scan your network and steal your data.
  • Compliance–Endpoints can be misconfigured or can be running unauthorized applications. Virtual machines can appear on your network without your knowledge, sometimes without proper security controls. Non-compliant systems are security risks.

ForeScout CounterACT automatically enforces whatever network access policies you desire for your organization. If you wish to ban all guests and unknown computers from your network, ForeScout CounterACT can do that. If you wish to allow guests and handheld wireless devices to access the Internet, ForeScout CounterACT can do that. Features include:

  • Integrated appliance. ForeScout CounterACT includes everything in a single appliance. No software to install, nothing to configure. Built-in integration lets you leverage your existing infrastructure including directory, switches, endpoint security systems, patch management systems, ticketing systems and reporting systems.
  • 802.1X or not. ForeScout CounterACT lets you choose 802.1X or other authentication technologies such as LDAP, Active Directory, Oracle and Sun. New hybrid mode lets you use multiple technologies concurrently, which speeds NAC deployment in large, diverse environments.
  • Built-in RADIUS. ForeScout CounterACT includes a built-in RADIUS server to make rollout of 802.1X easy. Or, leverage existing RADIUS servers by configuring CounterACT to operate as a RADIUS proxy.
  • Automated exception handling. ForeScout CounterACT automates the handling of printers, phones, and other equipment that cannot authenticate via 802.1X. Continuous monitoring of endpoint behavior eliminates the security risk of MAC address or ARP spoofing.
  • Automated 802.1X troubleshooting and remediation. Identify misconfigured endpoints and switch ports. Automatically remediate 802.1X supplicants by appending configurations, fixing erroneous configurations, or updating configurations.
  • Visibility. ForeScout CounterACT’s Asset Inventory provides real-time, multi-dimensional network visibility and control, allowing you to track and control users, applications, processes, services, ports, external devices, and more.
  • Tactical map. Intuitive map lets you spot trouble areas of any sort (compliance, authentication issues, etc.) and drill-down for more information. The map shows alerts and operational information, and lets you drill down to specific sites and devices as required.
  • Guest registration. ForeScout CounterACT’s automated process allows guests to access your network without compromising your internal network security. CounterACT includes several guest registration options allowing you tailor the guest admission process to your organization’s needs.
  • BYOD friendly. Accommodate BYOD devices on your network while preserving security. Hybrid mode lets you use either 802.1X certificates or LDAP user credentials to gain access. Flexible policies allow full or limited network access based on user name, device type, and security posture. Control access based on VLANs, ACLs, or built-in virtual firewall.
  • Real-time mobile device control. ForeScout CounterACT detects and controls hand-held mobile devices connected to your Wi-Fi network. Supports iPhone/iPad, Blackberry, Android, Windows Mobile and Nokia Symbian.
  • Threat detection. ForeScout CounterACT includes ActiveResponse™, a patented threat detection engine which monitors the behavior of devices post-connection. ActiveResponse blocks zero-day self-propagating threats and other types of malicious behavior. Unlike other approaches, ActiveResponse does not rely on signature updates to remain effective, which translates to low management cost.
  • Rogue device detection. ForeScout CounterACT can detect rogue infrastructure such as unauthorized switches and wireless access points by identifying whether the device is a NAT device, identifying whether the device is on a list of authorized devices, or identifying situations where a switch port has multiple hosts connected to it. CounterACT can even detect devices without IP addresses, such as stealthy packet capture devices designed to steal sensitive data.
  • Role-based access control. ForeScout CounterACT ensures that only the right people with the right devices gain access to the right network resources. ForeScout leverages your existing directory where you assign roles to user identities.
  • Flexible control options. Unlike early generation NAC products that employed heavy-handed controls and disrupted users, ForeScout CounterACT provides a full spectrum of enforcement options that let you tailor the response to the situation. Low-risk violations can be dealt with by sending the end-user a notice and/or automatically attempting to remediate the security problem; this allows the user to continue to remain productive while mitigation takes place.

AlertLimitMove-Diagram

  • Policy management. ForeScout CounterACT lets you create security policies that are right for your enterprise. Configuration and administration is fast and easy thanks to ForeScout CounterACT’s built-in policy wizard and knowledge base of device classifications, rules and reports.
  • Out-of-band deployment. ForeScout CounterACT deploys out-of-band which eliminates issues regarding latency and potential points of failure in your network. High availability is available for organizations that require redundancy.
  • Scalability. ForeScout CounterACT has been proven in customer networks exceeding 250,000 endpoints. ForeScout CounterACT appliances are available in a range of sizes to accommodate networks of all sizes.
  • Optional agent. ForeScout CounterACT does not require an agent on the endpoint, which is important when dealing with BYOD. If you wish, you can install ForeScout’s lightweight agent on Windows, Mac, Linux, iOS and Android endpoints. Agents and can be automatically installed when the device connects to the network and the user registers their identity.
  • IT infrastructure integration. Unlike proprietary NAC products, CounterACT is fast and easy to install because it supports an extensive range of third-party networking and security hardware and software, such as network switches, wireless access points, VPN, antivirus, patch management, ticketing, SIEM, vulnerability assessment, and mobile device management (MDM).
  • Reporting. ForeScout CounterACT has a fully integrated reporting engine that helps you monitor your level of policy compliance, fulfill regulatory audit requirements, and produce real-time inventory reports.
  • Endpoint compliance. ForeScout CounterACT can ensure that every endpoint on your network is compliant with your antivirus policy, is properly patched, and is free of illegitimate software such as P2P.
  • Data Exchange. CounterACT can link to your existing databases and directories and pull information that can be used within NAC policies. For example, retrieve a list of MAC addresses of tablets that are owned by the company, and then you can create a policy to block other tablets.
  • Qualifications. ForeScout CounterACT is military grade with the following qualifications:
    • USMC ATO
    • US Army CoN (Certificate of Networthiness)
    • UC APL (Unified Capabilities Approved Product List)
    • Common Criteria EAL 4+

Product Tours

Product Demonstrations | Product Screenshots

Product Demonstrations

ForeScout ControlFabric

ForeScout ControlFabric allows ForeScout CounterACT and other IT security products to exchange information and rapidly respond to a range of enterprise security and operational issues.

Tactical Map

ForeScout CounterACT includes a geographical map that allows you to easily manage the security of a large, global enterprise.

802.1X Management

ForeScout CounterACT includes tools to help IT security managers deploy and manage 802.1X.

topTop

Guest Registration

ForeScout CounterACT for Network Access Control allows guests to register for access to your network without compromising your internal network security.

Network Visibility

ForeScout CounterACT lets IT managers see everything on the network–devices, users, software, peripherals, vulnerabilities, and more.

Port Security

ForeScout CounterACT provides port-based network access control–with or without 802.1X.

Product Screenshots

Click image to enlarge.

Global Overview

ForeScout CounterACT includes a built-in map that shows compliance statistics by site.

topTop
Site Visibility

From the map, you can drill down to see host information by site.

topTop
802.1X Policy Wizard

ForeScout CounterACT policy wizard makes it easy to control network access using 802.1X.

topTop
Mobile Security

By integrating with an MDM system, or using ForeScout Mobile, you can easily detect jailbroken or rooted smartphones and apply appropriate network access policies.

topTop

Compare

= Best = Good = Fair = Poor*
Architecture
Feature ForeScout CounterACT Infrastructure solutions (Cisco, Juniper, etc.) Agent-based solutions (Symantec, etc.)
Number of components
Centralized management
Support for 802.1x port enforcement
Support for non-802.1x port enforcement
Effective on unmanaged/unknown endpoints
Support for non-desktop OS devices (iOS, Android, BlackBerry, printers, wireless access points, etc.)
Integrates with 3rd party products
Deployment
Feature ForeScout CounterACT Infrastructure solutions (Cisco, Juniper, etc.) Agent-based solutions (Symantec, etc.)
Speed of installation
Out-of-band deployment
Support for phased deployment
Centralized deployment
Decentralized deployment
Scalability
Visibility
Feature ForeScout CounterACT Infrastructure solutions (Cisco, Juniper, etc.) Agent-based solutions (Symantec, etc.)
Real-time detection of managed devices
Real-time detection of unmanaged devices
Security posture of managed endpoints varies
Security posture of unmanaged endpoints
Real-time inventory of applications, services, users, devices, vulnerabilities
Track changes of endpoint software or configuration
Enforcement & Remediation
Feature ForeScout CounterACT Infrastructure solutions (Cisco, Juniper, etc.) Agent-based solutions (Symantec, etc.)
Alerting actions
Blocking actions
Switch ACL management
Role-based traffic control varies
Quarantine
Update antivirus
Install / restart security agents
Kill process
Disable unauthorized peripheral device
Block malicious traffic on the network
Guest registration

* The features compared on this page were obtained using publicly available sources from a variety of leading products. Other names may be trademarks of their respective owners.

Specs

ForeScout CounterACT is available as an appliance or a virtual appliance.

Physical Appliance:
CT-R CT-100 CT-1000 CT-2000 CT-4000 CT-10000
Devices¹ Up to 100 Up to 500 Up to 1000 Up to 2500 Up to 4000 Up to 10000
Bandwidth 100 Mbps 500 Mbps 1 Gbps 2 Gbps Multi-Gbps Multi-Gbps
Network Ports – Copper (RJ-45) 4 4 – 8 (depending on specific model) 10/100/1000 4 – 8 (depending on specific model) 10/100/1000 4 – 8 (depending on specific model) 10/100/1000 4 – 8 (depending on specific model) 10/100/1000 4 – 8 (depending on specific model) 10/100/1000
Network Ports – Fiber N/A Available option (Up to 2 total) Available option (Up to 4 total) Available option (Up to 4 total) Available option (Up to 4 total) Available option (Up to 4 total)
I/O Support 1 serial port (RJ45) 1 serial port (RJ45) 1 serial port (RJ45) 1 serial port (RJ45) 1 serial port (RJ45) 1 serial port (RJ45)
USB Ports 2, USB 2.0-compliant 4 back panel USB 2.0 + 1 front panel USB 1.1 4 back panel USB 2.0 + 1 front panel USB 1.1 4 back panel USB 2.0 + 1 front panel USB 1.1 4 back panel USB 2.0 + 1 front panel USB 1.1 4 back panel USB 2.0 + 1 front panel USB 1.1
VGA 1 (DB15) 1 (DB15) 1 (DB15) 1 (DB15) 1 (DB15) 1 (DB15)
CD-ROM N/A 1 1 1 1 1
Hard Drives 1 HDD 3 HDD (RAID-1+HS) 3 HDD (RAID-1+HS) 3 HDD (RAID-1+HS) 3 HDD (RAID-1+HS) 3 HDD (RAID-1+HS)
Power Supply 1 @ up to 60W100-240VAC (External) 1 @ up to 650W100-240VAC 2 @ up to 650W100-240VAC 2 @ up to 750W100-240VAC 2 @ up to 750W100-240VAC 2 @ up to 750W100-240VAC
Power Consumption (max) 45.3w 648w 648w 744w 744w 744w
Operating Temperature 5 °C to 40°C +10°C to +35°C (fluctuation not to exceed 10°C per hour) +10°C to +35°C (fluctuation not to exceed 10°C per hour) +10°C to +35°C (fluctuation not to exceed 10°C per hour) +10°C to +35°C (fluctuation not to exceed 10°C per hour) +10°C to +35°C (fluctuation not to exceed 10°C per hour)
Storage Temperature 0°C to 70 °C -40 °C to 70 °C -40 °C to 70 °C -40 °C to 70 °C -40 °C to 70 °C -40 °C to 70 °C
Cooling Requirement Temperature n/a 2550 BTU/Hr 2550 BTU/Hr 2550 BTU/Hr 2550 BTU/Hr 2550 BTU/Hr
Humidity 20% – 90% 90% non-condensingat 35 °C 90% non-condensingat 35 °C 90% non-condensingat 35 °C 90% non-condensingat 35 °C 90% non-condensingat 35 °C
Chassis 1U desktop(steel slim line case) 1U 19″ rack mount 1U 19″ rack mount 2U 19″ rack mount 2U 19″ rack mount 2U 19″ rack mount
Dimensions Height: 55mm(2.17inches) Width: 335mm(9.84inches)Depth: 213mm

(8.39inches)

Height: 43.2mm(1.70 inches) Width: 430mm(16.93 inches)Depth: 665.5mm

(26.2 inches)

Height: 43.2mm(1.70 inches) Width: 430mm(16.93 inches)Depth: 665.5mm

(26.2 inches)

Height: 87.30mm(3.44 inches) Width: 430mm(16.93 inches)Depth: 704.8mm

(25.75 inches)

Height: 87.30mm(3.44 inches) Width: 430mm(16.93 inches)Depth: 704.8mm

(25.75 inches)

Height: 87.30mm(3.44 inches) Width: 430mm(16.93 inches)Depth: 704.8mm

(25.75 inches)

Shipment Size: 16 x 9.6 x 5.5 inchesWeight: 8 pounds Size: 36 x 28 x 10 inchesWeight: 55 pounds Size: 36 x 28 x 10 inchesWeight: 55 pounds Size: 36 x 28 x 10 inchesWeight: 71 pounds Size: 36 x 28 x 10 inchesWeight: 71 pounds Size: 36 x 28 x 10 inchesWeight: 71 pounds

 

ForeScout CounterACT Virtual Appliance
    • Supported operating systems
      • VMware ESX and ESXi v3.5 update 5
      • VMware ESX and ESXi v4.0 update 2
      • VMware ESX and ESXi v4.1 update 1
      • VMware ESX and ESXi v5.1 update 1
      • Or, Microsoft Hyper-V 2008 R2 with LIC v3.2 and above.
  • Minimum hardware requirements
Model Devices¹ Cores Speed Memory Disk
VCT-R Up to 100 1 1.5GHz 2GB 80GB
VCT-100 Up to 500 2 2.13GHz 2GB 80GB
VCT-1000 Up to 1000 2 2.13GHz 3GB 80GB
VCT-2000 Up to 2500 4 2.13GHz 4GB 80GB
VCT-4000 Up to 4000 4 2.13GHz 6GB 80GB
VCT-10000 Up to 10000 8 2.13GHz 10GB 80GB

 

¹Device count, as determined by CounterACT, is the sum of unique on-site connections made by network assets, connections made by off-site assets managed by CounterACT, and assets made known to CounterACT via third-party integrations. Network assets include user endpoints such as laptops, tablets and smartphones, network infrastructure devices such as switches, routers and access points, and non-user devices such as printers, IP phones, security/medical/manufacturing equipment etc. Device information is retained in CounterACT from initial discovery, until such time the information is purged, based on aging preferences set in CounterACT.

Resources