CounterACT for Network Access Control

Overview

ForeScout CounterACT for Network Access Control is an automated security control platform that lets you see and control everything on your network–all devices, all operating systems, all applications, all users. ForeScout CounterACT lets employees and guests remain productive on your network while you protect critical network resources and sensitive data.

Based on third-generation network access control (NAC) technologies, ForeScout CounterACT is easy to install because it requires no software, no agents, no hardware upgrades or reconfigurations. Everything is contained within a single appliance or virtual appliance.

Network access control is an ideal solution to help you optimize the productivity and accessibility of your network without compromising your enterprise security. Today, most attacks come from inside your network, bypassing the security provided by traditional firewalls and IPS systems. Modern threats include:

  • Visitors–When guests and contractors come to your location, they bring their computers with them. To remain productive, guests need to access the Internet, and contractors may need additional resources. If you give these visitors unlimited access, you risk attack by malware or compromise of your sensitive data.
  • Wireless and mobile users–Your employees want to use their smartphones and tablets on your network. If you don’t have adequate control, these devices can infect your network or be a source of data loss.
  • Rogue devices–Well-meaning employees can extend your network with inexpensive wiring hubs and wireless access points. These devices can cause your network to become unstable, and they can be a source of infection and data loss.
  • Malware and botnets–Studies show that even well-managed enterprises have infected computers because of zero-day attacks and/or out-of-date antivirus. Once your PCs are compromised, they can be used in “pivot attacks” whereby outsiders can scan your network and steal your data.
  • Compliance–Endpoints can be misconfigured, and virtual machines can appear on your network without your knowledge, sometimes without proper security controls. Non-compliant systems are security risks.

ForeScout CounterACT automatically enforces whatever network access policies you desire for your organization. If you wish to ban all guests and unknown computers from your network, ForeScout CounterACT can do that. If you wish to allow guests and handheld wireless devices to access the Internet, ForeScout CounterACT can do that. Features include:

  • Integrated appliance. ForeScout CounterACT includes everything in a single appliance. No software to install, nothing to configure. Built-in integration lets you leverage your existing infrastructure including directory, switches, endpoint security systems, patch management systems, ticketing systems and reporting systems.
  • 802.1x or not. ForeScout CounterACT can utilize 802.1x for authentication and switch control. Or, you can avoid the limitations of 802.1x and use ForeScout’s alternative technologies. The choice is yours.
  • Visibility. ForeScout CounterACT’s Asset Inventory provides real-time, multi-dimensional network visibility and control, allowing you to track and control users, applications, processes, ports, external devices, and more.
  • Guest registration. ForeScout CounterACT’s automated process allows guests to access your network without compromising your internal network security. ForeScout CounterACT includes several guest registration options, allowing you to tailor the guest admission process to your organization’s needs.
  • Real-time mobile device control. ForeScout CounterACT detects and controls hand-held mobile devices connected to your Wi-Fi network. Supports iPhone/iPad, BlackBerry, Android, Windows Mobile and Nokia Symbian.
  • Threat detection. ForeScout CounterACT includes ActiveResponse™, a patented threat detection engine which monitors the behavior of devices post-connection. ActiveResponse blocks zero-day self-propagating threats and other types of malicious behavior. Unlike other approaches, ActiveResponse does not rely on signature updates to remain effective, which translates to low management cost.
  • Rogue device detection. ForeScout CounterACT can detect rogue infrastructure such as unauthorized switches and wireless access points by identifying whether the device is a NAT device, identifying whether the device is on a list of authorized devices, or identifying situations where a switch port has multiple hosts connected to it.
  • Role-based access control. ForeScout CounterACT ensures that only the right people with the right devices gain access to the right network resources. ForeScout leverages your existing directory where you assign roles to user identities.
  • Flexible Control Options. Unlike early generation NAC products that employed heavy-handed controls and disrupted users, ForeScout CounterACT provides a full spectrum of enforcement options that let you tailor the response to the situation. Low-risk violations can be dealt with by sending the end-user a notice and/or automatically remediating his security problem; this allows the user to continue to remain productive while remediation takes place.
  • Policy Management. ForeScout CounterACT lets you create security policies that are right for your enterprise. Configuration and administration are fast and easy thanks to ForeScout CounterACT’s built-in policy wizard and knowledge base of device classifications, rules and reports.
  • Out-of-band deployment. ForeScout CounterACT deploys out-of-band which eliminates issues regarding latency and potential points of failure in your network.
  • Scalability. ForeScout CounterACT has been proven in customer networks exceeding 250,000 endpoints. ForeScout CounterACT appliances are available in a range of sizes to accommodate networks of all sizes.
  • Clientless operation. Since ForeScout CounterACT is a clientless solution, it works with all types of endpoints–managed and unmanaged, known and unknown. Nothing escapes ForeScout CounterACT. If it’s on your network, ForeScout CounterACT sees it.
  • Optional client. ForeScout CounterACT gives you the option to install either a persistent or a dissolvable lightweight client, giving you additional control over the endpoint. The client supports Windows, Mac and Linux and can be automatically deployed when the user connects to the network and registers their identity on the system.
  • IT infrastructure integration. Unlike proprietary NAC products, ForeScout CounterACT is fast and easy to install because it supports an extensive range of third-party networking and security hardware and software, including both 802.1x and non-802.1x enterprise switches.
  • Authentication. ForeScout CounterACT supports existing standards-based authentication and directories such as 802.1x, LDAP, RADIUS, Active Directory, Oracle and Sun.
  • Reporting. ForeScout CounterACT has a fully integrated reporting engine that helps you monitor your level of policy compliance, fulfill regulatory audit requirements, and produce real-time inventory reports.
  • Endpoint compliance. ForeScout CounterACT can ensure that every endpoint on your network is compliant with your antivirus policy, is properly patched, and is free of illegitimate software such as P2P.

Tour

Guest Registration

ForeScout CounterACT for Network Access Control allows guests to register for access to your network without compromising your internal network security.

Network Visibility

ForeScout CounterACT lets IT managers see everything on the network–devices, users, software, peripherals, vulnerabilities, and more.

Port Security

ForeScout CounterACT provides port-based network access control–with or without 802.1x.

Compare

Rating scale: Best, Good, Fair, Poor*

Solutions compared: ForeScout CounterACT; Infrastructure solutions (Cisco, Juniper, etc.); Agent-based solutions (Symantec, McAfee, etc.)

Architecture

  • Number of components
  • Centralized management
  • Support for 802.1x port enforcement
  • Support for non-802.1x port enforcement
  • Effective on unmanaged/unknown endpoints
  • Support for non-desktop OS devices (iOS, Android, BlackBerry, printers, wireless access points, etc.)
  • Integrates with 3rd party products

Deployment

  • Speed of installation
  • Out-of-band deployment
  • Centralized deployment
  • Decentralized deployment

Visibility

  • Real-time detection of managed devices
  • Real-time detection of unmanaged devices
  • Security posture of managed endpoints varies
  • Security posture of unmanaged endpoints
  • Real-time inventory of applications, services, users, devices, vulnerabilities
  • Track changes of endpoint software or configuration

Enforcement & Remediation

  • Alerting actions
  • Blocking actions
  • Switch ACL management
  • Role-based traffic control varies
  • Quarantine
  • Update antivirus
  • Install / restart security agents
  • Kill process
  • Disable unauthorized peripheral device
  • Block malicious traffic on the network
  • Guest registration

* The features compared on this page were obtained using publicly available sources from a variety of leading products. Other names may be trademarks of their respective owners.

Specs

ForeScout CounterACT is available as an appliance or a virtual appliance.

Physical Appliance:

| Specification | CT-R | CT-100 | CT-1000 | CT-2000 | CT-4000 |
| --- | --- | --- | --- | --- | --- |
| Concurrent Devices | 100 | 500 | 1000 | 2500 | 4000 |
| Bandwidth | 100 Mbps | 500 Mbps | 1 Gbps | 2 Gbps | Multi-Gbps |
| Network Ports – Copper | 4 | 4 – 8 (depending on specific model) | 4 – 8 (depending on specific model) | 4 – 8 (depending on specific model) | 4 – 8 (depending on specific model) |
| Network Ports – Fiber | N/A | Available option (Up to 2 total) | Available option (Up to 4 total) | Available option (Up to 4 total) | Available option (Up to 4 total) |
| I/O Support | 1 serial port (DB9) | 1 serial port (DB9); PS/2 keyboard & mouse port | 1 serial port (RJ45); PS/2 keyboard & mouse port | 1 serial port (RJ45); PS/2 keyboard & mouse port | 1 serial port (RJ45); PS/2 keyboard & mouse port |
| USB Ports | 2, USB 2.0-compliant | 4 back panel USB 2.0 + 1 front panel USB 1.1 | 4 back panel USB 2.0 + 1 front panel USB 1.1 | 4 back panel USB 2.0 + 1 front panel USB 1.1 | 4 back panel USB 2.0 + 1 front panel USB 1.1 |
| VGA | 1 (DB15) | 1 (DB15) | 1 (DB15) | 1 (DB15) | 1 (DB15) |
| CD-ROM | N/A | 1 | 1 | 1 | 1 |
| Hard Drives | 1 HDD | 2 HDD (RAID-1) | 2 HDD (RAID-1) | 2 HDD (RAID-1) | 2 HDD (RAID-1) |
| Power Supply | 1 @ up to 60W, 100-240VAC (External) | 1 @ up to 650W, 100-240VAC | 2 @ up to 650W, 100-240VAC | 2 @ up to 750W, 100-240VAC | 2 @ up to 750W, 100-240VAC |
| Power Consumption (max) | 45.3w | 648w | 648w | 744w | 744w |
| Operating Temperature | 5 °C to 35 °C | -10 °C to 35 °C (fluctuation not to exceed 10 °C per hour) | -10 °C to 35 °C (derated 0.5 °C for every 1000 ft; 10,000 ft. max); -40 °C to 70 °C | -10 °C to 35 °C (derated 0.5 °C for every 1000 ft; 10,000 ft. max) | -10 °C to 35 °C (derated 0.5 °C for every 1000 ft; 10,000 ft. max); -40 °C to 70 °C |
| Storage Temperature | -20 °C to 70 °C | -40 °C to 70 °C | -40 °C to 70 °C | -40 °C to 70 °C | -40 °C to 70 °C |
| Cooling Requirement Temperature | n/a | 2550 BTU/Hr | 2550 BTU/Hr | 2550 BTU/Hr | 2550 BTU/Hr |
| Humidity | 20% – 90% | 90% non-condensing at 35 °C | 90% non-condensing at 30 °C | 90% non-condensing at 30 °C | 90% non-condensing at 30 °C |
| Chassis | 1U desktop (steel slim line case) | 1U 19″ rack mount | 1U 19″ rack mount | 2U 19″ rack mount | 2U 19″ rack mount |
| Dimensions | Height: 42mm (1.65 inches); Width: 180mm (7.48 inches); Depth: 150mm (5.91 inches) | Height: 43.25mm (1.703 inches); Width: 430mm (16.93 inches); Depth: 692mm (27.25 inches) | Height: 43.2mm (1.7 inches); Width: 430mm (16.93 inches); Depth: 654.4mm (25.76 inches) | Height: 87.30mm (3.44 inches); Width: 430mm (16.93 inches); Depth: 704.8mm (25.75 inches) | Height: 87.30mm (3.44 inches); Width: 430mm (16.93 inches); Depth: 704.8mm (25.75 inches) |
| Shipment | Size: 16 x 9.6 x 5.5 inches; Weight: 8 pounds | Size: 10 x 28 x 36 inches; Weight: 54 pounds | Size: 10 x 28 x 36 inches; Weight: 54 pounds | Size: 10 x 28 x 36 inches; Weight: 68 pounds | Size: 10 x 28 x 36 inches; Weight: 70 pounds |

Virtual appliance:

Operating system: VMware ESX or ESXi, versions 3.5 update 5, 4.0 update 2, and 4.1 update 1.

Hardware: Minimum hardware requirements are dependent on the number of devices that you need to include within the scope of the ForeScout CounterACT Virtual Appliance.

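| Model | Devices | CPUs | GHz/CPU | RAM | Disk |
| --- | --- | --- | --- | --- | --- |
| VCT-R | 100 | 1 | 1 | 1 GB | 80 GB |
| VCT-100 | 500 | 2 | 1.5 | 1.5 GB | 80 GB |
| VCT-1000 | 1000 | 2 | 2 | 2 GB | 80 GB |
| VCT-2000 | 2500 | 2 | 3 | 4 GB | 80 GB |
| VCT-4000 | 4000 | 4 | 3 | 6 GB | 80 GB |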