ForeScout | Access Ability

Overview

Users want to use their personal mobile devices to access corporate resources and data. Managers want productivity gains. This consumerization of IT—also known as Bring-Your-Own-Device or BYOD—represents a daunting security challenge. How can you accommodate employee and guest requests to use their smartphones, netbooks and tablets while mitigating security risks?

ForeScout CounterACT helps you enable BYOD by giving you real-time visibility of personal devices on your network, and allowing you to readily enforce guest network and access restrictions based on user and device policy.

ForeScout Mobile augments ForeScout CounterACT and provides additional visibility and management control over smartphones and tablet devices.

The Challenge

Increasingly, employees are bringing their personal devices into the office and expecting to connect them to the enterprise network and/or the Internet. In July 2011, IDC released a study indicating that 40.7% of devices used by information workers to access business applications are ones they own themselves, including laptops, smartphones, and tablets such as Apple’s iPad. That was a 10-point jump from the prior year’s study.¹

Perhaps more concerning, this trend is happening faster than IT managers realize. When IDC surveyed IT managers about the number of consumer devices on their networks, they underestimated the number by 50%.

Consumer devices accessing corporate networks pose numerous security challenges. IT managers need to find a way to secure corporate data on the devices, protect the corporate network from infection by malware that may be present on the devices, and control the level of access the devices have to the corporate network.

The initial response of many IT organizations was to ban all consumer devices from their networks. But IT organizations are increasingly seeing that this is not a sustainable strategy. According to Gartner:

“Consumerization is an unstoppable trend, and most organizations need to demonstrate flexibility and allow employees to use their personal devices for work. But, they also need to establish limits and not permit every device, every operating system and every configuration. Although approaches such as server-based computing and virtualization will also be used to deal with consumerization, NAC provides the flexibility that enterprises need in a BYOD environment, while providing the controls that enable network and security managers to retain control over the network.”²

For a more extensive analysis of the risks presented by BYOD, read this whitepaper by well-known security analyst Mike Rothman and this whitepaper by the SANS Institute.

ForeScout’s Solution

While mobile device management (MDM) solutions are strong for provisioning, managing settings on and sandboxing smartphones, they do not provide granular control over network access, nor do they work on personal laptop computers. For a comprehensive solution, you need to be able to control the network layer directly as well.

ForeScout CounterACT is an automated network security platform that gives IT security managers an easy way to reduce the risks associated with BYOD. ForeScout CounterACT provides real-time visibility of personal devices on your network, limits the network access of those devices, and prevents those devices from spreading malware onto your network.

Step One – Visibility
Gartner estimates that the typical enterprise is aware of only 80% of the devices that are active on its network.² ForeScout CounterACT shows in real-time all devices on your network, including devices that you don’t own. ForeScout CounterACT categorizes devices by type—Windows, Mac, Linux, Apple iOS, Android, Blackberry, printers, etc. ForeScout CounterACT also categorizes devices by ownership—corporate devices vs. personal devices. For more information on ForeScout CounterACT’s visibility features, see here.

ForeScout CounterACT Mobile Security Module provides even greater visibility by providing deep inspection of Android and iOS devices including information about the hardware, software, and configuration of these devices.

Note 1: http://www.cio.com.au/article/393246/idc_it_hasn_t_grasped_consumerization_trend/

Note 2: “Strategic Road Map for Network Access Control”, Gartner, 11 October 2011, Lawrence Orans and John Pescatore.

Features

ForeScout CounterACT and ForeScout Mobile Security Module help IT security managers solve the BYOD problem:

• Network-based. The advantage of a network-based approach is that it covers everything—devices that employees are carrying today, and devices they will carry in the future which are not yet on the market. Not only is a network-based approach future-proof, it also avoids the need to try to install software on devices you don’t control, especially devices belonging to guests and contractors. ForeScout CounterACT:
  • Is a network appliance, either physical or virtual
  • Works with your existing network infrastructure
  • Installs out-of-band, for zero network disruption
  • Works with or without agents
• Identifies personal devices. Before you can secure your network or enforce policies, you need to know what is on your network. ForeScout CounterACT:
  • Detects all devices on your network in real-time, regardless of the connection method—wired, wireless, or VPN
  • Categorizes all devices by type—computers, wireless access points, handheld phones, USB memory devices, printers, gaming consoles, etc.
  • Categorizes devices by operating system—Windows, MacOS, Apple iOS, Android, Windows Mobile, Blackberry
  • Categorizes devices by ownership. Built-in mechanisms allow ForeScout CounterACT to distinguish personal or unknown devices from corporate devices. These mechanisms include:
    • Did the device successfully authenticate with your directory (802.1x, LDAP, RADIUS, Active Directory, Oracle or Sun)?
    • Does the device match a known whitelist?
    • Does the device contain a known MAC address?
    • Is there a “watermark” on the device?
    • Is the device manageable via the domain or a host-based agent?
    • Is the device running a specific process or application?
    • Is the device running the ForeScout Mobile app, or does it contain a ForeScout Mobile iOS policy?

• Provides detailed information about iOS and Android devices
  • Hardware information such as vendor, model, OS version, installed apps, IP and MAC addresses, serial number
  • Is the device jailbroken or rooted?
  • How is the device connected? WiFi? VPN? Broadband?
  • Is password enabled?
  • Is encryption enabled?
  • What applications are installed?
  • Are security applications such as antivirus or MDM installed and running?

• Wide range of enforcement options. ForeScout CounterACT provides an extensive range of automated network controls which keeps your business running, your users happy, and your network secure. The list includes:
  • Monitor—learn who and what are on your network, and identify non-compliant systems
  • Notify—send emails or messages to IT personnel or end-users, or HTTP hijack end-users. Automated messages can guide end-users to take remediation steps, such as install specific MDM applications or security tokens.
  • Limit—limit the network access based on device type, device ownership, time of day, and device compliance. The limited access network can allow access to a subset of applications and data, blocking access to more sensitive corporate resources.
  • Block—keep all (or just certain types of) devices off your network completely.
  • Remediate—directly remediate (without end-user intervention) iOS devices with actions as remote wipe, enforce password policy, remove or disable apps, and enforce specific WiFi access methods.

• Automated guest registration. As an alternative (or supplement) to security policies that enforce network access based on device type, ForeScout CounterACT includes a built-in guest registration system that allows you to collect information about the user, for example: name, company, phone, and email address. Different people can be granted different network access, automatically.
• Post-connect monitoring. Once ForeScout CounterACT admits an endpoint onto your network, ForeScout CounterACT continuously monitors the endpoint to ensure that it remains compliant with your security policies and uninfected. If the device begins to attack your network, ForeScout CounterACT’s built-in threat prevention system blocks the attack.