BYOD Security

Overview

Employees want to use their personal mobile devices to access corporate resources. Managers want productivity gains. This consumerization of IT—also known as Bring-Your-Own-Device or BYOD—represents a daunting security challenge.  How can you accommodate employee and guest requests to use their smartphones, notebooks and tablets on your network while mitigating security risks?

ForeScout helps you embrace BYOD while preserving security. ForeScout products give you real-time visibility and control over personal devices on your network.  ForeScout offers a range of products that protect your network and your data, regardless of what type of device your employees are trying to use.

The Challenge

Increasingly, employees are bringing their personal devices into the office and expecting to connect them to the enterprise network and/or the Internet. In July 2011, IDC released a study indicating that 40.7% of devices used by information workers to access business applications are ones they own themselves, including laptops, smartphones, and tablets such as Apple’s iPad. That was a 10-point jump from the prior year’s study. [1]

Perhaps more concerning, this trend is happening faster than IT managers realize.  When IDC surveyed IT managers about the number of consumer devices on their networks, they underestimated the number by 50%.

Consumer devices accessing corporate networks pose numerous security challenges.  IT managers need to find a way to secure corporate data on the devices, protect the corporate network from infection by malware that may be present on the devices, and control the level of access the devices have to the corporate network.

The initial response of many IT organizations was to ban all consumer devices from their networks. But IT organizations are increasingly seeing that this is not a sustainable strategy. According to Gartner:

“Consumerization is an unstoppable trend, and most organizations need to demonstrate flexibility and allow employees to use their personal devices for work. But, they also need to establish limits and not permit every device, every operating system and every configuration. Although approaches such as server-based computing and virtualization will also be used to deal with consumerization, NAC provides the flexibility that enterprises need in a BYOD environment, while providing the controls that enable network and security managers to retain control over the network.” [2]

For a more extensive analysis of the risks presented by BYOD, read this whitepaper by well-known security analyst Mike Rothman and this whitepaper by the SANS Institute.

ForeScout’s Solution Set

ForeScout provides three levels of security for BYOD. Depending on your budget and your level of security requirements, you may use all three at the same time. Many of our customers find that the optimal security solution is to reserve the more expensive solution for those users with the highest need for mobile security on their devices.

The foundation of ForeScout’s mobile security solution is ForeScout CounterACT.  This network-based appliance works with PCs and handheld devices. It gives you immediate, real-time visibility of every device on your network without the need for agents.  No software to download, no enrollment to administer. It tells you who each user is and who owns each device.  It ties into directory services and provides role-based network access control.  Different users and devices get different access.  The price is low, and the impact to your users is trivial because it’s transparent.

The benefit of device visibility cannot be overstated. Gartner estimates that the typical enterprise is aware of only 80% of the devices that are active on its network. [2] ForeScout CounterACT shows in real-time all devices on your network, including devices that you don’t own. CounterACT categorizes devices by type—Windows, Mac, Linux, Apple iOS, Android, Blackberry, printers, etc. CounterACT also categorizes devices by ownership—corporate devices vs. personal devices. For more information on CounterACT’s visibility features, see here.

With ForeScout CounterACT, you can define and enforce different network access policies that support your mobile security strategy.  For example, you might want to allow all devices that contain an MDM agent onto the production network, and send all other personal devices onto a guest network. Or, you might want to restrict personal devices with MDM agents to certain portions of your network.

If you need stronger mobile security, then we offer ForeScout CounterACT with our optional ForeScout Mobile Security Module. With this you get enhanced device security for Android and iOS devices. ForeScout Mobile Security Module gives you deep inspection of Android and iOS devices, so you can determine the security posture. Is a password configured? Is the device jailbroken? Is encryption turned on? This lets you enforce more sophisticated network access control policies than you can with just CounterACT by itself. For example, you might want to specifically block jailbroken iOS devices from your network.

In addition, ForeScout Mobile Security Module lets you manage the configuration of Apple iOS devices.  The product leverages Apple’s built-in MDM API to control almost every aspect of the device, using Apple’s policy framework which is built into the iOS 4 operating system.  This does not require the installation of any type of agent on the Apple device.  All the visibility and control is provided natively from within the iOS operating system, using ForeScout CounterACT with ForeScout Mobile Security Module. You can directly set the password policy, remotely wipe the data, and many other functions.

In this solution tier, the impact on users remains very light, and the price is slightly higher than the first tier.

If your need for security on mobile devices is high, you will probably want to deploy a mobile device management (MDM) system. Such a system gives you extensive control over every aspect of a wide range of mobile device operating systems.

ForeScout MDM is a cloud-based MDM platform that provides end-to-end management of iOS, Android, Symbian, BlackBerry, Windows, and webOS devices.  ForeScout MDM lets you manage the entire mobile device lifecycle – from enrollment to security, monitoring, application management and support.

Regardless of whether you use ForeScout MDM or another MDM system, for optimal security and operational efficiency you should tie the MDM system into ForeScout CounterACT via our optional ForeScout Mobile Integration Module.  This gives you the advantage of network security PLUS unified security policy management. Rather than manage separate security policies for PCs vs. handheld devices, you can configure a single set of network access control policies in ForeScout CounterACT, and you can enforce those policies regardless of whether the user has a PC, a Mac, a smartphone or a tablet.
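The tiered policies described above (MDM-managed devices onto production, other personal devices onto the guest network, jailbroken devices blocked) and the ownership signals listed under Features (directory authentication, known MAC address, a running MDM agent) can be expressed as a small rule engine. The following is an added illustration, not ForeScout code: the Device attributes, the rule ordering and the sample endpoints are assumptions chosen to mirror the page's examples.

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    BLOCK = "block"            # kept off the network entirely
    GUEST = "guest"            # Internet-only guest network
    LIMITED = "limited"        # restricted portion of the corporate network
    PRODUCTION = "production"  # full production network

@dataclass
class Device:
    mac: str
    os: str
    directory_auth: bool      # authenticated via 802.1x / AD / LDAP / RADIUS
    known_mac: bool           # MAC address present in the corporate inventory
    mdm_agent: bool           # MDM agent installed and running
    jailbroken: bool = False  # jailbroken (iOS) or rooted (Android)
    passcode_set: bool = True # posture attributes from the Mobile Security Module
    encrypted: bool = True

def ownership(dev: Device) -> str:
    """Corporate if it authenticated to the directory or its MAC is known; otherwise personal."""
    return "corporate" if (dev.directory_auth or dev.known_mac) else "personal"

def decide_access(dev: Device) -> Access:
    """Evaluate rules in priority order; the first matching rule wins."""
    if dev.jailbroken:                        # block jailbroken/rooted devices outright
        return Access.BLOCK
    if ownership(dev) == "corporate":         # corporate-owned devices get production access
        return Access.PRODUCTION
    if not dev.mdm_agent:                     # personal device without MDM -> guest network
        return Access.GUEST
    if not (dev.passcode_set and dev.encrypted):  # MDM present but posture is weak
        return Access.LIMITED
    return Access.PRODUCTION                  # personal, MDM-managed and compliant

# Constructed sample endpoints (hypothetical MACs, not real inventory data)
SAMPLE_DEVICES = [
    Device("00:11:22:33:44:01", "windows", True, True, True),
    Device("00:11:22:33:44:02", "ios", False, False, False),
    Device("00:11:22:33:44:03", "ios", False, False, True, jailbroken=True),
    Device("00:11:22:33:44:04", "android", False, False, True, encrypted=False),
    Device("00:11:22:33:44:05", "ios", False, False, True),
]

def evaluate_all(devices=SAMPLE_DEVICES) -> dict:
    """Map each device MAC to the network segment the policy assigns it."""
    return {d.mac: decide_access(d).value for d in devices}
```

Reordering the rules changes the outcome (for example, a corporate-owned but jailbroken phone would reach production if the ownership rule ran first), so the priority order is itself part of the policy.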

Note 1: http://www.cio.com.au/article/393246/idc_it_hasn_t_grasped_consumerization_trend/

Note 2: “Strategic Road Map for Network Access Control”, Gartner, 11 October 2011, Lawrence Orans and John Pescatore.


Features

ForeScout CounterACT
  • Network-based. The advantage of a network-based approach is that it covers everything—devices that employees are carrying today, and devices they will carry in the future which are not yet on the market. Not only is a network-based approach future-proof, it also avoids the need to try to install software on devices you don’t control, especially devices belonging to guests and contractors. ForeScout CounterACT:
    • Is a network appliance, either physical or virtual
    • Works with your existing network infrastructure
    • Installs out-of-band, for zero network disruption
    • Works with or without agents
  • Identifies personal devices. Before you can secure your network or enforce policies, you need to know what is on your network. ForeScout CounterACT:
    • Detects all devices on your network in real-time, regardless of the connection method—wired, wireless, or VPN
    • Categorizes all devices by type—computers, wireless access points, handheld phones, USB memory devices, printers, gaming consoles, etc.
    • Categorizes devices by operating system—Windows, MacOS, Apple iOS, Android, Windows Mobile, Blackberry
    • Categorizes devices by ownership. Built-in mechanisms allow ForeScout CounterACT to distinguish personal or unknown devices from corporate devices. These mechanisms include:
      • Did the device successfully authenticate with your directory (802.1x, LDAP, RADIUS, Active Directory, Oracle or Sun)?
      • Does the device match a known whitelist?
      • Does the device contain a known MAC address?
      • Are security applications such as antivirus or MDM installed and running?
  • Wide range of enforcement options. ForeScout CounterACT provides an extensive range of automated network controls, which keeps your business running, your users happy, and your network secure. The list includes:
    • Monitor—learn who and what are on your network, and identify non-compliant systems
    • Notify—HTTP hijack end-users and guide them to take remediation steps, such as install specific MDM applications or security tokens.
    • Limit—limit the network access based on device type, device ownership, time of day, and device compliance. The limited access network can allow access to a subset of applications and data, blocking access to more sensitive corporate resources.
    • Block—keep all (or just certain types of) devices off your network completely.
  • Automated guest registration. As an alternative to security policies that enforce network access based on device type, ForeScout CounterACT includes a built-in guest registration system that allows you to collect information about the user, for example: name, company, phone, and email address.  Different people can be granted different network access, automatically.
  • Post-connect monitoring. Once ForeScout CounterACT admits an endpoint onto your network, ForeScout CounterACT continuously monitors the endpoint to ensure that it remains compliant with your security policies and uninfected. If the device begins to attack your network, ForeScout CounterACT’s built-in threat prevention system blocks the attack.
ForeScout Mobile Security Module
  • Provides additional detailed information to CounterACT about iOS and Android devices
    • Hardware information such as vendor, model, OS version, installed apps, serial number
    • Is the device jailbroken or rooted?
    • Is password enabled?
    • Is encryption enabled?
    • What applications are installed?
  • Provides additional actions such as:
    • Notify—send messages to end-users on their mobile devices
    • Remediate—directly remediate (without end-user intervention) iOS devices with actions as remote wipe, enforce password policy, remove or disable apps, and enforce specific WiFi access methods.
ForeScout MDM
  • OTA configuration
  • Passcode enforcement
  • Security policy management
  • Remote lock and full wipe
  • Selective wipe of corporate data
  • Device restrictions
  • Asset management
  • Self-service portal
  • Real-time reporting
  • Corporate app storefront

Benefits

  • Greater business agility. ForeScout lets you solve the consumerization of IT problem so that your organization can reap the benefits of endpoint flexibility and mobility.
  • Increased employee productivity and retention. ForeScout empowers workers to use devices of their choice for maximum productivity and employee satisfaction.
  • Improved visibility: ForeScout CounterACT lets you identify all devices on your network in real-time, including personal devices without any agents installed.  ForeScout CounterACT categorizes devices by type—Windows, Mac, Linux, Apple iOS, Android, Blackberry, printers, etc.  ForeScout CounterACT also categorizes devices by ownership, e.g. corporate devices vs. personal devices.  With ForeScout Mobile Security Module, you get additional detailed information about each device including its configuration, its applications, and its security posture.
  • Policy enforcement: CounterACT lets you enforce any type of network access policy you may wish. You may choose to prohibit consumer devices on your network. Or allow some (or all) consumer devices, but limit them to specific portions of your network. With ForeScout Mobile Security Module, you can enforce more granular network access policies, and you can directly remediate security deficiencies on iOS devices. And with ForeScout MDM you can enforce policies on a wide range of mobile device types including iOS, Android, Windows Mobile, Blackberry, Symbian, and WebOS devices.
  • Better enterprise-wide security and control: ForeScout CounterACT has three mechanisms to ensure that personal devices do not threaten the security of your network:
  1. ForeScout CounterACT limits guest access, preventing them from accessing sensitive resources
  2. ForeScout CounterACT ensures that guest devices meet your security policies while they are connected to your network
  3. ForeScout CounterACT continuously monitors guest systems to ensure that they do not attack your network.

Product Tours

Product Demonstrations

Mobile Handheld Security

This video demonstrates the use of ForeScout CounterACT to identify mobile handheld devices on the network and offer role-based access. Corporate devices are provided full access automatically while guests can be registered via SMS for 100% user verification.

Product Screenshots


Guest Registration

ForeScout CounterACT allows guests to register for access to your network.

Mobile Devices

ForeScout CounterACT identifies handheld devices on your network – iPhone, iPad, Android, Windows Mobile, Blackberry, Nokia Symbian.

Mobile Device Properties

ForeScout Mobile shows you an inventory of mobile device properties on your network.

Mobile Application Inventory

ForeScout Mobile provides a real-time inventory of all mobile apps on your network.

MDM Watch List

View a summary of the status of all devices.

Secure Document Sharing

Centrally manage documents, users, access controls, distribution, and policies.

Android MDM Policies

Manage the configuration for Android devices.

iOS MDM Policies

Manage the configuration for iOS devices.

MDM Actions

From within the ForeScout MDM management console, take actions to protect data and the device over-the-air.

Send Enrollment Request

ForeScout MDM discovers new users and devices, and allows IT to launch a simple end user self-service OTA enrollment process.

Cloud Extender

Integrate mobile devices with email, calendar, and contacts platforms such as BlackBerry Enterprise Server, Microsoft Exchange 2007 and 2010 Server, Lotus Notes, Active Directory or Microsoft’s upcoming Office 365.