Strong Network Access Control

ForeScout CounterACT is a military-grade security product ideally suited to protect the network infrastructure of the U.S. Department of Defense (DoD), military contractors and suppliers.

In the United States, all Department of Defense (DoD) networks and their connecting networks are required to have an advanced level of security.   Some of the specific security requirements include:

  1. Network access control. The requirement for port-based network access control is contained in the Security Technical Implementation Guide (STIG) that is published by the United States Defense Information Systems Agency (DISA). This document states that all DoD networks must control access at the switch port.
  2. IAVA. United States DoD networks must comply with Information Assurance Vulnerability Alerts (IAVA) standards.
  3. Unauthorized devices and applications. Many defense organizations have restrictions against the use of USB memory sticks and peer-to-peer (P2P) applications.

In 2011, ForeScout has achieved the industry’s highest level of security certification for a Network Access Control (NAC) solution involving assurances from the EAL 4+ level.  ForeScout CounterACT is also included in the United States Army Information Assurance Approved Products List (AIAAPL), demonstrating that CounterACT met the Army’s high standards for security, ease of use and deployment, low end-user impact, and interoperability with existing remediation solutions and infrastructure requirements. Since then, many U.S. Department of Defense facilities have deployed CounterACT.

Much of our success is based on CounterACT’s ability to see every IP device connected to the network, control all connections down to the switch port, and provide complex policies to enable and enforce security processes and standards. Enforcement actions can include post-connection monitoring for threat prevention, and detection/blocking of banned devices (such as unencrypted USB memory devices). CounterACT can be deployed with or without 802.1x.


ForeScout CounterACT is an automated security control platform that delivers real-time visibility and control of all devices on your network.

The features which make ForeScout CounterACT uniquely suited to address the needs of defense and military organizations include:

  • Port-level access control. ForeScout CounterACT helps organizations meet the access control requirements as detailed in the DISA STIG.
  • Network policy compliance. In addition to the simple port-level access control requirements mandated by the DISA STIG, ForeScout CounterACT includes many advanced network visibility and policy enforcement features.
  • IAVA integration. ForeScout CounterACT integrates with products from eEye Digital Security to deliver a combined vulnerability assessment (VA) and network access control (NAC) solution which automates the process of ensuring that all devices on the network are in compliance with IAVA standards.
  • Control unauthorized USB devices and applications. ForeScout CounterACT blocks unauthorized USB devices and applications (e.g. P2P) from all computers on the network.
  • Integration with McAfee ePolicy Orchestrator (ePO™). ForeScout CounterACT integrates with McAfee ePO.   Specifically, ForeScout CounterACT provides ePO with real-time information about computers on the network, including many parameters (such as the location of computers) that is otherwise unavailable to ePO.   This additional information gives security managers a higher degree of Situational Awareness and a greater degree of control over managed endpoints (those within the scope of McAfee ePO).
  • ControlFabric Integration. All of the information generated by ForeScout CounterACT can be exported to your existing IT management systems and other security systems. Integrations are available for most leading SIEM systems, and end-users can build custom integrations with the Open Integration Module.
  • Scalability. ForeScout CounterACT has more large deployments than any other network access control solution. Our product has been proven in organizations with more than 200,000 endpoints who manage their entire network from a single centralized ForeScout CounterACT enterprise manager console.
  • Compatibility. ForeScout CounterACT is an out-of-band, network-based appliance that works with your existing network infrastructure – no switch upgrades, no network reconfigurations. CounterACT integrates with all major enterprise switches, both 802.1X and non-802.1X.
  • Certifications.ForeScout CounterACT is a military-grade security product that has achieved widespread utilization within military environments.   ForeScout CounterACT has achieved the following certifications:
  • Government contracts.ForeScout CounterACT is listed in several government contracts to ease procurement:
    • GSA Schedules (also referred to as Multiple Award Schedules and Federal Supply Schedules)
    • NASA SEWP (Solutions for Enterprise-Wide Procurement) GWAC (Government-Wide Acquisition Contract)
    • ITES/2H (Managed and used by US Army. Also used by DoD and other federal agencies)
    • Encore II (Managed by DISA, Defense Information Systems Agency)


With ForeScout CounterACT, defense agencies achieve the following benefits:

Strong security
  • Comply with requirements and mandates (such as DISA STIG).
  • Ensure that unauthorized users are not on your network.
  • Reduce risk of data loss by ensuring that encryption and DLP agents are running, users are not running unauthorized applications or peripheral devices (e.g. USB memory sticks).
  • Reduce risk of infection by ensuring that antivirus is properly updated and vulnerabilities are patched.
  • Block rogue and unauthorized devices such as smartphones, tablets, wireless access points.
Save time
  • Realtime information improves situational awareness and lets you take action while the problem still exists.
  • Integration with other security systems, such as McAfee ePO and eEye Retina saves time.
Improve network stability
  • Identify rogue network infrastructure such as wiring hubs, wireless access points, and DHCP servers. Often these unauthorized devices are the source of network instability and outages.
Painless deployment
  • ForeScout CounterACT is the fastest, easiest way to gain strong access control, regardless of whether you are planning to utilize 802.1x for authentication and port control.
Security Assurance
  • With EAL4+, government agencies can be assured that the specification, implementation and effectiveness of CounterACT for Network Access Control have been evaluated in a rigorous and standardized manner to meet their security and compliance needs.
Break down information silos
  • Through ForeScout’s ControlFabric architecture, customers can achieve continuous monitoring and mitigation capabilities that better leverage their infrastructure investments and optimize IT resources.

Product Tours

Product Demonstrations

Port Security

ForeScout CounterACT provides port-based network access control–with or without 802.1x.

Product Screenshots

Click image to enlarge.

Virtual Client-unauthorized changes

ForeScout CounterACT can identify unauthorized changes to PC configurations or software.

Unauthorized processes

ForeScout CounterACT shows you which PCs are running unauthorized processes.

Unapproved Network WiFi device

ForeScout CounterACT identifies rogue WiFi devices.

Kill peer-to-peer user experience

ForeScout CounterACT lets you kill unauthorized software, keeping endpoint systems in compliance with your security policies.

Global Overview

ForeScout CounterACT includes a built-in map that shows compliance statistics by site.

Site Visibility

From the map, you can drill down to see host information by site.

802.1X Policy Wizard

ForeScout CounterACT policy wizard makes it easy to control network access using 802.1X.

Mobile Security

By integrating with an MDM system, or using ForeScout Mobile, you can easily detect jailbroken or rooted smartphones and apply appropriate network access policies.