Network Access Control

Overview

The Challenge

Have you read stories about network access control (NAC) solutions that have taken months to deploy? Most of the NAC solutions from major vendors are architectural nightmares. They require installation of 802.1X software on every endpoint, changes and/or upgrades to your entire switch infrastructure, and manual workarounds for devices such as printers that can not accommodate 802.1X agents.

Most NAC products from major vendors also suffer from a limited range of actions. They are good at kicking devices off the network, but that is bad for the business and detrimental to the careers of IT managers.

The ForeScout Difference

ForeScout CounterACT is different from most network access control (NAC) solutions because it is easy to deploy and provides rapid results. Here is why:

  • One box, one day to install. Everything is contained in a single appliance. Setup is easy with built-in configuration wizards.
  • Hybrid 802.1X / Non-802.1X . Since you can choose 802.1X or other authentication technologies such as LDAP, Active Directory, device attributes or more, our hybrid mode lets you use multiple techniques concurrently, which speeds NAC deployment in large, diverse or complex environments.
  • ForeScout works with what you have. All your existing switches, routers, firewalls, endpoints, patch management systems, antivirus systems, directories, ticketing systems–ForeScout CounterACT works with them. We require no infrastructure changes or equipment upgrades.
  • No software. ForeScout CounterACT agents are optional – you can go 100% agent less which means it works with all types of endpoints: managed and unmanaged, embedded, known and unknown, authorized and rogue.
  • Non-disruptive. Unlike first generation NAC products that immediately disrupt users with heavy-handed access controls, ForeScout CounterACT can be deployed in a phased approach which minimizes disruption and accelerates results. In the initial phase, CounterACT gives you visibility to your trouble spots. When you want to move forward with automated control, you can do so gradually, starting with the most problematic locations and choosing an appropriate enforcement action.
  • Accelerated results. ForeScout CounterACT provides useful results on Day 1 by giving you visibility to problems on your network. The built-in knowledge base helps you configure security policies quickly and accurately.

Second, unlike the NAC solutions from major vendors that use heavy-handed controls and disrupt users, ForeScout CounterACT provides an extensive range of automated controls which keeps the business running to the maximum extent possible. The list includes:

User enforcement and education

  • Open trouble ticket
  • Send email to user or administrator
  • Create traps
  • Syslog
  • Personalized web message (network use policy, self remediation, etc.)
  • Auditable end-user acknowledgement
  • Force authentication/password change
  • Log-off user, disable user AD account
Application control and remediation

  • Application start or stop
  • Peer-to-peer/IM start or stop
  • Apply updates and patches
Network access control

  • Port disable (802.1X, SNMP)
  • VLAN control
  • VPN disconnect
  • ACL block at the switch, firewalls and routers
  • Wireless allow/deny
  • Quarantine until the devices is remediated
Application control and remediation

  • Application start or stop
  • Peer-to-peer/IM start or stop
  • Apply updates and patches
Traffic control

  • Virtual firewall
  • Update network ACL (switch, router, firewall)
Operating system control and remediation

  • Patch/hotfix update
  • Registry configuration
  • Process start/stop
Device control

  • Disable NIC
  • Shutdown PC
  • Disable use of peripheral device
ForeScout vs. Cisco

Most ForeScout customers have Cisco-based networks. They have chosen ForeScout CounterACT over Cisco’s solution because CounterACT is faster to deploy, easier to manage, and less expensive than Cisco’s solution.

Want details? Let’s get specific: A complete Cisco solution requires the installation of agents, multiple appliances, consumes more power, takes up more rack space, and requires that you purchase several annual license subscriptions.

Cisco’s solution is heavily dependent on 802.1X which requires complex configuration of the network infrastructure, especially in wired LANs. 802.1X is a poor fit for BYOD environments. Also, Cisco ISE requires inline deployment for certain features, which is a potential failure point. In contrast, ForeScout never requires inline deployment.

Cisco ISE requires agents to be deployed on every endpoint for posture assessment and remediation. Cisco has two NAC endpoint agents which further complicates deployment: mobile devices require the Cisco AnyConnect client, while all other endpoints require the Cisco NAC agent. Dependency on 802.1X also necessitates a supplicant be installed on each endpoint. In contrast, ForeScout CounterACT can profile, authenticate, inspect, and remediate endpoints without agents.

Want more Details? Download this 24-page, comparative NAC report conducted by The Tolly Group which compares ForeScout CounterACT with Cisco Systems, Juniper and Bradford Networks NAC products. The evaluation covers 34 criteria points across key functional categories: deployment, interoperability, guest management, endpoint compliance, enforcement, remediation and scalability

Features

ForeScout CounterACT for Network Access Control automatically enforces whatever network access policies you desire for your organization. For a complete list of product features, see our product page. At a high-level, these are the important features that you should look for in a NAC product:

  • Easy to deploy. Look for a product that:
    • Works with your existing network infrastructureall brands of switches, without requiring them to support 802.1x
    • Is agentless. Products that require you to deploy agents to desktops are not only difficult to deploy, but they are inherently unable to deal in a sophisticated way with unmanaged devices such as personal laptops, smartphones, network equipment such as printers, diagnostic equipment, etc.
    • Has few moving parts. The fewer appliances, servers, and software that you need to install and configure the better.
  • Wide range of enforcement actions. Look for a product that includes these characteristics:
    • Monitor-mode which lets you detect (and report on) policy violations without taking action.
    • Notifications which let you send emails or HTTP hijacks to endusers who violate policies
    • Auto-remediation which lets you automatically fix security problems such as operating system vulnerabilities, broken security agents, etc.
    • Disable actions such as unauthorized USB memory sticks, unauthorized applications
    • Restrict traffic to certain portions of the network
    • Block network access using a wide range of technologies such as 802.1x, SNMP, ACL management, TCP reset
  • Automated guest registration. Look for a product that identifies guests trying to access your network and gives them an opportunity to automatically request and receive permission to use your network, similar to the system used in hotel lobbies.
  • Automatic detection of printers. Look for a product that can automatically detect network devices such as printers, VoIP phones, switches, and other equipment. The NAC product should not require you to manually update a list of such devices.
  • Post-connect monitoring. Look for a product that will monitor a device after it has been admitted to the network, checking to ensure that it does not begin to behave in a threatening manner.

Benefits

ForeScout CounterACT’s automated security control system helps organizations improve security while saving money.

Improve security

 

  • Ensure that unauthorized users are not on your network
  • Ensure that unauthorized devices are not on your network
  • Reduce risk of infection by ensuring that authorized endpoints are properly configured, antivirus is properly running and updated, vulnerabilities are patched, and the latest versions of software is installed.
  • Reduce risk of data loss by ensuring that encryption and DLP agents are running properly. Ensure that users are not able to run unauthorized applications or peripheral devices (e.g. USB memory sticks).
  • Thwart network attacks with CounterACT’s built-in ActiveResponse technology.
Save time and money
  • ForeScout CounterACT lets you eliminate manual labor associated with opening or closing network ports for guest access.
  • ForeScout CounterACT can automatically detect and categorize network devices such as printers, automatically granting network access according to the policy that you specify. This save time relative to simpler NAC systems that require maintenance of a MAC address list for these sorts of devices.
  • If you have been dedicating separate Internet connections for use by guests, you can decommission these lines and save money.
Avoid disruption
  • Unlike simplistic products that disrupt users with heavy-handed security controls, ForeScout CounterACT offers a full spectrum of enforcement actions ranging from gentle (notifications) to assertive (update software or kill processes). The range of enforcement actions helps you be more successful by working with users, not against them.
Improve productivity
  • ForeScout CounterACT allows guests and contractors to work efficiently while they are on your premises. CounterACT grants the right level of network access to each person and device, without intrusive intervention or software installation.

Product Tours

Product Demonstrations | Product Screenshots

Product Demonstrations

Tactical Map

ForeScout CounterACT includes a geographical map that allows you to easily manage the security of a large, global enterprise.

802.1X Management

ForeScout CounterACT includes tools to help IT security managers deploy and manage 802.1X.

topTop

Port Security

ForeScout CounterACT provides port-based network access control–with or without 802.1X.

Product Screenshots

Click image to enlarge.

Guest Registration

ForeScout CounterACT allows guests to register for access to your network.

Compliance Corporate Host

ForeScout CounterACT gives you real-time visibility to who is on your network, including the location and security posture of guest computers.

topTop

Resources