Network Access Control
Overview
The Challenge
Have you read stories about network access control (NAC) solutions that have taken months to deploy? Most of the NAC solutions from major vendors are architectural nightmares. They require installation of 802.1x software on every endpoint, changes and/or upgrades to your entire switch infrastructure, and manual workarounds for devices such as printers that could not accommodate 802.1x agents.
Most NAC products from major vendors also suffer from a limited range of actions. They are good at kicking devices off the network, but that is not good for the business, and it is detrimental to the careers of IT managers.
The ForeScout Difference
ForeScout CounterACT is different from most network access control (NAC) solutions because it is easy to deploy and provides rapid results. Here is why:
- One box, one day to install. Everything is contained in a single appliance. Setup is easy with built-in configuration wizards.
- ForeScout works with what you have. All your existing switches, routers, firewalls, endpoints, patch management systems, antivirus systems, directories, ticketing systems–ForeScout CounterACT works with them. We require no infrastructure changes or equipment upgrades.
- No software. ForeScout CounterACT is agentless, which means it works with all types of endpoints–managed and unmanaged, known and unknown, authorized and rogue. No client installation is required.
- Non-disruptive. Unlike first generation NAC products that immediately disrupt users with heavy-handed access controls, ForeScout CounterACT can be deployed in a phased approach which minimizes disruption and accelerates results. In the initial phase, CounterACT gives you visibility to your trouble spots. When you want to move forward with automated control, you can do so gradually, starting with the most problematic locations and choosing an appropriate enforcement action.
- Accelerated results. ForeScout CounterACT provides useful results on Day 1 by giving you visibility to problems on your network. The built-in knowledge base helps you configure security policies quickly and accurately.
Beyond ease of deployment, ForeScout CounterACT differs from the NAC solutions of major vendors that rely on heavy-handed controls and disrupt users: it provides an extensive range of automated controls that keep the business running to the maximum extent possible. The list includes:
User enforcement and education
- Open trouble ticket
- Send email to user or administrator
- Create traps
- Syslog
- Personalized web message (network use policy, self remediation, etc.)
- Auditable end-user acknowledgement
- Force authentication/password change
- Log off user, disable user AD account
Application control and remediation
- Application start or stop
- Peer-to-peer/IM start or stop
- Apply updates and patches
Network access control
- Port disable (802.1X, SNMP)
- VLAN control
- VPN disconnect
- ACL block at the switch, firewalls and routers
- Wireless allow/deny
- Quarantine until the device is remediated
Traffic control
- Virtual firewall
- Update network ACL (switch, router, firewall)
Operating system control and remediation
- Patch/hotfix update
- Registry configuration
- Process start/stop
Device control
- Disable NIC
- Shut down PC
- Disable use of peripheral device
ForeScout vs. Cisco
Most ForeScout customers have Cisco-based networks. They have chosen ForeScout CounterACT over Cisco’s solution because CounterACT is faster to deploy, easier to manage, and less expensive than Cisco’s solution.
Want details? Let’s get specific: A complete Cisco solution requires the installation of agents, multiple appliances, consumes more power, takes up more rack space, and requires that you purchase several annual license subscriptions. The following table shows what is required for a complete Cisco solution that compares to ForeScout CounterACT:
| Feature | Cisco | ForeScout |
| --- | --- | --- |
| Switch port control | Requires all of the following: 1. Cisco NAC Server; 2. Cisco Network Admission Control (NAC) Manager; 3. Cisco Secure Access Control System (ACS) | All features are included in the ForeScout CounterACT appliance. |
| Endpoint OS and antivirus detection and remediation | In addition to the above: 4. Agents installed on endpoints (Cisco Secure Services Client, or Cisco NAC Agent) | Included in the CounterACT appliance. |
| Block internal attacks | In addition to the above: 5. Cisco Intrusion Prevention System (deployed inline) | Included in the CounterACT appliance. |
| Role-based traffic control | In addition to the above: 6. Cisco ASA 5500 Series Adaptive Security Appliance (deployed inline) and/or Cisco PIX Firewall (deployed inline) | Included in the CounterACT appliance. |
| Guest access and registration | In addition to the above: 7. Cisco NAC Guest Server | Included in the CounterACT appliance. |
| Visibility and policy enforcement of non-user devices (e.g. printer, VoIP, PDA, etc.) | In addition to all of the above: 8. Cisco NAC Profiler | Included in the CounterACT appliance. |
| Endpoint application control | Not available. | Included in the CounterACT appliance. |
| USB peripheral enforcement | Not available. | Included in the CounterACT appliance. |
Features
ForeScout CounterACT for Network Access Control automatically enforces whatever network access policies you desire for your organization. For a complete list of product features, see our product page. At a high level, these are the important features that you should look for in a NAC product:
- Easy to deploy. Look for a product that:
  - Works with your existing network infrastructure (all brands of switches), without requiring them to support 802.1x
  - Is agentless. Products that require you to deploy agents to desktops are not only difficult to deploy, but they are inherently unable to deal in a sophisticated way with unmanaged devices such as personal laptops, smartphones, network equipment such as printers, diagnostic equipment, etc.
  - Has few moving parts. The fewer appliances, servers, and software packages you need to install and configure, the better.
- Wide range of enforcement actions. Look for a product that includes these characteristics:
  - Monitor mode, which lets you detect (and report on) policy violations without taking action.
  - Notifications, which let you send emails or HTTP hijacks to end users who violate policies
  - Auto-remediation, which lets you automatically fix security problems such as operating system vulnerabilities, broken security agents, etc.
  - Disable actions, such as blocking unauthorized USB memory sticks or unauthorized applications
  - Restrict traffic to certain portions of the network
  - Block network access using a wide range of technologies such as 802.1x, SNMP, ACL management, TCP reset
- Automated guest registration. Look for a product that identifies guests trying to access your network and gives them an opportunity to automatically request and receive permission to use your network, similar to the system used in hotel lobbies.
- Automatic detection of printers. Look for a product that can automatically detect network devices such as printers, VoIP phones, switches, and other equipment. The NAC product should not require you to manually update a list of such devices.
- Post-connect monitoring. Look for a product that will monitor a device after it has been admitted to the network, checking to ensure that it does not begin to behave in a threatening manner.
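The two ideas that recur in the enforcement-action list and in the feature checklist above are graded actions (from notification up to port disable) and a monitor phase that reports violations without acting, rolled out site by site. The following is an added example, not ForeScout code or any vendor API: a small policy engine with hypothetical posture fields (`av_running`, `patches_current`, `unauthorized_usb`) and constructed sample endpoints. Sites not yet in the enforced set stay in monitor mode, non-user devices such as printers are exempt from workstation checks so they are not kicked off for lacking an agent, and the strongest violated policy determines the action.

```python
"""Graded NAC enforcement with a per-site monitor phase.

Added example, not ForeScout code: a policy engine that evaluates an
endpoint's posture against a list of checks and picks the strongest
applicable action, downgrading everything to LOG for sites that are
still in the monitor (visibility-only) phase.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


class Action(IntEnum):
    """Enforcement actions ordered from gentle to assertive."""
    LOG = 1        # monitor mode: record the violation, take no action
    NOTIFY = 2     # email or personalized web message to the user
    REMEDIATE = 3  # restart the AV agent, push a patch
    RESTRICT = 4   # move to a quarantine VLAN or apply an ACL
    BLOCK = 5      # disable the switch port


@dataclass(frozen=True)
class Endpoint:
    """Posture data gathered for one device (hypothetical field names)."""
    mac: str
    site: str
    device_type: str          # "workstation", "printer", "voip", "unknown"
    user_authenticated: bool = False
    av_running: bool = False
    patches_current: bool = False
    unauthorized_usb: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    device_types: Tuple[str, ...]           # device classes the check applies to
    violated: Callable[[Endpoint], bool]    # True when the endpoint is non-compliant
    action: Action                          # action applied when the site is enforced


# Constructed sample policies. Printers and VoIP phones are deliberately
# excluded from the workstation checks: an auto-detected non-user device
# must not be blocked for "missing" an agent it can never run.
POLICIES: List[Policy] = [
    Policy("unknown-device", ("unknown",), lambda e: True, Action.RESTRICT),
    Policy("unauthenticated-user", ("workstation",),
           lambda e: not e.user_authenticated, Action.BLOCK),
    Policy("av-not-running", ("workstation",),
           lambda e: not e.av_running, Action.REMEDIATE),
    Policy("patches-missing", ("workstation",),
           lambda e: not e.patches_current, Action.NOTIFY),
    Policy("unauthorized-usb", ("workstation",),
           lambda e: e.unauthorized_usb, Action.RESTRICT),
]


def evaluate(endpoint: Endpoint, policies: List[Policy],
             enforced_sites: FrozenSet[str]) -> Dict[str, Action]:
    """Map each violated policy name to the action it would trigger.

    A site absent from ``enforced_sites`` is still in the monitor phase, so
    every violation there is downgraded to LOG regardless of the policy.
    """
    enforce = endpoint.site in enforced_sites
    hits: Dict[str, Action] = {}
    for policy in policies:
        if endpoint.device_type not in policy.device_types:
            continue
        if policy.violated(endpoint):
            hits[policy.name] = policy.action if enforce else Action.LOG
    return hits


def decide(endpoint: Endpoint, policies: List[Policy],
           enforced_sites: FrozenSet[str]) -> Optional[Action]:
    """Strongest action across all violated policies; None if compliant."""
    hits = evaluate(endpoint, policies, enforced_sites)
    return max(hits.values()) if hits else None


# Constructed sample inventory: "branch-3" is the first site moved from
# monitor mode to enforcement; "hq" is still visibility-only.
ENFORCED_SITES: FrozenSet[str] = frozenset({"branch-3"})
SAMPLE_ENDPOINTS: List[Endpoint] = [
    Endpoint("00:11:22:33:44:01", "hq", "workstation", user_authenticated=True),
    Endpoint("00:11:22:33:44:02", "branch-3", "workstation",
             user_authenticated=True, patches_current=True),
    Endpoint("00:11:22:33:44:03", "branch-3", "printer"),
    Endpoint("00:11:22:33:44:04", "branch-3", "unknown"),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        verdict = decide(ep, POLICIES, ENFORCED_SITES)
        print(f"{ep.mac} {ep.site:9} {ep.device_type:12} "
              f"{verdict.name if verdict else 'compliant'}")
```

Running the script lists one line per endpoint: the HQ workstation with a stopped antivirus and missing patches is only logged because HQ is still in monitor mode, the same posture at branch-3 yields REMEDIATE, the printer is compliant because no workstation policy applies to it, and the unclassified device at branch-3 is restricted. Moving a site into enforcement is a one-line change to `ENFORCED_SITES`, which is the phased rollout the page describes.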
Benefits
ForeScout CounterACT’s automated security control system helps organizations improve security while saving money.
Improve security
- Ensure that unauthorized users are not on your network
- Ensure that unauthorized devices are not on your network
- Reduce risk of infection by ensuring that authorized endpoints are properly configured, antivirus is running and up to date, vulnerabilities are patched, and the latest versions of software are installed.
- Reduce risk of data loss by ensuring that encryption and DLP agents are running properly. Ensure that users are not able to run unauthorized applications or peripheral devices (e.g. USB memory sticks).
- Thwart network attacks with CounterACT’s built-in ActiveResponse technology.
Save time and money
- ForeScout CounterACT lets you eliminate manual labor associated with opening or closing network ports for guest access.
- ForeScout CounterACT can automatically detect and categorize network devices such as printers, automatically granting network access according to the policy that you specify. This saves time relative to simpler NAC systems that require maintenance of a MAC address list for these sorts of devices.
- If you have been dedicating separate Internet connections for use by guests, you can decommission these lines and save money.
Avoid disruption
- Unlike simplistic products that disrupt users with heavy-handed security controls, ForeScout CounterACT offers a full spectrum of enforcement actions ranging from gentle (notifications) to assertive (update software or kill processes). The range of enforcement actions helps you be more successful by working with users, not against them.
Improve productivity
- ForeScout CounterACT allows guests and contractors to work efficiently while they are on your premises. CounterACT grants the right level of network access to each person and device, without intrusive intervention or software installation.
Tour
Guest Registration
ForeScout CounterACT allows guests to register for access to your network.
Compliance Corporate Host
ForeScout CounterACT gives you real-time visibility to who is on your network, including the location and security posture of guest computers.
Port Security
ForeScout CounterACT provides port-based network access control–with or without 802.1x.