Network Access Control (NAC)
ForeScout's network access control solution provides complete access control over any device connected or connecting to the network. With numerous soft and hard enforcement options, the network access control solution helps ensure user productivity while providing the highest level of policy enforcement and network security. CounterACT provides an unparalleled level of access control and policy enforcement over all devices connected to the enterprise network, regardless of whether they are company owned (802.1x enabled or not), personal, or non-user based (i.e., printers, fax, VoIP phones, etc.). This clientless, transparent system allows for non-disruptive deployment and appropriate enforcement of network policies. The ForeScout solution also controls and enforces policies at the network level, enabling enterprise-wide scalability.
Clientless Network Access Control (NAC) - How it Works
ForeScout's CounterACT appliance takes a unique approach to network access control compared to other solutions in order to ensure the right devices have access to the right resources. The security platform consists of pre-defined policies that all network devices must adhere to in order to connect to the network. These policies are automatically propagated throughout the network of appliances from a centralized management console.
When a device first connects to an organization's network, the ForeScout network access control process flow automatically and transparently guides the device through several steps to ensure that it is compliant with the pre-defined policies, and continues to monitor the device for compliance throughout its session, regardless of the device type. This ensures not only that the right devices are accessing the right resources, but that they continue to stay compliant while connected, minimizing the risk of a security lapse.
Policy Creation and Enforcement for all Network Devices
By using CounterACT, administrators can create a wide range of granular sets of conditions/policies to ensure all connecting devices meet the baseline security criteria. Specific elements range from patch level or anti-virus definition status to the presence of illegal applications or self-propagating malicious code. This pre-defined set of values enables the appliance to identify endpoint activities and detect when the endpoint has violated the corporate security policy. Triggers determine when a policy is enforced (e.g. upon detection of a new MAC address connecting to the network). The appliance detects policy violations both upon connection and post-connection through continuous monitoring of network activity.
ForeScout creates and enforces policies for all types of networked devices. This includes:
- Corporate users operating within the network perimeter. - ForeScout's NAC solution allows for both role-based and location-based access policies, allowing an administrator to choose who has access to which resources and where they can access them from.
- Network guests. - CounterACT solves the challenge of securing onsite guests by providing a clientless solution, which allows administrators to grant limited access to unmanaged devices attempting to gain access to the network. It can implement a policy that moves any unmanaged resources into a quarantined VLAN upon connection, providing the device with only internet connectivity.
- Remote access VPN users. - By instantly detecting and continuously monitoring VPN devices, CounterACT enforces the organization's full network access control policies and ensures that no self-propagating malware will be allowed through the VPN connection.
- Wireless access points. - CounterACT detects both devices connecting through the WAP and any unauthorized WAPs on the wired network, without the need for additional RF equipment. Policies can be set to automatically disable any unauthorized WAP found on the network.
- Non-OS/Non-User devices. - ForeScout recognizes all devices, including non-user devices such as IP-enabled printers, fax machines, VoIP phones, and wireless devices (PDAs). The CounterACT system handles non-user devices by detecting the type of device, and continuously monitoring to ensure that the traffic being passed from this device is consistent with the typical packets associated with the specific device.
- 802.1x enabled devices. - ForeScout's security platform can be seamlessly integrated into any network environment with full or partial 802.1x deployment. CounterACT leverages the existing infrastructure to define and enforce policies, authentication, remediation, and VLAN assignment, without requiring the wholesale upgrade of existing network equipment.
Appropriate Responses to Policy Violations
Implementing these security policies is successful only when they are enforced in a gradual manner. The CounterACT system provides an array of enforcement responses with the ability to apply a measured and appropriate response/enforcement to specific policy violations. The enforcement options range from informing the end user of a policy violation through a hijacked HTTP session dialogue box to complete and immediate connection termination, based upon the severity of the policy violation and the detected risk to network operations.
Why Choose ForeScout's Network Access Control (NAC)?
- Clientless - ForeScout's NAC solution does not require a software client/agent to be installed on any connecting devices in order to perform its interrogation of network devices to ensure compliance.
- Not Inline - CounterACT does not sit inline, thereby eliminating any throughput latency or point-of-failure issues.
- Behavior-based IPS - ForeScout's intrusion prevention is behavior-based and does not rely on signatures, which eliminates the need for manual updates and reduces the chance of false positives.
- Seamless Integration - CounterACT deploys seamlessly into any network environment without requiring any infrastructure changes or upgrades. This includes "blended" networks where 802.1x is deployed in certain segments.
- Rogue Wireless Access Point detection - CounterACT detects and disables rogue wireless access points over the wire, without relying on unreliable detection methods such as network banners and MAC addresses.
- Measured Response - CounterACT features a wide range of informational and enforcement actions instead of a typical NAC binary access/no-access response. With enforcement actions ranging from email notification to HTTP session hijacking to physical shut-off of a switch port, CounterACT ensures business continuity with minimal disruptions.
To learn more about ForeScout's Network Access Control (NAC) solution, download the brochure or contact us for more information.
Acclaim
"While firewalls provide some protection but little view on threat activity, and traditional IDSs generate frequent false alarms, ActiveScout is highly accurate as well as a trustworthy, hands-off security solution."
James Volpe, Sales Manager, Corsa Network Technologies



