SOKA-BAU Achieves Mobile and Guest Device Access with ForeScout
“Thanks to ForeScout CounterACT, we have been able to clean up our entire network and implement secure access for employee notebooks and guest devices. Everything has been very smooth right from day one.”
- Headquartered in Wiesbaden, Germany, SOKA-BAU provides benefits, compensation and pension insurance services to over 70,000 domestic and foreign construction companies, managing total assets worth 5.5 billion Euros.
- SOKA-BAU’s IT network includes around 4000 endpoints across the headquarters, 7 branch offices and a large number of SOHO offices.
- SOKA-BAU had decided to allow notebooks, both corporate owned and those of authorised guests and contractors, to connect to, and run on, parts of the company network. To allow for greater accessibility, a network access control (NAC) solution was needed to minimise security risks and keep advanced threats at bay.
- Specifically, the company was looking for a reliable approach that would allow it to classify all devices attempting to connect to the company network against pre-defined security policies, and that would integrate as seamlessly as possible with the existing Cisco network infrastructure.
- Beyond access control, they wanted to fortify defences against hackers and growing amounts of malware.
- SOKA-BAU evaluated a number of NAC products before unanimously agreeing that ForeScout CounterACT provided the best solution.
- Much of the required functionality was already included out of the box with CounterACT, such as an intuitive policy editor with pre-defined actions; automatic identification of devices; automatic detection of P2P software and missing Microsoft security patches; as well as comprehensive alerting, enforcement and reporting options.
- Both the implementation and operation of CounterACT were non-intrusive, as the solution was an appliance that could be connected easily into the existing Cisco network.
- “Unlike other NAC solutions, CounterACT didn’t require installation and management of 802.1x software, didn’t need to operate in-line, and didn’t require so many components for the NAC to actually work,” explained Steffen Appel, Group Leader WAN / Security at SOKA-BAU. “It provided great, integrated functionality without the high initial cost, deployment risks and overall effort that would have come with the other NAC solutions we evaluated.”
- Network transparency
One of the first – and partly unexpected – benefits of installing CounterACT was that, for the first time, the IT team had a completely transparent live view of all devices on the company network.
- Guest management
SOKA-BAU is currently extending access control to the company network via CounterACT. Guest devices are, by default, automatically separated from the company network and moved onto a guest VLAN; phase two of this project will see the implementation of a guest registration process leveraging more of CounterACT’s guest management features. Furthermore, the conference room area in SOKA-BAU’s offices is not only used by employees, but also by guests and tenants. A separate network environment was set up behind a firewall to allow wireless access to the internet for guest notebooks, and is also secured by CounterACT.
- Endpoint security assurance
Using ForeScout CounterACT ensures that all endpoints are compliant with SOKA-BAU’s security policies: anti-virus protection is up to date, firewalls are active, and patches have been installed correctly. If a non-compliant device is found, an automated trouble ticket is generated and distributed via email to the relevant administrator. Using this method, problems can be addressed proactively before triggering a helpdesk call. CounterACT also blocks malware and malicious activity on the network. Whenever a device acts suspiciously, it is automatically isolated from the network and an alert is sent to the IT team.
- Time and cost savings
The effort involved in previously manual and labour-intensive processes was significantly reduced thanks to CounterACT-supported automation. This includes regular network reviews, compliance checks and resolving a diverse range of device issues.