General Product Questions
- What is Shellshock (Bash vulnerability) and does it affect CounterACT?
- What is the Heartbleed Bug and does it affect CounterACT?
- What is ForeScout CounterACT?
- What is ForeScout ControlFabric?
- What is ForeScout CounterACT Virtual Appliance?
- What is new in ForeScout CounterACT 7.0.0?
- Does ForeScout CounterACT include a policy management server?
- Does ForeScout CounterACT work with virtual machines?
- What reports does ForeScout CounterACT include?
- What report export capabilities does ForeScout CounterACT provide, and does it integrate with third-party reporting products?
- How does ForeScout sell and distribute its products?
- Why is the NAC market growing so quickly?
- How is the NAC market evolving?
- What are the key reasons for ForeScout’s success?
- How is ForeScout CounterACT delivered and licensed?
- How is ForeScout Mobile delivered and licensed?
- What support and service programs does ForeScout offer?
- What professional services does ForeScout offer?
- Can ForeScout CounterACT be purchased as a hosted or managed service?
- What is your VMware virtual appliance support policy?
- Does ForeScout CounterACT integrate with leading SIEMs?
- Is ForeScout certified for use in government and military facilities?
- What was announced between ForeScout and McAfee?
- Where can I obtain Visio stencils of CounterACT?
- Does ForeScout CounterACT have any known security vulnerabilities?
- Support for Users with Disabilities
- Where can I find ForeScout’s end user license agreements?
Network Access Control Functionality
- How does ForeScout CounterACT measure up to products from other leading NAC vendors?
- What methods can ForeScout CounterACT use to control access?
- How does ForeScout CounterACT work within an 802.1X architecture?
- Does ForeScout recommend use of 802.1X?
- In 802.1X environments, how does ForeScout CounterACT handle endpoints without supplicants?
- Does ForeScout CounterACT enforce access control via DHCP?
- How does VLAN enforcement work?
- How does ACL enforcement work?
- How does ForeScout CounterACT’s virtual firewall work?
- What does an end-user experience when ForeScout CounterACT starts to enforce network access control policies?
- Does ForeScout CounterACT include a guest networking application?
- Is ForeScout CounterACT able to enforce access control based upon a user’s role?
- What identity management systems does ForeScout CounterACT support?
- Describe ForeScout CounterACT’s ability to enforce NAC for an SSL VPN and for an IPsec VPN.
- How does ForeScout CounterACT detect unauthorized WAPs and other rogue devices?
- How does ForeScout CounterACT identify non-PC devices on a network?
- Does ForeScout offer the means to enable a “Bring Your Own PC to Work” policy?
- Does CounterACT operate as an in-line or out-of-band appliance?
- Is CounterACT deployed at every switch?
- Does ForeScout CounterACT include an agent?
- How does ForeScout CounterACT work without an agent?
- Does ForeScout CounterACT detect the existence of malware on an endpoint or propagation of malware on your network?
- Does CounterACT provide continuous monitoring?
- Does ForeScout CounterACT support automated remediation?
- Does ForeScout CounterACT support remediation through dialogs with the quarantined user?
- Does the ForeScout CounterACT agent pass parameters (e.g., missing patch) to a remediation agent, or does it simply “kick off” the remediation agent?
- Does ForeScout CounterACT pass information to a trouble ticketing solution?
- Who are ForeScout CounterACT’s remediation partners?
- Does ForeScout CounterACT provide the ability to monitor the network for anomalous traffic?
- Can ForeScout CounterACT track changes that occur on endpoints?
- Does ForeScout CounterACT provide mobile security?
- What handheld devices does ForeScout CounterACT identify?
- Does ForeScout CounterACT require deployment of an agent to handheld devices?
- Does ForeScout CounterACT or ForeScout Mobile replace Mobile Device Management solutions?
- How does ForeScout address BYOD?
General Product Questions
A recently published vulnerability in GNU Bash (“Bourne Again Shell”), widely known as ShellShock (CVE-2014-6271 and CVE-2014-7169), allows an attacker to inject arbitrary shell commands and code via specially crafted environment variables. Some of the attack vectors reported are exploitable by unauthenticated attackers.
The underlying OS component of CounterACT, as distributed, contains a version of Bash that includes this vulnerability. However, CounterACT is not susceptible to the attack vectors associated with this vulnerability, because none of its externally exposed services (its HTTP server, DHCP client, etc.) passes externally supplied data as directives into a Bash environment. The SSH restricted-shell attack vectors that have been reported are also not applicable to CounterACT.
As a precautionary measure, ForeScout has issued an update that replaces the Bash binary installed on CounterACT versions 6.3.4.x and 7.0.0 with a patched Bash version. This update is available to customers and partners via our customer portal. ForeScout Security Advisory 14-02 has more details at https://updates.forescout.com/support/index.php?url=sec_adv
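For administrators who want to verify that the Bash on their own CounterACT or other Linux hosts has actually been patched, the following self-check runs the public test commands from the Bash vendor advisories for the two CVEs named above. This is an added example, not ForeScout code; it assumes a `bash` binary on PATH and reports "patched" or "vulnerable" per CVE.

```python
"""Local Bash self-check for CVE-2014-6271 and CVE-2014-7169 (Shellshock).
Added example, not ForeScout code. It does nothing but run the advisory test
commands against the bash found on PATH and inspect the result."""
import os
import shutil
import subprocess
import tempfile


def _run_bash(extra_env, command, cwd=None):
    """Run `bash -c command` with extra_env merged into a minimal environment."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(extra_env)
    proc = subprocess.run(
        ["bash", "-c", command],
        env=env, cwd=cwd, capture_output=True, text=True, timeout=10,
    )
    return proc.stdout + proc.stderr


def check_cve_2014_6271():
    """Original bug: commands appended after a function body in an exported
    variable are executed when bash starts. A vulnerable bash prints
    'vulnerable' before running the real command ('echo test')."""
    if shutil.which("bash") is None:
        return "bash-not-found"
    try:
        out = _run_bash({"x": "() { :;}; echo vulnerable"}, "echo test")
    except (OSError, subprocess.SubprocessError):
        return "check-failed"
    return "vulnerable" if "vulnerable" in out else "patched"


def check_cve_2014_7169():
    """Incomplete-fix bug: a malformed function definition leaves parser state
    behind, so `bash -c "echo date"` on a vulnerable bash runs `date` with its
    output redirected into a file literally named 'echo'. We run it inside a
    scratch directory and look for that file."""
    if shutil.which("bash") is None:
        return "bash-not-found"
    with tempfile.TemporaryDirectory() as scratch:
        try:
            _run_bash({"X": "() { (a)=>\\"}, "echo date", cwd=scratch)
        except (OSError, subprocess.SubprocessError):
            return "check-failed"
        hit = os.path.exists(os.path.join(scratch, "echo"))
    return "vulnerable" if hit else "patched"


def shellshock_report():
    """Status per CVE for the bash on this host."""
    return {
        "CVE-2014-6271": check_cve_2014_6271(),
        "CVE-2014-7169": check_cve_2014_7169(),
    }


if __name__ == "__main__":
    for cve, status in shellshock_report().items():
        print(f"{cve}: {status}")
```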
The Heartbleed bug (CVE-2014-0160) is a vulnerability in the OpenSSL cryptographic software library reported on April 7, 2014. If exploited to its fullest extent, this could enable an attacker to eavesdrop and take data from an SSL/TLS encrypted communication session. Specifically, in some cases it can result in the attacker obtaining sensitive data, such as encryption keys and service credentials.
Only one component within CounterACT implements SSL sessions using the OpenSSL library — specifically CounterACT SecureConnector for Windows®, on ForeScout CounterACT 6.3.4x and 7.0.
ForeScout CounterACT Hotfixes that address this limited exposure were released on April 10, 2014 and are available to customers and partners via our customer portal. ForeScout Security Advisory 14-01 has more details at:
ForeScout CounterACT is an automated security control platform that lets you see, monitor, and control your network: devices, operating systems, applications, users. ForeScout CounterACT is a risk management platform that measures compliance with your security policies and remediates endpoint security deficiencies. Through built-in network access control technologies, CounterACT lets employees, contractors, and guests remain productive on your network while you protect critical network resources and sensitive data.
Unlike agent-based security systems, ForeScout CounterACT operates in real-time, has no blind spots, and does not require cooperation from the endpoint. ForeScout CounterACT is easy to deploy because it requires no software, no agents, no network reconfigurations.
ForeScout CounterACT is also the centerpiece of the ControlFabric architecture. ControlFabric is an open platform enabling ForeScout CounterACT and other solutions to exchange information and resolve a wide variety of network, security and operational issues.
ControlFabric is a set of technologies that enable ForeScout CounterACT and other IT solutions to exchange information and more efficiently mitigate a wide variety of network, security and operational issues. ForeScout partners with industry-leading hardware and software providers that extend the value of our pervasive network security platform and provides ways to team their solutions with ForeScout’s. ControlFabric is based on ForeScout CounterACT, which dynamically identifies and assesses all network users, endpoints and applications; applies flexible policies to allow, limit or deny access; directly remediates endpoint security issues; and triggers external systems to apply remediation. Enterprise IT organizations that leverage the ControlFabric ecosystem can achieve continuous monitoring and mitigation capabilities that better leverage their infrastructure investments and optimize IT resources.
ForeScout CounterACT Virtual Appliance gives customers the freedom to deploy ForeScout CounterACT on their existing hardware and VMware investment. ForeScout CounterACT is installed as a guest virtual machine on VMware ESX or Microsoft Hyper-V, with reserved processor, memory and storage resources. Customer benefits can include:
- Easier to maintain hardware based on corporate standards
- Green – save money on power, cooling and rackspace
- Convenient remote deployment scale out (no need to ship physical appliances)
- Takes advantage of VMware provisioning and availability mechanisms
- On-demand capacity and performance increase, just add more hardware resources as needed
ForeScout CounterACT version 7.0 is about delivering superior NAC usability, unparalleled integration and accelerated time-to-value. The release further enables 802.1X flexibility, deployment, migration and management ease, including a built-in RADIUS server. Gaining situational awareness and expediting response across distributed networks has never been easier with a new console tactical map, advanced search and filtering, and reporting management. In the mobile arena, seeing and controlling unmanaged mobile devices and integrating with mobile device management systems is further streamlined. Endpoint visibility and compliance features capture more details with greater efficiency. As a result, NAC has never been easier, more manageable and of greater value. Highlight enhancements include:
Yes. Our policy management server is built into the ForeScout CounterACT appliance. It includes a wizard that makes it easy to create and apply policies to single devices/users as well as groups, to schedule policy enactments, and to exclude segments from policy enactments. The wizards include a knowledgebase of the most commonly used security policies.
Yes. ForeScout CounterACT provides the same visibility and control for virtual machines as for physical machines. However, each virtual machine needs to have its own IP address in order to maintain the same level of granular control that ForeScout CounterACT gives you for physical machines. Because CounterACT can itself be implemented as a virtual appliance, CounterACT can be installed within your virtualized environment, providing visibility to hosts that reside within individual vSwitches.
ForeScout CounterACT provides several out-of-the-box reports that specifically highlight different views on:
- The level of policy compliance
- Compliance trending
- Malicious activity
- Assets (both hardware and software) on your network
The predefined reports are easily customizable by the user and include the following:
- NAC Policy Compliance Summaries Report
- Vulnerability Report (Windows)
- PCI NAC Policies Compliance Report
- Inventory Report
- NAC Policy Compliance Trend Report
- NAC Policy Compliance Details Report
- Registered Guest Analysis Report
In addition to canned and configurable reports, ForeScout CounterACT includes an Assets Portal which provides visibility into the information collected by ForeScout CounterACT. Google-like searches can be performed within the Assets Portal to track assets, view asset details, or generate a list of assets which match specific criteria (e.g. devices with 255 as the first octet of their IP address).
What report export capabilities does ForeScout CounterACT provide, and does it integrate with third-party reporting products?
ForeScout CounterACT reports are exportable to CSV and PDF formats. Integration into third-party systems can be done via syslog and the CEF format. In addition, two-way ticketing information can be shared with trouble-ticketing systems (e.g. Remedy).
ForeScout sells products directly as well as through VARs, distribution partners, global systems integrators, OEM partners, and product integration partners. For a complete listing of our channel partners (by region), visit our reseller locator.
Gartner, Inc. evaluated the NAC market in December 2013 and predicted* that the market would grow approximately 45% in 2014. The overall growth for Network Access Control adoption is being fueled by five trends:
- The demand for a wide range of personally owned devices to gain access to the network while preserving security.
- The failure of traditional security software to assure endpoint compliance and stop zero-day, targeted (APT) and propagating threats such as Conficker and Zeus.
- Maturing compliance mandates, both internal and external (government regulation), that require controls for all access to, and protection of, sensitive data and personally identifiable information (PII).
- The explosion of “consumer” devices accessing corporate networks, e.g. iPhones, iPads, Androids, and personal laptop computers.
- The use of social media, unsanctioned personal data sharing, malware and phishing techniques for social engineering purposes to gain a foothold in endpoint devices.
* Gartner, Inc., “Magic Quadrant for Network Access Control”, Lawrence Orans, December 2013.
NAC was originally designed for a world that does not exist today—a world of Windows hegemony, with PCs connected to wired LANs, operated mostly by employees, and updated (patched) periodically. In this environment, NAC would function like a security agent on an airport security line—denying access to the network unless the user and the device could prove their identity and compliance with security requirements.
The modern enterprise IT environment is now radically different, characterized by:
- Widespread acceptance of end-user mobility and BYOD policies
- A transition from periodic monitoring and patching to continuous monitoring and remediation
- A pressing need for security operations automation, for both speed and efficiency
- A drive toward “contextual security” policies and enforcement
In response to this new IT environment, NAC products are evolving to a much broader functionality characterized by the following:
- Greater endpoint visibility and coverage. This especially includes the ability to detect, categorize and inspect non-Windows devices such as smartphones and tablets, personally owned computing devices which lack endpoint security agents, industrial equipment, and virtualization.
- Continuous monitoring of endpoint configuration and status to support evolving governance and compliance needs
- Integration with other IT security and management systems such as SIEM, firewall, VPN, identity management, vulnerability scanning, trouble ticketing, MDM, advanced threat detection systems, etc.
Some market researchers (for example, Enterprise Strategy Group) are suggesting that the evolution is so significant that a new name should be used for this product category, such as EVAS—”Enterprise Visibility, Access and Security”.
Our company’s growth is fueled by the strength and versatility of the ForeScout CounterACT platform. This boils down to five things:
- Easy and non-disruptive. ForeScout CounterACT is dramatically easier and faster to deploy than traditional NAC products. One box, one day to install, built into the appliance. No software to install. No changes to your existing infrastructure. By supporting both 802.1X and non-802.1X, trusted access and endpoint compliance can be assured with the least impact to your end users and operations.
- Integrated. ForeScout CounterACT includes a large range of functionality: An extensive range of automated controls that let you manage your network the way you want to. Full-featured guest registration. Visibility and network access control of the most popular smartphones. Extensive information about your network – devices, users, applications, ports, peripherals, etc. Built-in options for remediation that include updating security agents, patching operating systems, even killing unauthorized applications and processes.
- Scalability. ForeScout CounterACT scales better than anything on the market. We have customers today with over 750,000 endpoints, being managed by a single ForeScout CounterACT Enterprise Manager console.
- Manageability. ForeScout CounterACT is easy to manage. Our engineers have a passion for developing good user interfaces and setup wizards. People who test our product and compare it to competitors’ products consistently tell us that ForeScout CounterACT’s user interface is easier and more intuitive than competitors’ products.
- Interoperability. ForeScout CounterACT works with your existing infrastructure. The approach is completely vendor agnostic. For example, switches, directory services, anti-virus software and other network and security infrastructure from almost any vendor can be used and networks with multiple vendors are easily supported.
ForeScout CounterACT is delivered in either physical or virtual appliance form.
ForeScout CounterACT is licensed by the number of network devices (IP addresses) that are within the scope of the appliance.
- Each of our physical appliances is built to handle a certain number of network devices, and each appliance comes with a license for that number of devices. Our licenses range from 100 devices (CT-R appliance) to 10,000 devices (CT-10000 appliance). In between, we have appliances that are licensed for 500, 1000, 2500, and 4000 devices.
- ForeScout CounterACT Virtual Appliance is licensed the same way as our physical appliance. We offer licenses for 100, 500, 1000, 2500, 4000 and 10,000 devices.
ForeScout also offers a ForeScout CounterACT Enterprise Manager to streamline management of up to 200 ForeScout CounterACT appliances. Licensed by the number of ForeScout CounterACT appliances under management, ForeScout CounterACT Enterprise Manager enables customers to centrally see and manage endpoints, policies and appliances. We also offer high-availability pricing for our physical appliances. Our HA pricing includes a license for a set number of users plus two appliances covered within the scope of that license.
ForeScout Mobile Security Module is a plugin that works with ForeScout CounterACT. The plugin is downloaded from ForeScout’s customer support web site and installed in the ForeScout CounterACT appliance (if the customer is just using one ForeScout CounterACT appliance) or the ForeScout CounterACT Enterprise Manager appliance (if the customer is using multiple ForeScout CounterACT appliances).
ForeScout Mobile Security Module is licensed according to a specified number of mobile devices. A single ForeScout Mobile Security Module license is applied to a ForeScout CounterACT appliance or, if multiple ForeScout CounterACT appliances are in use, to a ForeScout CounterACT Enterprise Manager. For example, suppose you have one ForeScout CounterACT CT-R, one ForeScout CounterACT CT-1000, and one ForeScout CounterACT CT-4000 appliance. In this situation, you have licenses to operate ForeScout CounterACT for a total of 5100 IP addresses. If you wish to obtain additional visibility and control over 100 mobile devices, you would purchase one ForeScout Mobile Security Module license for 100 mobile devices.
Multiple ForeScout Mobile Security Module licenses may be purchased in order to achieve a larger license. For example, if you purchase two copies of the ForeScout Mobile Security Module for 100 mobile devices, we will send you a license key for 200 mobile devices.
ForeScout products include a ninety (90) day limited warranty for parts and labor. In addition, ForeScout offers two ActiveCare extended support options. Each option can be purchased for a one year term and renewed on a per annum basis. The benefits include:
- Unlimited access to the Support Website, allowing customers to:
  - Download software updates
  - Download purchased plug-ins for integration with other 3rd-party systems
  - Download product documentation and manuals
- ForeScout Technical Support:
  - ActiveCare Advanced support provides 24×7 access to a support engineer who can perform remote troubleshooting.
  - ActiveCare Basic support provides access to a support engineer from 8:00 a.m. to 5:00 p.m., Monday through Friday, for remote troubleshooting.
- Advance Hardware Replacement. If there is a hardware problem with a ForeScout appliance, ForeScout will send a replacement unit to the customer site prior to receiving the defective appliance. This offers a fast and economical method of maintaining an unlimited “virtual spares” inventory.
ForeScout also offers a range of professional services to meet customer needs of the product lifecycle, such as site assessment, installation, deployment, policy development, training, health-checks and upgrades.
ForeScout solutions are easy, interoperable, flexible and powerful – they are designed for convenient deployment and rapid results. Customers can expedite implementation and fortify their investment in ForeScout CounterACT by leveraging the expertise provided by us and our partners in order to meet deployment schedules, assure compliance initiatives or improve/refine policies.
The following professional services are offered on-site, remotely or can be customized.
- Deployment and configuration
- Policy development and optimization
- Health check/system review
- Customer coaching via Web conferencing
- Software Release Upgrade
- Hardware Procurement and Installation
- Custom Services
- Training: HelpDesk, Basic, Advanced, Custom – On-site or Remote
- BYOD/ Mobile Security Policy assessment and development
Yes. For organizations that would prefer to implement ForeScout CounterACT as a hosted or managed service, ForeScout has a network of service providers ready and able to help you accelerate product procurement, deployment, management and ongoing success.
ForeScout is a member of the VMware Technology Alliance Partner Program. ForeScout employs reasonable efforts to maintain interoperability with, and support for, VMware platforms and products.
The ForeScout CounterACT virtual appliance operates as a guest virtual machine on VMware ESX or ESXi or on Microsoft Hyper-V. The company will support customers who run the ForeScout CounterACT virtual appliance product on VMware certified operating environments and on Microsoft Hyper-V as defined in our Quick Installation Guide and as per our End User License Agreement. The operating environment, procured by the customer, must comply with VMware’s or Microsoft’s set of certified hardware. The customer and Microsoft will be responsible for any interactions or issues that arise at the hardware and operating system layers as a result of their use of Hyper-V.
ForeScout reserves the right to request our customers to diagnose certain issues in a native certified operating system environment. ForeScout will only make this request when there is reason to believe that the virtual environment is a contributing factor to the issue. ForeScout will inform the customer to request support from VMware or Microsoft directly regarding any problems that may, in the sole opinion of ForeScout, be directly related to VMware or Hyper-V. In such a case, ForeScout will provide detailed information where possible to support the customer and VMware or Microsoft.
Yes. ForeScout CounterACT integrates with leading SIEMs by emitting syslog messages in the Common Event Format (CEF), which the SIEM parses. The SIEM products that CounterACT integrates with include ArcSight ESM, McAfee ESM (formerly NitroSecurity), IBM QRadar, LogLogic, and RSA enVision. See how ForeScout takes “Actionable Intelligence” to a whole new level: watch video.
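The CEF-over-syslog integration mentioned here and in the report-export answer above is easiest to understand from the receiving side. The parser below is an added example (not ForeScout or any SIEM vendor's code) that splits a CEF line into its seven pipe-delimited header fields and its key=value extension, honouring the `\|`, `\\` and `\=` escapes the format requires; the two sample CounterACT-style events are constructed and do not reproduce CounterACT's real signature IDs or extension keys.

```python
"""Parser for Common Event Format (CEF) syslog lines. Added example, not
ForeScout or ArcSight code; the sample records below are constructed."""
import re

# Constructed sample records: syslog prefix followed by a CEF payload.
SAMPLE_LINES = [
    "<134>Oct 02 10:15:01 counteract-1 CEF:0|ForeScout|CounterACT|7.0.0|"
    "NAC_POLICY_NONCOMPLIANT|Endpoint non-compliant: missing AV|7|"
    "src=10.1.20.45 smac=00:11:22:33:44:55 suser=jdoe cs1Label=Policy "
    "cs1=Antivirus Running msg=Action\\=Restrict to VLAN 999",
    "<134>Oct 02 10:15:07 counteract-1 CEF:0|ForeScout|CounterACT|7.0.0|"
    "ROGUE_DEVICE|Unauthorized access point \\| SSID guest-free|9|"
    "src=10.1.20.200 smac=aa:bb:cc:dd:ee:ff msg=Rogue WAP seen on port Gi1/0/7",
]

_HEADER_UNESCAPE = {r"\|": "|", r"\\": "\\"}
_EXT_UNESCAPE = {r"\=": "=", r"\\": "\\", r"\n": "\n", r"\r": "\r"}
# An extension key starts the line or follows whitespace and is directly
# followed by '='; an escaped '\=' inside a value never matches this.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(payload):
    """Split the 7 '|'-delimited header fields (CEF:Version ... Severity),
    treating '\\|' and '\\\\' as escapes. Returns (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            buf.append(payload[i:i + 2])  # keep escape pair intact for now
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("CEF header must contain 7 pipe-delimited fields")

    def unescape(s):
        return re.sub(r"\\[|\\]", lambda m: _HEADER_UNESCAPE[m.group(0)], s)

    return [unescape(f) for f in fields], payload[i:]


def _parse_extension(ext):
    """Parse 'k=v k2=value with spaces' into a dict, decoding '\\=' escapes.
    Values run from one key's '=' up to the whitespace before the next key."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[start:end]
        out[m.group(1)] = re.sub(
            r"\\[=\\nr]", lambda x: _EXT_UNESCAPE[x.group(0)], raw)
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF payload into a flat event dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    header, ext = _split_header(line[start:])
    return {
        "syslog_prefix": line[:start].rstrip(),
        "cef_version": header[0].split(":", 1)[1],
        "device_vendor": header[1],
        "device_product": header[2],
        "device_version": header[3],
        "signature_id": header[4],
        "name": header[5],
        "severity": int(header[6]),
        "extension": _parse_extension(ext),
    }


def high_severity_events(lines, threshold=7):
    """Simple SIEM-side routing rule (constructed): events at or above threshold."""
    return [e for e in (parse_cef(l) for l in lines) if e["severity"] >= threshold]


if __name__ == "__main__":
    for event in high_severity_events(SAMPLE_LINES):
        print(event["signature_id"], event["severity"], event["extension"])
```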
Many government agencies at the Federal, state and municipal levels, and supporting contractors, use ForeScout CounterACT to accelerate “connect to comply” mandates, strengthen security enforcement, and prove regulatory compliance. ForeScout has achieved the industry’s highest level of security certification for a Network Access Control (NAC) solution, an EAL 4+ evaluation. With EAL4+, government agencies can be assured that the specification, implementation and effectiveness of ForeScout CounterACT for Network Access Control have been evaluated in a rigorous and standardized manner to meet their security and compliance needs. CounterACT is also FIPS 140-2 compliant and is listed on the United States Army Information Assurance Approved Products List (AI-APL). Read the most current press release on ForeScout certifications.
In 2012, ForeScout deepened its collaboration with McAfee by bringing its best-in-class network access control (NAC) solution to McAfee customers through its appointment as a McAfee Sales Teaming Partner within the McAfee Security Innovation Alliance™ (SIA) program. McAfee will present ForeScout CounterACT as its preferred NAC platform to existing and prospective McAfee NAC customers.
The combination of ForeScout CounterACT with McAfee Enterprise Security Manager (ESM), McAfee ePolicy Orchestrator (McAfee ePO) software, and McAfee Endpoint Protection helps customers realize continuous monitoring and mitigation benefits. In particular, ForeScout CounterACT helps automate the identification and profiling of network devices, provides McAfee ePO software and HBSS agent detection, finds and remediates endpoint security gaps, and provides dynamic endpoint intelligence and remediation capabilities for McAfee ESM.
McAfee customers and partners can contact their local McAfee sales representative for more details.
You can obtain Visio stencils by visiting http://www.shapesource.com/scripts/prodView.asp?idproduct=698.
ForeScout follows secure software development practices, and we appreciate experts sharing their knowledge of any discovered vulnerabilities with ForeScout and our community. If you have identified a new vulnerability, please email: email@example.com and include all details, including the source of the public reference.
Security advisories are provided to inform our customers, partners and those evaluating our solutions of security vulnerabilities found in ForeScout products, and the required steps to mitigate them. Licensed users should frequently visit either the Customer Portal or Community Forum in order to obtain the list of current security advisories and are urged to apply actions recommended in the advisory at the earliest convenience.
For information about Shellshock (Bash vulnerability) see ForeScout Security Advisory 14-02.
For information about the Heartbleed bug see ForeScout Security Advisory 14-01.
Yes. ForeScout Technologies products are accessible for users, including people with disabilities. Users with audio and visual impairments can click here to find out more about our support for these disabilities.
A Voluntary Product Accessibility Template , or VPAT, is a standardized form developed that shows how a software product meets key regulations of Section 508 of the Rehabilitation Act. Click here to read the VPAT document that describes the accessibility features of ForeScout products.
Click here to obtain our end user license agreement for Generally Available (GA), Early Availability (EA), Evaluation and Beta products.
Network Access Control Functionality
“When it comes to network access control (NAC), ForeScout CounterACT is the most superior solution on the market. Don’t just take our word for it, get a 24-page, comprehensive comparative report on the leading NAC products produced by The Tolly Group.”
ForeScout CounterACT has built-in support for the following methods to control network access:
- 802.1X: VLAN steering or switch blocking
- Switch blocking using SNMP
- VLAN Steering
- ACL enforcement
- Virtual Firewall
- Built-in RADIUS server, plus the ability to function as a RADIUS proxy. The proxy mode is useful if you are already using a RADIUS server and don’t wish to utilize the RADIUS that is built into CounterACT.
- Built-in visibility tools to help you see whether your switches and endpoints are correctly configured for 802.1X authentication. The tools can be run in monitor mode before you start to enforce 802.1X access control; this lets you solve problems before they become disruptive.
- Built-in remediation tools identify when an endpoint does not have a properly configured supplicant. When such an endpoint is found, CounterACT can run a script to install and/or configure the supplicant.
- Hybrid NAC includes the ability to utilize 802.1X or other authentication technologies within the same network. This has two benefits: 1) It lets you roll out NAC quickly in an environment that does not support 802.1X. 2) It provides a redundant authentication mechanism for endpoints that fail the 802.1X authentication for whatever reason.
- Support for a wide variety of vendors’ switches and wireless access points. ForeScout CounterACT can be configured to function as a RADIUS proxy; in this model, ForeScout CounterACT becomes the authentication server for the switch and the authenticator toward the RADIUS server. ForeScout CounterACT integrates with 802.1X switches and supports 802.1X switches from Cisco, Extreme, Foundry/Brocade, Nortel, Aruba, and HP ProCurve.
- Support for a wide variety of network enforcement methods: 1) VLAN assignment, 2) ACL management, 3) virtual firewall. This flexibility allows customers to quickly deploy our NAC solution in difficult network environments, e.g. when computers are daisy-chained to VoIP phones.
- Automated MAC exception lists based on ForeScout CounterACT’s built-in endpoint profiler. CounterACT automatically identifies endpoints that do not support 802.1X supplicants—for example, printers—places these endpoints on the network, and then adds their MAC addresses to an exception list. CounterACT continuously maintains the exception list and monitors those endpoints in order to prevent MAC address spoofing. ForeScout CounterACT places authenticated endpoints into the proper VLAN according to the end-user’s role as determined by LDAP grouping, and places non-compliant or unverified endpoints in a remediation VLAN or in a lobby VLAN for inspection. The exact behavior is configurable by our customers.
802.1X is just one type of authentication protocol that ForeScout CounterACT supports, the others being authentication against an LDAP directory such as Active Directory, authentication against CounterACT’s built-in guest registration database, and authentication against CounterACT’s built-in MAC address bypass list. It is up to the customer to choose which authentication protocol they wish to use.
In general, 802.1X is a very secure method of device authentication, but there are alternative approaches that are just as secure. As IT environments become larger, with more heterogeneous equipment and a large number of legacy devices which do not support 802.1X, the overhead of deploying 802.1X, managing the exception list, and deploying and remediating 802.1X supplicants may become burdensome. In these situations, alternative authentication approaches should be considered.
Spire Security has written an excellent description of the pros and cons of 802.1X. For more details, see “Network Access Control and 802.1X: Advantages, Constraints and Capabilities” by Spire Security.
Also watch this video which shows how ForeScout CounterACT provides strong port control with or without 802.1X and how CounterACT enhances 802.1X so that it is truly enterprise-ready.
The 802.1X protocol is inherently ungraceful in the way that it handles new endpoints that lack supplicants, such as printers. This is one of the drawbacks to 802.1X and why many ForeScout customers do not utilize 802.1X.
The only way to allow new devices without supplicants (such as printers) onto an 802.1X network is to enter the MAC address of the device into an exception list which is stored on the RADIUS server. This can be done prior to putting the device onto the network, or afterwards. If afterwards, you can configure a policy within ForeScout CounterACT that automatically handles the onboarding of endpoints such as printers without supplicants, as well as more capable endpoints (computers, smartphones, etc.) that have not yet been configured for 802.1X. Using ForeScout CounterACT’s hybrid NAC, any device that fails 802.1X authentication is placed in a lobby VLAN. If the device is a printer or other piece of equipment, ForeScout CounterACT can be configured to automatically add that device’s MAC address to an exception list, after which CounterACT can move that device to the production network. If the device is a computer, ForeScout CounterACT can be configured to give the user an opportunity to authenticate via another method, such as by entering their Active Directory credentials. If the user is a guest, ForeScout CounterACT can give the user the opportunity to register for guest access on the network. As the number of unmanaged (BYOD) computers that need to access corporate networks increases, ForeScout CounterACT’s hybrid NAC becomes an increasingly attractive solution to any organization that wants to maintain high end-user productivity and minimize the number of help desk calls.
No. Many NAC solutions rely on DHCP blocking as an alternative to 802.1X enforcement. Unfortunately, DHCP enforcement is an inherently ineffective enforcement option because it is easily bypassed, will not work in certain environments, and is unrealistic for enterprise NAC deployments. Even if successfully implemented, it still lacks the ability to provide point of access control through VLAN steering or port up/port down.
Some of the fundamental issues with DHCP enforcement include:
- DHCP enforcement is “opt in” enforcement because it relies on the end-user to obey specific rules.
- DHCP blocking will not work on users that connect to the network with static IP addresses.
- DHCP blocking is effective only when the end-point requests/renews its DHCP lease. Once DHCP hands out an address, there is no way to take it back. If someone becomes infected or policy needs to block a user after connect, there is no way to take back the IP address until the DHCP lease expires.
ForeScout CounterACT uses DHCP only as a discovery source: a DHCP request is one of the signals that a new endpoint has been admitted to the network. Enforcement is then applied by other means, not by withholding or manipulating the lease.
ForeScout CounterACT can assign an endpoint to an appropriate VLAN based on the policy that you configure within the ForeScout CounterACT policy manager. The actual port assignment can be done via 802.1X or via SNMP. The latter option is plug-and-play, does not require 802.1X, requires no software on the endpoint, and is able to manage any device on the network including guests and non-OS appliances.
ForeScout CounterACT provides the ability to dynamically update ACL’s on firewalls, routers, and switches. This lets you enforce security policies at a very granular level, leveraging your existing switch infrastructure. Beyond just restricting a device to a specific VLAN, ACL-based enforcement can restrict access on a device-by-device basis or port-by-port basis. ACL management lets you apply different policies in situations where multiple devices are connected to a single switch port, for example when workstations are connected to VoIP phones, or when multiple virtual machines are connected to a single switch port. While some NAC solutions provide basic ACL management capabilities, competitors typically limit their support to L3 switches or routers at the core of your network. ForeScout’s ACL management works at the access layer and gives you tremendous enforcement granularity with no administrative overhead.
ForeScout CounterACT’s virtual firewall uses surgical packet injection to offer granular and dynamic control of traffic. Essentially, it is a TCP reset mechanism. Unlike competitors’ TCP reset mechanisms, which send the RESET to the source after the data is already on the wire, ForeScout CounterACT sends the RESET to the destination after the first SYN, tearing down the connection before the handshake completes. For the server to accept such a reset it must carry the client's addresses and ports and a sequence number the server expects next, which is why the appliance acts on the SYN rather than on later packets. This can be repeated as often as necessary to isolate a device from specific network resources. In addition, ForeScout CounterACT tears down UDP sessions by sending ICMP unreachable messages to both client and server; this is effective in query-response protocols such as DNS, where the endpoint acts on the error. Because the appliance sits out of band (it sees traffic from a SPAN or mirror port), it can only interrupt a flow it has observed, not drop packets in line, so the first packet of a flow always reaches its destination. This system is a very easy and flexible way of providing role-based access, even separating traffic that is on the same VLAN. It can also be used to provide NAC functionality where VLANs are not possible (e.g. flat networks) or where proper role-based access would require too many VLANs (separating employee roles on the same network).
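To make the mechanism concrete, here is an added example (not ForeScout's code, and not a description of CounterACT's internals) that forges the two kinds of teardown packet described above using only the Python standard library: a RST spoofed from the client toward the server after an observed SYN, and an ICMP port-unreachable spoofed from the destination of an observed UDP datagram. The addresses, ports and DNS query are constructed sample input; the header builders and the `tcp_rst_for_syn` and `icmp_port_unreachable` helpers are this example's own names. It builds and verifies the bytes but does not transmit them, which would need a raw socket with `IP_HDRINCL` and privileges.

```python
"""Out-of-band teardown packets: a spoofed TCP RST that aborts a half-open
connection, and an ICMP port-unreachable that ends a UDP exchange.
Added example, standard library only; not ForeScout's code.  All addresses,
ports and payloads below are constructed for the demonstration."""
import socket
import struct
from typing import Optional

TCP_SYN, TCP_ACK, TCP_RST = 0x02, 0x10, 0x04
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options, DF set) with header checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_tcp(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
              flags: int, window: int = 0) -> bytes:
    """TCP segment (no options, no payload) with pseudo-header checksum, inside IPv4."""
    seg = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg)))
    seg = seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]
    return build_ipv4(src, dst, IPPROTO_TCP, seg)


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "header": pkt[:ihl], "payload": pkt[ihl:total_len]}


def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF}


def tcp_checksum_ok(pkt: bytes) -> bool:
    """True when the TCP checksum (including pseudo-header) verifies."""
    ip = parse_ipv4(pkt)
    pseudo = (socket.inet_aton(ip["src"]) + socket.inet_aton(ip["dst"])
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(ip["payload"])))
    return checksum(pseudo + ip["payload"]) == 0


def tcp_rst_for_syn(syn_pkt: bytes) -> Optional[bytes]:
    """From an observed client->server SYN, forge the RST injected toward the
    server, spoofing the client.  seq = ISN+1 equals the server's RCV.NXT while
    it sits in SYN-RECEIVED, so the RST is accepted (RFC 793) and the half-open
    connection is dropped before the handshake completes."""
    ip = parse_ipv4(syn_pkt)
    if ip["proto"] != IPPROTO_TCP:
        return None
    tcp = parse_tcp(ip["payload"])
    if (tcp["flags"] & (TCP_SYN | TCP_ACK)) != TCP_SYN:   # only a bare SYN qualifies
        return None
    return build_tcp(ip["src"], ip["dst"], tcp["sport"], tcp["dport"],
                     (tcp["seq"] + 1) & 0xFFFFFFFF, 0, TCP_RST)


def icmp_port_unreachable(pkt: bytes) -> Optional[bytes]:
    """For an observed UDP datagram, forge ICMP type 3 / code 3 back to the sender,
    spoofing the destination.  RFC 792 requires quoting the original IP header plus
    the first 8 bytes of its payload; the sender's stack uses that quote to match
    the error to a socket (a connected UDP socket on Linux sees ECONNREFUSED)."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_UDP:
        return None
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + ip["header"] + ip["payload"][:8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(ip["dst"], ip["src"], IPPROTO_ICMP, icmp)


# Constructed sample traffic: a client SYN to SMB and a DNS query for www.example.com.
SAMPLE_SYN = build_tcp("10.1.2.3", "10.9.8.7", 51515, 445, 0x10000000, 0, TCP_SYN, window=65535)
_DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_UDP = build_ipv4("10.1.2.3", "10.9.8.7", IPPROTO_UDP,
                        struct.pack("!HHHH", 40000, 53, 8 + len(_DNS_QUERY), 0) + _DNS_QUERY)

if __name__ == "__main__":
    rst = parse_ipv4(tcp_rst_for_syn(SAMPLE_SYN))
    print("RST", rst["src"], "->", rst["dst"], parse_tcp(rst["payload"]))
    unreach = parse_ipv4(icmp_port_unreachable(SAMPLE_UDP))
    print("ICMP", unreach["src"], "->", unreach["dst"], len(unreach["payload"]), "bytes")
```

Running it shows the forged RST carrying the client's addresses with sequence number ISN+1, and the ICMP error quoting the original IP header and UDP ports. The race described in the text is visible in the design: the RST only helps if it reaches the server while the connection is still half-open, and the ICMP error only helps if the endpoint honours it, which is why the technique suits query-response protocols rather than long-lived streams.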
What does an end-user experience when ForeScout CounterACT starts to enforce network access control policies?
Enterprise end-users whose credentials are present in the enterprise authentication system will generally not notice anything different; their PCs will be automatically joined to the network. However, users that are non-compliant will see either automatic or guided remediation efforts. These begin with notification via email, HTTP, or balloon messages.
Your policy on how to handle guest users can be customized to meet the needs of your organization. Most people configure ForeScout CounterACT so it will prompt guests to enter a network password, or to register for a password if they have never before joined the network.
Yes. ForeScout CounterACT provides a built-in policy to identify and distinguish guest users from corporate users. The most critical part of any guest networking application is the ability to determine whether a connecting device is a “guest”. Because organizations have various standards for what constitutes a guest device, ForeScout CounterACT provides several options to identify guest vs. corporate devices. These include — but are not limited to — the following:
- Device authentication vs. Active Directory
- Check for presence of SecureConnector installed on the device
- Check to see if the device is not part of the domain, or if admin credentials fail
- Check to see if the device is on an “approved device list”
- Check to see if the NetBIOS hostname matches corporate standard
- Query an endpoint for buried registry settings or a specific file
- Any combination of the above
Yes. ForeScout CounterACT can manage users and enforce their network access based on the role of the logged-in user. User management can be done internally or via integration with any of the common identity management systems.
ForeScout CounterACT works with Microsoft AD, Novell directory, Sun, Lotus Notes, RADIUS, TACACS, and any user-defined LDAP server.
ForeScout CounterACT supports Nortel and Juniper SSL VPN gateways and Cisco, Nortel and Juniper IPsec VPN gateways. ForeScout CounterACT provides the ability to conduct compliance checks on connecting endpoints (post-connection to VPN gateway). The device is automatically checked for any malicious threat and, if found, the connection is terminated – with temporary revocation of the user’s credentials. ForeScout CounterACT can notify the end user prior to disconnecting their device. Enforcement is completely configurable and can be set for a specific timeframe (e.g., User “janedoe” will not be allowed to logon for 1 hour).
ForeScout CounterACT keeps track of traffic from network devices. Rogue devices show up as new network devices that do not conform to policies. For example, they show up as NAT devices, or as devices from an unapproved vendor.
ForeScout CounterACT uses both passive monitoring and active scanning to detect devices on the network, as long as the device has an IP address or is connected to a device with an IP address. The only devices that ForeScout CounterACT cannot detect are completely passive devices like an Ethernet line tap. For more details, see our whitepaper “Device Host and Detection Methods“.
Yes, ForeScout allows enterprises to quickly enable a bring-your-own-PC to work policy. Without agents or through a non-persistent agent, ForeScout CounterACT can identify, assess the security posture and apply a variety of controls for any device connecting to the network. In particular, systems that do not have particular security services invoked can be re-directed to a self-remediation center or ForeScout CounterACT can attempt to remediate the endpoint with little to no IT intervention. See a presentation on how ForeScout enables and safeguards BYOPC – IT Consumerization. Learn how the City of Guelph advanced their BYOPC policy using ForeScout CounterACT.
ForeScout CounterACT operates as an out-of-band network security appliance (physical or virtual appliance). The appliance connects to a core, distribution or access-layer switch via span port, mirror port or via traffic aggregator. An out-of-band Network Access Control appliance has the following advantages over in-line approaches:
- Seamless deployment: does not require any architectural changes or down time.
- Does not impact network performance.
- Cannot be a single point of failure.
- Fails open: because enforcement goes through the switch, RADIUS and packet-injection paths rather than through an in-line device, an unavailable appliance does not interrupt traffic. The trade-off is that no new enforcement happens until it is back.
- Flexible deployment: broad infrastructure support.
CounterACT provides customers with a wide variety of deployment options depending on their needs, the level of network access and endpoint compliance control, as well as the operating environment. The appliance connects to a core, distribution or access-layer switch via span port, mirror port or via traffic aggregator. ForeScout recommends placing CounterACT at the distribution or core layer switches, but this approach will vary depending on each customer’s specific needs and network architecture. In some cases, the CounterACT appliance does not even have to be on the same network as the endpoints being monitored, for example at customers that have remote sites.
ForeScout CounterACT can be deployed with or without an agent on the desktop. Both options provide full functionality.
The name of our agent is ForeScout SecureConnector. SecureConnector can be installed in either dissolvable or permanent (persistent) mode. Once installed, SecureConnector creates an SSL-encrypted, VPN-like tunnel back to the ForeScout CounterACT appliance. SecureConnector supports Windows (2000, XP, 2003, Vista, Windows 7), Mac and Linux/Unix devices.
Regardless of whether you use our agent, the ForeScout CounterACT appliance performs the endpoint interrogation, remediation and enforcement. This includes patch levels, anti-virus status, registry settings, services/processes, firewall configuration, file versions, application compliance, termination of specific processes, USB enforcement, log-off, shutdown, and running customer-defined scripts. It is important to note that the trust and logic of policy enforcement are maintained by the ForeScout CounterACT appliance rather than by the endpoint agent. This is a security benefit, because malware will often attempt to spoof or disable the security agents that are resident on the host.
ForeScout CounterACT can obtain some information about endpoint devices through passive listening and interrogation of the switch infrastructure. In order to obtain detailed information about endpoint devices, ForeScout CounterACT conducts a remote login to the device. Once logged in, ForeScout CounterACT can inspect virtually any criteria, including registry settings and active/inactive processes. ForeScout also offers a lightweight agent called SecureConnector which is helpful for:
- Killing or controlling USB ports
- More frequent killing of a process (up to once each second, instead of once each minute without SecureConnector)
- Balloon messages
- VoIP environments
- Present/missing applications. This covers standard NAC criteria (AV, patch level, IM, etc.)
Does ForeScout CounterACT detect the existence of malware on an endpoint or propagation of malware on your network?
Yes, using multiple methods:
- Detecting attacks on the network, using ForeScout’s patented ActiveResponse technology.
- Detecting unexpected behavior, such as when a printer starts acting like a Windows host.
- Detecting effects of malware, e.g. when antivirus is repeatedly disabled on a system
- Unauthorized configuration changes or drifts, e.g. change to registry settings
For example, ForeScout ActiveResponse was able to detect and block attacks such as Zeus, Stuxnet and the FLAME zero-day attacks on day zero, before any security company had developed a signature for them. The technology has detected and blocked tens of thousands of worms, such as the infamous Conficker. Armed with ActiveResponse™, companies can reduce the risk of APTs in two ways. First, it blocks APTs that attempt to spread over the network, as FLAME did. Second, it can thwart the ability of APTs to locate and steal information over the network by identifying their behaviour, as was the case in Operation Aurora.
Yes. The U.S. Department of Homeland Security now requires all U.S. Federal agencies to continuously monitor IT infrastructure to eliminate intrusions (confidentiality), protect sensitive information (integrity), and mitigate exposure to denial of service cyber-attacks (availability). ForeScout CounterACT addresses these Federal requirements. CounterACT uses a combination of discovery techniques to accurately classify and inspect endpoints. CounterACT’s agentless approach enables it to work with endpoints that are managed and unmanaged, known and unknown. For more information, see our solution brief titled “Addressing Continuous Diagnostics & Mitigation (CDM) Requirements with ForeScout CounterACT”.
Yes. ForeScout CounterACT offers fully automatic remediation. In addition, it can integrate with third-party patch management systems (such as Microsoft SMS/SCCM, WSUS, etc.). ForeScout CounterACT provides automated remediation using clientless or agent-based methods. This includes patch management, antivirus updating, registry and configuration management, application and service control, file version management, as well as a completely scriptable configuration and installation system.
Yes. ForeScout CounterACT offers Web-based interactive user dialogs with automated or self-guided remediation.
The ForeScout CounterACT system communicates with the user with personalized, customizable web pages. Because ForeScout CounterACT can open these web pages automatically (without waiting for the user to browse the web) the user is immediately informed. The web interface can direct the user to resolve the problem with detailed instructions, web links or contact phone numbers, or merely inform the user of the remediation that is being done automatically by the appliance.
Does the ForeScout CounterACT agent pass parameters (e.g., missing patch) to a remediation agent, or does it simply “kick off” the remediation agent?
Both are possible. When remediating the endpoint using its own clientless or agent-based method, the ForeScout CounterACT system passes on specific parameters (i.e. configuration, registry value, etc.). When leveraging a third-party agent, ForeScout CounterACT will cue the update agent then monitor for completion of the remediation process.
Yes: ForeScout CounterACT integrates with Remedy and can send alerts to most any trouble ticketing system using industry-standard protocols (SYSLOG, SNMP, SMTP).
ForeScout CounterACT is fully integrated with Microsoft SMS/SCCM and can trigger remediation by that system. If an endpoint is found to be out-of-compliance due to out-of-date antivirus, ForeScout CounterACT can trigger an AV update. Most importantly, ForeScout CounterACT includes a scripting engine that integrates with virtually any remediation product. In short, a customized script can be written to cue any patch process based on policy results: for Mac/Linux, this will be a shell script; for Windows this will be a C-script; we also support standard console scripts that will initiate .bat and .exe files.
Yes, based upon ForeScout’s patented technology. ForeScout CounterACT can instantly identify both human and self-propagating threats without requiring signatures or anomaly detection.
Following the patented ActiveResponse ™ methodology, the appliance uses specially-crafted information to respond to network reconnaissance and access attempts. If a device takes this information and attempts to use it to gain access to the resource, ForeScout CounterACT determines this to be a malicious threat. Based upon enforcement policy in place, the device will be isolated, quarantined or blocked.
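An added illustration of the principle described in this answer (this is example code, not ForeScout's implementation, whose internals are patented and not described on this page): reconnaissance from a host is answered with decoy resources that exist only in the detector's memory, and any later attempt to use a decoy is a hit that needs no signature or baseline. Because each decoy is remembered together with the host it was served to, a hit can be attributed to the original scanner even when a different host follows up. The decoy range 10.250.0.0/16, the probe kinds, the `src=... event=...` log format and the three-hit quarantine threshold are assumptions; the log lines are constructed.

```python
"""ActiveResponse-style deception detector.  Added example; not ForeScout's code.
The decoy address range, probe kinds, log format and policy threshold are all
assumptions made for this demonstration."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DECOY_NET = ipaddress.ip_network("10.250.0.0/16")      # assumed: no real hosts live here
DECOY_PORT = {"arp-sweep": 445, "netbios-browse": 139, "ssh-banner": 22}  # assumed
QUARANTINE_AFTER = 3                                     # assumed policy threshold

LOG_RE = re.compile(r"src=(?P<src>\S+) event=(?P<event>\S+)(?: kind=(?P<kind>\S+))?"
                    r"(?: dst=(?P<dst>\S+) dport=(?P<dport>\d+))?")


@dataclass(frozen=True)
class Verdict:
    src: str
    action: str               # "block" this flow, or "quarantine" the endpoint
    decoy: str                # "ip:port" the host tried to use
    handed_to: Optional[str]  # host that was originally served this decoy


def is_decoy(ip: str) -> bool:
    return ipaddress.ip_address(ip) in DECOY_NET


class ActiveResponseDetector:
    def __init__(self) -> None:
        self._next_host = 1
        self.bait: Dict[str, str] = {}                      # decoy -> recon source served
        self.hits: Dict[str, Set[str]] = defaultdict(set)   # src -> decoys it touched

    def answer_recon(self, src: str, kind: str) -> str:
        """Serve a fresh decoy to a scanning host and remember who received it."""
        host = DECOY_NET[self._next_host]
        self._next_host = self._next_host % (DECOY_NET.num_addresses - 2) + 1
        decoy = f"{host}:{DECOY_PORT.get(kind, 80)}"
        self.bait[decoy] = src
        return decoy

    def observe_connection(self, src: str, dst_ip: str, dport: int) -> Optional[Verdict]:
        """Real destinations are ignored; any use of decoy space is a hit."""
        if not is_decoy(dst_ip):
            return None
        decoy = f"{dst_ip}:{dport}"
        self.hits[src].add(decoy)
        action = "quarantine" if len(self.hits[src]) >= QUARANTINE_AFTER else "block"
        return Verdict(src, action, decoy, self.bait.get(decoy))

    def process_log(self, lines: List[str]) -> List[Verdict]:
        """Replay 'recon' and 'connect' events; verdicts are returned in order."""
        verdicts = []
        for line in lines:
            m = LOG_RE.search(line)
            if not m:
                continue
            if m["event"] == "recon":
                self.answer_recon(m["src"], m["kind"])
            elif m["event"] == "connect":
                verdict = self.observe_connection(m["src"], m["dst"], int(m["dport"]))
                if verdict:
                    verdicts.append(verdict)
        return verdicts


# Constructed event log: one worm-like host, one normal host, one follow-up host.
SAMPLE_LOG = [
    "t=1 src=10.0.0.5 event=recon kind=arp-sweep",             # gets decoy 10.250.0.1:445
    "t=2 src=10.0.0.5 event=recon kind=netbios-browse",        # gets decoy 10.250.0.2:139
    "t=3 src=10.0.0.9 event=connect dst=10.0.1.20 dport=443",  # ordinary traffic, ignored
    "t=4 src=10.0.0.5 event=connect dst=10.250.0.1 dport=445", # hit 1: block
    "t=5 src=10.0.0.5 event=connect dst=10.250.0.2 dport=139", # hit 2: block
    "t=6 src=10.0.0.5 event=recon kind=ssh-banner",            # gets decoy 10.250.0.3:22
    "t=7 src=10.0.0.5 event=connect dst=10.250.0.3 dport=22",  # hit 3: quarantine
    "t=8 src=10.0.0.7 event=connect dst=10.250.0.1 dport=445", # relayed target, traced to 10.0.0.5
]


def run_scenario() -> List[Verdict]:
    return ActiveResponseDetector().process_log(SAMPLE_LOG)


if __name__ == "__main__":
    for v in run_scenario():
        print(v)
```

The key design choice is that nothing legitimate ever references decoy space, so a single packet into it is conclusive and the policy escalation (block the flow first, quarantine after repeated hits) is driven by count rather than by any model of normal behaviour.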
Yes, ForeScout CounterACT allows you to define a change tracking policy. This feature allows the administrator to take automatic action when a specific property of an end-point changes (for example, if an end-point profile changes from “Printer” to “windows”).
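As an added example (not ForeScout's code) of the change-tracking idea in this answer and in the earlier point about a printer that starts acting like a Windows host, the block below diffs two inventory snapshots of the same MAC address and runs the changed properties through a small rule table. The snapshot fields, the classifier labels ("printer", "windows"), the switch port names and the rule table are assumptions made for the example; the snapshots are constructed.

```python
"""Change-tracking policy: diff two snapshots of one endpoint and decide an
action.  Added example; not ForeScout's code.  Fields, labels and rules are
assumptions for the demonstration."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    mac: str
    ip: str
    classification: str            # e.g. "printer", "windows", "voip-phone"
    switch_port: str
    open_ports: FrozenSet[int] = frozenset()


TRACKED = ("ip", "classification", "switch_port", "open_ports")
SEVERITY = {"log": 0, "alert": 1, "quarantine": 2}


def _appliance_became_general_purpose(old: str, new: str) -> bool:
    """A device profiled as an appliance reappearing as a general-purpose OS is the
    classic sign of a spoofed MAC on an exception-listed port."""
    return old in {"printer", "voip-phone", "camera"} and new not in {old, "unknown"}


# (property, predicate(old, new), action) -- assumed policy, first match is not final:
# every matching rule fires and the highest severity wins.
RULES: List[Tuple[str, Callable[[object, object], bool], str]] = [
    ("classification", _appliance_became_general_purpose, "quarantine"),
    ("classification", lambda o, n: True, "alert"),
    ("switch_port", lambda o, n: True, "alert"),
    ("open_ports", lambda o, n: bool(n - o), "alert"),   # only newly opened ports
    ("ip", lambda o, n: True, "log"),                    # a new lease is routine
]


def diff_properties(old: Snapshot, new: Snapshot) -> Dict[str, Tuple[object, object]]:
    """Every tracked property whose value changed, keyed by name."""
    changed = {}
    for name in TRACKED:
        before, after = getattr(old, name), getattr(new, name)
        if before != after:
            changed[name] = (before, after)
    return changed


def evaluate(old: Snapshot, new: Snapshot) -> Optional[str]:
    """Highest-severity action triggered by the change, or None if nothing tracked changed."""
    if old.mac != new.mac:
        raise ValueError("snapshots must describe the same endpoint (MAC)")
    changed = diff_properties(old, new)
    best: Optional[str] = None
    for prop, predicate, action in RULES:
        if prop in changed and predicate(*changed[prop]):
            if best is None or SEVERITY[action] > SEVERITY[best]:
                best = action
    return best


def run_scenario() -> Dict[str, Optional[str]]:
    """Constructed snapshots: a printer whose MAC reappears as a Windows host,
    and a laptop that renews its lease and later moves to another port."""
    printer = Snapshot("00:11:22:33:44:55", "10.0.5.10", "printer", "Gi1/0/7", frozenset({9100, 631}))
    printer_now = Snapshot("00:11:22:33:44:55", "10.0.5.10", "windows", "Gi1/0/7", frozenset({135, 445, 3389}))
    laptop = Snapshot("aa:bb:cc:dd:ee:ff", "10.0.7.20", "windows", "Gi1/0/12", frozenset({445}))
    laptop_lease = Snapshot("aa:bb:cc:dd:ee:ff", "10.0.7.31", "windows", "Gi1/0/12", frozenset({445}))
    laptop_moved = Snapshot("aa:bb:cc:dd:ee:ff", "10.0.7.31", "windows", "Gi1/0/3", frozenset({445, 8080}))
    return {
        "printer_becomes_windows": evaluate(printer, printer_now),
        "laptop_new_lease": evaluate(laptop, laptop_lease),
        "laptop_moved_new_port": evaluate(laptop_lease, laptop_moved),
        "no_change": evaluate(laptop_moved, laptop_moved),
    }


if __name__ == "__main__":
    for name, action in run_scenario().items():
        print(f"{name:26s} -> {action}")
```

Keying the comparison on the MAC address is deliberate: on an 802.1X exception list the MAC is the identity the switch trusts, so a change in everything else about the "same" device is exactly the signal a MAC-based exception cannot provide on its own.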
ForeScout CounterACT provides real-time visibility and control over smartphones, tablets and wireless devices on your network. With our solution, you can let users enjoy the productivity benefits of modern handheld devices while you protect your network against malicious threats and data loss. Capabilities include:
- Detection: Identify mobile devices the moment they try to connect to your network, either via a wireless access point or a wired network port. No agents or software are required.
- Visibility: Categorize and report handheld mobile devices by brand and by user. ForeScout supports Apple iPhone and iPad, Windows Mobile, Nokia Symbian, Android, and BlackBerry devices. With the addition of ForeScout Mobile Security Module, you can see detailed information about each device such as hardware model, OS version, installed apps, IP address, serial number, phone number, and more.
- Registration: ForeScout CounterACT can force mobile users to go through an automated guest registration process via HTTP hijack.
- Network Control: Apply custom network access policies to corporate and personal smartphone and mobile devices. Available control options include Allow, Block, or Limit. ForeScout CounterACT lets you automatically control where different types of people can go on your network, based on who they are or what device they are using.
- Device Control: With ForeScout Mobile Security Module, you can directly control configuration settings and remediate security deficiencies. ForeScout Mobile Security Module lets you remediate iOS devices with actions such as remote wipe; enforce password policy; require apps such as anti-virus, MDM or virtualization; remove or disable native apps such as the camera; and enforce specific WiFi access methods. Our MDM Integration Module lets you automatically trigger device remediation as provided by your MDM system.
- Protection: If malware exists on the mobile device and tries to propagate or interrogate your network, ForeScout CounterACT will detect the malicious behavior, block the threat, and can automatically quarantine or remove the mobile device from your network. ForeScout CounterACT for mobile security includes ForeScout’s patented ActiveResponse™ technology.
- Productivity: ForeScout CounterACT frees workers to use mobile and wireless devices of choice, for maximum productivity.
ForeScout CounterACT identifies iPhone, iPad, Android, Blackberry, Windows Mobile, Nokia Symbian.
No, the features shown above do not require the presence of an agent on the handheld device.
Does ForeScout CounterACT or ForeScout Mobile Security Module replace Mobile Device Management solutions?
No, ForeScout CounterACT and the ForeScout Mobile Security Module complement MDM solutions, as per the following chart:
| Feature | ForeScout CounterACT | MDM Solutions |
|---|---|---|
| Network Access Control | Yes: unified network access controls for PCs and handheld devices | No; MDM only controls access to email via ActiveSync |
| Real-time visibility of your network | Yes | No; only managed handheld devices |
| Compliance management and remediation | ForeScout CounterACT provides compliance management and remediation for PCs. ForeScout Mobile Security Module provides compliance management and remediation for iOS devices | Handheld devices only |
| Security management (password, encryption, remote wipe, etc.) | ForeScout CounterACT provides compliance management and remediation for PCs. ForeScout Mobile Security Module provides security functions for iOS such as set encryption, remote wipe, remote lock, set password | Handheld devices only |
Bring Your Own Device (BYOD) represents a daunting security challenge. ForeScout’s products let organizations accommodate personal mobile devices on the network without compromising security. ForeScout CounterACT provides real-time visibility of personal and mobile devices, limits the network access of those devices, and prevents those devices from spreading malware on the network. ForeScout Mobile Security Module provides additional capabilities including deep inspection of handheld device’s properties and compliance status, and the ability to manage configuration of supported devices. For more information, see here.
To obtain an in-depth IDC analyst report on how to architect a flexible bring-your-own-device strategy, click here.