NAC Deployment With Minimal Network Changes

When working with new customers deploying network access control, I am often asked: “How can servers be secured with minimal change in the network?” This is very relevant since often many departments own the network, and IT may not have full authority over the entire network.

CounterACT can quickly and completely secure traffic to internal servers with little to no change of your network. Forescout offers an out-of-band deployment to a switch that will be able to monitor every connection to any IP device. There are only a few requirements needed with this approach. The first requirement is a mirror port for the server’s traffic. This can be a mirror on the physical port or on the VLAN where they are located. Secondly, CounterACT needs a port to connect to. This allows IT to monitor all the traffic with the SPAN port and use a virtual firewall with TCP resets as a control for access. In addition, if integration with the switch is available, a dynamic ACL can be applied.

Initially, IT will define a segment for CounterACT that includes the server being protected – note this may be a set of servers. This segment will be the one assigned as the internal network and will be monitored for inventory. Every port and every TCP connection that is connected will be detected.

With this setup you will be able to do the following quickly:

1. Create a whitelist of all services being hosted by your server
2. Identify open ports on your server and close them with ACL or virtual firewall dynamically and automatically
3. Monitor all TCP connections; be able to limit the connections to only the whitelisted ports and IP’s
4. Add an additional layer of security to IP connections by requiring authentication
5. Send a web portal authentication request to the connecting user
6. Detect and monitor TCP connections with the server

With CounterACT, security can be quickly deployed and pinpointed to the devices that need protection.