NAC Deployment With Minimal Network Changes

Luis Romero | January 17, 2014
When working with new customers deploying network access control, I am often asked: “How can servers be secured with minimal change in the network?” This is very relevant since often many departments own the network, and IT may not have full authority over the entire network.
CounterACT can quickly and completely secure traffic to internal servers with little to no change to your network. Forescout offers an out-of-band deployment, connected to a switch, that can monitor every connection to any IP device. This approach has only a few requirements. The first is a mirror port for the servers' traffic; this can be a mirror of the physical port or of the VLAN where the servers are located. Second, CounterACT needs a switch port to connect to. This allows IT to monitor all the traffic via the SPAN port and use a virtual firewall, enforced with TCP resets, as an access control. In addition, if integration with the switch is available, a dynamic ACL can be applied.
Initially, IT will define a segment for CounterACT that includes the server being protected (note that this may be a set of servers). This segment will be assigned as the internal network and will be monitored for inventory. Every open port and every TCP connection will be detected.
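To make the out-of-band model concrete, here is an added example (not CounterACT code, and not from the original post) that models the two steps above: inventory every connection seen on the mirror port for servers in a protected segment, then decide per flow whether it is allowed, should be torn down with a TCP reset, or, because it is UDP and has no TCP session to reset, needs the switch-integrated dynamic ACL instead. The segment, policy and flow records are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of connections as an out-of-band sensor would see them
# on the SPAN port. Fields: protocol, client IP, server IP, server port.
FLOWS = [
    ("tcp", "10.1.5.20", "10.20.30.10", 443),
    ("tcp", "10.1.5.20", "10.20.30.10", 22),
    ("tcp", "192.168.99.4", "10.20.30.11", 3389),
    ("udp", "192.168.99.5", "10.20.30.11", 161),
    ("tcp", "10.1.5.22", "10.99.0.5", 80),   # server outside the protected segment
]

# Hypothetical protected server segment and access policy (assumed values).
SEGMENT = ipaddress.ip_network("10.20.30.0/24")
# server port -> client networks allowed to reach it
POLICY = {
    443: [ipaddress.ip_network("10.0.0.0/8")],
    22: [ipaddress.ip_network("10.1.0.0/16")],
    3389: [ipaddress.ip_network("10.1.50.0/24")],
    161: [ipaddress.ip_network("10.1.0.0/16")],
}


def in_segment(ip):
    return ipaddress.ip_address(ip) in SEGMENT


def inventory(flows):
    """Server -> sorted list of (proto, port) observed on the mirror port."""
    seen = defaultdict(set)
    for proto, _src, dst, port in flows:
        if in_segment(dst):
            seen[dst].add((proto, port))
    return {srv: sorted(ports) for srv, ports in seen.items()}


def decide(flow):
    """Return 'ignore', 'allow', 'reset' or 'acl' for one observed flow."""
    proto, src, dst, port = flow
    if not in_segment(dst):
        return "ignore"  # not in the monitored segment
    if any(ipaddress.ip_address(src) in net for net in POLICY.get(port, [])):
        return "allow"
    # A spoofed TCP RST can tear down a TCP session, but UDP has no session
    # to reset, so that traffic can only be blocked by a dynamic ACL.
    return "reset" if proto == "tcp" else "acl"


def enforce(flows):
    return {flow: decide(flow) for flow in flows}
```

Note that out-of-band reset enforcement is reactive: the first packets of a disallowed TCP session reach the server before the reset does, which is why the dynamic ACL path is the stronger control where switch integration exists.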
With this setup you will be able to do the following quickly:
With CounterACT, security can be quickly deployed and pinpointed to the devices that need protection.