By Cameron Sturdevant  |  Posted 2006-02-06

Forescout Technologies CounterAct 5.1 network access control appliance goes beyond simple worm detection with new rules that determine whether endpoints, including many common wireless access points, can connect to internal protected networks.

Using an agentless approach, CounterAct 5.1 performs extensive network monitoring before, during and after endpoint connection time. Many NAC tools check the endpoint only at connection time for such characteristics as anti-virus software.

However, the Forescout product has significant room for improvement when it comes to detecting rogue wireless access points. During eWEEK Labs tests, CounterAct 5.1's performance in this area was below par when compared with almost any other wireless security product: We had to add log-on scripts for our Microsoft Windows Server 2003 Active Directory installation, as well as actually walk around our test environment to find rogue access points.

Despite this disappointment, IT organizations whose mobile users frequently connect and disconnect (and connect again) to the protected network should consider implementing CounterAct 5.1. They should keep in mind, however, that achieving the full benefit of the product will require a significant investment in time to create custom policies.

CounterAct 5.1 watches client traffic mainly to detect worm propagation in the protected network.

Because worms are normally quite chatty during propagation, CounterAct 5.1—which started life as a worm detection tool called ActiveScout—is quite accurate. With almost no effort beyond installing the appliance on our network, we were able to detect worm-infected machines.
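The "chatty worm" heuristic described above can be illustrated with a small fan-out detector over flow summaries of the kind a monitor-port sensor would produce. This is an added example, not Forescout's code; the flow records, thresholds and field names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow summaries: (timestamp, src_ip, dst_ip, dst_port).
# Host 10.1.1.20 plays an infected machine sweeping 12 neighbours on
# one port within a few seconds; 10.1.1.30 is ordinary client traffic.
SAMPLE_FLOWS = [
    ("2006-02-06 09:00:%02d" % i, "10.1.1.20", "10.1.2.%d" % (i + 1), 445)
    for i in range(12)
] + [
    ("2006-02-06 09:00:05", "10.1.1.30", "10.1.1.5", 80),
    ("2006-02-06 09:00:07", "10.1.1.30", "10.1.1.6", 80),
    ("2006-02-06 09:00:09", "10.1.1.30", "10.1.1.7", 445),
]


def parse_flow(rec):
    """Turn one (timestamp, src, dst, port) tuple into typed values."""
    ts, src, dst, port = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, port


def find_chatty_hosts(flows, window=timedelta(seconds=60), fanout_threshold=10):
    """Return {src_ip: max_distinct_destinations} for sources that contacted
    more than `fanout_threshold` distinct hosts on the same destination port
    inside any `window`-long interval. A worm scanning a subnet produces
    exactly this pattern; normal clients rarely do."""
    events = sorted(parse_flow(f) for f in flows)
    per_src = defaultdict(list)          # src -> [(ts, dst, port), ...]
    for ts, src, dst, port in events:
        per_src[src].append((ts, dst, port))

    flagged = {}
    for src, lst in per_src.items():
        # Slide a window starting at each of this source's events.
        for i, (t0, _, p0) in enumerate(lst):
            dsts = {d for t, d, p in lst[i:] if t - t0 <= window and p == p0}
            if len(dsts) > fanout_threshold:
                flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged


if __name__ == "__main__":
    for host, fanout in find_chatty_hosts(SAMPLE_FLOWS).items():
        print("possible worm propagation from %s: %d distinct targets" % (host, fanout))
```

Tune `window` and `fanout_threshold` to the environment: a backup server or vulnerability scanner legitimately fans out and needs an allow-list, which is the kind of custom policy work the review says the product requires.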

CounterAct 5.1, which became available Jan. 23, is priced based on the amount of bandwidth needed to process network activity and the number of machines monitored. The CT-100 model that we tested (with the 100 representing 100M bps) starts at $12,000. The CT-1000 (1,000M bps) is priced starting at $48,995.

CounterAct 5.1 does not provide high availability or failover mode, so there is no pair pricing for redundancy. Company officials said this capability is being considered for a future version of the product, due in April.

Like many internal network security control devices, CounterAct 5.1 uses a monitor port on the switch to track network activity.

During tests, that meant configuring a mirror port on our Cisco Systems 3550 switch. We connected the monitor line to the CounterAct 5.1 CT-100 appliance so that we could see the traffic on our network. We connected a second cable from the CounterAct 5.1 CT-100 back to the switch.

This connection, called an injection port by Forescout, allowed the device to stop bad traffic on our network. We made a third connection from the CounterAct 5.1 CT-100 to the network for the sole purpose of managing CounterAct 5.1.

Aside from creating the monitor ports, we made no other changes to our test network to accommodate the CounterAct 5.1 CT-100 device. The ease of initial installation was facilitated by the fact that CounterAct 5.1 is an agentless network security device. Using the connections and configuration changes noted above, we easily connected the device to our network in about half an hour, about the amount of time most IT managers should plan to spend.

The more time-consuming aspect of installation came, as we expected, when we implemented policy rules to tell CounterAct 5.1 how to govern our network.

There is no shortcut to creating these rules, and IT managers will need to devote some serious study time with the users manual to get up to speed on the myriad options that can be turned into policy rules. Once we became familiar with what conditions CounterAct 5.1 can recognize, the task of actually writing the policy rules was trivial.

We tested the rogue wireless access point detection now included in CounterAct by connecting a D-Link AirPlus Xtreme G wireless access point to our test network.

It almost wasn't worth the trouble—to detect a rogue access point, it must have an IP address inside the range that CounterAct 5.1 is protecting. When we assigned an access point an address outside the protected range, CounterAct 5.1 ignored the access point—or, rather, was unaware of its presence.

To detect access points outside the protected range, CounterAct 5.1 informed us, we would need to add several components. These components are free, but we think this all adds up to one big management headache.

Once a rogue access point was discovered, CounterAct 5.1 excelled at disrupting traffic traveling over it. The virtual firewall feature basically intercepted TCP connections destined to be sent over the rogue access point and sent a TCP reset to the Web server.

As with previous versions of CounterAct, optional plug-ins are available for free that will shore up Version 5.1's security. For example, we used the switch plug-in that works with Cisco's and Extreme Networks' equipment to successfully turn off the port that was associated with worm-infected systems on our network.


Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at csturdevant@eweek.com.
