A Little Planning Goes a Long Way
I built the policy quite easily; however, it's important to note
that trying to deploy any NAC solution without a little upfront
planning will strongly steer you towards failure. Likewise, the
CounterACT Console has a great look and feel, and excellent
context-sensitive help, but you have to at least have conceptualized
your policies in advance or this can get confusing very quickly. In
addition, as the consequences of denying authorization to legitimate
PCs/users can be dire (like shutting down your CEO during the morning
of a board meeting), configuring CounterACT 100 is not something that
you can just wing.
Policy can be built very easily with proper planning. In the
CounterACT Console, I clicked on the stoplight icon to open the NAC
Policy Manager, clicked Add in the left pane to add folders for
Production and Test in order to organize my new policies. Once in the
Test folder, I clicked Add in the right pane, which opened the NAC
Policy Wizard. From here I could select from different templates (Asset
Classification, Guest Policy, Compliance, Malicious Hosts, PCI
Compliance) or create a custom policy. Policies can be built for just
about anything: verifying that endpoints have antivirus running with
recent definitions, that no mass storage devices are connected to USB
ports, that the user authenticated via AD or LDAP, or matching on MAC
address, IP address, and running processes. Likewise, a remediation
action can be attached to each condition, ranging from sending the user
to a portal page with instructions, to moving the workstation to an
isolated VLAN, to providing Internet-only access (for guests). Alerts
can be issued to administrators via SNMP, e-mail or syslog.
You can push a silent install of the SmartConnect client to remediate workstations being used by users not in AD or LDAP.
The only thing that disappointed me during testing was the IPS
features. The CounterACT 100 monitors the internal network and attached
devices for malware-like behavior. The CounterACT 100 identified
neither internal Nmap scans nor outbound DoS attacks originating from
an internal device. However, when I ran a "worm generation tool"
available from ForeScout, the CounterACT 100 correctly identified the
traffic and isolated the endpoint from the LAN immediately. Although
some IPS functionality is included in the CounterACT 100, I recommend a
full-featured external IPS solution.
Reporting and data searching are exemplary. A Web-based portal
allows authorized users to query by a variety of parameters, such as IP
address, MAC address or OS, including wildcards. It's easy to install a
Firefox search engine to query the CounterACT 100, which can make life
a lot easier for support staff to figure out the status of network
devices when fielding tech support calls. I easily searched for systems
to determine their most recent security assessment, how and when they
were accessed, and what remediation was taken. It's easy to generate
reports in the same fashion, which can be scheduled, exported to PDF or
CSV and e-mailed.
Integration with eEye Digital Security's Retina
vulnerability assessment platform is a distinguishing feature for
ForeScout CounterACT 100. The first NAC device to support such
integration, this allows organizations, such as the U.S. military, to
combine the endpoint security assessment features of both CounterACT
100's interrogation and Retina's deep scans. I easily configured the
two to work together. This provided some very cool features, such as
the ability to not allow endpoints to use the network if they hadn't
been scanned by Retina in more than a week, and then force a new scan.
Tight integration with Retina is icing on the cake for shops (like
mine) that rely on Retina's vulnerability assessment services.
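The policy model the review describes (a list of endpoint conditions, each tied to a remediation action and optionally an administrator alert, plus the Retina-style "deny if not scanned in more than a week, then force a rescan" rule) can be illustrated with a small rule engine. This is an added example written for this page, not ForeScout's code or CounterACT's policy format; the endpoint attribute names, rule names, VLAN labels, thresholds and the syslog line format are all assumptions chosen for the illustration, and the sample endpoints are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

# Hypothetical endpoint record; attribute names are assumptions, not CounterACT's schema.
@dataclass
class Endpoint:
    ip: str
    mac: str
    directory_user: Optional[str]       # AD/LDAP account; None for unknown or guest users
    av_running: bool
    av_definitions_age_days: int
    usb_mass_storage: bool
    last_vuln_scan: Optional[datetime]  # last external (Retina-style) scan; None if never scanned

@dataclass
class Rule:
    name: str
    matches: Callable[[Endpoint, datetime], bool]
    action: str          # remediation action applied when the rule matches
    alert: bool = False  # whether administrators are notified

@dataclass
class Decision:
    rule: str
    action: str
    alerts: list = field(default_factory=list)    # syslog-style alert lines
    followup: list = field(default_factory=list)  # follow-up tasks, e.g. a forced rescan

SCAN_MAX_AGE = timedelta(days=7)   # "not scanned in more than a week" (assumed threshold)
DEFINITIONS_MAX_AGE_DAYS = 3       # assumed freshness threshold for AV definitions

def scan_is_stale(ep: Endpoint, now: datetime) -> bool:
    return ep.last_vuln_scan is None or now - ep.last_vuln_scan > SCAN_MAX_AGE

def syslog_line(ep: Endpoint, rule: Rule, now: datetime) -> str:
    # RFC 3164-style text; the tag and fields are constructed for this example.
    return (f"{now:%b %d %H:%M:%S} nac-policy: rule={rule.name} "
            f"ip={ep.ip} mac={ep.mac} action={rule.action}")

# Sub-rules are ordered most restrictive first; the first match decides the action,
# so a guest never reaches the compliance checks meant for managed PCs.
RULES = [
    Rule("guest-no-directory-account", lambda ep, now: ep.directory_user is None,
         "internet-only-vlan"),
    Rule("usb-mass-storage-present", lambda ep, now: ep.usb_mass_storage,
         "isolation-vlan", alert=True),
    Rule("antivirus-not-running", lambda ep, now: not ep.av_running,
         "isolation-vlan", alert=True),
    Rule("antivirus-definitions-old",
         lambda ep, now: ep.av_definitions_age_days > DEFINITIONS_MAX_AGE_DAYS,
         "remediation-portal"),
    Rule("vuln-scan-stale", scan_is_stale, "deny-until-rescanned", alert=True),
]

def evaluate(ep: Endpoint, now: datetime, rules=RULES) -> Decision:
    """Return the remediation decision for one endpoint (first matching rule wins)."""
    for rule in rules:
        if rule.matches(ep, now):
            decision = Decision(rule.name, rule.action)
            if rule.alert:
                decision.alerts.append(syslog_line(ep, rule, now))
            if rule.name == "vuln-scan-stale":
                # Deny access and queue a fresh scan, as in the Retina integration described.
                decision.followup.append(f"request-rescan {ep.ip}")
            return decision
    return Decision("compliant", "allow")

# Constructed sample data for a stand-alone run.
SAMPLE_NOW = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_ENDPOINTS = {
    "managed-ok": Endpoint("10.0.0.2", "00:11:22:33:44:02", "alice", True, 1, False,
                           SAMPLE_NOW - timedelta(days=2)),
    "guest": Endpoint("10.0.0.3", "00:11:22:33:44:03", None, False, 30, False, None),
    "usb-storage": Endpoint("10.0.0.4", "00:11:22:33:44:04", "bob", True, 1, True,
                            SAMPLE_NOW - timedelta(days=1)),
    "never-scanned": Endpoint("10.0.0.5", "00:11:22:33:44:05", "carol", True, 2, False, None),
}

def run_samples() -> dict:
    """Evaluate every constructed sample endpoint and return name -> Decision."""
    return {name: evaluate(ep, SAMPLE_NOW) for name, ep in SAMPLE_ENDPOINTS.items()}

if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:14} {decision.rule:28} -> {decision.action}")
        for line in decision.alerts + decision.followup:
            print("    ", line)
```

The ordering of the rule list is the planning step the review insists on: a policy that puts the "antivirus not running" isolation rule ahead of the guest rule would quarantine every visitor's laptop, so sketch the sub-rule order and the action for each before building it in the console.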
Matthew D. Sarrel is executive director of Sarrel Group, an IT test lab, editorial services, and consulting firm in New York City.


Matthew D. Sarrel, CISSP, is a network security, product development, and technical marketing consultant based in New York City. He is also a game reviewer and technical writer. To read his opinions on games please browse 