Enterprises looking for greater protection of their networks often turn to network access control (NAC) technology to evaluate the security status of endpoints and enforce which systems are allowed on the network.
Typically, a security policy is built, and software agents (or, in the case of ForeScout's CounterACT 100, a Web browser with Java) and network scans interrogate clients to determine their adherence to that policy; each client is then allowed full access, denied access, or allowed limited access to the LAN and/or Internet. This is useful for preventing unauthorized access, shutting down rogue wireless access points, separating guests from employees and other valuable internal resources, and similar access-control goals.
The degree of access that can be enforced varies not only with the security policy but also with how tightly the NAC solution integrates with the network devices it is paired with, such as Ethernet switches, and with security software such as endpoint antivirus. Switch integration matters because the NAC device can issue commands to a compatible switch to move an unauthorized workstation to a different VLAN or shut down its switch port.
ForeScout's CounterACT 100 does a decent job of fully supporting the most commonly used enterprise-class Ethernet switches, such as those from Cisco Systems, Juniper Networks, Extreme Networks and Foundry Networks. Integration with antivirus and endpoint security software, which is necessary to verify and remediate protection status, is acceptable: out-of-the-box coverage exists for major vendors such as McAfee and Symantec, but support for smaller vendors such as eEye Digital Security is missing (which seems odd given the good Retina support described below). It is easy to interrogate a workstation for a specific process, such as "blink.exe", to verify that protection is running, but remediation for unsupported products was not nearly as easy as with supported software.
The ForeScout CounterACT 100 monitors Ethernet switch SPAN ports, scanning connected devices, sniffing their network traffic and applying the security policy. The first mechanism the CounterACT 100 uses is Nmap scans to identify devices and their function and then group them logically; a network printer, for example, is placed into the "printers" group. This is a big step above the rest of the NAC market because it eases the administrative burden of manually classifying devices during installation.
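To make the scan-and-group step concrete, here is an added example (not ForeScout's code, and not a description of how CounterACT actually fingerprints devices) that reads an Nmap XML report and sorts hosts into groups such as "printers" by their open ports. The grouping rules, the priority order and the sample XML are assumptions constructed for the illustration; a real report comes from `nmap -sS -sV -oX scan.xml <range>`.

```python
"""Group hosts from an Nmap XML report by their open ports.

Added example, not ForeScout's code: the rules below are illustrative
assumptions, not CounterACT's device signatures. Generate real input with:
    nmap -sS -sV -oX scan.xml 192.0.2.0/24
"""
import xml.etree.ElementTree as ET

# Assumed rules: group name -> (port, protocol) pairs that suggest that group.
GROUP_RULES = {
    "printers": {(9100, "tcp"), (515, "tcp"), (631, "tcp")},   # JetDirect, LPD, IPP
    "windows":  {(135, "tcp"), (139, "tcp"), (445, "tcp")},    # RPC, NetBIOS, SMB
    "switches": {(23, "tcp"), (161, "udp")},                   # telnet + SNMP
    "unix":     {(22, "tcp")},                                 # SSH only
}

# Checked in this order, so a printer that also answers SNMP stays a printer
# and a Windows box with SNMP enabled is not mistaken for a switch.
PRIORITY = ["printers", "windows", "switches", "unix"]


def open_ports(host):
    """Return the set of (port, proto) reported as 'open' for one <host>."""
    ports = set()
    for p in host.findall("./ports/port"):
        state = p.find("state")
        if state is not None and state.get("state") == "open":
            ports.add((int(p.get("portid")), p.get("protocol")))
    return ports


def classify(ports):
    """Pick the first group in PRIORITY whose indicator ports overlap."""
    for group in PRIORITY:
        if ports & GROUP_RULES[group]:
            return group
    return "unclassified"


def group_hosts(xml_text):
    """Parse Nmap XML and return {group: [ipv4, ...]} in report order."""
    root = ET.fromstring(xml_text)
    groups = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        groups.setdefault(classify(open_ports(host)), []).append(addr.get("addr"))
    return groups


# Constructed sample report (trimmed to the elements the parser uses).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="9100"><state state="open"/></port>
    <port protocol="tcp" portid="515"><state state="open"/></port>
    <port protocol="udp" portid="161"><state state="open"/></port>
  </ports></host>
  <host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="135"><state state="open"/></port>
    <port protocol="tcp" portid="445"><state state="open"/></port>
    <port protocol="udp" portid="161"><state state="open"/></port>
  </ports></host>
  <host><address addr="192.0.2.30" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/></port>
    <port protocol="tcp" portid="445"><state state="filtered"/></port>
  </ports></host>
  <host><address addr="192.0.2.40" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="closed"/></port>
  </ports></host>
</nmaprun>"""

if __name__ == "__main__":
    for group, hosts in group_hosts(SAMPLE_XML).items():
        print(f"{group:13s} {', '.join(hosts)}")
```

The filtered and closed ports in the sample are deliberately ignored, since only an open port says anything about what a host is; the priority list is the kind of tie-break an administrator would have to tune for a real network before trusting the groups for policy decisions.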
I connected the CounterACT 100's monitor port to a recently configured span (or mirror) port on my Trendnet TEG-240WS switch and then connected the CounterACT 100's response port to the switch also. I initially configured the device using an attached keyboard and monitor, but it would also have been possible to use serial console access. Setup is intuitive and menu-driven; it even includes a little utility to flash the lights on the CounterACT 100's ports to identify them. The unit rebooted, I browsed to its IP address, downloaded the CounterACT Console app to my workstation and started to build NAC policy.