Forescout Technologies CounterAct 5.1 network access control appliance goes beyond simple worm detection with new rules that determine whether endpoints, including many common wireless access points, can connect to internal protected networks.
Using an agentless approach, CounterAct 5.1 performs extensive network monitoring before, during and after endpoint connection time. Many NAC tools check the endpoint only at connection time for such characteristics as anti-virus software.
However, the Forescout product has significant room for improvement when it comes to detecting rogue wireless access points. During eWEEK Labs tests, CounterAct 5.1's performance in this area was below par compared with almost any other wireless security product: we had to add log-on scripts to our Microsoft Windows Server 2003 Active Directory installation, and we still had to walk around the test environment to find rogue access points ourselves.
Despite this disappointment, IT organizations whose mobile users frequently connect and disconnect (and connect again) to the protected network should consider implementing CounterAct 5.1. They should keep in mind, however, that achieving the full benefit of the product will require a significant investment in time to create custom policies.
CounterAct 5.1 watches client traffic mainly to detect worm propagation in the protected network.
Because worms are normally quite chatty during propagation, CounterAct 5.1—which started life as a worm detection tool called ActiveScout—is quite accurate. With almost no effort beyond installing the appliance on our network, we were able to detect worm-infected machines.
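The "chatty" behavior the review relies on is a fan-out pattern: an infected host opens connections to many distinct peers on the same service port in a short time, which a passive sensor on a monitor port can count without any agent on the endpoint. The following detector is an added illustration of that idea and is not Forescout's code; the flow records are constructed inline, and the 10-second window and threshold of 8 peers are assumed values, not product defaults.

```python
"""Fan-out detector for worm-like propagation (added example, not vendor code).

Input is a time-ordered stream of flow records (timestamp, src_ip, dst_ip,
dst_port), which is what a sensor on a switch mirror port effectively sees.
A source that contacts more than `threshold` distinct destinations on one
port inside a sliding window of `window_s` seconds is reported.
"""
from collections import defaultdict, deque


def detect_fanout(flows, window_s=10.0, threshold=8):
    """Return {src: (dport, peer_count)} for sources whose distinct-peer
    count on a single port exceeded `threshold` within any `window_s` span.
    Window and threshold are assumptions chosen for the sample data."""
    recent = defaultdict(deque)                     # (src, dport) -> deque of (ts, dst)
    counts = defaultdict(lambda: defaultdict(int))  # (src, dport) -> {dst: refcount}
    alerts = {}
    for ts, src, dst, dport in flows:
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        counts[key][dst] += 1
        # Expire records that have fallen out of the sliding window.
        while q and ts - q[0][0] > window_s:
            _, old_dst = q.popleft()
            counts[key][old_dst] -= 1
            if counts[key][old_dst] == 0:
                del counts[key][old_dst]
        distinct = len(counts[key])
        # Keep the highest fan-out seen for this source.
        if distinct > threshold and distinct > alerts.get(src, (None, 0))[1]:
            alerts[src] = (dport, distinct)
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE_FLOWS = sorted(
    # Worm-like: one host sweeps twelve neighbours on TCP/445 in six seconds.
    [(0.5 * i, "10.0.0.5", f"10.0.0.{100 + i}", 445) for i in range(12)]
    # Benign: a workstation talks to three web servers over half a minute.
    + [(t, "10.0.0.7", d, 80)
       for t, d in ((1.0, "10.0.1.1"), (15.0, "10.0.1.2"), (29.0, "10.0.1.3"))]
    # Slow sweep: twelve peers, but one every twelve seconds, so it never
    # holds more than one peer inside the ten-second window.
    + [(12.0 * i, "10.0.0.9", f"10.0.2.{i}", 22) for i in range(12)]
)

if __name__ == "__main__":
    for src, (dport, n) in detect_fanout(SAMPLE_FLOWS).items():
        print(f"fan-out alert: {src} reached {n} distinct hosts on port {dport}")
```

The slow-sweep host is deliberately included: a scanner that paces itself below the window threshold is exactly the case a fixed fan-out rule misses, which is why the review's observation that accuracy comes "with almost no effort" applies to noisy worms, not to a careful attacker.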
CounterAct 5.1, which became available Jan. 23, is priced based on the amount of bandwidth needed to process network activity and the number of machines monitored. The CT-100 model that we tested (with the 100 representing 100M bps) starts at $12,000. The CT-1000 (1,000M bps) is priced starting at $48,995.
CounterAct 5.1 does not provide high availability or failover mode, so there is no pair pricing for redundancy. Company officials said this capability is being considered for a future version of the product, due in April.
Like many internal network security control devices, CounterAct 5.1 uses a monitor port on the switch to track network activity.
During tests, that meant configuring a mirror port on our Cisco Systems 3550 switch. We connected the monitor line to the CounterAct 5.1 CT-100 appliance so that the appliance could see the traffic on our network. We connected a second cable from the CounterAct 5.1 CT-100 back to the switch.
This second connection, called an injection port by Forescout, let the device send packets back into the network to stop bad traffic. We made a third connection from the CounterAct 5.1 CT-100 to the network for the sole purpose of managing CounterAct 5.1.
Aside from creating the monitor ports, we made no other changes to our test network to accommodate the CounterAct 5.1 CT-100 device. The ease of initial installation was facilitated by the fact that CounterAct 5.1 is an agentless network security device. Using the connections and configuration changes noted above, we easily connected the device to our network in about half an hour, about the amount of time most IT managers should plan to spend.
The more time-consuming aspect of installation came, as we expected, when we implemented policy rules to tell CounterAct 5.1 how to govern our network.
There is no shortcut to creating these rules, and IT managers will need to devote some serious study time with the users manual to get up to speed on the myriad options that can be turned into policy rules. Once we became familiar with what conditions CounterAct 5.1 can recognize, the task of actually writing the policy rules was trivial.
We tested the rogue wireless access point detection now included in CounterAct by connecting a D-Link AirPlus Xtreme G wireless access point to our test network.
It almost wasn't worth the trouble: to be detected, a rogue access point must have an IP address inside the range that CounterAct 5.1 is protecting. When we assigned an access point an address outside the protected range, CounterAct 5.1 ignored it, or, rather, was unaware of its presence.
To detect access points outside the protected range, CounterAct 5.1 informed us, we would need to add several components. These components are free, but we think this all adds up to one big management headache.
Once a rogue access point was discovered, CounterAct 5.1 excelled at disrupting traffic traveling over it. The virtual firewall feature intercepted TCP connections that would have traversed the rogue access point and sent a TCP reset to the Web server, tearing the session down.
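An appliance on a mirror port cannot drop packets; it can only watch a segment go by and race a forged reset back through its injection port. For the reset to be honoured, the spoofed segment must carry the exact source, destination and ports of the connection and a sequence number the receiver considers in-window, which is why the sensor copies those values from the segment it just observed. The code below is an added illustration of that technique, not Forescout's implementation; the addresses, ports and HTTP payload are constructed, and the `toward` parameter is my own naming.

```python
"""Out-of-band TCP reset crafting (added example, not vendor code).

Given one observed IPv4/TCP segment, build the RST a passive sensor would
inject. All addresses and payloads below are constructed for the example.
"""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", window=65535):
    """Serialize a minimal IPv4+TCP packet (no options) with valid checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the fields a reset injector needs out of a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    return dict(src=socket.inet_ntoa(pkt[12:16]), dst=socket.inet_ntoa(pkt[16:20]),
                sport=sport, dport=dport, seq=seq, ack=ack,
                flags=off_flags & 0xFF, payload=tcp[doff:])


def checksums_valid(pkt: bytes) -> bool:
    """True if both the IP header and TCP checksums verify (sum folds to 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pkt[:ihl]) == 0 and _checksum(pseudo + tcp) == 0


def craft_reset(observed: bytes, toward: str = "destination") -> bytes:
    """Build the spoofed RST for one observed segment.

    toward="destination": deliver the RST to the segment's destination (the
      Web server in the review), impersonating the source; SEQ must equal
      what the destination expects next, i.e. observed SEQ plus the bytes
      this segment consumed (payload length, plus one for SYN and for FIN).
    toward="source": deliver the RST back to the originator, impersonating
      the destination; the originator's next expected SEQ is the ACK number
      it just sent, so that becomes the RST's SEQ.
    """
    o = parse_ipv4_tcp(observed)
    consumed = len(o["payload"]) + bool(o["flags"] & TCP_SYN) + bool(o["flags"] & TCP_FIN)
    next_seq = (o["seq"] + consumed) & 0xFFFFFFFF
    if toward == "destination":
        return build_ipv4_tcp(o["src"], o["dst"], o["sport"], o["dport"],
                              seq=next_seq, ack=o["ack"], flags=TCP_RST | TCP_ACK, window=0)
    if toward == "source":
        return build_ipv4_tcp(o["dst"], o["src"], o["dport"], o["sport"],
                              seq=o["ack"], ack=next_seq, flags=TCP_RST | TCP_ACK, window=0)
    raise ValueError("toward must be 'destination' or 'source'")


# Constructed: a client request seen crossing the mirror port (not real traffic).
OBSERVED = build_ipv4_tcp("10.0.0.42", "192.0.2.80", 51000, 80, seq=1000, ack=5000,
                          flags=TCP_PSH | TCP_ACK,
                          payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")

if __name__ == "__main__":
    rst = parse_ipv4_tcp(craft_reset(OBSERVED, "destination"))
    print(f"RST {rst['src']}:{rst['sport']} -> {rst['dst']}:{rst['dport']} seq={rst['seq']}")
```

Two practical caveats follow from the code. The sensor has to win a race: if the server has already consumed more data by the time the RST arrives, the sequence number is stale. And modern stacks that implement RFC 5961 answer an RST whose SEQ is in-window but not exactly at RCV.NXT with a challenge ACK rather than tearing down the connection, so copying the observed numbers precisely, as above, matters more than it did for the stacks of this review's era.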
As with previous versions of CounterAct, optional plug-ins are available for free that shore up Version 5.1's security. For example, we used the switch plug-in, which works with Cisco's and Extreme Networks' equipment, to successfully shut down the switch ports associated with worm-infected systems on our network.
Evaluation Shortlist
Arbor Networks' Peakflow X: An internal IPS that uses constantly updated Internet threat data to stop attacks (www.arbornetworks.com)
Cfengine: A project coordinated by Mark Burgess, Cfengine is a configuration management and threat protection tool (www.cfengine.org)
Lancope's StealthWatch: Uses appliance-based sensors to monitor for abnormal network behavior (www.lancope.com)
Mazu Networks' Profiler: A behavior-based tool that stops attacks by learning what normal traffic patterns look like (www.mazunetworks.com)
Snipe Network Security's NetGuard: Uses both anomaly detection and behavior profiles to stop internal network threats (www.snipenetwork.com)
Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.