Enterprises looking for greater protection of their networks often look to network access control technology to evaluate endpoint security status and enforce which systems should be allowed on the network.
Typically, a security policy is built and software agents (or, in the case of ForeScout's CounterACT 100, a Web browser with Java) together with network scans interrogate clients to determine their adherence to that policy, after which the client is granted full, limited or no access to the LAN and/or Internet. This is useful for preventing unauthorized access, shutting down rogue wireless APs, separating guests from employees and other valuable internal resources, and just about anything else.
The degree of access control available depends not only on the security policy, but also on how tightly the NAC solution integrates with the other equipment it is paired with, such as Ethernet switches and endpoint security products like antivirus. With compatible switches, the NAC device can issue commands to move an unauthorized workstation to a different VLAN or to shut down its switch port.
ForeScout's CounterACT 100 does a decent job of fully supporting the most commonly used enterprise-class Ethernet switches, such as those from Cisco Systems, Juniper Networks, Extreme Networks and Foundry Networks. Integration with antivirus and endpoint security software, which is necessary to verify and remediate protection status, is acceptable: major vendors such as McAfee and Symantec are covered out of the box, but smaller vendors such as eEye Digital Security are not (which seems odd given the strong Retina support described below). It's easy to interrogate a workstation for a specific process, such as "blink.exe", to verify protection status, but remediation for such products was not nearly as easy as with supported software.
The ForeScout CounterACT 100 monitors Ethernet switch span ports, scanning connected devices, sniffing their network traffic and applying security policy. Its first mechanism is an NMAP scan that identifies each device and its function and then groups it logically; a network printer, for example, is placed into the "printers" group. This is a big step above the rest of the NAC market because it eases the administrative burden of manually classifying devices during installation.
I connected the CounterACT 100’s monitor port to a recently configured span (or mirror) port on my Trendnet TEG-240WS switch and then connected the CounterACT 100’s response port to the switch also. I initially configured the device using an attached keyboard and monitor, but it would also have been possible to use serial console access. Setup is intuitive and menu-driven; it even includes a little utility to flash the lights on the CounterACT 100’s ports to identify them. The unit rebooted, I browsed to its IP address, downloaded the CounterACT Console app to my workstation and started to build NAC policy.
A Little Planning Goes a Long Way
I built the policy quite easily; however, it's important to note that trying to deploy any NAC solution without some upfront planning strongly steers you toward failure. The CounterACT Console has a great look and feel and excellent context-sensitive help, but you have to have at least conceptualized your policies in advance or this can get confusing very quickly. In addition, because the consequences of denying access to legitimate PCs and users can be dire (such as cutting off your CEO on the morning of a board meeting), configuring the CounterACT 100 is not something you can just wing.
Policy can be built very easily with proper planning. In the CounterACT Console, I clicked on the stoplight icon to open the NAC Policy Manager, then clicked Add in the left pane to add folders for Production and Test in order to organize my new policies. Once in the Test folder, I clicked Add in the right pane, which opened the NAC Policy Wizard. From here I could select from different templates (Asset Classification, Guest Policy, Compliance, Malicious Hosts, PCI Compliance) or create a custom policy. Policies can check just about anything: that endpoints have antivirus running with recent definitions, that no mass storage devices are connected to USB ports, that the user has authenticated via AD or LDAP, as well as MAC address, IP address and running processes. Likewise, actions can be taken to remediate each condition, ranging from sending the user to a portal page with instructions, to moving the workstation to an isolated VLAN, to providing Internet-only access (for guests). Alerts can be issued to administrators via SNMP, e-mail or syslog.
You can push a silent install of the SmartConnect client to remediate workstations whose users are not in AD or LDAP.
The only thing that disappointed me during testing was the IPS features. The CounterACT 100 monitors the internal network and attached devices for malware-like behavior. The CounterACT 100 identified neither internal NMAP scans nor outbound DOS attacks originating from an internal device. However, when I ran a "worm generation tool" available from ForeScout, the CounterACT 100 correctly identified the traffic and isolated the endpoint from the LAN immediately. Although some IPS functionality is included in the CounterACT 100, I recommend a full-featured external IPS solution.
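The internal NMAP scans that went unnoticed in the paragraph above are the classic case a sensor on a span port should catch. The following is an added example, not the CounterACT 100's own detection logic: it reads constructed connection records, keeps a short sliding window per source address, and raises an alert when one source touches too many distinct ports on a single host (a vertical scan) or too many distinct hosts (a horizontal sweep). The record format, window length, thresholds and all traffic are assumptions made for this illustration.

```python
"""Port-scan detector over connection records (added example; this is not
the CounterACT 100's own detection logic).

For each source address, keep the connection attempts seen in a short sliding
window and alert when the number of distinct destination ports on one host
(vertical scan) or of distinct destination hosts (horizontal scan) crosses a
threshold. The record format, thresholds and traffic are all constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

WINDOW_SECONDS = 10   # assumption: how long an attempt stays in the window
PORT_THRESHOLD = 15   # distinct ports on one destination host from one source
HOST_THRESHOLD = 10   # distinct destination hosts from one source

Record = Tuple[int, str, str, int]   # (timestamp, src, dst, dport)


def parse_record(line: str) -> Record:
    """Parse a constructed 'timestamp src dst dport' connection record."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_scans(lines: List[str]) -> List[str]:
    """Return one alert line per (source, scan type) that crosses a threshold."""
    recent: Dict[str, Deque[Record]] = defaultdict(deque)
    flagged: Set[Tuple[str, str]] = set()
    alerts: List[str] = []
    for line in lines:
        rec = parse_record(line)
        ts, src, dst, dport = rec
        window = recent[src]
        window.append(rec)
        # Drop attempts older than the window before counting.
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        ports_per_host: Dict[str, Set[int]] = defaultdict(set)
        for _, _, d, p in window:
            ports_per_host[d].add(p)
        vertical = max(len(ports) for ports in ports_per_host.values())
        horizontal = len(ports_per_host)
        if vertical >= PORT_THRESHOLD and (src, "vertical") not in flagged:
            flagged.add((src, "vertical"))
            alerts.append(f"ts={ts} src={src} type=vertical distinct_ports={vertical}")
        if horizontal >= HOST_THRESHOLD and (src, "horizontal") not in flagged:
            flagged.add((src, "horizontal"))
            alerts.append(f"ts={ts} src={src} type=horizontal distinct_hosts={horizontal}")
    return alerts


# Constructed traffic: benign web browsing from 10.0.1.10, a vertical scan of
# 10.0.1.5 from 10.0.1.77, and a horizontal sweep of port 445 from 10.0.1.88.
SAMPLE_RECORDS = (
    [f"{100 + i * 3} 10.0.1.10 10.0.1.{5 + i % 3} {80 if i % 2 else 443}" for i in range(20)]
    + [f"{200 + i // 4} 10.0.1.77 10.0.1.5 {20 + i}" for i in range(20)]
    + [f"{300 + i // 3} 10.0.1.88 10.0.1.{100 + i} 445" for i in range(16)]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_RECORDS):
        print(alert)
```

The benign browser traffic never exceeds two ports on three hosts inside the window, so only the two scanning sources produce alerts, and each source is reported once per scan type rather than on every subsequent packet.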
Reporting and data searching are exemplary. A Web-based portal allows authorized users to query by a variety of parameters, such as IP address, MAC address and OS (including wildcards). It's easy to install a Firefox search engine to query the CounterACT 100, which can make life a lot easier for support staff trying to figure out the status of network devices when fielding tech support calls. I easily searched for systems to determine their most recent security assessment, how and when they were accessed, and what remediation was taken. It's easy to generate reports in the same fashion, which can be scheduled, exported to PDF or CSV and e-mailed.
Integration with eEye Digital Security's Retina vulnerability assessment platform is a distinguishing feature of the ForeScout CounterACT 100. As the first NAC device to support such integration, it allows organizations, such as the U.S. military, to combine the endpoint security assessment features of the CounterACT 100's interrogation with Retina's deep scans. I easily configured the two to work together. This provided some very cool features, such as the ability to not allow endpoints to use the network if they hadn't been scanned by Retina in more than a week, and then force a new scan.
Tight integration with Retina is icing on the cake for shops (like mine) that rely on Retina’s vulnerability assessment services.
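The policy model described in the "A Little Planning Goes a Long Way" section (conditions such as a running antivirus process, recent definitions, USB mass storage and directory authentication, each mapped to an action like a portal redirect, an isolated VLAN or Internet-only guest access, plus an alert) and the Retina scan-age rule just described both reduce to the same thing: an ordered list of rules evaluated against an endpoint's interrogation results, first match wins. The following is an added example of that structure and is not ForeScout's code; the rule names, VLAN numbers, antivirus process list, age limits and every endpoint are assumptions constructed for the illustration.

```python
"""Toy NAC policy evaluator (added example; not ForeScout's own code).

An endpoint's interrogation results (running processes, antivirus definition
age, USB mass storage, AD/LDAP account, last vulnerability-scan date) are
evaluated against an ordered rule list; the first matching rule decides the
enforcement action, the VLAN the switch port is moved to, and whether an
alert is raised. Rule names, VLANs, the process list and the endpoints are
all assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Endpoint:
    ip: str
    mac: str
    processes: List[str]                  # from a process interrogation
    av_definitions: Optional[date]        # None: no antivirus found
    usb_mass_storage: bool
    directory_user: Optional[str]         # AD/LDAP account, None if not joined
    last_vuln_scan: Optional[date]        # None: never assessed by the scanner


@dataclass
class Rule:
    name: str
    matches: Callable[[Endpoint, date], bool]
    action: str                           # allow | portal | quarantine | guest
    alert: bool = False


@dataclass
class Decision:
    rule: str
    action: str
    vlan: Optional[int]                   # VLAN the switch port is moved to
    alert: Optional[str]                  # syslog-style line, if the rule alerts


# Assumed environment: which processes count as an antivirus agent, how old
# definitions and assessments may be, and which VLAN each action maps to.
AV_PROCESSES = {"mcshield.exe", "rtvscan.exe", "blink.exe"}
MAX_DEFINITION_AGE = timedelta(days=7)
MAX_SCAN_AGE = timedelta(days=7)
ACTION_VLAN: Dict[str, Optional[int]] = {"allow": None, "portal": 998, "quarantine": 999, "guest": 200}


def older_than(stamp: Optional[date], today: date, limit: timedelta) -> bool:
    """True when the stamp is missing or further in the past than limit."""
    return stamp is None or today - stamp > limit


POLICY: List[Rule] = [
    # Order matters: the first rule whose condition holds wins, so unmanaged
    # guests are separated first and "compliant" is the catch-all.
    Rule("guest-not-in-directory", lambda ep, today: ep.directory_user is None, "guest"),
    Rule("usb-mass-storage-attached", lambda ep, today: ep.usb_mass_storage, "portal", alert=True),
    Rule("antivirus-process-missing",
         lambda ep, today: not {p.lower() for p in ep.processes} & AV_PROCESSES,
         "quarantine", alert=True),
    Rule("antivirus-definitions-stale",
         lambda ep, today: older_than(ep.av_definitions, today, MAX_DEFINITION_AGE), "portal"),
    Rule("vulnerability-scan-stale",
         lambda ep, today: older_than(ep.last_vuln_scan, today, MAX_SCAN_AGE),
         "quarantine", alert=True),
    Rule("compliant", lambda ep, today: True, "allow"),
]


def evaluate(ep: Endpoint, today: date, policy: List[Rule] = POLICY) -> Decision:
    """Apply the ordered policy to one endpoint and return the first match."""
    for rule in policy:
        if rule.matches(ep, today):
            alert = None
            if rule.alert:
                alert = f"nac: host={ep.ip} mac={ep.mac} rule={rule.name} action={rule.action}"
            return Decision(rule.name, rule.action, ACTION_VLAN[rule.action], alert)
    raise RuntimeError("policy has no catch-all rule")


# Constructed endpoints, one per outcome the policy can produce.
TODAY = date(2008, 6, 2)
SAMPLE_ENDPOINTS = [
    Endpoint("10.0.1.10", "00:11:22:33:44:01", ["explorer.exe", "mcshield.exe"],
             date(2008, 6, 1), False, "jdoe", date(2008, 5, 30)),
    Endpoint("10.0.1.11", "00:11:22:33:44:02", ["explorer.exe"],
             None, False, "asmith", date(2008, 5, 30)),
    Endpoint("10.0.1.12", "00:11:22:33:44:03", ["explorer.exe", "blink.exe"],
             date(2008, 5, 1), False, "bjones", date(2008, 5, 30)),
    Endpoint("10.0.1.13", "00:11:22:33:44:04", ["explorer.exe", "rtvscan.exe"],
             date(2008, 6, 1), False, "clee", date(2008, 5, 1)),
    Endpoint("10.0.1.50", "00:11:22:33:44:05", [], None, False, None, None),
]


def evaluate_all(endpoints: List[Endpoint] = SAMPLE_ENDPOINTS, today: date = TODAY) -> Dict[str, Decision]:
    return {ep.ip: evaluate(ep, today) for ep in endpoints}


if __name__ == "__main__":
    for ip, d in evaluate_all().items():
        print(ip, d.rule, d.action, d.vlan, d.alert or "")
```

Because the rules are ordered, moving the guest rule below the antivirus checks would send an unmanaged visitor's laptop to the quarantine VLAN instead of the guest VLAN; the planning the review insists on is largely deciding that order before any switch port gets shut down.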
Matthew D. Sarrel is executive director of Sarrel Group, an IT test lab, editorial services, and consulting firm in New York City.