NAC Appliances enable identity and posture-based network access policy enforcement. In addition to keeping malware out, these appliances can help safely connect bring-your-own devices (BYODs). In this EnterpriseNetworkingPlanet's buyer's guide, we examine capabilities and features offered by ForeScout CounterACT for NAC.
VP of Marketing Scott Gordon describes CounterACT is a turn-key automated security control appliance. "CounterACT works out of the box, fully integrated. There are no separate components for assessment or guest networking or remediation. If you want agents, we offer them for Windows, MacOS and Linux, but we don't need agents – that simplifies control over devices where you don't have management," he said.
Easy to install
ForeScout took this all-in-one approach to ease installation. CounterACT for NAC is sold on five hardware platforms, ranging from the CT-R (100 endpoints, aggregate bandwidth 100 Mbps) to the CT-4000 (4000 endpoints, >2 Gbps). For customers that prefer to bring their own hardware, ForeScout offers virtual appliances (VCT-R to VCT-4000) which run under VMware ESX or ESXi. Unlike hardware that must be selected to fit at time of purchase, virtual appliance capacity can be increased by license key.
"Typically, we're attached to switch span ports – usually at the network core, but also at access or even distribution layers," said Gordon. As an out-of-band appliance, CounterACT for NAC can be paired with a wide variety of switches and routers, including 3COM, Alcatel, Brocade, Cisco, D-Link, Enterasys, Extreme, HP, Juniper, Nortel and others. 802.1X is supported but not required.
In large distributed networks, customers may deploy many CounterACT appliances. Managing them from a central console requires ForeScout CounterACT Enterprise Manager (CEM), licensed by number of managed appliances (from 5 to 100).
Although CounterACT for NAC is self-contained, it can be integrated with enterprise infrastructure, including user directories (e.g., LDAP, RADIUS, ActiveDirectory, Oracle, Sun), endpoint security products (e.g., McAfee, Trend Micro, Symantec, Sophos), patch management systems (e.g., Lumension, Microsoft), and trouble ticketing systems (e.g., Remedy). Integration occurs with downloadable plug-ins, all but four of which are free.
ForeScout uses the CounterACT appliance to deliver several security products, including Mobile Security, Threat Prevention, Endpoint Compliance and Network Access Control. CounterACT for NAC is designed to address threats that can originate inside a network such as:
- Enabling visitor access to the Internet and other resources;
- Controlling network access by wireless and mobile devices;
- Blocking network connection by rogue devices, including consumer hubs and APs;
- Detecting and block devices infected by malware and botnets; and
- Ensuring endpoint compliance with security control policies.
"Our number one use case is authenticated user/device network access," said Gordon. "Guest networking and asset visibility are also common. Some customers use us to leverage their investment in endpoint security by making sure that things that should be running are running correctly, sometimes followed by self-remediation. We're also used for suspicious activity monitoring – like notifying administrators when what seemed to be a printer [based on MAC address] starts behaving like a Windows machine."
Gordon sees customer interest in mobile security and BYOD access control growing, but notes that CounterACT has a history of dealing with diverse unmanaged endpoints. "The first folks dealing with BYODs were universities. Those customers have [deployed] CounterACT without agents, using HTTP hijack to control where users can go. This let us deal with [student-owned] devices like e-readers, gaming consoles and personal APs."
Starting with a baseline
To accomplish this, CounterACT starts with automated discovery, watching traffic and probing to create an inventory of all devices that touch the network. "We track devices by type, user, group, department, or any other segment you want to customize," said Gordon. "We use multiple fingerprinting [techniques] so that even devices that are not generally known, like video cameras and heart monitoring systems, can be identified. We gather attributes about discovered devices that you can use to create classifications."
Given an inventory, policies can use attributes to tell CounterACT how to react when that kind of device is detected. "Your policy can be to just monitor and report, or you might classify the device as a guest, sending them to a registration center or putting them on web-only VLAN. If the device then authenticates to your [enterprise] mail server, we can move them to another VLAN. We can take a series of policy-based actions, with or without agents, with or without 802.1X. To make this easier, we build in policy templates that cover majority of scenarios," explained Gordon.
In clientless environments, CounterACT accomplishes endpoint assessment by RPC queries or directing guests to a portal page. ForeScout also offers persistent and dissolvable agents for Windows, MacOS and Linux endpoints, which some customers prefer for managed endpoint populations. Endpoint health and posture decisions can be based on a long list of conditions, including OS type/version/patch level, endpoint security agents installed/running, and connected peripheral type/manufacturer, as well as on-going network activity like malicious traffic.
Purchasing NAC as a managed service
NAC is usually deployed by larger organizations, like universities, hospitals and large enterprises. "NAC hasn't historically been an SMB play, but they're also getting hit with mobile BYODs and many new unmanaged kinds of devices that could benefit from NAC. This is why we announced a packaged virtual appliance line for hosting providers and managed security service providers," said Gordon.
Gordon sees many providers that already sell managed firewall, IPS, VPN, anti-malware, and even SEIM services. "These are fairly competitive markets, where offering NAC could bring differentiation and value-add to installed customer bases," said Gordon. "CounterACT lends itself to being implemented as a service because we're [self-contained], can interoperate in any network, are non-disruptive and agentless."
To address SMB needs, ForeScout does not plan to offer a hosted or cloud NAC service. Rather, it created a new package for channel partners to more easily offer those services. "Our package lets partners pay for virtual appliances monthly, scale licenses up or down quarterly, automate customer policy provisioning, etc, along with certification and training to bring new managed service providers up to speed quickly."
ForeScout packages CounterACT hardware and virtual appliances as products to address specific needs such as NAC, Mobile Security, and now Managed Security Services. But all of these products takes a self-contained "swiss army knife" approach that largely avoids separately-licensed a la carte options.
Moreover, CounterACT leverages network and endpoint independence to speed installation, along with hands-free discovery and observation to reduce on-going effort. These tactics make CounterACT look like a one-size-fits-all appliance. But don't be fooled - customers can still decide whether and how to deploy available models, capabilities, features, policy attributes and enforcement methods to meet their own needs.
To learn more about ForeScout CounterACT products, visit this link.