
Network Access Control That’s Easy, Powerful and Broad Functioned
Review by Mark Brownstein
It goes without saying that organizations want authorized people to be able to get at appropriate information wherever, whenever and however they need to, and want to prevent unauthorized people from getting anywhere near their systems. That being said, threats abound and come in all forms – misconfigurations, viruses, rogue applications, unpatched systems and data leakage. Add in other users – consultants, students, company visitors; add in a variety of wireless access and online applications; and throw in the use of nearly ubiquitous mobile and personal devices – and managing security issues gets that much more challenging.
The questions of network security, access control and problem resolution have been handled – though not always completely, and not always very successfully – by many products, using many different approaches. Network Access Control (NAC) aims to enforce network security policy based on who is connecting to the network, the location and time the connection is made, what device is being used to connect, how the device is configured, and what access to network resources NAC then grants the device. An important factor for all NAC products is how easily these security policies can be enforced and how easily the NAC system can be managed.
While initial NAC products that focused on 802.1x authenticated access and guest management were complicated, modern NAC has indeed become easier. In fact, NAC offers so many more capabilities that it is getting difficult to just call such products NAC. So, beyond price, those interested in return on investment should also consider manageability, flexibility and breadth of features of NAC products.
ForeScout CounterACT 6.4 provides an easy and integrated NAC platform for even the most complex networks. CounterACT automates many security tasks with functionality that goes beyond mere NAC.
Let’s examine some common security policies and risks that NAC addresses. A user attempts to log into a network with an unsupported or unpatched system. A remote employee tries to get onto a network with anti-virus disabled. A consultant plugs a notebook computer into a network port, exposing an unauthorized network domain. An employee inadvertently brings in a rogue peer-to-peer (P2P) application that he unknowingly installed onto his notebook computer while he was getting a double mocha java at a WiFi hotspot. An employee brings his own smartphone or tablet to work and uses corporate credentials to connect to the work network. A new virtual machine is created that does not follow configuration policy. A compliance trend and remediation report is needed for the auditors. Yes, NAC handles these security issues.
CounterACT (v 6.3.4.1) is a network security tool offered as either an appliance or a virtual appliance that is placed in the core network via an out-of-band switch connection, using port mirroring to perform different access and endpoint control tasks transparently and without impacting network performance. Installation and configuration are relatively fast and easy – offering a menu-driven means to connect switch ports/port taps, domain controllers, firewalls, directory services and more. The Installation Guide instructs the user how to successfully deploy the product (the Administrator’s Guide is very complete) and the console is well designed. A separate web portal also offers online monitoring views.
Once interfaced to the switch, CounterACT discovers the network via switch ARP and MAC table queries and/or by seeing span port traffic, and builds an active inventory of all connected devices: determining their IP and MAC addresses, hardware, OS versions, installed applications, domain and Active Directory attributes, and many other details. The system automatically classifies discovered devices and populates a detailed, real-time inventory database used for a variety of functions that affords operators immediate network visibility. Administrators can also further segment discovered devices (into different groups, by location or business unit, for example) and can easily define unknown device types.
A large number of well-organized templates for device classification, and rules with actions called policies, make up the core of administration. The built-in templates are extensive and customizable to enable fine-tuning of access controls, guest management and other responses.
ForeScout provides basic and advanced technical support via email, phone and a web portal, with access to CounterACT updates, an online knowledge base and a multitude of plug-ins to download for added interoperability. For example, the system supports numerous switches, anti-virus products, wireless access controllers, etc., which not only extends device support but also allows each new device attribute to be automatically incorporated into policies and report functions.
CounterACT typically runs agentless (which means no client on the inspected device). CounterACT can perform many of its assessment and remediation functions without requiring an agent, which should make deployment easier and avoids agent management issues (see 802.1x reference below). The optional CounterACT SecureConnector agent provides even greater real-time authentication, assessment and post-admission monitoring capabilities.
Being agentless comes in handy when it comes to 802.1x port-based network authentication. Implementing the 802.1x standard requires managing software agents on every device connecting to the network, as well as coordinating each piece of 802.1x-capable infrastructure – switches, authentication servers and more. Not only is a full plug-in and template for 802.1x well supported in CounterACT, but by being agentless, CounterACT alleviates the deployment roadblocks and, as such, avoids such well-known 802.1x management issues as unmanaged guest devices, required network upgrades, and coping with exceptions and with devices that don’t support 802.1x.
CounterACT identifies and inspects network devices through the use of traffic inspection, SNMP, FTP, SSH, RPC, Windows domain and Active Directory credentials, and numerous other protocols. When a user and/or device attempts to access the network, CounterACT detects the device, determines the type of device, user and respective configuration – and based on these and other attributes, reacts using policy templates designed for dealing with different scenarios.
For example, when an employee with a properly configured system logs into the network, CounterACT is invisible and the employee can proceed without intervention. However, when a guest wirelessly connects to the network, CounterACT can intercept the HTTP session, prompt the guest to agree to terms of use, and limit access solely to the web for visitors or mobile phone users.
CounterACT offers NAC and goes beyond NAC – integrating a wealth of functions such as role-based access control, guest management, endpoint compliance and reporting, automated remediation, and post-admission monitoring. This integrated functionality, combined with agentless operation, means that with one appliance, organizations can deploy quickly and do so without impacting network or user operations. In practice, you can start by seeing everything on your network, then apply rules and manage exceptions as you develop and mature your policies to protect sensitive network resources and data.
Here are a few more details:
CounterACT provides real-time network visibility and helps with endpoint compliance. The system does an excellent job categorizing all assets on the network using the different methods mentioned above. CounterACT can analyze a system, see port use, query the registry, determine installed patches and check security software. In real time, the system determines whether the device conforms to security policies, and if not, there is a wide range of remedies: alert, report, block, VLAN redirection, change switch ACLs, redirect to an update center or guest registration, or remediate the issue in the background (such as activating an anti-virus client).
Additionally, mobile security is a very timely feature. CounterACT can detect mobile devices almost immediately, without prior device knowledge, and can apply policy in different ways. For example, for unmanaged smartphones, tablets and other portable devices, CounterACT can force guest registration or device interrogation. Since everything is captured, mobile device use reporting is built-in. Mobile device user access to network resources will depend on device classification and action rules applied to handle such connections.
It’s an unfortunate fact that not everything runs smoothly on a network. Whether it’s a system misconfiguration, agent contention, an outdated patch or malware, CounterACT can detect these events and implement such fixes as checking for an active DLP agent or initiating an anti-virus update. As appropriate, the appliance can even start or stop applications or offending processes (via whitelisting or blacklisting), or disable external USB storage. The built-in actions are easily applied as part of a policy or manually through the console.
Since CounterACT’s policies can be simple or complex (the appliance supports custom action scripts well), the degree of advanced capability is limited only by the administrator’s expertise – from initiating a trouble ticket to starting an update.
CounterACT also provides active post-admission protection. Even after a user/device is allowed on the network, CounterACT can detect unusual traffic from a system. For example, it can detect virus-like or suspicious activity. When such activity is detected, CounterACT can suppress it and notify the security administrator. It can also detect when a device that was identified as a printer is now acting like a Windows device – a well-known sign of device impersonation.
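As an added illustration (not ForeScout’s code, and a deliberate simplification of what the product does), the following Python sketches the discover, classify and re-check loop described above: an endpoint inventory joined from switch MAC and ARP tables, a behavioural classifier based on observed TCP ports, and a post-admission check that flags a device admitted as a printer that later speaks Windows-host protocols. The addresses, switch ports, flows and port sets are constructed sample data.

```python
"""Toy NAC inventory and post-admission policy check (added example, not
ForeScout code). Steps mirror the review: build an endpoint inventory from
switch MAC/ARP tables, classify each device from the TCP ports seen in its
traffic, then re-check after admission. All tables below are constructed."""
from collections import defaultdict

WINDOWS_PORTS = {135, 139, 445, 3389}   # RPC, NetBIOS, SMB, RDP
PRINTER_PORTS = {515, 631, 9100}        # LPD, IPP, JetDirect

MAC_TABLE = [("00:11:22:33:44:55", "Gi1/0/7"), ("66:77:88:99:aa:bb", "Gi1/0/8"),
             ("cc:dd:ee:ff:00:11", "Gi1/0/9")]          # (mac, switch port)
ARP_TABLE = {"00:11:22:33:44:55": "10.0.1.20", "66:77:88:99:aa:bb": "10.0.1.21",
             "cc:dd:ee:ff:00:11": "10.0.1.22"}           # mac -> ip
FLOWS = [("admit", "10.0.1.20", 9100), ("admit", "10.0.1.21", 445),  # SPAN-port flows:
         ("later", "10.0.1.20", 445), ("later", "10.0.1.20", 3389),  # (phase, ip, port)
         ("later", "10.0.1.21", 445)]

def build_inventory(mac_table, arp_table):
    """Join the switch MAC table with the ARP table into {ip: {mac, port}}."""
    return {arp_table[mac]: {"mac": mac, "port": port} for mac, port in mac_table}

def ports_by_phase(flows):
    seen = defaultdict(lambda: defaultdict(set))  # {phase: {ip: set(ports)}}
    for phase, ip, dport in flows:
        seen[phase][ip].add(dport)
    return seen

def classify(ports):
    """Behavioural class: only printer ports -> printer; any Windows port -> windows_host."""
    if ports and ports <= PRINTER_PORTS:
        return "printer"
    if ports & WINDOWS_PORTS:
        return "windows_host"
    return "unknown"

def evaluate(inventory, flows):
    """Return {ip: action}; a printer that later talks like a Windows host is quarantined."""
    seen = ports_by_phase(flows)
    actions = {}
    for ip, dev in inventory.items():
        admitted_as = classify(seen["admit"][ip])
        now = classify(seen["later"][ip])
        if admitted_as == "printer" and now == "windows_host":
            actions[ip] = f"quarantine: move {dev['port']} to remediation VLAN, alert admin"
        elif admitted_as == "unknown":
            actions[ip] = "redirect to guest registration"
        else:
            actions[ip] = "allow"
    return actions
```

Running `evaluate(build_inventory(MAC_TABLE, ARP_TABLE), FLOWS)` quarantines 10.0.1.20 (admitted on port 9100, later seen on 445 and 3389), allows 10.0.1.21, and sends the never-classified 10.0.1.22 to guest registration.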
During my review process, I had the pleasure of meeting a security director for a large organization managing thousands of computers worldwide. I was able to see, first-hand, how CounterACT was able to protect a variety of endpoints located at different global sites. In one console, the security administrator had real-time status of all locations, devices and the overall security posture of his entire network – managing distributed CounterACT appliances and policies through a centralized CounterACT Enterprise Manager. He expressed how easy he found the process of bringing up new divisions, discovering and accommodating new device types, managing guests, and implementing new policies.
The resulting GUI and policy controls gave him extensive visibility. He could easily see and drill down to specific offices, devices or users with issues. CounterACT enabled him to apply or amend policy changes, manage exceptions, fix problems, and generate reports as needed. And, when necessary, CounterACT can issue trouble tickets to remotely inform local help desks if any additional remediation tasks or employee contact is required.
Conclusion
Given that security and compliance standards must be upheld regardless of network, device and user access complexity, CounterACT delivers a needed level of visibility and functionality of value to IT security organizations. With an entry price of $4,995, even small and mid-tier enterprises can fortify their defenses.
I found CounterACT to be a multi-faceted, extremely powerful, exceptionally flexible and exquisitely configurable system for protecting networks of all sizes – from mid-sized businesses to massive corporations. Being both integrated and agentless, it offers a significant bang for the buck – avoiding many of the implementation and administrative issues that often plague 802.1x-only NAC products. Possessing clear management, visibility and control automation advantages, ForeScout’s CounterACT is well worth considering for any organization requiring more advanced network security.
For more information, visit http://www.forescout.com.
Mark Brownstein is a Contributing Editor for Computer Technology Review. He has served as L.A. Bureau Chief at InfoWorld, the Technology Editor at Network World, and Senior Technology Editor at Network Magazine. He is an avid writer and product reviewer, and has written for many leading technology publications. Mark, a technology consultant and author of seven books, can be reached at mark@brownstein.com.

