First Look Review by Mark Brownstein
Last year, I took a long look at ForeScout CounterACT, a Network Access Control platform, and I was impressed. Now, with Version 7.0, I’m even more impressed. If I had responsibility for securing a medium-sized or even global enterprise network, CounterACT would be among the tools that I would strongly consider to be a must-have.
802.1x is one of only a few standards for device and user authentication, but it can be sheer drudgery to configure and manage in large, heterogeneous environments. The new version of CounterACT adds a wide range of 802.1x features, including an OpenRADIUS Server that is built into the product. The prior version of CounterACT offered only a proxy mode, which was easy to set up; by providing both proxy and built-in RADIUS approaches, the new version gives more authentication options. For those who don’t have RADIUS, when you implement CounterACT, you will – and for those who do have RADIUS, CounterACT will give you a secondary RADIUS Server for high availability.
CounterACT makes Network Access Control (NAC) even more flexible and easier to manage than it was in the previous version. CounterACT offers alternative authentication methods for parts of your network that might not be ready for 802.1x or for systems that can’t support an 802.1x supplicant (agent software). You get the benefits of NAC right away while you migrate to 802.1x or merge different organizations or locations. For many, avoiding or reducing reliance on agents is the better alternative to 802.1x. Either way, CounterACT 7 covers it with extensive roles-based and device-based authorization and broad enforcement routes. Scalability also gets a boost from an updated Enterprise Manager that now manages up to 250 CounterACT appliances as one and a new CounterACT appliance that supports 10,000 devices.
CounterACT 6 came with a bunch of cookie-cutter templates plus a powerful policy engine if you wanted to get fancy – all presented in an elegant GUI. Version 7 adds usability features. Perhaps the most visually striking and handy feature is the new Tactical Map. This slick dashboard map (yes, actually using Google Maps) shows, at a glance, the status of all connected devices. The administrator can drill down by location, logical group or issue type to quickly determine the status of any device. The map makes it even easier to manage and monitor one or multiple sites and thousands of endpoints. This extends the previous release, which presented list views with device status and action options.
Above: ForeScout CounterACT 7: Dashboard Tactical Map
While version 6 provided a real-time inventory of devices and many other endpoint details, version 7.0 offers more hardware information and the query function is made even more accessible. The search console appears to respond faster and now provides extremely diverse search options, with the ability to search based on single or multiple values, against data on all hosts, or by device selected, using one or more filters. For example, you can search for threats in a particular network segment, and can drill down to specific threats on specific devices. Alternatively, your interest may be in specific applications, patches, or compliance issues within organizational units. CounterACT makes searches easy and powerful – and the results can be exported.
Any discovered endpoint attribute is searchable and can be used in a NAC policy. For example, you can inspect and validate X.509 certificates to ensure that all network connections are made only to devices with valid certificates. This helps protect the network from attacks by rogue systems using spoofed, expired, or incorrect certificates, as an added level of protection. Beyond search, reporting was also improved with an easier way to generate and manage reports.
“Bring your own device” (BYOD) security is of ever-increasing importance to organizations. Fortunately, CounterACT’s mobile capabilities are excellent. CounterACT can detect different mobile devices and apply any number of NAC policies, including guest management. CounterACT’s optional plug-in and mobile app (ForeScout Mobile) offer deeper inspection of iOS or Android devices. The app can take an inventory and can enforce root detection, password strength, encryption, email and unwanted app policy – device violations can result in blocked or limited network access.
With ForeScout Mobile, you can go one step further and actually control some configuration of the device similar to that of a mobile device management (MDM) system. For example, with iOS devices, you can limit corporate WiFi access points, control corporate email access or even turn the camera off when connected to the corporate WiFi network. CounterACT doesn’t take ownership of the device, however. At the end of the day, the user can easily restore the previous device configuration. This plug-in also works with other MDMs – so you can see MDM-managed handhelds along with unmanaged and CounterACT-managed mobile devices on the same console.
On the whole, CounterACT offers a lot of useful features in a flexible package. With CounterACT 7.0, ForeScout has taken a solid access and endpoint security platform to greater heights – especially for IT managers who need to see and manage BYOD devices on their network.
For more information, visit www.forescout.com/ITSJ2.
Mark Brownstein is a writer and editor, and has written for many leading technology publications. He has served as L.A. Bureau Chief at InfoWorld, Technology Editor at Network World, Senior Technology Editor at Network Magazine, and Executive Editor at Computer Technology Review. A networking and storage technologist and product reviewer, Mark has authored seven books and is a consultant. He can be reached at firstname.lastname@example.org.