ForeScout, which previously scanned network endpoints externally, is introducing client software that checks out machines as they try to join networks.
Secure Connector is a dissolvable agent that is downloaded to client machines, runs during a given session and then dissolves. The agent can also be permanently installed on client machines if, for example, they are managed by the customer.
Secure Connector interrogates the machines for security posture data that it forwards to the ForeScout CounterACT NAC platform to make a policy decision about whether to admit the machines to the network. The client, which is a .exe file, connects to the CounterACT platform via an SSL connection, making it possible for the agent on remote machines to link in through a corporate firewall.
If the end machines will not accept the agent, CounterACT performs a clientless interrogation that yields less information about the state of the machines.
An upgraded software version for CounterACT enables a new option for enforcing policies. Session-specific enforcement can apply separate policies depending on, for instance, what time of day a user is accessing the network or what domain the machine is attached to.
The software can detect and block ARP spoofing that may indicate a man-in-the-middle attack. It can also perform open-port hardening, which diverts traffic from unused ports to a quarantined virtual LAN.
CounterACT software supports VoIP phones that are connected to PCs on corporate networks. If the PCs are found out of compliance with NAC policy, they can be restricted but the phones are still allowed to work.
The new software is available now.
Tim Greene is senior editor at Network World.