ForeScout CounterACT delivers on agentless NAC
By Mandy Andress, Network World, 07/30/2007
Cost: Starts at $13,995
Score: 4.38
The ForeScout CounterACT appliance monitors trunk and SPAN ports on the switch to which it is attached, sniffing network traffic to learn the status of devices and to ensure they adhere to the required security policies. For example, employees who are authenticated against an Active Directory domain can be held to one set of policies, while guest users, who are not members of the corporate Active Directory domain, must adhere to a different policy.
CounterACT uses Nmap to identify the role of any device on the network and dynamically assign it to a device group for access purposes. For example, a printer is identified and placed in the printers group. This process cuts down on administration overhead, as new devices do not need to be explicitly excluded the way they do in some other network-access control deployments.
In addition to the standard clients and servers used as part of the test bed, CounterACT also identified the VoIP phone, TiVo and PDA on the network. Overall, the use of Nmap, a staple tool in any security professional's arsenal, made managing the embedded devices the easiest of all the products tested.
For testing, we configured the CounterACT appliance on the network core, a Cisco 3750. That let us control all aspects of our network from one switch and gave the appliance a view of all network traffic.
Scalability is an obvious concern here, in that all network traffic passes through this single box. Testing scalability was
beyond the scope of this review, so we don’t have a definitive answer on that point. We can say that ForeScout provides multiple
appliances to meet varying scalability requirements, with the high end supporting 2,500 devices and 1GB throughput.
To support remote-access connections, ForeScout provides plug-ins for the CounterACT appliance that extend its NAC functions to popular VPN products. The plug-in for the Cisco VPN Concentrator used in our testing supports full endpoint assessment and enforcement functionality.
An 802.1X plug-in is also available from ForeScout that would let the appliance capture and participate in 802.1X connection attempts.
When neither the 802.1X plug-in nor the VPN plug-in (which supports RADIUS) is in use, authentication support is mainly passive, through ties to Active Directory and LDAP repositories. We configured the CounterACT integration with Active Directory -- a matter of providing account information and configuring base distinguished names for directory queries -- which was quick and easy to complete. A company can also push an active authentication process through a captive portal, as most other products do.
CounterACT administrators can only authenticate locally to the device, which we view as a limitation because we'd prefer to have them authenticate against an existing repository.
ForeScout's agentless approach to endpoint assessment is overall pretty strong, but it does lack some coverage for what other vendors have included as basic components. Out-of-the-box AV support is minimal, covering only a handful of the major vendors such as McAfee and Symantec. Other AV products can be tracked via custom checks, which is what we wrote in order to identify our Sophos AV installation. This check ran successfully. Custom checks are constructed as Visual Basic scripts: if you can script it, you can push a system check or trigger an enforcement action. While this provides nearly limitless flexibility, not all organizations will have the time or in-house skills to work with a NAC product in this fashion.
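As an added illustration of the kind of custom check described above (this is not ForeScout's code and not the check the reviewers wrote), the VBScript below queries WMI for an anti-virus service, treats the host as compliant only if that service is running and set to start automatically, and reports the verdict through its exit code. The service name is a placeholder and the exit-code convention is an assumption, not documented CounterACT behaviour.

```vbscript
Option Explicit

' Constructed example: the service name below is a placeholder, not a
' documented identifier for Sophos or any other vendor's product.
Const AV_SERVICE_NAME = "PLACEHOLDER_AV_SERVICE"

' Query WMI for one Windows service and return its state and start mode.
' Leaves strState as "missing" when no service of that name is installed.
Sub GetServiceStatus(strName, ByRef strState, ByRef strStartMode)
    Dim objWMI, colServices, objService
    strState = "missing"
    strStartMode = ""
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colServices = objWMI.ExecQuery( _
        "SELECT State, StartMode FROM Win32_Service WHERE Name = '" & strName & "'")
    For Each objService In colServices
        strState = LCase(objService.State)
        strStartMode = LCase(objService.StartMode)
    Next
End Sub

' Compliant only if the AV service exists, is running now, and is set to
' start automatically, so protection does not silently disappear on reboot.
Function IsCompliant(strState, strStartMode)
    IsCompliant = (strState = "running") And (strStartMode = "auto")
End Function

Dim state, startMode
GetServiceStatus AV_SERVICE_NAME, state, startMode

If IsCompliant(state, startMode) Then
    WScript.Echo "COMPLIANT: " & AV_SERVICE_NAME & " running, start mode " & startMode
    WScript.Quit 0   ' assumed convention: exit 0 = check passed
Else
    WScript.Echo "NONCOMPLIANT: " & AV_SERVICE_NAME & " state=" & state & _
                 " start mode=" & startMode
    WScript.Quit 1   ' assumed convention: non-zero = failed, drives enforcement
End If
```

Run with cscript.exe so the Echo output goes to the console rather than a dialog; the exit code is what an enforcement policy would key on.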