Network Access Control and Policy Enforcement
Technical Note
CounterACT Network Access. Controlled.™

Contents
Introduction
CounterACT — Clientless Network Access Control
How CounterACT Works
Setting Network Security Policy
The ForeScout Difference
Universal Discovery
Endpoint X-Ray
Table of CounterACT’s Continuously Updated Network Values
Tailored Enforcement
Compliance and Reporting
Non-Disruptive Deployment of CounterACT
Conclusion
About ForeScout

Introduction

Highlights

Point of Connection (End Point Control)
• Network-based, clientless solution — no desktop client or host agent required.
• Provides flexibility to conduct pre- and post-connection policy enforcement.
• Policy control over devices — managed, unmanaged and non-user.
• No change required to the user’s experience, current configuration, or login process.
• Turnkey appliance with a plug-and-play “Virtual Firewall” feature.

Infrastructure
• Seamless integration with existing network infrastructure — no network change required.
• Not an inline device (typically deployed at a distribution layer switch).
• Scalable and easy to deploy with no network redesign.
• Handles peripheral devices (printers, VoIP, WAP) in addition to host nodes.

After Connection
• Continuous protection and enforcement — devices are monitored after connection at regularly scheduled intervals or on demand.
• Real-time quarantine of self-propagating malware — does not rely on signatures or anomaly detection. Includes real-time protection from zero-day threats and malicious attackers.

Network Access Control (NAC) continues to build momentum as an ever-increasing number of globally dispersed enterprises look for new and innovative ways to address network security while continuing to support current infrastructure and the expanding mobile and contracted workforce. The challenge facing enterprises is to find the delicate balance between having control over network security and minimizing the disruption to end-user productivity. This whitepaper discusses ForeScout’s CounterACT clientless NAC solution, which provides an easy and flexible way to control access to networks and computing resources, defend against hackers and self-propagating malware, and ensure business is not affected.

CounterACT — Clientless Network Access Control

As technology continues to advance and workers become more mobile, the traditional network perimeter is no longer the primary focus of security technologies. Now more than ever, organizations of all sizes have to consider the threats posed by mobile and unmanaged endpoints that have the ability to walk around perimeter defenses.
These devices, whether company property (e.g. a corporate laptop) or unmanaged (e.g. a personal network-enabled PDA), can move in and out of secured networks, potentially exposing the corporate network to threats.

ForeScout’s CounterACT is the only non-disruptive, clientless network access control solution to deliver Endpoint X-Ray™ and Fast Pass™, eliminating the usual mandatory “quarantine upon connection” phase and allowing users to become productive quickly. Security checks include deep interrogation for bullet-proof security, but are immediate, transparent and hassle-free to the user. CounterACT also offers extensive policy enforcement options to custom-fit network access control, and scans devices that enter the network. This means laptops, PDAs, printers and desktops are all scanned by ForeScout’s clientless solution, which requires no endpoint software installation or downloads. CounterACT ensures no disruption to the network or normal business operations because it is not deployed inline, meaning there is no need to upgrade or install new gear; both the network and endpoints are left untouched.

How CounterACT Works

CounterACT provides IT security administrators with the ability to create and enforce granular security policies without causing any disruption to the user and without requiring any form of agent or client on the endpoint. Policies are predefined using a simple, granular GUI which guides the process of creating access policies. Policies are created by defining the following steps:

Setting Network Security Policy

1. Set Conditions — Administrators have the ability to create a granular set of conditions (policies). These pre-defined sets of values enable the appliance to detect endpoint activities and detect when the endpoint has violated the corporate security policy.
These conditions contain a variety of values including registry keys, services, applications, service packs, security updates, etc.

Example: A policy can be defined to check whether the device attempting to connect to the network has an up-to-date version of the corporate antivirus software, ensuring that the most recent .dat files are in place before access is allowed.

2. Set Triggers — With the network security policy set, this step determines when the policy is to be enforced. The appliance will detect policy violations both upon connection and through continuous monitoring of network activity. This allows for the detection of policy violations post-connection, ensuring the network security policy is always enforced.

Example: A policy can be triggered to check network security policies against the device attempting to connect when the device makes a DHCP call requesting a new IP address. The appliance detects this connection attempt and applies the appropriate policies triggered by this event. Furthermore, the policy can be defined to continually check the connected device against access policies to ensure the device remains in compliance.

3. Set IP Range — This step provides an additional level of flexibility, allowing policies to be applied network-wide or to a specific sub-group within the enterprise based on particular network configuration or security needs.

Example: The network is configured so that guests connect through a single subnet. Specific policies can be established for that subnet, giving guests (unmanaged devices) only limited network access in a quarantined VLAN. If an employee were to plug into that subnet, CounterACT would recognize the employee and grant them full access based upon their role.

4. Set Automatic Enforcement — No network access solution would be complete without the ability to enforce the access policies in real time. ForeScout provides administrators with a variety of options for enforcement.
This tailored enforcement ranges from a simple notification, delivered by hijacking the HTTP session and presenting a dialogue box notifying the user of the policy violation, to complete and immediate disconnection from the network. The administrator can custom-fit which response is taken based upon which policy violation has occurred.

Example: CounterACT detects that the device attempting to connect to the network has not applied the latest Microsoft security patch. The policy is set to deny access until the security patch is installed. The CounterACT system hijacks an HTTP session, presenting the user with a dialogue box stating that the Microsoft security patch has to be installed before the user will be granted access to the network. A link to the patch is provided and Internet access is allowed so the user can self-remediate. Once the patch is in place, the user is granted normal access to the network.

The ForeScout Difference

In addition to maintaining company-owned managed devices, one of the most difficult challenges facing network administrators is employees and guests with laptops or other mobile endpoints, which can plug into the internal network or connect remotely through a VPN. Even with the most vigilant security administration, the opportunity for an endpoint to be out of compliance with network security policies has come to be expected. With CounterACT, administrators can set and enforce network access policies (e.g., OS patch level, current AV file) without prior knowledge of the endpoint, thanks to its unique ability to discover and interrogate endpoints connecting to the network, including non-user devices. In addition, the clientless technology allows users to gain access to the network with no disruption for downloading or installing an agent or client.
Administrators can customize how each point of connection is handled depending on the compliance of the endpoint, allowing for even less disruption to business productivity. Additionally, the CounterACT solution integrates with directory structures (e.g. Active Directory), enabling role-based network access and ensuring that new connections only receive access to authorized segments of the network.

Universal Discovery

As the corporate environment becomes more mobile and contract employees become more prevalent, enforcing role-based network access policies has become imperative. However, enforcing and maintaining such policies can create unique challenges when it comes to finding a solution that is easy to deploy and maintain. Currently there are two approaches to network access control: client/agent-based, or clientless. Client-based systems are limited with regard to both unmanaged and non-user devices and can face interoperability issues with specific operating systems. The right clientless solution can provide a thorough inspection with a fast connection, without these limitations on the types of connecting devices that can be scanned.

ForeScout’s CounterACT is a clientless solution that requires no persistent or downloaded software agent to be installed on any connecting device, yet still provides quick access to the network with a thorough interrogation of the endpoint. By enforcing security policies from the network, administrators can just as effectively provide access control for managed and unmanaged/guest devices without the overhead and maintenance burden of managing a client-based solution. In addition, this ensures universal discovery of endpoints connecting to the network, including non-user devices such as network printers, VoIP phones, and PDAs.
Upon connection, CounterACT instantly determines the type of device, ensures it does not present a threat, and can place it in its appropriate logical location on the network.

Example: Unmanaged devices are simply defined as devices that are not part of any corporate domain and cannot be found in any directory. A typical example would be a contractor using their own laptop to connect to the network. Because CounterACT does not require an agent or any form of code to be placed on the contractor’s laptop, the system will detect an unmanaged or guest device attempting to access the network. The device will be allowed the level of connectivity determined by the policies in place for handling guests. This could include actions like moving the device from a public VLAN to a quarantined VLAN which only has access to the Internet, but no access to the corporate network.

Example: Printers, fax machines, VoIP phones, etc., make up a category of network elements that have not typically been included in conventional network policy enforcement schemes. CounterACT can detect these devices and apply policies that safeguard the network from security threats emanating from them. For example, a policy can be established to ensure that traffic coming from a network printer is limited to print-related traffic. If the printer begins to act like a different device, as in the case of someone spoofing the printer’s IP address, the CounterACT system will detect the change in traffic and quarantine or disconnect the device.

Endpoint X-Ray™

One of the key challenges of deploying enterprise-wide network access control is the daunting task of educating the workforce. Many access control technologies fail when they force users to change their behavior or add additional steps (multiple logins) to gain network access. CounterACT features the most granular device interrogation engine in the industry.
ForeScout’s Endpoint X-Ray technology provides both a quick inspection for self-propagating threats at the point of connection and a deep interrogation of the device to ensure policy compliance. By tapping directly into the registry and file system of the device, CounterACT determines virtually everything about the state of the endpoint, ranging from the presence of a desktop firewall, the level of OS patches, and the last update of the anti-virus definition file, to the presence of specific files or specific entries in the registry of the system. During this interrogation, CounterACT gathers a significant amount of data from connected devices. This information is collected both passively and actively at the same time.

Passive inspection: CounterACT sees traffic coming into and out of different network nodes. As such, it automatically learns different parameters in an ongoing manner. Examples include ports/services (from where CounterACT sits, it can tell which machines are connected to which services, e.g. DHCP requests) and packet banners (which indicate the type of activity within the packet, for example the operating system). Depending on which policies are defined for enforcement, this passive inspection may suffice, or additional information may be required, which can be obtained in an active manner.

Active inspection: In addition to the network/endpoint values that CounterACT can see just by “watching” the network activity passively, CounterACT can actively obtain additional information from the different network nodes. Depending on what the administrator has defined for enforcement, information can be obtained regarding the end nodes accordingly. This includes A/V updates, patches, service packs, running applications, running services, registry values, etc.¹

¹ Obtaining some of these values may require administrator privileges on the endpoints, which can easily be obtained through domain administration credentials. Once a device has successfully logged into the domain, CounterACT can work through administrator credentials to inspect the full registry and check against corporate directories to determine whether the device is known. If CounterACT is not granted this type of access, it continues to provide protection from known vulnerabilities, detect MAC/IP addresses, open services, etc.

Table of CounterACT’s Continuously Updated Network Values

User Behavior
• Network policy violations
• Audited responses
• Self-remediation success

User Information
• Username
• Email address
• Authentication status
• Role/Department
• Workgroup
• Phone number

Applications
• Illegitimate applications
• File information
• Application versions
• Modification date
• Registry values

OS Integrity
• OS fingerprint
• Un-patched vulnerabilities
• Antivirus update status
• Open services
• Jailbroken / rooted
• Running processes

Device Information
• IP address
• Device type (PC, smartphone, tablet, printer, wireless, etc.)
• MAC address
• Hostname

Physical Layer
• Physical switch
• 802.1X
• VLAN
• Number of devices sharing a port
• Switch port

Tailored Enforcement

The challenge that most enterprises face is their ability to enforce and ensure compliance with security policies while still maintaining a high degree of productivity amongst their users. Most NAC solutions on the market are limited to a binary enforcement response, meaning that a user is either compliant or not, and those that are not compliant are not allowed on the network. This type of response can create more work for resource-strained IT teams and frustration amongst the users of the system.

Example: In order to become compliant with virus definitions or operating system patches, users must be able to access the network.
The Catch-22 is that because they are not compliant, they cannot access the network to download the files they need to become compliant. As a result, users that fail to update virus definitions or patches in a timely fashion must call upon IT for resolution. Note that this could be a recurring problem, depending upon the frequency with which updates and patches are mandated.

Example: With a binary access scheme, guest users such as employees from another location, consultants, or customers needing to access the network even for simple tasks such as downloading e-mail or using an Internet browser will not have the appropriate access credentials to gain access to the network. Either these users must be given access to a compliant device, or IT must make the guest device compliant by providing it with the appropriate access credentials, which in some cases would include installing a client on the connecting device.

Instead of treating policy compliance as a binary scenario, ForeScout’s NAC solution utilizes a tailored enforcement approach which offers a range of custom responses to each individual security event, ranging from informing the end user of policy violations through a hijacked HTTP session dialogue box to complete and immediate disconnection, based upon the severity of the policy violation and the detected risk to network operations. Additionally, devices connecting to the network can be moved into quarantined VLANs either at the point of connection or due to a policy violation after the connection is made. With this approach, non-compliant users are no longer denied access due to minor policy violations (e.g., antivirus files out-of-date by one day), but can continue to remain productive through limited access to applications like e-mail or the Internet. In addition, CounterACT provides continued monitoring of connected devices to ensure policies are being enforced and provides a measured and appropriate response to specific policy violations.
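As an added illustration (not ForeScout’s code or CounterACT’s policy schema), the following Python sketch models the four policy-definition steps from Setting Network Security Policy (conditions, triggers, IP range, enforcement), the severity-ranked tailored enforcement described in this section, and the printer-traffic check from Universal Discovery. The endpoint records, subnets, port set, thresholds and action strings are constructed assumptions.

```python
"""Toy NAC policy engine modelled on the four policy steps and tailored enforcement.

Constructed illustration: the endpoint records, subnets, thresholds and
actions below are assumptions, not CounterACT's configuration schema.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Set, Tuple

# Severity ranks the responses so that several hits resolve to the strongest one.
INFO, MINOR, MAJOR, CRITICAL = 0, 1, 2, 3

# Ports a network printer is expected to talk on (assumption: LPD, IPP, JetDirect).
PRINT_PORTS = {515, 631, 9100}


@dataclass
class Endpoint:
    ip: str
    mac: str
    device_type: str                 # "pc", "printer", ... from passive fingerprinting
    domain_member: bool              # found in the directory (managed) or not (guest)
    av_sig_age_days: int = 0         # antivirus definition age, from active inspection
    missing_patches: List[str] = field(default_factory=list)
    observed_dst_ports: Set[int] = field(default_factory=set)  # from passive inspection


@dataclass
class Policy:
    name: str
    scope: str                              # Step 3: IP range the policy covers
    triggers: Set[str]                      # Step 2: "connect" (DHCP seen) / "recheck"
    condition: Callable[[Endpoint], bool]   # Step 1: True when the policy is violated
    severity: int                           # ranks competing hits
    action: str                             # Step 4: administrator-chosen response


POLICIES = [
    Policy("guest-on-guest-subnet", "10.50.0.0/16", {"connect"},
           lambda e: not e.domain_member, MINOR,
           "move to guest VLAN (Internet only)"),
    Policy("av-definitions-stale", "10.0.0.0/8", {"connect", "recheck"},
           lambda e: e.device_type == "pc" and e.av_sig_age_days > 3, MINOR,
           "HTTP notice: update antivirus; allow e-mail and Internet only"),
    Policy("missing-security-patch", "10.0.0.0/8", {"connect", "recheck"},
           lambda e: e.device_type == "pc" and bool(e.missing_patches), MAJOR,
           "HTTP notice with patch link; allow Internet only until remediated"),
    Policy("printer-not-acting-like-printer", "10.0.0.0/8", {"recheck"},
           lambda e: e.device_type == "printer"
           and bool(e.observed_dst_ports - PRINT_PORTS), CRITICAL,
           "move to quarantine VLAN and open trouble ticket"),
]


def evaluate(endpoint: Endpoint, trigger: str) -> List[Tuple[str, int, str]]:
    """Return (policy, severity, action) for every policy violated under this trigger."""
    hits = []
    addr = ip_address(endpoint.ip)
    for pol in POLICIES:
        if trigger not in pol.triggers or addr not in ip_network(pol.scope):
            continue                         # wrong trigger or outside the IP range
        if pol.condition(endpoint):
            hits.append((pol.name, pol.severity, pol.action))
    return hits


def decide(endpoint: Endpoint, trigger: str) -> str:
    """Tailored enforcement: apply the most severe matching response, else full access."""
    hits = evaluate(endpoint, trigger)
    if not hits:
        return "allow full access"
    return max(hits, key=lambda h: h[1])[2]


if __name__ == "__main__":
    # Constructed sample endpoints.
    contractor = Endpoint("10.50.3.9", "aa:bb:cc:00:00:01", "pc", domain_member=False)
    employee = Endpoint("10.50.3.10", "aa:bb:cc:00:00:02", "pc", domain_member=True)
    laptop = Endpoint("10.20.4.11", "aa:bb:cc:00:00:03", "pc", True,
                      av_sig_age_days=5, missing_patches=["patch-id-placeholder"])
    printer = Endpoint("10.20.1.7", "aa:bb:cc:00:00:04", "printer", False,
                       observed_dst_ports={9100, 445, 3389})
    for ep, trig in [(contractor, "connect"), (employee, "connect"),
                     (laptop, "recheck"), (printer, "recheck")]:
        print(f"{ep.ip:12} {trig:8} -> {decide(ep, trig)}")
```

The laptop case shows why severity ranking matters: a stale antivirus file and a missing patch both match, and the stronger patch response wins without denying the device all access.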
Figure 1: Flexible policy enforcement options
Alert and inform: open trouble ticket; send email; SNMP traps; Syslog; HTTP browser hijack; auditable end-user acknowledgement; self-remediation; SMS, PatchLink integrations.
Restrictive access: deploy a Virtual Firewall around an infected or non-compliant device; reassign the device into a VLAN with restricted access to resources and services; update access lists on switches, firewalls and routers to restrict access; automatically move the device to a pre-configured guest network.
Move and disable: reassign the device from the production VLAN to a quarantine VLAN; block access with 802.1X; alter the end user’s login credentials to restrict or completely block access; block access with device authentication; turn off the physical switch port; terminate unauthorized applications.

• Alerts: CounterACT will alert the appropriate network administrators to specific policy violations by unknown devices. This is accomplished through SNMP traps, Syslog export, API-level integration with trouble ticketing systems to automatically open a trouble ticket, e-mail, and pager notification.
• Engage/Inform: CounterACT will engage the visitor who is in violation of security policy. The appliance will hijack the HTTP session and present the user with a dialogue box explaining which corporate policy has been violated. The visitor can choose to self-remediate, or may be instructed to contact a network administrator before being allowed on the network.
• Limit Network Access: A key feature of CounterACT is the ability to provide a plug-and-play virtual firewall which protects critical network resources from unauthorized access, and protects vulnerable systems from threats, including unknown devices.
• Update Network Access Lists: ForeScout has developed a full catalogue of network API-level device plug-ins which allow the appliance to communicate with network elements like switches, routers, and firewalls.
This response is then used to deny access to a visitor device that is not compliant with network policy, effectively blocking the device from connecting at the infrastructure level.
• Move: Similar to the functions described under limiting network access, CounterACT provides a level of flexibility in enforcing network policy. The range of responses allows network administrators to control which devices have access to specific areas within the network. Part of this functionality is the ability to move connecting and connected devices between public, restricted, and quarantined VLANs.
• Disable: The most definitive enforcement is to deny network access to a device which does not comply with the network security policies. CounterACT can do this through its own blocking mechanisms or work with network elements to close the connection. In the case of switch integration, this could be accomplished by turning off the port that the device is attempting to connect to. The “virtual firewall” feature is built into the CounterACT appliance.

Compliance and Reporting

One of the most important pieces of information for network administrators to have is a complete picture of network elements and their correlated information. ForeScout’s CounterACT appliance not only provides this information, but gives network administrators the ability to search it using any piece of the correlated information for each element. This information includes important network identifiers like IP address, MAC address, NetBIOS host name, DNS host name, etc. The database of network information is always up to date, ensuring that any change within the network is detected, logged, alerted on if necessary, and stored in preparation for any future reports that will need to be generated.

Upon deployment, CounterACT immediately begins, and continues, to learn the network topology. The appliance populates the Network Information Database with initial topology and inventory information.
From that point on, the appliance remains in an automatic learning mode, continually updating the database with the most current network information. This information is then correlated and made available via the Network Information Portal (see Figure 2) or through CounterACT’s standard reporting capabilities.

Figure 2: The Network Information Portal provides a current database of network information.

Non-Disruptive Deployment of CounterACT

CounterACT seamlessly integrates with any network environment and does not require any infrastructure changes or costly equipment upgrades. Typically spanned from a distribution layer switch for a highly scalable, cost-effective deployment, CounterACT is out-of-band and features downstream enforcement to control devices at the access layer. The non-inline deployment method eliminates latency and point-of-failure issues.

To realize the full extent of CounterACT’s capabilities, the appliance needs to be properly deployed in the enterprise network. CounterACT deployment is not inline, i.e. network traffic does not need to flow through the appliance in order for it to realize its protection and policy enforcement capabilities. Instead, the appliances are non-intrusively connected to the infrastructure. This is done either by connecting to monitoring ports on switches (“SPAN” in some vendors’ terminology), or by using network taps. In order to employ the protection capabilities of CounterACT, the appliance is connected at network choke points, which separate sections of the network that need to be protected from each other: for example, at an access layer (or distribution layer) switch serving a workgroup or a department; at a VPN concentrator connecting out-of-premises machines to the enterprise network; or at a WAN link connecting remote branches or different offices.
The appliances will then be able to automatically limit the spread of a threat (including a zero-day threat) to other parts of the network.

To fully utilize the NAC capabilities, the appliance will need to be able to monitor the relevant network traffic. For example, to monitor and enforce Active Directory authentication, the appliance needs to monitor network traffic going to and from Domain Controllers. To monitor or enforce policy regarding access to a specific server, the appliance needs to monitor the traffic to that server. This is achieved by using monitor ports (or network taps) on the relevant switches, e.g. the switch where the Domain Controller is connected. To see new IP addresses (or new MAC addresses) join the network, the appliance needs to be connected to the same LAN (technically, the same broadcast domain) as the connecting hosts, and so forth. CounterACT fully supports IEEE 802.1Q LAN trunking (VLANs), so multiple broadcast domains can be monitored via one port.

A full deployment graphic is included below, with the understanding that every network topology is different. With this in mind, the graphic has been created to capture a generic example of a CounterACT deployment.

Figure 3: Typical CounterACT deployment

Conclusion

The ever-expanding number of devices that exist in and around the corporate world is increasing exponentially each year. As mobility proliferates, so too does the requirement for network security solutions that protect organizations not just from external attacks but from attacks originating inside the network perimeter. Policy enforcement plays an increasing role in this environment, due to both the increase in regulatory pressure and the ability for more individuals to conduct malicious activity.
Implementing a network access control solution, such as ForeScout’s CounterACT appliance, provides organizations with the ability to automatically enforce security policies while still maintaining user productivity. Today, Fortune 1000 corporations and government agencies have deployed ForeScout appliances globally to control access to their networks and resources, defend against hackers and self-propagating malware, and ensure business continuity.

About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company’s CounterACT appliance dynamically identifies and assesses network users, endpoints and applications to provide visibility, intelligence and policy-based mitigation of security issues. ForeScout’s open ControlFabric™ technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout’s solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

ForeScout Technologies, Inc.
900 E. Hamilton Ave., Suite 300
Campbell, CA 95008 U.S.A.
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 1-408-371-2284
www.forescout.com

©2014 ForeScout Technologies, Inc. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2013.0068