ForeScout CounterACT: Virtual Firewall
Technical Note
Contents
Introduction
What is the vFW?
Technically, How Does vFW Work?
How Does vFW Compare to a Real Firewall?
How Does vFW Compare to other Blocking Methods?
When is vFW the Best Network Control Method?
What Are the Limitations of the vFW Method?
Configuring the vFW
Example 1: Create a rule to block traffic to a specific host
Example 2: Create a rule to block traffic from a specific host
Example 3: Define exceptions to a blocking rule
About ForeScout
Introduction
ForeScout CounterACT™ includes several different mechanisms with which you can control network access. Within the CounterACT policy system,
these mechanisms are known as enforcement options. Of all the enforcement options, the Virtual Firewall (vFW) option stands out as particularly
interesting because it does not require changes to your network architecture. In some environments, this can make deployment and ongoing
maintenance easier than any other network control technology, from any vendor.
In this tech note, we describe the capabilities, use cases, and limitations of vFW technology. This will help you understand how best to use
the vFW feature. vFW technology is proprietary to ForeScout, unlike mechanisms such as VLAN assignment, ACL management, and port blocking,
which are included in ForeScout CounterACT as well as in many other commercially available NAC products.
What is the vFW?
ForeScout’s vFW lets you block, limit or quarantine hosts on the network by detecting their network traffic and then disrupting their communication
with a target host/server. The blocking can target all or some of the traffic from one or more sources to one or more hosts. For example, you can block
all traffic to a specific destination, or you can block all traffic except HTTP to that destination.
The vFW gives you all the benefits of an inline firewall without actually being inline. This means there are no issues of latency or dependency on 3rd
party hardware.
There are multiple applications for the vFW:
1. Create security zones: ForeScout vFW technology lets you create network security zones, giving you more control over network traffic.
Specifically, by defining a vFW policy you can:
• Create network zones or segments that you want to close off entirely as a result of new threats or newly detected vulnerabilities
• Create network zones or segments that you want to close off to specific sources
• Prevent unwanted protocols from being transmitted within your network or between specific network segments, for example, if you know
that RPC traffic should not be transmitted between various departments in your organization
• Designate business-critical services that should always remain open
2. Quarantine non-compliant and/or non-corporate hosts: The vFW can be incorporated within NAC policies to detect non-compliant and/or
non-corporate hosts and limit their access to the network. In the case of a non-compliant host, the vFW will be applied as soon as the host is
detected to be non-compliant. If CounterACT policies are set up to automatically remediate the non-compliant host, the vFW will be removed
automatically as soon as the remediation is successful.
For non-corporate hosts (BYOD), the vFW can be used to control and limit access to the corporate network. ForeScout CounterACT can apply
different vFW rules to non-corporate hosts depending on whether the user of the device has registered as a guest using the guest management
system that is included with ForeScout CounterACT.
3. Quarantine infected or malicious hosts: ForeScout CounterACT can continuously monitor traffic from all endpoints and can detect whether the
traffic is malicious, e.g. if the endpoint has been infected with a worm or a virus, or if the user is intentionally trying to attack the network. If
CounterACT detects such a condition, it can dynamically apply a vFW against the host to limit the spread of the infection or to disrupt the user’s
attempt to hack into network resources.
Technically, How Does vFW Work?
The vFW works by detecting a connection request from a source host that has a vFW action applied against it, then emulating that source host and
sending TCP reset packets to the target, telling it to terminate and ignore the TCP/IP connection request from the source host. The diagram below
shows the step-by-step process that takes place when a vFW is applied against a host. In this example, the source is a PC, and the target is a server.
Figure 1: vFW applied against a PC to a server.
How Does vFW Compare to a Real Firewall?
The vFW gives you all the benefits of an inline firewall without actually being inline. The vFW sits logically inline but physically out-of-band. That is,
the traffic flows to one of our ports from a span or tap. We then introduce TCP reset packets into the network from a separate management port. This
means that network traffic doesn’t physically flow through the CounterACT appliance. As a result, the CounterACT appliance doesn’t introduce latency
in the network, doesn’t affect throughput of the network, and doesn’t represent a failure point if the CounterACT appliance should go down. Since the
CounterACT appliance sees all network traffic and has the ability to respond immediately, you have all the benefits of an inline security device without
any drawbacks.
A second difference is that, unlike a real firewall, vFW is policy-based and therefore more dynamic. ForeScout CounterACT can dynamically adapt to
the changing network environment. For example, a physical firewall will open a port for egress traffic and typically leave the port open. But vFW can
dynamically respond to the egress traffic request, closing it off on the basis of many different conditions, for example the type of device, the ownership
of the device, whether the user is an employee or a guest, whether the device is running certain apps, etc.
The vFW lets you create network segmentation without the need to modify your existing infrastructure. For example, if your data repositories are all
at the core of your network or in a “virtual DMZ”, ForeScout’s vFW can ensure that all data paths into your data stores are monitored and that only
authorized users/devices can access those data stores.
How Does vFW Compare to other Blocking Methods?
As mentioned earlier, ForeScout CounterACT provides other mechanisms for controlling network access: VLAN assignment, ACL management, and
switch port block. All of these mechanisms can block or limit traffic from a host, except for the switch port block, which can only provide a complete
host block. What differentiates the vFW from the other blocking methods is the following:
• ForeScout’s vFW can be deployed immediately and is totally independent of whatever switching hardware you have in place. vFW does not
require any interoperation with switching hardware and does not require switch privileges. All that is needed for the vFW to work is visibility into
the blocked host’s traffic through a span port on the switch, which most enterprise switch vendors support. In contrast, VLAN assignment, ACL
management, and switch port block actions require SNMP and/or SSH access to the switches and routers the hosts are connected to.
• ForeScout’s vFW reacts to (blocks) traffic faster. There is no wait time for an action to be written to a switch, as is the case with VLAN
assignment and ACL management.
• ForeScout’s vFW is non-disruptive to the end user. The endpoint doesn’t have to renegotiate an IP address as it does with a VLAN change. With the
popular VLAN change method of other NAC vendors, as an endpoint changes VLANs, the following has to happen:
‐ VLAN change is written to the switch port (takes a few seconds)
‐ Switch port is disabled and enabled quickly to force the endpoint to renegotiate and receive a new IP address
‐ Endpoint goes through the DHCP process to receive a new IP address (can take 5+ seconds depending on the device)
‐ As appropriate, the endpoint gets remediated and becomes compliant with corporate policy, or the user registers as a guest
‐ VLAN change is written again to move the endpoint back (a few seconds)
‐ Switch port is disabled and enabled quickly to force the endpoint to renegotiate and receive a new IP address
‐ Endpoint goes through the DHCP process to receive a new IP address (can take 5+ seconds depending on the device)
‐ User continues working
In contrast, the same process with ForeScout vFW looks like this:
‐ CounterACT introduces TCP resets to prevent access to certain resources (almost instantaneous)
‐ As appropriate, the endpoint gets remediated and becomes compliant with corporate policy, or the user registers as a guest
‐ CounterACT releases the TCP reset action (almost instantaneous)
‐ User continues working
When is vFW the Best Network Control Method?
Since ForeScout CounterACT has so many network control mechanisms, customers sometimes ask “Which network control method should I use?”
While each situation is different, here are two obvious situations where vFW technology is probably the right choice:
1. If the switch and/or router does not support SNMP or CLI access for applying other blocking methods.
2. If your network environment is centralized with a natural choke point between the endpoints and the computing resources or sensitive data,
then a single centralized CounterACT appliance can use vFW to control access to these resources. The CounterACT appliance would need to be
able to see all of the traffic at that choke point via a mirror port or span port.
What Are the Limitations of the vFW Method?
Just like any technology, the vFW has some limitations. For example:
• TCP vs. UDP blocking. The vFW was designed to block traffic that uses the TCP protocol, which represents over 95% of all traffic. With TCP traffic,
three packets are sent even before the first data packet. Each packet gives the vFW an opportunity to terminate the session, making it very
effective against this kind of traffic. But UDP traffic is different. While vFW can block traffic using the UDP protocol, the effectiveness depends
on the nature of the service. With UDP traffic, the number of times the sender waits for a response packet ranges from zero upward. If there is no
response packet, there is no opportunity for ForeScout vFW to intervene and terminate the UDP traffic flow. The greater the number of packets
sent, the more opportunities there are to terminate the UDP traffic flow. Consider these examples:
‐ With syslog, there is no opportunity to terminate the session. The sender transmits the data message to the syslog server but does not wait
for a reply.
‐ With DNS, there is a single opportunity to terminate the session. After the sender transmits a query, it waits for a reply. If the vFW
responds with a “port unreachable” ICMP message before the server responds, the session will be terminated.
‐ With TFTP, the vFW has multiple opportunities to terminate the session. Chunks of the file are transferred in individual packets, and each
packet provides a termination opportunity.
In conclusion, if you want to be sure to terminate UDP sessions, we recommend that you use ForeScout CounterACT’s ACL management
technologies, or integrate CounterACT with a 3rd party firewall such as Cisco ASA.
• The vFW relies on the ability of the CounterACT appliance to see all traffic from the source host. In some cases, this might be hard to achieve. The
main concern will always be the ability (or inability) to see intra-switch traffic, i.e. traffic that stays on a single switch and never flows to an
upper-layer switch where CounterACT is listening to traffic via the span port.
Configuring the vFW
The vFW can be manually invoked at any time from the CounterACT console, or it can be included within an automated policy.
Manual invocation is as simple as right-clicking a host, then selecting “Virtual Firewall” from the list of available “Restrict” actions.
Figure 2: Policy editor window — Almost any ForeScout CounterACT policy can include
an automated network control using vFW.
Figure 3: Sub-rules can be set up for specified conditions.
The vFW is customizable as to what it should and should not block, which makes it a great tool for creating security zones, as mentioned earlier. The vFW
can be configured to:
• Block traffic to specific hosts
• Block traffic from specific hosts
• Block traffic to all hosts except a range of hosts
• Block all traffic from/to a host
• Block certain types of traffic from/to a host (e.g. add an exception to allow HTTP traffic only)
Example 1: Create a rule to block traffic to a specific host:
1. From the Virtual Firewall Rule dialog box, select the Add button from the Blocking Rules section.
2. Select “The FW will block traffic to the detected host” radio button. This allows you to block inbound traffic to detected hosts.
3. In the Source IP section, define the hosts that are prevented from communicating with the detected host.
4. In the Target Port section, define the services on the detected host that are blocked.
5. Select OK.
Figure 4: Virtual firewall rules are added to block traffic to specific hosts.
Example 2: Create a rule to block traffic from a specific host:
1. From the Blocking Rules dialog box, select the Add button from the Blocking Rules section.
2. Select “The FW will block traffic from the detected host” radio button. This allows you to block outbound traffic from detected hosts to other
network hosts.
3. In the Target Port section, define the services the detected hosts are prevented from accessing on other network hosts.
4. Select OK. The rules you defined appear in the Action dialog box.
5. Use the Edit and Remove buttons as required.
Example 3: Define exceptions to a blocking rule.
Exceptions are for when you define a range of addresses to block, but you want to allow traffic to and from IT administrator hosts or VIP hosts.
To create exceptions to specified hosts:
1. From the Virtual Firewall Rule dialog box, select the Add button from the Blocking Exceptions section.
2. Select the “The FW will allow traffic to the detected host” radio button. This allows you to allow inbound traffic to detected hosts.
3. In the Source IP section, define the hosts that are allowed to communicate with the detected host.
4. In the Target Port section, define the services on the detected host that are allowed.
5. Select OK.
To create exceptions from specified hosts:
1. From the Virtual Firewall Rule dialog box, select the Add button from the Blocking Exceptions section.
2. Select the “The FW will allow traffic from the detected host” radio button. This allows you to allow outbound traffic from detected hosts.
3. In the Source IP section, define the hosts the detected hosts are allowed to communicate with.
4. In the Target Port section, define the services the detected hosts are allowed to access on other network hosts.
5. Select OK.
Figure 5: Set up blocking exceptions for added flexibility and control.
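The rule semantics of Examples 1 to 3 (blocking rules, blocking exceptions that take precedence, Source IP and Target Port scoping) modelled as a small policy evaluator, added here as an illustration; this is not ForeScout code, and the per-rule peer ranges on "from" rules, the host addresses and the connection requests are constructed for the example.

```python
# Added example (not ForeScout code): models how vFW blocking rules and blocking
# exceptions decide whether a TCP connection request seen on the span port
# should be answered with a TCP reset. Addresses below are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    direction: str   # "to": traffic to the detected host, "from": traffic from it
    peers: list      # CIDR strings for the other side (Source IP section); [] = any host
    ports: set       # Target Port section; empty set = all services

    def matches(self, detected, src, dst, dport):
        host, peer = (dst, src) if self.direction == "to" else (src, dst)
        if host != detected:
            return False
        if self.peers and not any(ip_address(peer) in ip_network(n) for n in self.peers):
            return False
        return not self.ports or dport in self.ports


@dataclass
class VirtualFirewall:
    detected_host: str
    blocking: list = field(default_factory=list)    # Blocking Rules section
    exceptions: list = field(default_factory=list)  # Blocking Exceptions section

    def should_reset(self, src, dst, dport):
        """True if CounterACT would emulate the source and send a TCP reset."""
        if any(r.matches(self.detected_host, src, dst, dport) for r in self.exceptions):
            return False  # exceptions win, e.g. IT admin hosts keep access
        return any(r.matches(self.detected_host, src, dst, dport) for r in self.blocking)


def demo():
    """Quarantine 10.1.1.50: block all traffic to/from it, keep HTTP in,
    admin subnet in, and the remediation server reachable (all constructed)."""
    vfw = VirtualFirewall(
        detected_host="10.1.1.50",
        blocking=[Rule("to", [], set()), Rule("from", [], set())],
        exceptions=[Rule("to", [], {80}),                   # web service stays open
                    Rule("to", ["10.9.9.0/24"], set()),     # IT admin subnet
                    Rule("from", ["10.5.5.5/32"], {443})],  # remediation server
    )
    flows = [("10.2.2.7", "10.1.1.50", 80),    # HTTP to host: exception, no reset
             ("10.2.2.7", "10.1.1.50", 445),   # SMB to host: blocked
             ("10.9.9.3", "10.1.1.50", 22),    # admin SSH: exception
             ("10.1.1.50", "10.5.5.5", 443),   # host to remediation: exception
             ("10.1.1.50", "10.3.3.3", 443),   # host to anything else: blocked
             ("10.2.2.7", "10.4.4.4", 445)]    # quarantined host not involved
    return [vfw.should_reset(*f) for f in flows]


if __name__ == "__main__":
    print(demo())  # [False, True, False, False, True, False]
```

The evaluator covers only the rule matching; the reset itself is only effective for TCP, as the limitations section explains.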
About ForeScout
ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks.
The company’s CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility,
intelligence and policy-based mitigation of security issues. ForeScout’s open ControlFabric™ technology allows a broad range of IT security products
and management systems to share information and automate remediation actions. Because ForeScout’s solutions are easy to deploy, unobtrusive,
flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California,
ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.
ForeScout Technologies, Inc.
900 E. Hamilton Ave.,
Suite 300
Campbell, CA 95008
U.S.A.
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 408-213-2283
www.forescout.com
©2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks
of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners.
Doc: 2013.0062