December 15, 2009
From £3,200 for 50 users
- Strengths: No infrastructure changes required, uncomplicated deployment, strong NAC policies, malicious traffic identification
- Weaknesses: OS identification could be better; may require an agent to be deployed
- Verdict: A network security solution that avoids most of the pitfalls of NAC by being easy to deploy and manage
ForeScout Technologies' CounterACT NAC stands out. It aims to avoid most of the gripes with NAC, which is seen to be expensive and overly complex.
Its appliance functions in out-of-band (OOB) mode, so just needs port mirroring to be configured on the switch it's connected to. We had no problems installing it in the lab; we configured our 48-port HP ProCurve Gigabit switch to mirror all traffic to its port.
Three network ports are used: one passively monitors all traffic, and a second 'response' port is used to enforce NAC policies with functions such as HTTP redirection, VLAN quarantining and virtual firewall blocking. Appliance management access is isolated on the third network port.
Management is via CounterACT Console, installed from the appliance. This offers a quick-start wizard where you provide information about the protected network ranges, AD credentials, SNMP details and authentication servers. The appliance gets straight down to business by identifying all network devices and populating the console with their details.
The interface is a tidy affair with a pane top left showing discovered devices, policies and their status. The pane below allows views to be filtered, where you place hosts with common attributes in groups and apply NAC policies.
CounterACT did a fairly good job of spotting systems on our test network. However, it was unable to identify the OS on systems with Windows Server 2008 and Windows 7 installed. The problem here is that the appliance uses the open source Nmap scanner utility for this process, so ForeScout is largely at the whims of the Nmap developers.
There are ways round this. CounterACT is designed to be agentless, but you can deploy its Secure Connector Agent (SCA) where admin access is not allowed.
The SCA is used to allow systems behind a firewall to communicate with the appliance. It doesn't provide any local enforcement, so wouldn't protect mobile workers. The SCA is also required to control system devices - eg USB ports - where the app is not allowed to log on to the host.
An important feature is a passive mode that runs policies with all actions deactivated so you can test them before going live.
Companies with wireless network security concerns will find guest policies useful.
Group members can be scanned using compliancy policies. The presence of Windows patches and Service Packs can be verified and there are self-remediation tools to reduce demands on support staff.
Nuisance IM and P2P app activities can be blocked and CounterACT can also control the use of USB devices. It has another trick up its sleeve - it can detect and block malicious traffic, providing day-zero protection.
We could use policies to control our network switch ports by allowing the app to disable those our rogue systems were attached to. New is the ability to use policies to dynamically configure switch ACLs, a more elegant enforcement than port blocking.
With its simple deployment, CounterACT avoids many of the problems around NAC. Nmap has issues with OS identification but the app's OOB monitoring means it will slot into your existing infrastructure - and it's better value than a lot of the competition.