Strengths: No infrastructure changes required, uncomplicated deployment, strong NAC policies, malicious traffic identification
Weaknesses: OS identification could be better; may require an agent to be deployed
Verdict: A network security solution that avoids most of the pitfalls of NAC by being easy to deploy and manage
ForeScout Technologies' CounterACT NAC stands out. It aims to avoid most of the gripes with NAC, which is widely seen as expensive and overly complex.
Its appliance functions in out-of-band (OOB) mode, so it only needs port mirroring configured on the switch it is connected to. We had no problems installing it in the lab; we configured our 48-port HP ProCurve Gigabit switch to mirror all traffic to its port.
Three network ports are used: one passively monitors all mirrored traffic, a second 'response' port is used to enforce NAC policies with functions such as HTTP redirection, VLAN quarantining and virtual firewall blocking, and appliance management access is isolated on the third.
Management is via CounterACT Console, installed from the appliance. This offers a quick-start wizard where you provide information about the protected network ranges, AD credentials, SNMP details and authentication servers. The appliance gets straight down to business by identifying all network devices and populating the console with their details.
The interface is a tidy affair, with a pane at top left showing discovered devices, policies and their status. The pane below provides filtered views, in which you place hosts with common attributes into groups and apply NAC policies to those groups.
CounterACT did a fairly good job of spotting systems on our test network. However, it was unable to identify the OS on our systems running Windows Server 2008 and Windows 7. The problem here is that the appliance uses the open source Nmap scanner for this process, so ForeScout is largely at the mercy of the Nmap developers.
There are ways around this. CounterACT is designed to be agentless, but you can deploy its Secure Connector Agent (SCA) where the appliance is not allowed administrative access to the host.
The SCA is used to allow systems behind a firewall to communicate with the appliance. It doesn't provide any local enforcement, so it wouldn't protect mobile workers. The SCA is also required to control system devices - e.g. USB ports - where the appliance is not allowed to log on to the host.
An important feature is a passive mode that runs policies with all actions deactivated, so you can test them before going live.
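The OS-identification weakness above, and the agent fallback that follows from it, come down to how much confidence Nmap reports for each host. The following Python is an added example, not ForeScout's code or anything from the original review: it parses the XML that `nmap -O -oX -` emits, picks the best `osmatch` per host and flags hosts whose match is missing or below a confidence threshold as candidates for the SCA. The scan output is constructed inline for the example, and the 90% threshold and the `hosts_needing_agent` helper are this example's own assumptions, not CounterACT settings.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -O -oX -` output (not a real scan): a Linux host with a
# confident match, a Windows host with only low-confidence guesses, and a host where
# Nmap produced a fingerprint but no osmatch at all.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX - 192.168.1.0/24" version="7.94">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <os>
      <portused state="open" proto="tcp" portid="22"/>
      <osmatch name="Linux 4.15 - 5.8" accuracy="100" line="0">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="100"/>
      </osmatch>
    </os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <os>
      <portused state="open" proto="tcp" portid="445"/>
      <osmatch name="Microsoft Windows 7 or Windows Server 2008 R2" accuracy="88" line="0">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="7" accuracy="88"/>
      </osmatch>
      <osmatch name="Microsoft Windows Vista" accuracy="85" line="0">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="Vista" accuracy="85"/>
      </osmatch>
    </os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
    <os>
      <portused state="open" proto="tcp" portid="135"/>
      <osfingerprint fingerprint="OS:SCAN(V=7.94%E=4)"/>
    </os>
  </host>
</nmaprun>
"""


def classify_hosts(xml_text, min_accuracy=90):
    """Return one record per up host: the best Nmap OS guess and whether the
    confidence is too low to rely on passive identification alone.

    min_accuracy is an assumed policy threshold for this example."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None

        # Nmap lists osmatch entries best-first, but we select by the accuracy
        # attribute explicitly so the logic does not depend on element order.
        best_name, best_acc = None, 0
        for match in host.findall("os/osmatch"):
            acc = int(match.get("accuracy", "0"))
            if acc > best_acc:
                best_name, best_acc = match.get("name"), acc

        results.append({
            "addr": addr,
            "os": best_name,            # None when Nmap produced no match
            "accuracy": best_acc,       # 0 when there was no match
            "needs_agent": best_acc < min_accuracy,
        })
    return results


def hosts_needing_agent(xml_text, min_accuracy=90):
    """Addresses where an agent (or credentialed access) is needed to learn the OS."""
    return [h["addr"] for h in classify_hosts(xml_text, min_accuracy) if h["needs_agent"]]


if __name__ == "__main__":
    for rec in classify_hosts(SAMPLE_NMAP_XML):
        print(rec)
    print("agent candidates:", hosts_needing_agent(SAMPLE_NMAP_XML))
```

Note that with a real scan Nmap only prints low-confidence matches when run with `--osscan-guess`; without it the Windows host in the sample would look like the third host (no `osmatch` at all), which is exactly the situation the review describes.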
Companies with wireless network security concerns will find guest policies useful.
Group members can be scanned using compliance policies. The presence of Windows patches and Service Packs can be verified, and there are self-remediation tools to reduce demands on support staff.
Nuisance IM and P2P app activities can be blocked, and CounterACT can also control the use of USB devices. It has another trick up its sleeve: it can detect and block malicious traffic, providing zero-day protection.
We could use policies to control our network switch ports by allowing the appliance to disable those our rogue systems were attached to. New is the ability to use policies to dynamically configure switch ACLs, a more elegant enforcement than port blocking.
With its simple deployment, CounterACT avoids many of the problems around NAC. Nmap has issues with OS identification, but the appliance's OOB monitoring means it will slot into your existing infrastructure - and it's better value than a lot of the competition.
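To make concrete how the compliance policies, the passive test mode and the switch-port or ACL enforcement described above fit together, here is an added Python example. It is not ForeScout's code and does not reproduce CounterACT's policy language; it is a small policy evaluator of this example's own design. Hosts are grouped, a policy requires a set of Windows patches for a group, and each violation maps to an enforcement action. In passive mode the evaluator reports what it would have done without pushing any change; in active mode it hands the change to an enforcer, which here only records the structured switch change (port, VLAN or ACL entry) that a real response port would apply. The host records, the KB numbers, the quarantine VLAN and the action names are all constructed for the example.

```python
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999   # assumed quarantine VLAN id for this example


@dataclass
class Host:
    addr: str
    group: str
    switch_port: str
    installed_kbs: set = field(default_factory=set)


@dataclass
class Policy:
    name: str
    group: str            # only hosts in this group are evaluated
    required_kbs: set     # patches every member must have installed
    action: str           # "disable_port", "quarantine_vlan" or "switch_acl"


class SwitchEnforcer:
    """Stands in for the response port: records the change it would push to the switch."""

    def __init__(self):
        self.changes = []

    def apply(self, action, host):
        if action == "disable_port":
            change = {"port": host.switch_port, "admin_state": "down"}
        elif action == "quarantine_vlan":
            change = {"port": host.switch_port, "untagged_vlan": QUARANTINE_VLAN}
        elif action == "switch_acl":
            # Per-host deny entry: finer-grained than taking the whole port down.
            change = {"port": host.switch_port, "acl": f"deny ip host {host.addr} any"}
        else:
            raise ValueError(f"unknown action {action!r}")
        self.changes.append(change)
        return change


def evaluate(policies, hosts, enforcer, passive=True):
    """Evaluate every policy against every host in its group.

    Returns one finding per violation. With passive=True (the test-before-go-live
    mode) findings are reported but no change is handed to the enforcer."""
    findings = []
    for policy in policies:
        for host in hosts:
            if host.group != policy.group:
                continue
            missing = sorted(policy.required_kbs - host.installed_kbs)
            if not missing:
                continue
            finding = {
                "policy": policy.name,
                "host": host.addr,
                "missing": missing,
                "action": policy.action,
                "enforced": not passive,
            }
            if not passive:
                finding["change"] = enforcer.apply(policy.action, host)
            findings.append(finding)
    return findings


# Constructed sample inventory: one patched server, one server missing a patch,
# and a workstation that the server policy must not touch even though it is unpatched.
SAMPLE_HOSTS = [
    Host("192.168.1.10", "windows-servers", "1/5", {"KB4474419", "KB4490628"}),
    Host("192.168.1.20", "windows-servers", "1/6", {"KB4474419"}),
    Host("192.168.1.30", "workstations", "1/7", set()),
]

SAMPLE_POLICIES = [
    Policy("servers-patched", "windows-servers", {"KB4474419", "KB4490628"}, "switch_acl"),
]


if __name__ == "__main__":
    dry_run = SwitchEnforcer()
    for f in evaluate(SAMPLE_POLICIES, SAMPLE_HOSTS, dry_run, passive=True):
        print("PASSIVE:", f)
    live = SwitchEnforcer()
    for f in evaluate(SAMPLE_POLICIES, SAMPLE_HOSTS, live, passive=False):
        print("ACTIVE:", f)
    print("switch changes pushed:", live.changes)
```

The point of keeping `passive` as an argument to the same evaluator, rather than a separate dry-run code path, is that the findings you review in passive mode are produced by exactly the logic that will later act, so a policy that is quiet in testing stays quiet in production.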